Date and Time incorrect Vero 4K +

I’m using wired but I’m able to stream all my LAN content so there is nothing wrong with the cable.
I think the problem is that the ntp reset to a wrong date after it crashed, then it didn’t allow me to connect to my VPN anymore so it blocks all networking since the time and date are incorrect.

Trying to get the log on my device so I can copy and paste gives me this error.

grab-logs -A -C
Unable to write temporary log to /var/tmp/uploadlog.txt
Failed

Hi,

Are you using a VPN kill switch with iptables?

If so, try setting the date manually. So for example, I would set the local time here with:

sudo date -s "16 NOV 2021 16:18:00"

Try connecting to the VPN and then restarting ntp.

Thanks Tom.

Yes it is. I set the time manually but it’s still not resolving curl https://ipinfo.io/ip
so I don’t think the VPN is connecting and I don’t know how to get into the debug log of that so I don’t know what’s wrong with it.

Only this, but it doesn’t show a log:

sudo systemctl status openvpn

  • openvpn.service - OpenVPN service
    Loaded: loaded (/lib/systemd/system/openvpn.service; enabled; vendor preset:
    Active: active (exited) since Tue 2021-11-16 17:28:44 CET; 11min ago
    Process: 2403 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
    Main PID: 2403 (code=exited, status=0/SUCCESS)

Nov 16 17:28:44 osmc systemd[1]: Starting OpenVPN service…
Nov 16 17:28:44 osmc systemd[1]: Started OpenVPN service.

Restarted ntp and it gives me this

ntp.service - Network Time Service
   Loaded: loaded (/lib/systemd/system/ntp.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2021-11-16 17:47:56 CET; 4s ago
     Docs: man:ntpd(8)
  Process: 3501 ExecStart=/usr/lib/ntp/ntp-systemd-wrapper (code=exited, status=0/SUCCESS)
 Main PID: 3517 (ntpd)
    Tasks: 2 (limit: 1620)
   Memory: 1.0M
   CGroup: /system.slice/ntp.service
           `-3517 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 105:107

Nov 16 17:47:56 osmc ntpd[3517]: leapsecond file ('/usr/share/zoneinfo/leap-seconds.list'): good hash signature
Nov 16 17:47:56 osmc ntpd[3517]: leapsecond file ('/usr/share/zoneinfo/leap-seconds.list'): loaded, expire=2022-06-28T00:00:00Z last=2017-01-01T00:00:00Z ofs=37
Nov 16 17:47:56 osmc ntpd[3517]: Listen and drop on 0 v6wildcard [::]:123
Nov 16 17:47:56 osmc ntpd[3517]: Listen and drop on 1 v4wildcard 0.0.0.0:123
Nov 16 17:47:56 osmc ntpd[3517]: Listen normally on 2 lo 127.0.0.1:123
Nov 16 17:47:56 osmc ntpd[3517]: Listen normally on 3 eth0 192.168.1.114:123
Nov 16 17:47:56 osmc ntpd[3517]: Listen normally on 4 lo [::1]:123
Nov 16 17:47:56 osmc ntpd[3517]: Listening on routing socket on fd #21 for interface updates
Nov 16 17:47:56 osmc ntpd[3517]: kernel reports TIME_ERROR: 0x41: Clock Unsynchronized
Nov 16 17:47:56 osmc ntpd[3517]: kernel reports TIME_ERROR: 0x41: Clock Unsynchronized
Nov 16 17:48:57 osmc ntpd[3517]: error resolving pool 2.debian.pool.ntp
Nov 16 17:49:17 osmc ntpd[3517]: error resolving pool 3.debian.pool.ntp
Nov 16 17:49:37 osmc ntpd[3517]: error resolving pool 1.debian.pool.ntp
Nov 16 17:49:57 osmc ntpd[3517]: error resolving pool 0.debian.pool.ntp
Nov 16 17:50:17 osmc ntpd[3517]: error resolving pool 2.debian.pool.ntp
Nov 16 17:50:37 osmc ntpd[3517]: error resolving pool 3.debian.pool.ntp
Nov 16 17:50:57 osmc ntpd[3517]: error resolving pool 1.debian.pool.ntp
Nov 16 17:51:17 osmc ntpd[3517]: error resolving pool 0.debian.pool.ntp
Nov 16 17:51:37 osmc ntpd[3517]: error resolving pool 2.debian.pool.ntp
Nov 16 17:51:57 osmc ntpd[3517]: error resolving pool 3.debian.pool.ntp

This is my iptables output

sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -o eth0 -p icmp -j ACCEPT
-A OUTPUT -d 192.168.1.0/24 -o eth0 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 123 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 1197 -j ACCEPT
-A OUTPUT -o eth0 -j DROP

Warning: iptables-legacy tables present, use iptables-legacy to see them

Hi,

Have you tried restarting openvpn?

Also you could temporarily remove the drop rule for eth0:

sudo iptables -D OUTPUT -o eth0 -j DROP

Once ntp and openvpn issues have been resolved, you can re-add the rule:

sudo iptables -A OUTPUT -o eth0 -j DROP

It is possible that your openvpn provider is having issues. Have you tried a different server?

Thanks Tom.

Yes I tried restarting the openvpn service, and restarting the device multiple times
Do you think that temporarily removing them would fix the issue?

And how do you remove them and re-add the rules?
I set this up so long ago and I’m not that good with iptables or SSH.

I had an issue with failed to start netfilter persistent configuration error for a while, I don’t know what causes it but I get it on every boot and when I update. Something went wrong setting it up but that was months ago and it never caused any problems but it did tell me to report it here every time, which I kept forgetting because you don’t restart boxes that often.

I tried the same server range on different devices since it uses a dynamic host name, no problems on any other devices, just on the vero and only since the screen went green and I had to restart into the wrong time and date.

Hi,

Following the instructions in this post will probably resolve that:

First off I would save the current rules:

sudo netfilter-persistent save

Then I would disable iptables-restore:

sudo systemctl disable netfilter-persistent

Then reboot. Hopefully openvpn and ntp are now up.

If that is the case, you can now restore iptables:

sudo systemctl enable netfilter-persistent
sudo systemctl start netfilter-persistent

Thanks Tom.

Can’t @MarchHare just reset the date manually?

Already tried that see posts 6 & 7.

How did I miss that?

I will try what you said today, I just read on reddit that PIA changed their default port for udp

I don’t know if this is true and I don’t know how to change everything if it is but if so that could cause the VPN to no longer connect, which would mean that my IPtable rules aren’t correct anymore either so that might have caused the ntp to no longer work.

Hi,

Also the openvpn configuration files will need updating as well. I’ve just downloaded the latest configs and 1198 & 1197 are still there. Perhaps PIA are having issues their end. All I can say is I’m using 501 TCP with no issues here with PIA.

Thanks Tom.

I started with the netfilter fix

 sudo update-alternatives --config iptables
There are 2 choices for the alternative iptables (providing /usr/sbin/iptables).

  Selection    Path                       Priority   Status
------------------------------------------------------------
  0            /usr/sbin/iptables-nft      20        auto mode
  1            /usr/sbin/iptables-legacy   10        manual mode
* 2            /usr/sbin/iptables-nft      20        manual mode

Press <enter> to keep the current choice[*], or type selection number: 1
update-alternatives: using /usr/sbin/iptables-legacy to provide /usr/sbin/iptables (iptables) in manual mode

Then I rebooted and it seems the FAILED netfilter problem is gone.

Iptables show this

sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -o eth0 -p icmp -j ACCEPT
-A OUTPUT -d 192.168.1.0/24 -o eth0 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 123 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 1197 -j ACCEPT
-A OUTPUT -o eth0 -j DROP

I used

sudo netfilter-persistent save
run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-ip4tables save
run-parts: executing /usr/share/netfilter-persistent/plugins.d/25-ip6tables save

then disabled sudo systemctl disable netfilter-persistent

sudo systemctl disable netfilter-persistent
Synchronizing state of netfilter-persistent.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install disable netfilter-persistent
Removed /etc/systemd/system/multi-user.target.wants/netfilter-persistent.service.

Rebooted but I still do not have a connection. NTP was turned off, I tried to start that but it can’t resolve hosts. I removed PIA’s DNS servers 209.222.18.222 209.222.18.218 from the OSMC addon then checked NTP and restarted Openvpn

* ntp.service - Network Time Service
   Loaded: loaded (/lib/systemd/system/ntp.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2021-11-17 16:10:44 CET; 52s ago
     Docs: man:ntpd(8)
  Process: 3192 ExecStart=/usr/lib/ntp/ntp-systemd-wrapper (code=exited, status=0/SUCCESS)
 Main PID: 3198 (ntpd)
    Tasks: 2 (limit: 1620)
   Memory: 1.0M
   CGroup: /system.slice/ntp.service
           `-3198 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 105:107

Nov 17 16:10:44 osmc ntpd[3198]: kernel reports TIME_ERROR: 0x41: Clock Unsynchronized
Nov 17 16:10:45 osmc ntpd[3198]: Soliciting pool server 213.239.154.12
Nov 17 16:10:46 osmc ntpd[3198]: Soliciting pool server 94.228.220.14
Nov 17 16:10:47 osmc ntpd[3198]: Soliciting pool server 5.39.184.5
Nov 17 16:10:48 osmc ntpd[3198]: Soliciting pool server 213.239.154.12
Nov 17 16:11:17 osmc ntpd[3198]: Deleting interface #4 tun0, 10.12.110.28#123, interface stats: received=0, sent=4, dropped=0, active_time=33 secs
Nov 17 16:11:17 osmc ntpd[3198]: Deleting interface #6 tun0, fe80::4020:a04f:a3a6:a52b%4#123, interface stats: received=0, sent=0, dropped=0, active_time=33 secs
Nov 17 16:11:19 osmc ntpd[3198]: Listen normally on 7 tun0 10.1.100.1:123
Nov 17 16:11:19 osmc ntpd[3198]: Listen normally on 8 tun0 [IPV6 deleted this]:123
Nov 17 16:11:19 osmc ntpd[3198]: new interface(s) found: waking up resolver

It looks like VPN is up after checking ipinfo.io/ip

I used sudo systemctl enable netfilter-persistent

sudo systemctl enable netfilter-persistent
Synchronizing state of netfilter-persistent.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable netfilter-persistent
Created symlink /etc/systemd/system/multi-user.target.wants/netfilter-persistent.service → /lib/systemd/system/netfilter-persistent.service.

and started it.
The iptables output is now

sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -o eth0 -p icmp -j ACCEPT
-A OUTPUT -d 192.168.1.0/24 -o eth0 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 123 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 1197 -j ACCEPT
-A OUTPUT -o eth0 -j DROP

I restarted my Vero and everything seems to be up but I don’t know how to check if my IP leaks or if my DNS leaks since the DNS leak addon doesn’t work anymore in the latest version of Kodi.

I added PIA’s DNS Resolvers again 209.222.18.222 209.222.18.218 but it looks like those are down, I don’t know what to do now. I don’t know what DNS servers to use in the addon without them leaking.
I don’t think I have dnsmasq or connman installed and I do not know how it works. Maybe you can help me with that.
I do have this at the bottom of my openvpn config.

disable-occ
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

I also do not know how or what I would have to update in the VPN config as you mentioned.

Hi,

PIA’s dns servers are down, I suggest contacting them and finding out when they’ll be back up (I don’t use them myself, use DNSoverTLS instead). In the meantime all I can suggest is to use non logging name servers such as cloudflare (1.1.1.1 & 1.0.0.1)

If you’re entering the PIA’s nameservers in the MyOSMC addons, these lines are not required.

Thanks Tom.

I’m not using them either I had them as a fail-safe because I need something to connect with. I have NextDNS on my router so I could let it use the routers DNS.

If I set the DNS to auto detect from my router and use the NextDNS to connect, will it start using PIA’s DNS servers matching the IP, like with the windows client, and prevent leaking once connected with the update-resolv-conf? I think someone on here told me that’s how it worked in the past but I don’t know for sure. So that if my VPN disconnects it won’t leak DNS or IP with the iptables settings I have but will reconnect to the VPN again and use their DNS.

Whatever I have to do I don’t mind doing it if you can explain how, but I want it to use PIA’s DNS pushed by the OpenVPN client to match with my IP. I don’t know what I have to change to get this but this is how it has always worked and it never leaked so I would like that again. What would I have to do to make it only use a different DNS to connect to PIA and nothing else, even if the VPN disconnects I don’t want it to leak but block.
I use PIA DNS on all my windows devices and none of them ever have issues connecting.

Hi,

Once PIA’s dns servers are working, the easiest way to use them is by adding the DNS servers in MyOSMC. Being as you have setup openvpn to always be on, on your vero4k, there is no need to set them to auto switch.

Have you updated the openvpn config, so the 3 lines have been removed?

Thanks Tom.

PIA’s DNS servers are online because they work on every other platform. Only the 2 static DNS servers they used to have seem to not work anymore but they don’t use those on apple or windows. They push a DNS once you connect so I don’t think the old DNS servers will come back, they aren’t listed on the website anymore either so I don’t have a DNS server, that is the problem right now.

No because I currently have no DNS server. I had these 3 lines for a long time and I never had leaks.
Maybe they changed something in the latest ovpn files that makes you always use their DNS by default?

Hi,

Then I suggest you contact PIAs support and ask them to advise how to use their active dns servers with openvpn?

Alternatively: How is nextdns configured on your router?

If it’s using DNS-over-TLS/QUIC or DNS-over-HTTPS, then you can use that instead and there shouldn’t be any leaks.

Thanks Tom.

The people in tech support of PIA aren’t qualified to give advice about this, it’s really bad. The last time I had a conversation with support they didn’t know their files had a MD5/SHA256 hash… so I can’t go for help there…

NextDNS isn’t configured in any way, it’s just a number linking to a NextDNS account, just like 1.1.1.1. So that would leak.

I need to find a way to connect to my VPN again without leaking and getting a pushed DNS…

I can only find this Next Generation DNS Custom Configuration - Knowledgebase / Technical / Application Settings and Features / DNS - PIA Support Portal in their knowledgebase but that doesn’t help either.
And this for setup of a router PIA Support Portal

Hi,

Not in a position to test, but from reading the links provided this should work.

Set dns servers in myosmc to your router or the nextdns ones. Then update your vpn configuration:

Remove:

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

Replace with:

dhcp-option DNS 10.0.0.243

Then reboot or restart openvpn.

Thanks Tom.

Should I set OSMC to DHCP the request? or just set it to the router IP or should I set it to the NextDNS IP?
Because when I did put it to DHCP in MyOSMC the VPN connected, I just couldn’t see if there was a leak since the DNS leak addon is not available for Kodi 19.

If I add dhcp-option DNS 10.0.0.243 would this prevent it from leaking? Is there any way to test this? I never used this in the config but the leak test was always ok back when the DNS leak test addon worked.
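
The thread leaves open how to check the kill switch without the Kodi DNS leak add-on. As an added example (not part of the original thread, and not OSMC or PIA code), this script audits `iptables -S` output like the ruleset posted above: it reports which traffic may still leave `eth0` outside the LAN, whether the VPN port is allowed, and whether the final DROP is in place. The function names and finding labels are hypothetical; the rules and port 1197 are copied from the thread.

```shell
#!/bin/sh
# Audit a kill-switch OUTPUT chain from `iptables -S` text on stdin.
# Usage: audit_killswitch WAN_IF LAN_CIDR VPN_PORT  (hypothetical helper)
audit_killswitch() {
    awk -v wan="$1" -v lan="$2" -v vport="$3" '
    $1 == "-A" && $2 == "OUTPUT" {
        oif = dst = proto = dport = target = ""
        for (i = 3; i < NF; i++) {
            if ($i == "-o") oif = $(i+1)
            if ($i == "-d") dst = $(i+1)
            if ($i == "-p") proto = $(i+1)
            if ($i == "--dport") dport = $(i+1)
            if ($i == "-j") target = $(i+1)
        }
        if (oif != wan) next                     # tun0 rules are not egress on the WAN side
        if (target == "DROP" && proto == "" && dst == "") { dropped = 1; next }
        if (target != "ACCEPT" || dropped || dst == lan) next   # LAN-only or unreachable rule
        if (dport == "53") print "LEAK-RISK plaintext DNS allowed on " wan " (" proto "/53)"
        else if (dport == "123") print "INFO NTP allowed on " wan " (clock can sync before the tunnel is up)"
        else if (dport == vport) { print "OK VPN port " proto "/" dport " allowed on " wan; vpn_ok = 1 }
        else if (dport != "") print "REVIEW " proto "/" dport " allowed on " wan
    }
    END {
        if (!dropped) print "FAIL no final DROP on " wan ", kill switch is off"
        if (!vpn_ok) print "FAIL VPN port " vport " not allowed on " wan ", tunnel cannot come up"
    }'
}

# Ruleset as posted in the thread, embedded so the script runs offline.
sample_rules() {
    cat <<'EOF'
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -o eth0 -p icmp -j ACCEPT
-A OUTPUT -d 192.168.1.0/24 -o eth0 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 123 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 1197 -j ACCEPT
-A OUTPUT -o eth0 -j DROP
EOF
}

sample_rules | audit_killswitch eth0 192.168.1.0/24 1197
```

On the device itself, pipe the live rules in with `sudo iptables -S | audit_killswitch eth0 192.168.1.0/24 1197`. The two LEAK-RISK lines mean that a resolver outside the LAN is reachable in the clear over `eth0` whenever the tunnel is down, which is the case the DNS questions in this thread are about.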