openvpn-block-incoming-udp-plugin
openvpn-block-incoming-udp-plugin copied to clipboard
ValdikSS
PLUGIN_ROUTE_UP failed with status 1 issue
Hello. I have been experimenting with the plugin and I have been getting this strange message showing up in the log of openvpn. I know that another person had the same thing happen. I have tried different things (enabling IPV6. etc), yet it still happens. Any advise would be appreciated.
Here is the output: Fri Jan 27 00:50:55 2017 WARNING: plugin 'block-incoming-udp-64.dll' specified by a relative pathname -- using an absolute pathname would be more secure Fri Jan 27 00:50:55 2017 OpenVPN 2.4_rc2 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Dec 16 2016 Fri Jan 27 00:50:55 2017 Windows version 6.2 (Windows 8 or greater) 64bit Fri Jan 27 00:50:55 2017 library versions: OpenSSL 1.0.2i 22 Sep 2016, LZO 2.09 Enter Management Password: Fri Jan 27 00:50:55 2017 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341 Fri Jan 27 00:50:55 2017 Need hold release from management interface, waiting... Fri Jan 27 00:50:55 2017 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25341 Fri Jan 27 00:50:55 2017 MANAGEMENT: CMD 'state on' Fri Jan 27 00:50:55 2017 MANAGEMENT: CMD 'log all on' Fri Jan 27 00:50:55 2017 MANAGEMENT: CMD 'hold off' Fri Jan 27 00:50:55 2017 MANAGEMENT: CMD 'hold release' Fri Jan 27 00:50:55 2017 PLUGIN_INIT: POST block-incoming-udp-64.dll '[block-incoming-udp-64.dll]' intercepted=PLUGIN_DOWN|PLUGIN_ROUTE_UP Fri Jan 27 00:50:56 2017 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication Fri Jan 27 00:50:56 2017 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication Fri Jan 27 00:50:56 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]185.9.19.106:41185 Fri Jan 27 00:50:56 2017 Socket Buffers: R=[65536->262144] S=[65536->262144] Fri Jan 27 00:50:56 2017 UDP link local: (not bound) Fri Jan 27 00:50:56 2017 UDP link remote: [AF_INET]185.9.19.106:41185 Fri Jan 27 00:50:56 2017 MANAGEMENT: >STATE:1485496256,WAIT,,,,,, Fri Jan 27 00:50:56 2017 MANAGEMENT: >STATE:1485496256,AUTH,,,,,, Fri Jan 27 00:50:56 2017 TLS: Initial packet from [AF_INET]185.9.19.106:41185, sid=be6d9b01 e0bff1cc Fri Jan 27 00:50:56 2017 VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, [email protected] Fri Jan 27 00:50:56 2017 Validating certificate key usage Fri Jan 27 00:50:56 2017 ++ Certificate has key usage 00a0, expects 00a0 Fri Jan 27 00:50:56 2017 VERIFY KU OK Fri Jan 27 00:50:56 2017 Validating certificate extended key usage Fri Jan 27 00:50:56 2017 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication Fri Jan 27 00:50:56 2017 VERIFY EKU OK Fri Jan 27 00:50:56 2017 VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=Alderamin, [email protected] Fri Jan 27 00:50:56 2017 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA Fri Jan 27 00:50:56 2017 [Alderamin] Peer Connection Initiated with [AF_INET]185.9.19.106:41185 Fri Jan 27 00:50:57 2017 MANAGEMENT: >STATE:1485496257,GET_CONFIG,,,,,, Fri Jan 27 00:50:57 2017 SENT CONTROL [Alderamin]: 'PUSH_REQUEST' (status=1) Fri Jan 27 00:50:57 2017 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.30.0.1,comp-lzo no,route-gateway 10.30.