VPN não reconecta (não é possível resolver o endereço do host)

talvez alguém possa me ajudar:

No momento, estou tentando configurar uma conexão VPN segura contra falhas para um provedor de VPN comercial em uma máquina virtual. Isso está funcionando bem, até que meu roteador queira redefinir meu endereço IPv4 (a cada poucos dias). Em seguida, o cliente VPN na VM não pode se reconectar ao servidor VPN, porque ele não pode se conectar a um servidor DNS, causa de minhas configurações do iptables (apenas minha suposição).

Minha configuração:

A VM tem um endereço IP virtual na minha rede local. Na VM, há um servidor proxy em execução (squid). Assim, todos os meus clientes (no meu netwok local) aplicativos podem usar a conexão VPN na VM para acessar a internet.

Estou usando o Debian 7.8 com o openvpn 2.2.1-8 + deb7u3, o squid 2.7.STABLE9-4.1 + deb7u1 e o iptables 1.4.14-3.1 na minha VM.

Configurações:

openvpn:

client
dev tun
proto udp
remote urlofvpnserver.com 3478
cipher AES-128-CBC
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ca TrustedRoot.pem
verb 3
auth-user-pass /root/.secretfile
reneg-sec 0
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log

iptables:

*filter
:INPUT DROP [6:1984]
:FORWARD DROP [0:0]
:OUTPUT DROP [177:11271]

//local communication
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

//accept local network traffic
-A INPUT -s 192.168.2.0/24 -j ACCEPT
-A OUTPUT -d 192.168.2.0/24 -j ACCEPT

//allow connections to the VPN servers different IP ranges
-A OUTPUT -d hiddenvpnwebsite -j ACCEPT
-A INPUT -s hidden -j ACCEPT
-A INPUT -s hidden -j ACCEPT
-A INPUT -s hidden -j ACCEPT
-A INPUT -s hidden -j ACCEPT
-A INPUT -s hidden -j ACCEPT
-A INPUT -s hidden -j ACCEPT
-A INPUT -s hidden -j ACCEPT
-A INPUT -s hidden -j ACCEPT
-A INPUT -s hidden -j ACCEPT
-A INPUT -s hidden -j ACCEPT
-A OUTPUT -d hidden -j ACCEPT
-A OUTPUT -d hidden -j ACCEPT
-A OUTPUT -d hidden -j ACCEPT
-A OUTPUT -d hidden -j ACCEPT
-A OUTPUT -d hidden -j ACCEPT
-A OUTPUT -d hidden -j ACCEPT
-A OUTPUT -d hidden -j ACCEPT
-A OUTPUT -d hidden -j ACCEPT
-A OUTPUT -d hidden -j ACCEPT
-A OUTPUT -d hidden -j ACCEPT

//squid port
-A INPUT -i eth1 -p tcp -m tcp --dport 3128 -j ACCEPT

//DNS servers
-A INPUT -s 208.67.222.222/32 -j ACCEPT
-A OUTPUT -d 208.67.222.222/32 -j ACCEPT

//allow traffic on tun
-A INPUT -i tun+ -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT

//open openvpn ports
-A OUTPUT -p udp -m udp --dport 1194 -j ACCEPT
COMMIT

/ etc / network / interfaces

auto lo eth0
iface lo inet loopback
iface eth0 inet static
        address 192.168.2.122
        netmask 255.255.255.0
        gateway 192.168.2.1
        dns-nameservers 208.67.222.222 208.67.220.220 8.8.8.8
        dns-search 208.67.222.222

