# Ubuntu – Since Ubuntu 18, why doesn’t openvpn’s client.ovpn:”dhcp-option DNS xxx.xxx.xxx.xxx” configure /etc/resolv.conf

dnsnetworkingopenvpnresolv.conf

I'm trying to setup an openvpn client with Ubuntu 18. I run these magic steps:

$sudo apt-get install openvpn$ sudo apt-get install openvpn-systemd-resolved
$sudo openvpn --client --config ./client.ovpn Wed Jan 2 16:24:14 2019 OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep 5 2018 Wed Jan 2 16:24:14 2019 library versions: OpenSSL 1.1.0g 2 Nov 2017, LZO 2.08 ... <14>Jan 2 15:58:07 update-systemd-resolved: Link 'tun0' coming up <14>Jan 2 15:58:07 update-systemd-resolved: Adding IPv4 DNS Server 172.17.0.1 <14>Jan 2 15:58:07 update-systemd-resolved: Setting DNS Domain mycompany.com <14>Jan 2 15:58:07 update-systemd-resolved: Adding IPv4 DNS Server 172.17.0.1 <14>Jan 2 15:58:07 update-systemd-resolved: Adding IPv4 DNS Server 8.8.8.8 <14>Jan 2 15:58:07 update-systemd-resolved: Setting DNS Domain mycompany.com <14>Jan 2 15:58:07 update-systemd-resolved: Setting DNS Domain mycompany.com <14>Jan 2 15:58:07 update-systemd-resolved: SetLinkDNS(4 3 2 4 172 17 0 1 2 4 172 17 0 1 2 4 8 8 8 8) <14>Jan 2 15:58:07 update-systemd-resolved: SetLinkDomains(4 1 mycompany.com false) Wed Jan 2 15:58:12 2019 ROUTE remote_host is NOT LOCAL Wed Jan 2 15:58:12 2019 /sbin/ip route add 96.78.182.190/32 via 172.20.10.1 Wed Jan 2 15:58:12 2019 /sbin/ip route add 8.8.8.8/32 metric 101 via 172.27.232.1 Wed Jan 2 15:58:12 2019 /sbin/ip route add 172.27.224.0/20 metric 101 via 172.27.232.1 Wed Jan 2 15:58:12 2019 /sbin/ip route add 172.17.0.0/16 metric 101 via 172.27.232.1 Wed Jan 2 15:58:12 2019 Initialization Sequence Completed  where: $ tail ./client.ovpn  # Recently downloaded from the openvpn server
...   # Appended this magic
script-security 2
dhcp-option DNS 172.17.0.1
dhcp-option DOMAIN mycompany.com
up /etc/openvpn/update-systemd-resolved
down /etc/openvpn/update-systemd-resolved
down-pre


And if I look at:

$ls -la /etc/resolv.conf lrwxrwxrwx 1 root root 39 Nov 21 16:53 /etc/resolv.conf -> ../run/systemd/resolve/stub-resolv.conf$ cat /etc/resolv.conf
nameserver 127.0.0.53     <<< SHOULD BE  172.17.0.1
search mycompany.com


So it seems that the openvpn client didn't configure /etc/resolv.conf as happened with Ubuntu 14. Without this, if I "ping git" or "ping git.mycompany.com" to find our internal git service (or any internal service), I simply git the IP address of cable modem for all ping requests.

If I edit /etc/resolv.conf and replace 127.0.0.53 with 172.17.0.1 as was requested in client.ovpn, then all works fine.

Why doesn't this client.ovpn cause /etc/resolv.conf to be updated in Ubuntu 18?

Curiously, systemd-resolve disagrees with /etc/resolv.conf. What's up with that?

$systemd-resolve --status Global DNSSEC NTA: 10.in-addr.arpa 16.172.in-addr.arpa ... home internal intranet lan local private test Link 4 (tun0) Current Scopes: DNS LLMNR setting: yes MulticastDNS setting: no DNSSEC setting: no DNSSEC supported: no DNS Servers: 172.17.0.1 8.8.8.8 DNS Domain: mycompany.com Link 2 (wlp2s0) Current Scopes: DNS LLMNR setting: yes MulticastDNS setting: no DNSSEC setting: no DNSSEC supported: no DNS Servers: 172.20.10.1 fe80::1c71:e8cb:d5ec:89ef  For dig, at least, whatever systemd-resolve --status is reporting, is ignored: $ dig git

; <<>> DiG 9.11.3-1ubuntu1.3-Ubuntu <<>> git
;; global options: +cmd
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 55917
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;git.               IN  A

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)      <<< Not the DNS I want
;; WHEN: Wed Jan 02 15:41:39 PST 2019
;; MSG SIZE  rcvd: 32


Related questions that didn't help:

This is not a direct answer to the question (I don't know why /etc/resolv.conf is not properly updated -- but regardless of why, the real problem is that it isn't), but rather a solution to the underlying problem. After trying a LOT of things I read here and elsewhere, this is the only thing that finally worked for me:

in /etc/systemd/resolved.conf, change "yes" to "no" in this line (and uncomment if necessary) so that you end up with:

DNSStubListener=no

I believe what this does is tells the system not to look at /etc/resolv.conf (which in my case was directing it to 127.0.0.53 only -- it did not have the name servers OpenVPN was providing, as the original question mentions) for DNS. My guess is that being disallowed from relying upon /etc/resolv.conf forces it to fall back on the other (correct) DNS settings OpenVPN is providing.

Note that this will not work (at least it didn't for me) while dnsmasq is running, so if you have that installed, stop the service and set it not to run

Note that this assumes Ubuntu 18.04, and perhaps that other solutions mentioned here and elsewhere are already implemented, including having openvpn-systemd-resolved and resolvconf installed, and including the necessary lines in the .ovpn file:

script security 2
up /etc/openvpn/update-systemd-resolved
up-restart
down /etc/openvpn/update-systemd-resolved
down-pre


Although I suspect that this fix renders that all irrelevant since it is getting DNS from somewhere besides /etc/resolv.conf, which I believe is what the update-systemd-resolved scripts are supposed to fix (but don't for some people).