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.30.0.44 255.255.0.0' Fri Jan 27 00:50:57 2017 OPTIONS IMPORT: timers and/or timeouts modified Fri Jan 27 00:50:57 2017 OPTIONS IMPORT: compression parms modified Fri Jan 27 00:50:57 2017 OPTIONS IMPORT: --ifconfig/up options modified Fri Jan 27 00:50:57 2017 OPTIONS IMPORT: route options modified Fri Jan 27 00:50:57 2017 OPTIONS IMPORT: route-related options modified Fri Jan 27 00:50:57 2017 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified Fri Jan 27 00:50:57 2017 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key Fri Jan 27 00:50:57 2017 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication Fri Jan 27 00:50:57 2017 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key Fri Jan 27 00:50:57 2017 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication Fri Jan 27 00:50:57 2017 interactive service msg_channel=680 Fri Jan 27 00:50:57 2017 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 I=14 HWADDR=90:2b:34:29:22:ac Fri Jan 27 00:50:57 2017 open_tun Fri Jan 27 00:50:57 2017 TAP-WIN32 device [Ethernet 2] opened: \.\Global{F7894130-85F0-454F-91C6-40222770742A}.tap Fri Jan 27 00:50:57 2017 TAP-Windows Driver Version 9.21 Fri Jan 27 00:50:57 2017 Set TAP-Windows TUN subnet mode network/local/netmask = 10.30.0.0/10.30.0.44/255.255.0.0 [SUCCEEDED] Fri Jan 27 00:50:57 2017 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.30.0.44/255.255.0.0 on interface {F7894130-85F0-454F-91C6-40222770742A} [DHCP-serv: 10.30.255.254, lease-time: 31536000] Fri Jan 27 00:50:57 2017 Successful ARP Flush on interface [21] {F7894130-85F0-454F-91C6-40222770742A} Fri Jan 27 00:50:58 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=0 Fri Jan 27 00:50:58 2017 MANAGEMENT: >STATE:1485496258,ASSIGN_IP,,10.30.0.44,,,, Fri Jan 27 00:51:03 2017 TEST ROUTES: 1/1 succeeded len=0 ret=1 a=0 u/d=up Fri Jan 27 00:51:03 2017 C:\WINDOWS\system32\route.exe ADD 185.9.19.106 MASK 255.255.255.255 192.168.1.1 Fri Jan 27 00:51:03 2017 ROUTE: route addition failed using service: The object already exists. [status=5010 if_index=14] Fri Jan 27 00:51:03 2017 Route addition via service failed Fri Jan 27 00:51:03 2017 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.30.0.1 Fri Jan 27 00:51:03 2017 ROUTE: route addition failed using service: The object already exists. [status=5010 if_index=21] Fri Jan 27 00:51:03 2017 Route addition via service failed Fri Jan 27 00:51:03 2017 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.30.0.1 Fri Jan 27 00:51:03 2017 ROUTE: route addition failed using service: The object already exists. [status=5010 if_index=21] Fri Jan 27 00:51:03 2017 Route addition via service failed Fri Jan 27 00:51:03 2017 PLUGIN_CALL: POST block-incoming-udp-64.dll/PLUGIN_ROUTE_UP status=1 Fri Jan 27 00:51:03 2017 PLUGIN_CALL: plugin function PLUGIN_ROUTE_UP failed with status 1: block-incoming-udp-64.dll Fri Jan 27 00:51:03 2017 WARNING: route-up plugin call failed Fri Jan 27 00:51:03 2017 Initialization Sequence Completed Fri Jan 27 00:51:03 2017 MANAGEMENT: >STATE:1485496263,CONNECTED,SUCCESS,10.30.0.44,185.9.19.106,41185,,
Thank you.
I have a similar issue. It's with fix-dns-leak plugin.. it was working fine but suddenly this issue came up.. This is the error I get..
