I'm trying to set up an openvpn client with Ubuntu 18. I run these magic steps:
$ sudo apt-get install openvpn
$ sudo apt-get install openvpn-systemd-resolved
$ sudo openvpn --client --config ./client.ovpn
Wed Jan 2 16:24:14 2019 OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep 5 2018
Wed Jan 2 16:24:14 2019 library versions: OpenSSL 1.1.0g 2 Nov 2017, LZO 2.08
...
<14>Jan 2 15:58:07 update-systemd-resolved: Link 'tun0' coming up
<14>Jan 2 15:58:07 update-systemd-resolved: Adding IPv4 DNS Server 172.17.0.1
<14>Jan 2 15:58:07 update-systemd-resolved: Setting DNS Domain mycompany.com
<14>Jan 2 15:58:07 update-systemd-resolved: Adding IPv4 DNS Server 172.17.0.1
<14>Jan 2 15:58:07 update-systemd-resolved: Adding IPv4 DNS Server 8.8.8.8
<14>Jan 2 15:58:07 update-systemd-resolved: Setting DNS Domain mycompany.com
<14>Jan 2 15:58:07 update-systemd-resolved: Setting DNS Domain mycompany.com
<14>Jan 2 15:58:07 update-systemd-resolved: SetLinkDNS(4 3 2 4 172 17 0 1 2 4 172 17 0 1 2 4 8 8 8 8)
<14>Jan 2 15:58:07 update-systemd-resolved: SetLinkDomains(4 1 mycompany.com false)
Wed Jan 2 15:58:12 2019 ROUTE remote_host is NOT LOCAL
Wed Jan 2 15:58:12 2019 /sbin/ip route add 96.78.182.190/32 via 172.20.10.1
Wed Jan 2 15:58:12 2019 /sbin/ip route add 8.8.8.8/32 metric 101 via 172.27.232.1
Wed Jan 2 15:58:12 2019 /sbin/ip route add 172.27.224.0/20 metric 101 via 172.27.232.1
Wed Jan 2 15:58:12 2019 /sbin/ip route add 172.17.0.0/16 metric 101 via 172.27.232.1
Wed Jan 2 15:58:12 2019 Initialization Sequence Completed
where:
$ tail ./client.ovpn # Recently downloaded from the openvpn server
... # Appended this magic
.... # from here: https://askubuntu.com/questions/1032476/ubuntu-18-04-no-dns-resolution-when-connected-to-openvpn
script-security 2
dhcp-option DNS 172.17.0.1
dhcp-option DOMAIN mycompany.com
up /etc/openvpn/update-systemd-resolved
down /etc/openvpn/update-systemd-resolved
down-pre
And if I look at:
$ ls -la /etc/resolv.conf
lrwxrwxrwx 1 root root 39 Nov 21 16:53 /etc/resolv.conf -> ../run/systemd/resolve/stub-resolv.conf
$ cat /etc/resolv.conf
nameserver 127.0.0.53 <<< SHOULD BE 172.17.0.1
search mycompany.com
So it seems that the openvpn client didn't configure /etc/resolv.conf as happened with Ubuntu 14. Without this, if I "ping git" or "ping git.mycompany.com" to find our internal git service (or any internal service), I simply get the IP address of the cable modem for all ping requests.
If I edit /etc/resolv.conf and replace 127.0.0.53 with 172.17.0.1 as was requested in client.ovpn, then all works fine.
Why doesn't this client.ovpn cause /etc/resolv.conf to be updated in Ubuntu 18?
Curiously, systemd-resolve disagrees with /etc/resolv.conf. What's up with that?
$ systemd-resolve --status
Global
DNSSEC NTA: 10.in-addr.arpa
16.172.in-addr.arpa
...
home
internal
intranet
lan
local
private
test
Link 4 (tun0)
Current Scopes: DNS
LLMNR setting: yes
MulticastDNS setting: no
DNSSEC setting: no
DNSSEC supported: no
DNS Servers: 172.17.0.1
8.8.8.8
DNS Domain: mycompany.com
Link 2 (wlp2s0)
Current Scopes: DNS
LLMNR setting: yes
MulticastDNS setting: no
DNSSEC setting: no
DNSSEC supported: no
DNS Servers: 172.20.10.1
fe80::1c71:e8cb:d5ec:89ef
For dig, at least, whatever systemd-resolve --status is reporting, is ignored:
$ dig git
; <<>> DiG 9.11.3-1ubuntu1.3-Ubuntu <<>> git
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 55917
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;git. IN A
;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) <<< Not the DNS I want
;; WHEN: Wed Jan 02 15:41:39 PST 2019
;; MSG SIZE rcvd: 32
Related questions that didn't help:
Best Answer
This is not a direct answer to the question (I don't know why /etc/resolv.conf is not properly updated -- but regardless of why, the real problem is that it isn't), but rather a solution to the underlying problem. After trying a LOT of things I read here and elsewhere, this is the only thing that finally worked for me:
In /etc/systemd/resolved.conf, change "yes" to "no" in this line (and uncomment if necessary) so that you end up with:
DNSStubListener=no
I believe what this does is tell the system not to look at /etc/resolv.conf (which in my case was directing it to 127.0.0.53 only -- it did not have the name servers OpenVPN was providing, as the original question mentions) for DNS. My guess is that being disallowed from relying upon /etc/resolv.conf forces it to fall back on the other (correct) DNS settings OpenVPN is providing.
Note that this will not work (at least it didn't for me) while dnsmasq is running, so if you have that installed, stop the service and set it not to run.
Note that this assumes Ubuntu 18.04, and perhaps that other solutions mentioned here and elsewhere are already implemented, including having openvpn-systemd-resolved and resolvconf installed, and including the necessary lines in the .ovpn file:
Although I suspect that this fix renders that all irrelevant since it is getting DNS from somewhere besides /etc/resolv.conf, which I believe is what the update-systemd-resolved scripts are supposed to fix (but don't for some people).
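An added example, not part of the question or the answer above: 127.0.0.53 is the local stub listener of systemd-resolved, so a /etc/resolv.conf that links to stub-resolv.conf always shows that address, and the servers actually used are the per-link ones in `systemd-resolve --status`. The script below classifies the symlink target and reduces the status output to one line per link; the function names `per_link_dns` and `resolv_conf_mode` are hypothetical, and the sample is the per-link part of the output quoted in the question.

```shell
#!/bin/sh
# Added example. Constructed sample: the per-link part of the
# `systemd-resolve --status` output quoted in the question.
SAMPLE_STATUS='Link 4 (tun0)
      Current Scopes: DNS
         DNS Servers: 172.17.0.1
                      8.8.8.8
          DNS Domain: mycompany.com
Link 2 (wlp2s0)
      Current Scopes: DNS
         DNS Servers: 172.20.10.1
                      fe80::1c71:e8cb:d5ec:89ef'

# Read status text on stdin; print "<if> servers=<list> domains=<list>" per link.
per_link_dns() {
  awk '
    function emit() {
      if (ifname != "")
        printf "%s servers=%s domains=%s\n", ifname, servers, domains
    }
    /^Link [0-9]+ \(/ {                    # start of a new link section
      emit(); ifname = $3; gsub(/[()]/, "", ifname)
      servers = ""; domains = ""; key = ""; next
    }
    ifname == "" { next }                  # ignore the Global section
    {
      line = $0; sub(/^[ \t]+/, "", line)
      if (match(line, /^[A-Za-z ]+: /)) {  # "Key: value" line
        key = substr(line, 1, RLENGTH - 2)
        line = substr(line, RLENGTH + 1)
      }                                    # else: continuation of previous key
      if (line == "") next
      if (key == "DNS Servers") { sep = (servers == "" ? "" : ","); servers = servers sep line }
      if (key == "DNS Domain")  { sep = (domains == "" ? "" : ","); domains = domains sep line }
    }
    END { emit() }
  '
}

# Classify a /etc/resolv.conf symlink target (pass the output of readlink).
resolv_conf_mode() {
  case "$1" in
    */systemd/resolve/stub-resolv.conf) echo stub ;;    # lists only 127.0.0.53
    */systemd/resolve/resolv.conf)      echo uplink ;;  # lists the upstream servers
    *)                                  echo other ;;
  esac
}

# Demo on the sample; on a live host: systemd-resolve --status | per_link_dns
printf '%s\n' "$SAMPLE_STATUS" | per_link_dns
resolv_conf_mode "$(readlink /etc/resolv.conf 2>/dev/null)"
```

A result of `stub` together with the expected servers on the `tun0` line means the VPN's DNS settings were applied to systemd-resolved even though /etc/resolv.conf still shows 127.0.0.53.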