Ubuntu – Default DNS Server not switched after connecting to OpenVPN

18.04dnsopenvpnserversystemd-resolved

I'm using a OpenVPN connection between my laptop and my server. The configuration was working until today (i simply ran apt update && apt upgrade), but since then my DNS settings are "wrong" after connecting to the OpenVPN.

After connecting to the OpenVPN Server, i have two "catch all" DNS Domain entries (DNS Domain: ~.) in my systemd-resolve configuration.

Stripped output of systemd-resolve --status:

Link 11 (tun0)
      Current Scopes: DNS
       LLMNR setting: yes
MulticastDNS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
         DNS Servers: 192.168.X.Y
          DNS Domain: ~.

Link 2 (enp0s25)
      Current Scopes: DNS
       LLMNR setting: yes
MulticastDNS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
         DNS Servers: 10.16.X.Y
                      10.16.X.Y
          DNS Domain: ~.

Therefore DNS queries now aren't savely tunneled through the VPN but also may be transfered via the normal network.

This leads to a DNSLeak and even worse: VPN-Internal Hostnames aren't resolved correctly (every now and then).

I only know of options to add the DNS Domain: ~. entry to the tun0-Interface for resolved. But how do i remove an already existing one from the real interface?

I'm already using this config to update systemd-resolved in my OpenVPN client.conf:

# Upate systemd-resolvd
up /etc/openvpn/update-systemd-resolved
down /etc/openvpn/update-systemd-resolved
down-pre
dhcp-option DOMAIN-ROUTE .

Anybody got an idea how to solve this?

// Update:
Looks like this is a longer known problem with NetworkManager starting to attach the root DNS Domain to links at random. There is an interesting discussion about it in a GitHub Issue in the repo of the developer of the update-systemd-resolved script.

// Probably this commit to NetworkManager broke it. Since it introduced the default dns route for all interfaces behavior.

Best Answer

Add to the client configuration file (the file with extension .ovpn) downloaded from the OpenVPN server the line:

dhcp-option DOMAIN-ROUTE .

As you know, before adding this line, in Ubuntu 18.04 you must install update-systemd-resolved scripts as described in https://github.com/jonathanio/update-systemd-resolved

If it still does not work, perhaps you must add your internal DNS server too. Check the lines you add at the end of the .ovpn file looks like:

script-security 2
dhcp-option DNS 10.1.0.1  # replace this IP with your DNS server IP.
dhcp-option DOMAIN yourinternaldomain.local  # replace this with your internal domain name.
dhcp-option DOMAIN-ROUTE .
up /etc/openvpn/update-systemd-resolved
down /etc/openvpn/update-systemd-resolved
down-pre

If you use the UI (gnome) to connect

Last, if you are using the UI VPN Icons to connect to your VPN, you must re-import the .ovpn modified file.

To do that execute in a terminal:

sudo apt install openvpn openvpn-systemd-resolved resolvconf
sudo apt install network-manager-openvpn network-manager-openvpn-gnome

Click in Ubuntu start menu:

Type the word "network" and click on Network. It should show somthing like:

Click in the "+" sign on VPN and click in "import from file" option:

Once imported, add a name and click the "add" button at the top right of the dialog.

You are all set!

To connect to the VPN, click in the network icon and after that in the lock icon.

Related Solutions

Ubuntu – Can “netplan” be used with OpenVPN

If you're using OpenVPN on a desktop/laptop, I strongly suggest you use NetworkManager to control your VPN. It can pass through the right DNS information to the DNS backend (dnsmasq or systemd-resolved, depending on your release of Ubuntu), and it can do the right thing to bring up the VPN automatically on some interfaces, deal better with loss of connection, having to ask for credentials again, etc.

netplan does not have any special VPN support. Setting up a tun interface in an "ethernets:" stanza is likely not what you want, as will not create tun interfaces, and might in fact interfere with that OpenVPN might do to the interface; but if you really want to use it, you do need to roll your own vpn-up/vpn-down scripts triggered by openvpn to run 'netplan apply' with the right configuration files available in /etc/netplan.

Ubuntu – Ubuntu 18.04 no DNS resolution when connected to OpenVPN

I found a solution on this blog post. While there are two solutions mentioned, I prefer using the second one because it means my DNS is set by the OpenVPN server (the first solution means I use the same DNS servers whether or not I'm connected to the OpenVPN server).

In short:

sudo mkdir -p /etc/openvpn/scripts
sudo wget https://raw.githubusercontent.com/jonathanio/update-systemd-resolved/master/update-systemd-resolved -P /etc/openvpn/scripts/
sudo chmod +x /etc/openvpn/scripts/update-systemd-resolved

Then edit your OpenVPN client file (e.g. client.ovpn) by changing the up/down scripts to:

script-security 2
# up /etc/openvpn/update-resolv-conf
# down /etc/openvpn/update-resolv-conf
up /etc/openvpn/scripts/update-systemd-resolved
down /etc/openvpn/scripts/update-systemd-resolved

(I have commented out the original up/down settings).

Best Answer

If you use the UI (gnome) to connect

Related Solutions

Ubuntu – Can “netplan” be used with OpenVPN

Ubuntu – Ubuntu 18.04 no DNS resolution when connected to OpenVPN

Related Question