I would like to report some odd behavior, and my solution. I am left extremely unsatisfied as it relies on custom scripts and non-standard packages. I would like the community's help in figuring out a better fix for this.
I heavily rely on OpenVPN for all of my servers. After upgrading to Ubuntu 16.04.1 from 14.04.5, I stopped being able to access any websites and most services.
My OpenVPN servers continued to tunnel traffic just fine for Mac OS X, Windows, and Ubuntu 12.04/14.04 clients.
My out-of-the-box resolv.conf file looked like:
nameserver 18.104.22.168
nameserver 22.214.171.124
My routes indicated that I was routing through a router at 192.168.0.1 and was assigned the dynamic IP address of 192.168.0.3. Shown by the commands:
ip r
ip a
My traffic would function normally (internet, XMPP, IRC, etc.) until I connected to my OpenVPN server via the terminal with the command:
sudo openvpn ~/client.ovpn
Once connected, it would immediately stop all traffic.
A new adapter (tun0) was created for this connection. Shown by the command:
Connecting with Wireshark revealed dozens of DNS calls aimed at my original DNS servers, even though the configuration was set to tunnel all traffic through my OpenVPN servers.
After a full week of reading many dozens of bug-reports, blog posts, and tutorials, I still had no success. But, this is a DNS issue and DNS is managed by resolv.
Finally, I stumbled upon this GitHub library and my problem was resolved.
To implement these scripts, I cloned the repo into my home directory with:
git clone https://github.com/masterkorp/openvpn-update-resolv-conf.git
I copied those scripts to /etc/openvpn with:
sudo chmod +x *.sh && sudo mv *.sh /etc/openvpn
Next, I installed openresolv, nscd, and unbound with:
sudo apt-get install openresolv nscd unbound
Then, I edited my OpenVPN Client Configuration file (*.ovpn or *.conf) and appended the following lines at the end of the configuration directives, but before the "ca" tag (your inline certs, if any):
script-security 2
up "/etc/openvpn/update-resolv-conf.sh /etc/openvpn/update-systemd-network.sh"
down "/etc/openvpn/update-resolv-conf.sh /etc/openvpn/update-systemd-network.sh"
This allowed me to connect successfully to the VPN and tunnel my traffic.
My resolv.conf file now looks like:
# Generated by resolvconf
nameserver 127.0.0.1
nameserver 127.0.1.1
Discussion and Need for Better Solution
It appears to me that Ubuntu's DNS records are not being properly updated. The purpose of the above code and the new entries is to rewrite a malfunctioning update process of the internal DNS server records. I have read some bug reports on Launchpad that suggest that 16.04 relies on some old network management update code that was written and working in 14.04, and was never properly migrated to the new 16.04 framework.
There must be a better way of handling this process. I don't like the idea that I need to use custom scripts to patch problematic OS behavior.
Anyone have any insight in this?
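To make the mechanism behind the workaround above concrete, here is an added, self-contained example of what an OpenVPN up/down hook of this kind does. It is not the openvpn-update-resolv-conf script from the post, nor anything shipped by OpenVPN or Ubuntu; the path /etc/openvpn/dns-hook.sh and the interface name suffix ".openvpn" are assumptions. OpenVPN runs the script named by `up` and `down` with `script_type`, `dev` and the server-pushed `foreign_option_N` variables in the environment; the hook turns the `dhcp-option DNS` / `dhcp-option DOMAIN` values into a resolv.conf fragment and hands it to openresolv with `resolvconf -a`, then removes it again with `resolvconf -d` on `down`. Because every value it parses is chosen by the remote VPN server, it only accepts dotted-quad nameservers and drops anything else.

```shell
#!/bin/sh
# Added example hook (assumed to live at /etc/openvpn/dns-hook.sh), not the
# script from the post. Reference it from the client config, which needs
# "script-security 2" for OpenVPN to execute external scripts:
#   script-security 2
#   up   /etc/openvpn/dns-hook.sh
#   down /etc/openvpn/dns-hook.sh

# Accept only dotted-quad IPv4 literals: the pushed value is attacker-controlled
# from the client's point of view (it comes from the VPN server), so it must not
# be passed on to resolvconf or a shell unchecked.
is_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Walk OpenVPN's foreign_option_1, foreign_option_2, ... variables and print a
# resolv.conf fragment (nameserver/search lines) on stdout. Returns 1 when the
# server pushed no usable DNS server, so the caller can leave DNS untouched.
build_resolv_fragment() {
    i=1
    ns=""
    domains=""
    while :; do
        # Only the variable *name* is built dynamically; its value is never
        # re-parsed by the shell, so a hostile option string cannot run code.
        eval "opt=\${foreign_option_$i:-}"
        [ -n "$opt" ] || break
        case "$opt" in
            "dhcp-option DNS "*)
                val=${opt#dhcp-option DNS }
                if is_ipv4 "$val"; then
                    ns="$ns $val"
                else
                    echo "dns-hook: ignoring non-IPv4 DNS option '$val'" >&2
                fi
                ;;
            "dhcp-option DOMAIN "*)
                domains="$domains ${opt#dhcp-option DOMAIN }"
                ;;
        esac
        i=$((i + 1))
    done
    [ -n "$ns" ] || return 1
    for n in $ns; do
        printf 'nameserver %s\n' "$n"
    done
    [ -z "$domains" ] || printf 'search%s\n' "$domains"
}

# Entry point used by OpenVPN: register the fragment for the tunnel interface on
# "up" and drop it on "down", so the pre-VPN resolvers come back automatically.
apply() {
    case "${script_type:-}" in
        up)
            if frag=$(build_resolv_fragment); then
                printf '%s\n' "$frag" | resolvconf -a "${dev}.openvpn"
            else
                echo "dns-hook: server pushed no DNS servers, leaving resolv.conf alone" >&2
            fi
            ;;
        down)
            resolvconf -d "${dev}.openvpn"
            ;;
    esac
}

# Only act when actually invoked by OpenVPN (script_type is set); this keeps the
# functions sourceable for testing.
if [ -n "${script_type:-}" ]; then
    apply
fi
```

A quick way to check what the hook would do before pointing OpenVPN at it is to export a few `foreign_option_N` values by hand, source the file, and call `build_resolv_fragment`; the `resolvconf -a` / `-d` calls are only reached through `apply`, which runs solely when `script_type` is present.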