Ubuntu – Problem with DNS with OpenVPN on Ubuntu 20.04


I have installed the OpenVPN server and the Bind9 DNS server on the company server. Part of the server config is below. The important parts are the pushed route and the DHCP DNS option.

port 1194
proto udp
dev tun
topology subnet
ifconfig-pool-persist ipp.txt
push "route" 
push "dhcp-option DNS"

When connecting on Windows or Elementary OS, everything works great. Only traffic to the server goes through the VPN, the rest does not. If the client is forced to pass all traffic through the VPN, internet access works too. In both cases, when trying to access git.internal.mycompany.org it gets the DNS records from my Bind9 DNS server and connects correctly.

But this does not work in Ubuntu. When passing all traffic through the VPN, the record from DNS is resolved. But when only server traffic goes through the VPN, the DNS server is not reached and I cannot access the git server via URL. Reaching it via IP works.

I also tried adding this to the client config:

script-security 2
up /etc/openvpn/update-systemd-resolved
down /etc/openvpn/update-systemd-resolved

But this does not help. Maybe because when I try to run the script directly, I get an error: /etc/openvpn/update-systemd-resolved: řádek 404: dev: unbound variable.

I don't know how to fix this. I tried searching here on AskUbuntu and elsewhere, but most answers suggest adding up and down to the config, which does not work for me. It is a problem because most of my colleagues use Ubuntu; only a few computers run Windows or another Linux distro.

Update with applied changes

When I applied the changes from @heynnema, here is what is printed in the console when connecting via terminal: https://pastebin.com/DkjHguqE. After that, ping git.internal.mycompany.org doesn't work.

Other facts I found:

  • When I added redirect-gateway def1 bypass-dhcp to the config, my public IP is the IP of the server, but I still cannot ping the URL above.
  • When I imported the config into the Ubuntu UI as mentioned in https://askubuntu.com/a/1188022/972420, ping works until I uncheck Use this connection only for traffic within this network.

Best Answer

It seems that the main problem is with systemd-resolved, as described here: https://github.com/systemd/systemd/issues/6076
A really great article, which I took as a starting point, is here: https://www.gabriel.urdhr.fr/2020/03/17/systemd-revolved-dns-configuration-for-vpn/

A small workaround that worked for me is to run this after every connection to the VPN. Basically, it sets the DNS manually:

sudo resolvectl dns tun0 # Replace with IP of your DNS server
# All internal services are like git.int.mycompany.com or ldap.int.mycompany.com
# You can try to set up "~mycompany.com", worked for me as well
sudo resolvectl domain tun0 "~int.mycompany.com" 

How to automate it

With NetworkManager:
If you use NetworkManager (pictures of it are available here), you can automate this with scripts in /etc/NetworkManager/dispatcher.d/

Create a custom script, name it 02-ifupdown, set chmod +x on it and paste:


#!/bin/bash
# NetworkManager dispatcher script: $1 is the interface, $2 is the event (vpn-up, vpn-down, ...)
EXPECTED_VPN_NAME="MyCompany VPN" # Put your VPN name here
# Name of the currently active VPN connection (strip the ":vpn" type suffix)
VPN_CONN_NAME=`nmcli --get name,type con show --active | grep vpn | sed 's/\:.*//'`

if [ "$2" = "vpn-up" ] && [ "$EXPECTED_VPN_NAME" = "$VPN_CONN_NAME" ]; then
        resolvectl dns tun0 # Replace with IP of your DNS server
        resolvectl domain tun0 "~int.mycompany.com"
fi

With CLI:
Create your custom script, set chmod +x on it and paste this into the client config:

script-security 2
up /path/to/my/script
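For the CLI route, an `up` script does not have to hard-code the DNS server: OpenVPN exports every pushed `dhcp-option` line to the script as `foreign_option_1`, `foreign_option_2`, ... and the tunnel interface as `dev`. The script below is an added example (not from the answer above and not the update-systemd-resolved project) that reads those variables and hands them to resolvectl; the IPs and domain names in the comments are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original answer: an OpenVPN "up" script that
# hands the pushed DNS settings to systemd-resolved for the tunnel device.
# OpenVPN runs it as:  up /path/to/this/script   (needs script-security 2)
# and exports the pushed dhcp-option lines as foreign_option_1, foreign_option_2, ...
# plus the tunnel interface name as $dev. That is also why running such a
# script by hand fails with "dev: unbound variable": $dev only exists when
# OpenVPN invokes it.
set -eu

# Turn the foreign_option_N variables into two lines, "dns <ip>..." and
# "domain ~<name>...", so the caller can pass them straight to resolvectl.
# The ~ prefix makes resolved use this link only for names under the domain
# (split DNS), which is what "Use this connection only for traffic within
# this network" does in the NetworkManager UI.
parse_foreign_options() {
    i=1 dns="" domains=""
    while :; do
        eval "opt=\${foreign_option_${i}:-}"
        [ -n "$opt" ] || break
        case "$opt" in
            "dhcp-option DNS "*)           dns="$dns ${opt#dhcp-option DNS }" ;;
            "dhcp-option DOMAIN "*)        domains="$domains ~${opt#dhcp-option DOMAIN }" ;;
            "dhcp-option DOMAIN-SEARCH "*) domains="$domains ~${opt#dhcp-option DOMAIN-SEARCH }" ;;
        esac
        i=$((i + 1))
    done
    printf 'dns%s\ndomain%s\n' "$dns" "$domains"
}

# Apply the parsed settings to the interface given as $1 (e.g. tun0).
# Lines with no values are skipped, so a server that pushes no DOMAIN
# still gets its DNS server configured.
apply_dns() {
    parse_foreign_options | while read -r kind values; do
        [ -n "$values" ] || continue
        # shellcheck disable=SC2086  # word-splitting $values is intended
        resolvectl "$kind" "$1" $values
    done
}

# Only act when OpenVPN calls us for the "up" event; resolved drops the
# per-link settings by itself once the tun device disappears on disconnect.
if [ "${script_type:-}" = "up" ] && [ -n "${dev:-}" ]; then
    apply_dns "$dev"
fi
```

With no DOMAIN pushed by the server, only the DNS server is set, so all lookups would go to the VPN resolver; push `dhcp-option DOMAIN int.mycompany.com` on the server (or keep the answer's manual `resolvectl domain` call) to get split DNS.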