Ubuntu – DNS Routing Fails for VPN Connections on Ubuntu 16.04 Out-of-the-Box


I would like to report some odd behavior, and my solution. I am left extremely unsatisfied as it relies on custom scripts and non-standard packages. I would like the community's help in figuring out a better fix for this.


I heavily rely on OpenVPN for all of my servers. After upgrading to Ubuntu 16.04.1 from 14.04.5, I stopped being able to access any websites and most services.

My OpenVPN servers continued to tunnel traffic just fine for Mac OS X, Windows, and Ubuntu 12.04/14.04 clients.

System Details

My out-of-the-box resolv.conf file looked like:


My routes indicated that I was routing through a router at and was assigned the dynamic IP address of Shown by the commands:

ip r
ip a

My traffic would function normally (internet, XMCP, IRC, etc…) until I connected to my OpenVPN Server via the terminal with the command

sudo openvpn ~/client.ovpn

Once connected, it will immediately stop all traffic.

A new adapter (tun0) was created for this connection. Shown by the command:

ip a

Connecting with Wireshark revealed dozens of DNS calls aimed at my original DNS servers, even though the configuration was set to tunnel all traffic through my OpenVPN servers.

My Solution

After a full week of reading many dozens of bug-reports, blog posts, and tutorials, I still had no success. But, this is a DNS issue and DNS is managed by resolv.

Finally, I stumbled upon this GitHub library and my problem was resolved.


To implement these scripts, I cloned the repo into my home directory with:

git clone https://github.com/masterkorp/openvpn-update-resolv-conf.git

I copied those scripts to /etc/openvpn with:

sudo chmod +x *.sh && sudo mv *.sh /etc/openvpn

Next, I installed openresolv, nscd, and unbound with:

sudo apt-get install openresolv nscd unbound

Then, I edited my OpenVPN Client Configuration file (*.ovpn or *.conf) and appended the following lines at the end of the configuration directives, but before the "ca" tag (your inline certs, if any):

script-security 2
up "/etc/openvpn/update-resolv-conf.sh /etc/openvpn/update-systemd-network.sh"
down "/etc/openvpn/update-resolv-conf.sh /etc/openvpn/update-systemd-network.sh"

This allowed me to connect successfully to the VPN and tunnel my traffic.

My resolv.conf file now looks like:

# Generated by resolvconf

Discussion and Need for Better Solution

It appears to me that Ubuntu's DNS records are not being properly updated. The purpose of the above code and the new entries is to rewrite a malfunctioning update process of the internal DNS server records. I have read some bug reports on Launchpad that suggest that 16.04 relies on some old network management update code that was written and working in 14.04, and was never properly migrated to the new 16.04 framework.

There must be a better way of handling this process. I don't like the idea that I need to use custom scripts to patch problematic OS behavior.

Does anyone have any insight into this?

Best Answer

Set your DNS servers in /etc/resolv.conf then try this in the terminal as root:

chattr +i /etc/resolv.conf

Then reboot.
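
To confirm that either fix above actually stops the leak seen in Wireshark, compare each resolver in resolv.conf against the route the kernel would use for it. This is an added example, not part of the original post, the answer, or the linked repository; the script name dns-leak-check.sh is hypothetical, and the interface name tun0 is taken from the question.

```shell
#!/bin/sh
# Added example: list resolv.conf nameservers that are not routed via the VPN.

# Print the nameserver addresses from a resolv.conf-format file.
nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Ask the kernel which route a packet to ADDR would take (needs iproute2).
lookup_route() {
    ip -o route get "$1" 2>/dev/null
}

# Pull the outgoing interface out of one line of `ip -o route get` output.
route_dev() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# leaking_nameservers RESOLV_FILE TUN_DEV
# Prints one line per nameserver that does not leave through TUN_DEV and
# returns 1 if any were found, 0 otherwise.
leaking_nameservers() {
    leaks=0
    for ns in $(nameservers "$1"); do
        dev=$(route_dev "$(lookup_route "$ns")")
        case "$dev" in
            "$2") ;;  # routed through the tunnel
            lo)   # a local cache/forwarder: routing cannot vouch for it
                echo "$ns via lo (local resolver, check its upstream servers)"
                leaks=1 ;;
            *)
                echo "$ns via ${dev:-unknown}"
                leaks=1 ;;
        esac
    done
    return "$leaks"
}

# Live use: sh dns-leak-check.sh /etc/resolv.conf tun0
if [ "$#" -eq 2 ]; then
    leaking_nameservers "$1" "$2" && echo "all nameservers route via $2"
fi
```

Run it while the VPN is connected. It only covers resolvers named in resolv.conf, so a loopback entry is reported for manual review of whatever that local resolver forwards to.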