89

When I connect to a VPN network through Gnome Network-manager I lose DNS resolution and in practice I cannot access resources inside or outside the VPN network.

When I was using Ubuntu 16.04 and I was using the VPN, the "/etc/resolv.conf" file would contain the DNS servers of the (VPN) network I had connected to. Now it always contains the following entries:

nameserver 127.0.0.53
search myprovider.com

From what I have understood, 127.0.0.53 is the address of the DNS stub used by systemd-resolved.

I suspect that this is a bug because the VPN was working fine on Ubuntu 16.04. Is there any way that I can set the DNS servers of my network when I am using a VPN service?

Update:

I tried connecting to the OpenVPN network with the configuration file attached at the end of the post, but I get the following error:

 Authenticate/Decrypt packet error: cipher final failed

I have verified that the server uses lzo compression and I have enabled it as well. The connection stays active but I cannot navigate to any page inside or outside the VPN.

In the configuration file listed below, I have included the solutions posted in the replies.

 client
 dev tun
 proto udp
 remote openvpn.bibsys.no 1194
 remote my-server-2 1194
 resolv-retry infinite
 nobind
 user myuser
 group myuser
 persist-key
 persist-tun
 ca ca-cert.pem
 cert openvpn.crt
 key openvpn.key
 cipher AES-256-CBC
 comp-lzo yes
 script-security 2
 up /etc/openvpn/scripts/update-systemd-resolved
 down /etc/openvpn/scripts/update-systemd-resolved
 down-pre
orestis
  • 1,408
  • 2
    When debugging a similar problem to this that couldn't be solved exactly the same, I used resolvectl status and resolvectl help to figure out my specific solution. – notbad.jpeg Apr 09 '19 at 00:52

7 Answers

132

Problem

The file /etc/resolv.conf does not get updated by the /etc/openvpn/update-resolv-conf script because resolvconf is not installed by default on Ubuntu 18.04.

In fact, one of the first lines of that script checks for the /sbin/resolvconf executable:

[ -x /sbin/resolvconf ] || exit 0

Installing resolvconf via apt-get is not a solution as the /etc/openvpn/update-resolv-conf script updates the /etc/resolv.conf file with the pushed DNS entry but the tun device seems to ignore it.

Solution

  1. Ubuntu 18.04 uses systemd-resolved, so all you have to do is install the openvpn helper script for systemd-resolved via

    sudo apt install openvpn-systemd-resolved

    or with these GitHub instructions.

  2. Update your config.ovpn file adding these lines:

    script-security 2
    up /etc/openvpn/update-systemd-resolved
    down /etc/openvpn/update-systemd-resolved
    down-pre

    Do this instead of adding the up and down lines for /etc/openvpn/update-resolv-conf to the conf.

  3. To prevent DNS leakage, you should add this line to the end of the config.ovpn file (according to this systemd issue comment):

    dhcp-option DOMAIN-ROUTE .
purplexa
  • 103
  • 1
Qlimax
  • 1,429
  • 1
    Thanks a lot, working for me on Ubuntu 18.04. And I want to specify, that parameter script-security 2 is still needed before up/down lines, otherwise the program falls down with an error (OpenVPN 2.4.4) – lucidyan Jun 08 '18 at 20:51
  • Glad it helped :) Changed the last sentence in the answer; in my case script-security 2 was not necessary. That's perhaps because I'm running the openvpn client as root (with sudo) – Qlimax Jun 12 '18 at 15:54
  • I am running the client as root and I still (also) need to add script-security 2 for this setup to work. BTW, thanks a lot for this tip, @Qlimax. :-) – n1ghtm4n4g3r Jun 16 '18 at 05:50
  • 1
    @Qlimax Do you know how do we import these settings to the gnome openvpn client? – orestis Jun 16 '18 at 21:05
  • 2
    @orestis you have to install this package sudo apt-get install network-manager-openvpn-gnome Then you should be able to import .ovpn config files into the gnome network manager. https://askubuntu.com/questions/187511/how-can-i-use-a-ovpn-file-with-network-manager UI has changed over time, you should be able to find that in settings->network->vpn – Qlimax Jun 18 '18 at 09:06
  • 3
    This should be the accepted answer. – Vanessa Deagan Dec 18 '18 at 00:25
  • 1
    Thanks! The last line for preventing dns leakage is necessary because the systems still uses the default dns. – A. Ahanchi Feb 25 '19 at 01:21
  • 4
    Surprised this works for so many of you: I have an ovpn.config, yes, but NetworkManager does not seem to use it. Did you edit the file and then re-import it, in particular to replace the up/down scripts? Because I see this opaque binary /usr/lib/NetworkManager/nm-openvpn-service-openvpn-helper used for which I could not find documentation. If re-import of ovpn.config is needed, please amend the answer. – Harald May 31 '19 at 06:43
  • this worked for me as well – Milan Maharjan Nov 06 '19 at 16:38
  • 1
    Can't +1 this enough. It really should be the accepted answer – joao Dec 19 '19 at 20:28
  • Didn't work for me at first because my resolv.conf was still looking at my router dns. I made sure the stub was used first (127.0.0.53) on ubuntu 19.10, and it worked. I still can't figure out how to get the stub resolver to do the local then remote resolving by itself, but this is a good workaround for now. – chaz Mar 10 '20 at 03:01
  • Sorry but not worked with me. – Amit Patil May 11 '20 at 12:11
  • Is it expected that this should solve Pritunl problems on Ubuntu 20.04 too? – Zorglub29 Jun 05 '20 at 07:03
  • 1
    Thank you! This is still valid for Ubuntu 20.04.1 LTS. – igorp1024 Aug 21 '20 at 10:31
  • the final line dhcp-option DOMAIN-ROUTE . was critical - my problem wasn't fixed until I added that as well – JonnyRaa Jan 19 '22 at 16:12
  • Best. Answer. On the Internet. Thanks - it took me a while until I found your answer, the part that resolvconf should have been installed. – axel22 Apr 14 '22 at 00:43
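The answer and its comments rest on two conditions: /etc/resolv.conf must point at the systemd-resolved stub, and the VPN link must own the "~." routing domain (what `dhcp-option DOMAIN-ROUTE .` gives it) so that queries for names outside its search domain are not answered by the LAN resolver. The script below is an added example, not code from the answer or from the openvpn-systemd-resolved project; it checks both conditions from constructed sample data shaped like /etc/resolv.conf and `resolvectl status`, so it runs offline.

```shell
#!/bin/sh
# Added example (not from the answer): offline checks for the two conditions
# the systemd-resolved setup above depends on. All sample inputs are constructed.
# Constructed /etc/resolv.conf contents.
RESOLV_STUB='nameserver 127.0.0.53
search myprovider.com'
RESOLV_ROUTER='nameserver 192.168.1.1'

# Constructed dumps in the layout of `resolvectl status`. In OK_STATUS the VPN
# link owns the "~." routing domain (what `dhcp-option DOMAIN-ROUTE .` pushes);
# in LEAK_STATUS it only owns its search domain, so other names go to the LAN.
OK_STATUS='Link 5 (tun0)
      Current Scopes: DNS
         DNS Servers: 10.8.0.1
          DNS Domain: ~.
Link 2 (wlp2s0)
      Current Scopes: DNS
         DNS Servers: 192.168.1.1
          DNS Domain: myprovider.com'
LEAK_STATUS='Link 5 (tun0)
      Current Scopes: DNS
         DNS Servers: 10.8.0.1
          DNS Domain: example.internal
Link 2 (wlp2s0)
      Current Scopes: none'

# resolv_uses_stub < resolv.conf: succeeds when the first nameserver is the
# systemd-resolved stub 127.0.0.53, the state the helper script relies on.
resolv_uses_stub() {
    awk '/^nameserver/ && !seen { seen = 1; stub = ($2 == "127.0.0.53") }
         END { if (stub) exit 0; exit 1 }'
}

# vpn_dns_check LINK < status: prints ok, no-dns, no-default-route or no-link.
vpn_dns_check() {
    awk -v link="$1" '
        /^Link [0-9]+ \(/ { inlink = ($0 ~ ("\\(" link "\\)")); if (inlink) found = 1; next }
        inlink && /DNS Servers:/ { servers = 1 }
        inlink && /DNS Domain:/ && /(^| )~\.( |$)/ { route = 1 }
        END {
            if (!found) print "no-link"
            else if (!servers) print "no-dns"
            else if (!route) print "no-default-route"
            else print "ok"
        }'
}

printf '%s\n' "$OK_STATUS"   | vpn_dns_check tun0    # ok
printf '%s\n' "$LEAK_STATUS" | vpn_dns_check tun0    # no-default-route
```

On a live system, feed the functions `cat /etc/resolv.conf` and `resolvectl status` instead of the constructed variables.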
49

I found a solution on this blog post. While there are two solutions mentioned, I prefer using the second one because it means my DNS is set by the OpenVPN server (the first solution means I use the same DNS servers whether or not I'm connected to the OpenVPN server).

In short:

  • sudo mkdir -p /etc/openvpn/scripts
  • sudo wget https://raw.githubusercontent.com/jonathanio/update-systemd-resolved/master/update-systemd-resolved -P /etc/openvpn/scripts/
  • sudo chmod +x /etc/openvpn/scripts/update-systemd-resolved

Then edit your OpenVPN client file (e.g. client.ovpn) by changing the up/down scripts to:

script-security 2
# up /etc/openvpn/update-resolv-conf
# down /etc/openvpn/update-resolv-conf
up /etc/openvpn/scripts/update-systemd-resolved
down /etc/openvpn/scripts/update-systemd-resolved

(I have commented out the original up/down settings).

Andy Turfer
  • 1,658
  • If one is using the gnome openvpn utility where should the file config.ovpn be stored? – orestis May 17 '18 at 12:19
  • 2
    config.ovpn isn't "found" - it's the client config file used for connecting. You either generate it, or it is issued to you by your OpenVPN provider (and it might not be called config.ovpn - it could be called anything, like client.ovpn). – Andy Turfer May 26 '18 at 19:30
  • This works just perfectly. – Ahasanul Haque Jan 16 '19 at 09:36
  • 2
    I get WARNING: Failed running command (--up/--down): external program fork failed – blockhead May 07 '19 at 13:38
  • Unfortunately this didn’t work for a vpn which is using tcp, sites outside vpn are not resolved, hence I started using https://client.pritunl.com/#install found useful – Sai Surya Kattamuri Oct 02 '19 at 16:31
  • Without down-pre in the end of .ovpn file, you would get nasty warnings at stop update-systemd-resolved: Invalid device name: 'tun0'. Usage: update-systemd-resolved up|down device_name. WARNING: Failed running command (--up/--down): external program exited with error status: 1 Exiting due to fatal error – lucidyan Oct 29 '19 at 18:48
  • This did not work for me either. Am having the exact same issue. – Mnemosyne Dec 20 '19 at 14:34
  • My client.ovpn file doesn't have up and down lines, can I just add them? – Falc Jan 23 '20 at 16:34
  • @Falc Yes, you can. – Andy Turfer Apr 26 '20 at 09:57
  • Adding the script-security 2 and (up/down) /etc/openvpn/update-resolv-conf lines fixed it for me. – Shayan Jun 14 '20 at 09:41
  • as of 2021-10, there's also the package "openvpn-systemd-resolved" as part of standard repositories, instead of referring to some githubusercontent URL. – foo Oct 20 '21 at 16:56
7

Actually, there is a much easier solution to this problem. The issue is with DNS traffic and how Ubuntu 18 manages that. By default IP forwarding is disabled which is what OpenVPN needs in order to provide proper networking. All you have to do is run the following command:

sudo nano /etc/sysctl.conf

Once you have this file opened, look for the line that contains net.ipv4.ip_forward. If this line is commented, remove the # sign at the front of the line (if it is not commented then you have another issue). Save the file and then restart your OpenVPN server instance.

This fix does not require any modifications to the client or OpenVPN code following upgrade to Ubuntu 18. Tested and confirmed working.

However, this obviously requires you can administer the server. And unfortunately, the bug exists for many who just connect with 18.04 to an OpenVPN server that is administered by somebody else...

Max
  • 95
  • 1
    didn't work for me. how did you determine that this was the problem, in your case? – hwjp Nov 27 '18 at 12:13
  • 6
    WARNING: you do not need to enable ip_forward on the openvpn client, NEVER! it is a security risk. On the openvpn server, you may need it, depending on the config used and this is probably why this comment shows up. – higuita May 22 '19 at 16:48
  • This was it for me. Weird issue. Thanks. – Kevin C Nov 20 '19 at 16:40
  • this seems to work for me ! Thanks. I tested so many different fixes... – Karl Forner Dec 18 '19 at 09:41
4

Tested on Ubuntu 18.04 on 13 Sep 2018

There is another useful command to set up what you need via the command line. You can control your VPN connection both with the command line and the GUI.

sudo nmcli connection add type vpn vpn-type openvpn con-name la.vpn.contoso.com ifname --

ifname -- is required by default, but does not affect anything.

sudo nmcli connection modify la.vpn.contoso.com ipv4.dns 172.16.27.1
sudo nmcli connection modify la.vpn.contoso.com ipv4.dns-search int.contoso.com
sudo nmcli connection modify la.vpn.contoso.com ipv4.never-default yes

never-default: do not use the remote gateway as the default route.

And a much more interesting final touch:

nmcli connection modify la.vpn.contoso.com vpn.data 'ca = /tmp/la.vpn.contoso.com/you/ca.crt, key = /tmp/you.key, dev = tun, cert = /tmp/you.crt, cert-pass-flags = 1, comp-lzo = adaptive, remote = la.vpn.contoso.com:1194, connection-type = tls'

Afterwards you can control the VPN with the GUI or use the following commands:

sudo nmcli --ask connection up la.vpn.contoso.com
sudo nmcli connection down la.vpn.contoso.com
Matthieu
  • 476
vskubriev
  • 905
  • 7
  • 14
3

If your system is using NetworkManager, then you may only need to change the connection's DNS priority, as per this answer:

nmcli -p connection modify VPN_CONNECTION_NAME ipv4.dns-priority -1

In my case, the DNS was being updated, but ignored as the existing DNS servers had precedence. You may need root/sudo. If that doesn't work, try ipv6.dns-priority.

Walf
  • 398
1

I'm impacted too. In my case, I'm using OpenVPN with an internal name server (which is inside the VPN). That worked until Ubuntu 17.10 (with hosts: files dns in /etc/nsswitch.conf).

/etc/resolv.conf was updated correctly by the openvpn scripts (through calls to /etc/openvpn/update-resolv-conf in the openvpn client configuration file).

However, name resolution for hosts inside the VPN was not working any more (or at least sporadically... I guess the local DNS cache was picking the names, but after a rather long time).

What seems to help, or even resolve the issue (though it's too early to say), is to install the package below:

sudo apt install openvpn-systemd-resolved
Matthieu
  • 476
0

None of the proposed CLI-oriented (non-NetworkManager) solutions worked for me (I don't even have up and down lines in myconfig.ovpn).

However, I've found that NetworkManager VPN seems to work again (it did not work a year or two ago, which is why I switched to openvpn CLI then). I did not tweak it in any way: just tried to activate it with the appropriate credentials.