Sat May 20 14:44:55 2017 WARNING: plugin 'fix-dns-leak-64.dll' specified by a relative pathname -- using an absolute pathname would be more secure Sat May 20 14:44:55 2017 OpenVPN 2.4.2 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on May 11 2017 Sat May 20 14:44:55 2017 Windows version 6.2 (Windows 8 or greater) 64bit Sat May 20 14:44:55 2017 library versions: OpenSSL 1.0.2k 26 Jan 2017, LZO 2.10 Enter Management Password: Sat May 20 14:44:55 2017 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340 Sat May 20 14:44:55 2017 Need hold release from management interface, waiting... Sat May 20 14:44:55 2017 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340 Sat May 20 14:44:56 2017 MANAGEMENT: CMD 'state on' Sat May 20 14:44:56 2017 MANAGEMENT: CMD 'log all on' Sat May 20 14:44:56 2017 MANAGEMENT: CMD 'echo all on' Sat May 20 14:44:56 2017 MANAGEMENT: CMD 'hold off' Sat May 20 14:44:56 2017 MANAGEMENT: CMD 'hold release' Sat May 20 14:44:56 2017 PLUGIN_INIT: POST fix-dns-leak-64.dll '[fix-dns-leak-64.dll]' intercepted=PLUGIN_UP|PLUGIN_DOWN Sat May 20 14:44:56 2017 MANAGEMENT: >STATE:1495316696,RESOLVE,,,,,, Sat May 20 14:44:56 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]185.65.134.70:1300 Sat May 20 14:44:56 2017 Socket Buffers: R=[65536->65536] S=[65536->65536] Sat May 20 14:44:56 2017 UDP link local: (not bound) Sat May 20 14:44:56 2017 UDP link remote: [AF_INET]185.65.134.70:1300 Sat May 20 14:44:56 2017 MANAGEMENT: >STATE:1495316696,WAIT,,,,,, Sat May 20 14:44:56 2017 MANAGEMENT: >STATE:1495316696,AUTH,,,,,, Sat May 20 14:44:56 2017 TLS: Initial packet from [AF_INET]185.65.134.70:1300, sid=e40488e3 2794d65b Sat May 20 14:44:56 2017 VERIFY WARNING: depth=1, unable to get certificate CRL: C=NA, ST=None, L=None, O=Mullvad, CN=master.mullvad.net, [email protected] Sat May 20 14:44:56 2017 VERIFY WARNING: depth=2, unable to get certificate CRL: C=NA, ST=None, L=None, O=Mullvad, CN=Mullvad CA, [email protected] Sat May 20 14:44:56 2017 VERIFY OK: depth=2, C=NA, ST=None, L=None, O=Mullvad, CN=Mullvad CA, [email protected] Sat May 20 14:44:56 2017 VERIFY OK: depth=1, C=NA, ST=None, L=None, O=Mullvad, CN=master.mullvad.net, [email protected] Sat May 20 14:44:56 2017 VERIFY KU OK Sat May 20 14:44:56 2017 Validating certificate extended key usage Sat May 20 14:44:56 2017 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication Sat May 20 14:44:56 2017 VERIFY EKU OK Sat May 20 14:44:56 2017 VERIFY OK: depth=0, C=NA, ST=None, L=None, O=Mullvad, CN=nl7.mullvad.net, [email protected] Sat May 20 14:44:57 2017 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA Sat May 20 14:44:57 2017 [nl7.mullvad.net] Peer Connection Initiated with [AF_INET]185.65.134.70:1300 Sat May 20 14:44:58 2017 MANAGEMENT: >STATE:1495316698,GET_CONFIG,,,,,, Sat May 20 14:44:58 2017 SENT CONTROL [nl7.mullvad.net]: 'PUSH_REQUEST' (status=1) Sat May 20 14:44:58 2017 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.14.0.1,route-ipv6 0000::/2,route-ipv6 4000::/2,route-ipv6 8000::/2,route-ipv6 C000::/2,route-gateway 10.14.0.1,topology subnet,ifconfig-ipv6 fdda:d0d0:cafe:1300::100a/64 fdda:d0d0:cafe:1300::,ifconfig 10.14.0.12 255.255.0.0,peer-id 25,cipher AES-256-GCM' Sat May 20 14:44:58 2017 OPTIONS IMPORT: --ifconfig/up options modified Sat May 20 14:44:58 2017 OPTIONS IMPORT: route options modified Sat May 20 14:44:58 2017 OPTIONS IMPORT: route-related options modified Sat May 20 14:44:58 2017 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified Sat May 20 14:44:58 2017 OPTIONS IMPORT: peer-id set Sat May 20 14:44:58 2017 OPTIONS IMPORT: adjusting link_mtu to 1625 Sat May 20 14:44:58 2017 OPTIONS IMPORT: data channel crypto options