/etc/resolv.conf

nameserver 208.67.222.222
nameserver 208.67.220.220

/var/log/openvpn/openvpn.log

Wed Jan 28 03:59:46 2015 OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Dec  1 2014
Wed Jan 28 03:59:46 2015 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Wed Jan 28 03:59:46 2015 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Jan 28 03:59:46 2015 Control Channel MTU parms [ L:1557 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Jan 28 03:59:46 2015 Socket Buffers: R=[229376->131072] S=[229376->131072]
Wed Jan 28 03:59:47 2015 Data Channel MTU parms [ L:1557 D:1450 EF:57 EB:4 ET:0 EL:0 ]
Wed Jan 28 03:59:47 2015 Local Options hash (VER=V4): '8326dbaa'
Wed Jan 28 03:59:47 2015 Expected Remote Options hash (VER=V4): 'b7f67de4'
Wed Jan 28 03:59:47 2015 UDPv4 link local: [undef]
Wed Jan 28 03:59:47 2015 UDPv4 link remote: [AF_INET]one_of_the_hidden_vpn_ips:3478
Wed Jan 28 03:59:47 2015 TLS: Initial packet from [AF_INET]one_of_the_hidden_vpn_ips:3478, sid=68e25514 fb7384de
Wed Jan 28 03:59:47 2015 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Jan 28 03:59:47 2015 VERIFY OK: depth=2, hidden_CA
Wed Jan 28 03:59:47 2015 VERIFY OK: depth=1, hidden_CA
Wed Jan 28 03:59:47 2015 VERIFY OK: depth=0, hidden_CA .hidden_vpn_url
Wed Jan 28 03:59:47 2015 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Wed Jan 28 03:59:47 2015 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jan 28 03:59:47 2015 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Wed Jan 28 03:59:47 2015 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jan 28 03:59:47 2015 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Wed Jan 28 03:59:47 2015 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jan 28 03:59:47 2015 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA
Wed Jan 28 03:59:47 2015 [_.hidden_vpn_url] Peer Connection Initiated with [AF_INET]hidden_vpn_ip:3478
Wed Jan 28 03:59:49 2015 SENT CONTROL [_.hidden_vpn_url]: 'PUSH_REQUEST' (status=1)
Wed Jan 28 03:59:49 2015 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,topology subnet,ping 5,ping-restart 15,explicit-exit-notify,route-gateway 10.3.$
Wed Jan 28 03:59:49 2015 OPTIONS IMPORT: timers and/or timeouts modified
Wed Jan 28 03:59:49 2015 OPTIONS IMPORT: explicit notify parm(s) modified
Wed Jan 28 03:59:49 2015 OPTIONS IMPORT: --ifconfig/up options modified
Wed Jan 28 03:59:49 2015 OPTIONS IMPORT: route options modified
Wed Jan 28 03:59:49 2015 OPTIONS IMPORT: route-related options modified
Wed Jan 28 03:59:49 2015 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Wed Jan 28 03:59:49 2015 ROUTE default_gateway=192.168.2.1
Wed Jan 28 03:59:49 2015 TUN/TAP device tun0 opened
Wed Jan 28 03:59:49 2015 TUN/TAP TX queue length set to 100
Wed Jan 28 03:59:49 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Wed Jan 28 03:59:49 2015 /sbin/ifconfig tun0 10.3.134.57 netmask 255.255.255.0 mtu 1500 broadcast 10.3.134.255
Wed Jan 28 03:59:49 2015 /sbin/route add -net hidden_vpn_ip netmask 255.255.255.255 gw 192.168.2.1
Wed Jan 28 03:59:49 2015 /sbin/route del -net 0.0.0.0 netmask 0.0.0.0
Wed Jan 28 03:59:49 2015 /sbin/route add -net 0.0.0.0 netmask 0.0.0.0 gw 10.3.134.57
Wed Jan 28 03:59:49 2015 Initialization Sequence Completed

Comment: now everything works, until my router disconnects:

Wed Jan 28 05:33:48 2015 [_.hidden_vpn_url] Inactivity timeout (--ping-restart), restarting
Wed Jan 28 05:33:48 2015 TCP/UDP: Closing socket
Wed Jan 28 05:33:48 2015 SIGUSR1[soft,ping-restart] received, process restarting
Wed Jan 28 05:33:48 2015 Restart pause, 2 second(s)
Wed Jan 28 05:33:50 2015 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Wed Jan 28 05:33:50 2015 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Jan 28 05:33:50 2015 Re-using SSL/TLS context
Wed Jan 28 05:33:50 2015 Control Channel MTU parms [ L:1557 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Jan 28 05:33:50 2015 Socket Buffers: R=[229376->131072] S=[229376->131072]
Wed Jan 28 05:35:10 2015 RESOLVE: Cannot resolve host address: hidden_vpn_url: [HOST_NOT_FOUND] The specified host is unknown.
Wed Jan 28 05:35:10 2015 Data Channel MTU parms [ L:1557 D:1450 EF:57 EB:4 ET:0 EL:0 ]
Wed Jan 28 05:35:10 2015 Local Options hash (VER=V4): '8326dbaa'
Wed Jan 28 05:35:10 2015 Expected Remote Options hash (VER=V4): 'b7f67de4'
Wed Jan 28 05:36:30 2015 RESOLVE: Cannot resolve host address:  hidden_vpn_url: [HOST_NOT_FOUND] The specified host is unknown.
Wed Jan 28 05:37:55 2015 RESOLVE: Cannot resolve host address:  hidden_vpn_url: [HOST_NOT_FOUND] The specified host is unknown.
Wed Jan 28 05:39:20 2015 RESOLVE: Cannot resolve host address:  hidden_vpn_url: [HOST_NOT_FOUND] The specified host is unknown.
Wed Jan 28 05:40:45 2015 RESOLVE: Cannot resolve host address:  hidden_vpn_url: [HOST_NOT_FOUND] The specified host is unknown.

Eu assumo que o problema é o seguinte: Na configuração openvpn eu tenho que definir a url do provedor vpn em vez de um endereço IP com: remote urlofvpnserver.com 3478.

Eu tentei mudar isso para um endereço IP do provedor vpn. Mas eles usam mais de um endereço IP e intervalo. Eu acho que no lado do servidor eu vou estar conectado a um servidor, que não está sobrecarregado, para garantir a melhor velocidade de conexão. Mas se eu mudar urlofvpnserver.com para um dos seus endereços IP, a conexão só funciona 50% do tempo. (alguns scripts do servidor vpn podem estar bloqueando isso)

Então, depois que eu perdi a conexão com a VPN, a VM tenta resolver o endereço IP de urlofvpnserver.com perguntando ao servidor DNS. Mas a VM não consegue se conectar ao servidor DNS, porque talvez seja forçada a usar uma conexão VPN?

Sry para editar meus arquivos de configuração. Eu sou apenas um pouco paranóico. Acabei de começar a aprender iptables e protocolos de rede. Então eu posso estar totalmente errado.

Alguém tem uma ideia, como consertar isso? Assim, o cliente VPN pode se reconectar após problemas de conexão DC ou Internet do roteador? Eu ficaria feliz em fornecer informações mais específicas, se alguém precisar.