Ubuntu – Default DNS Server not switched after connecting to OpenVPN

Tags: 18.04, dns, openvpn, server, systemd-resolved

I'm using an OpenVPN connection between my laptop and my server. The configuration was working until today (I simply ran apt update && apt upgrade), but since then my DNS settings are "wrong" after connecting to the OpenVPN.

After connecting to the OpenVPN server, I have two "catch all" DNS Domain entries (DNS Domain: ~.) in my systemd-resolve configuration.

Stripped output of systemd-resolve --status:

Link 11 (tun0)
      Current Scopes: DNS
       LLMNR setting: yes
MulticastDNS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
         DNS Servers: 192.168.X.Y
          DNS Domain: ~.

Link 2 (enp0s25)
      Current Scopes: DNS
       LLMNR setting: yes
MulticastDNS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
         DNS Servers: 10.16.X.Y
                      10.16.X.Y
          DNS Domain: ~.

Therefore DNS queries now aren't safely tunneled through the VPN but may also be transferred via the normal network.

This leads to a DNS leak and, even worse, VPN-internal hostnames aren't resolved correctly (every now and then).

I only know of options to add the DNS Domain: ~. entry to the tun0 interface for resolved. But how do I remove an already existing one from the real interface?

I'm already using this config to update systemd-resolved in my OpenVPN client.conf:

# Update systemd-resolved
up /etc/openvpn/update-systemd-resolved
down /etc/openvpn/update-systemd-resolved
down-pre
dhcp-option DOMAIN-ROUTE .

Anybody got an idea how to solve this?

// Update:
Looks like this is a long-known problem with NetworkManager starting to attach the root DNS Domain to links at random. There is an interesting discussion about it in a GitHub issue in the repo of the developer of the update-systemd-resolved script.

// Probably this commit to NetworkManager broke it, since it introduced the "default DNS route for all interfaces" behavior.
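As an added example (not part of the question or of any answer), here is a small Python script that parses the systemd-resolve --status output quoted above and reports every link that carries the ~. catch-all route. Any link other than the VPN tunnel that has ~. is a candidate for the leak described in the question. The sample status text is constructed to mirror the stripped output above, and the addresses in it are placeholders; the parser understands the "Link N (name)" / "Key: value" layout with indented continuation lines for extra DNS servers.

```python
import re
import sys

# Constructed sample modelled on the stripped output in the question.
# Addresses are placeholders, not real hosts.
SAMPLE_STATUS = """\
Link 11 (tun0)
      Current Scopes: DNS
       LLMNR setting: yes
MulticastDNS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
         DNS Servers: 192.168.100.1
          DNS Domain: ~.

Link 2 (enp0s25)
      Current Scopes: DNS
       LLMNR setting: yes
MulticastDNS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
         DNS Servers: 10.16.0.1
                      10.16.0.2
          DNS Domain: ~.
"""

LINK_RE = re.compile(r"^Link \d+ \((?P<name>[^)]+)\)\s*$")
# A field line has a key of letters/spaces followed by a colon; a bare
# indented value (including IPv6 addresses, which contain no letters-only
# prefix before a colon) does not match and is treated as a continuation.
FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")


def parse_status(text):
    """Return {link_name: {"servers": [...], "domains": [...]}}."""
    links = {}
    current = None   # name of the link block being read
    field = None     # which list continuation lines belong to
    for line in text.splitlines():
        if not line.strip():
            field = None
            continue
        m = LINK_RE.match(line)
        if m:
            current = m.group("name")
            links[current] = {"servers": [], "domains": []}
            field = None
            continue
        if current is None:
            continue  # e.g. the Global section: not a link
        m = FIELD_RE.match(line)
        if m:
            key, val = m.group("key").strip(), m.group("val").strip()
            if key == "DNS Servers":
                field = "servers"
            elif key == "DNS Domain":
                field = "domains"
            else:
                field = None
                continue
            if val:
                links[current][field].append(val)
        elif field:
            # Indented continuation: another server or domain for the same key.
            links[current][field].append(line.strip())
    return links


def catch_all_links(links):
    """Names of links whose DNS Domain list contains the ~. catch-all route."""
    return [name for name, info in links.items() if "~." in info["domains"]]


def dns_leak_candidates(links, vpn_prefixes=("tun", "tap")):
    """Catch-all links that are not the VPN tunnel: queries may bypass the VPN."""
    return [n for n in catch_all_links(links) if not n.startswith(vpn_prefixes)]


if __name__ == "__main__":
    # Usage: systemd-resolve --status | python3 check_dns_route.py
    # With no piped input the constructed sample is used.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STATUS
    links = parse_status(text)
    for name, info in links.items():
        print(f"{name}: servers={info['servers']} domains={info['domains']}")
    leaks = dns_leak_candidates(links)
    print("non-VPN links with ~. route:", leaks or "none")
```

On the sample the script lists both tun0 and enp0s25 as carrying ~. and flags enp0s25, which is exactly the state the question describes; after a correct setup only the tunnel interface should be reported. On systemd releases that ship resolvectl, the output of resolvectl status uses the same "Link N (name)" layout and can be piped in the same way.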

Best Answer

  • Add the following line to the client configuration file (the file with extension .ovpn) downloaded from the OpenVPN server:

    dhcp-option DOMAIN-ROUTE .
    

    As you know, before adding this line, in Ubuntu 18.04 you must install update-systemd-resolved scripts as described in https://github.com/jonathanio/update-systemd-resolved

    If it still does not work, perhaps you must add your internal DNS server too. Check that the lines you add at the end of the .ovpn file look like:

    script-security 2
    dhcp-option DNS 10.1.0.1  # replace this IP with your DNS server IP.
    dhcp-option DOMAIN yourinternaldomain.local  # replace this with your internal domain name.
    dhcp-option DOMAIN-ROUTE .
    up /etc/openvpn/update-systemd-resolved
    down /etc/openvpn/update-systemd-resolved
    down-pre
    

    If you use the UI (gnome) to connect

    Last, if you are using the UI VPN Icons to connect to your VPN, you must re-import the .ovpn modified file.

    To do that execute in a terminal:

    sudo apt install openvpn openvpn-systemd-resolved resolvconf
    sudo apt install network-manager-openvpn network-manager-openvpn-gnome
    

    Click in Ubuntu start menu:

    Ubuntu Menu

    Type the word "network" and click on Network. It should show something like:

    Network setup

    Click on the "+" sign on VPN and click on the "import from file" option:

    import ovpn file

    Once imported, add a name and click the "add" button at the top right of the dialog.

    You are all set!


    To connect to the VPN, click on the network icon and after that on the lock icon.