modified Sat May 20 14:44:58 2017 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key Sat May 20 14:44:58 2017 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key Sat May 20 14:44:58 2017 interactive service msg_channel=836 Sat May 20 14:44:58 2017 ROUTE_GATEWAY 192.168.0.1/255.255.255.0 I=13 HWADDR=dc:53:60:6d:ff:24 Sat May 20 14:44:58 2017 GDG6: remote_host_ipv6=n/a Sat May 20 14:44:58 2017 GetBestInterfaceEx() returned if=13 Sat May 20 14:44:58 2017 GDG6: II=13 DP=::/0 NH=fe80::526a:3ff:fed3:7003 Sat May 20 14:44:58 2017 GDG6: Metric=256, Loopback=0, AA=1, I=0 Sat May 20 14:44:58 2017 ROUTE6_GATEWAY fe80::526a:3ff:fed3:7003 I=13 Sat May 20 14:44:58 2017 open_tun Sat May 20 14:44:58 2017 TAP-WIN32 device [Ethernet 2] opened: \.\Global{669685AE-19C7-4461-9BF4-EB3F346629B1}.tap Sat May 20 14:44:58 2017 TAP-Windows Driver Version 9.21 Sat May 20 14:44:58 2017 Set TAP-Windows TUN subnet mode network/local/netmask = 10.14.0.0/10.14.0.12/255.255.0.0 [SUCCEEDED] Sat May 20 14:44:58 2017 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.14.0.12/255.255.0.0 on interface {669685AE-19C7-4461-9BF4-EB3F346629B1} [DHCP-serv: 10.14.255.254, lease-time: 31536000] Sat May 20 14:44:58 2017 Successful ARP Flush on interface [9] {669685AE-19C7-4461-9BF4-EB3F346629B1} Sat May 20 14:44:58 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=1 Sat May 20 14:44:58 2017 MANAGEMENT: >STATE:1495316698,ASSIGN_IP,,10.14.0.12,,,,,fdda:d0d0:cafe:1300::100a Sat May 20 14:44:58 2017 add_route_ipv6(fdda:d0d0:cafe:1300::/64 -> fdda:d0d0:cafe:1300::100a metric 0) dev Ethernet 2 Sat May 20 14:44:58 2017 IPv6 route addition via service succeeded Sat May 20 14:44:58 2017 PLUGIN_CALL: POST fix-dns-leak-64.dll/PLUGIN_UP status=1 Sat May 20 14:44:58 2017 PLUGIN_CALL: plugin function PLUGIN_UP failed with status 1: fix-dns-leak-64.dll Sat May 20 14:44:58 2017 MANAGEMENT: Client disconnected Sat May 20 14:44:58 2017 ERROR: up/down plugin call failed Sat May 20 14:44:58 2017 Exiting due to fatal error Sat May 20 14:44:58 2017 PLUGIN: Starting firewall Found 1 TAP adapters Sat May 20 14:44:58 2017 PLUGIN: Start failed!
OpenVPN 2.4 works differently than 2.3. It now starts a service and GUI is controlling that service. Anyway, you absolutely don't need fix-dns-leak plugin: there's block-outside-dns OpenVPN configuration option which do the same and even better.
Yeah, it worked. But when I use OpenVPN and do one of the leak tests, I am seeing my ISP's name but in a different location in my country.
When I use Mullvad, I don't see servers from my country at all. No leaks. How do I prevent it? That was the reason I was trying to use that plugin
I don't see any problems on my installations. Please provide additional data, like pcap dumps of DNS traffic and so on.
I don't find the block outside dns on my config file. I downloaded the config file from Mullvad. Do I have to add the block outside dns line in the config file ? Or does OpenVPN automatically take care of it?
Probably. Server can push you this option. Try to add it into config file and see if anything changes.
I added block outside dns but I still get DNS leak. Not my exact location. But I see my ISP name in some location in my country. How should I stop this? I am using OpenVPN 2.4.2 . You asked pcap dumps . Where do I get that?
First, publish all connection logs. If you're using Mullvad client and not OpenVPN, I'm not going to help you, please ask Mullvad support.
If you're using OpenVPN, install wireshark, connect to the VPN with block-outside-dns option in the cilent config, run wireshark with "port 53" capture filter, open some websites, stop capturing and save pcapng file, send it to me at [email protected]