Problem with DNS with OpenVPN on Ubuntu 20.04
Solution 1
It seems that the main problem is with systemd-resolve, as described here: https://github.com/systemd/systemd/issues/6076
A really great article, which I took as a starting point, is here: https://www.gabriel.urdhr.fr/2020/03/17/systemd-revolved-dns-configuration-for-vpn/
A small workaround that worked for me is to run this after every connection to the VPN. Basically, it sets the DNS manually:
sudo resolvectl dns tun0 10.0.9.2 # Replace with IP of your DNS server
# All internal services are like git.int.mycompany.com or ldap.int.mycompany.com
# You can try to set up "~mycompany.com", worked for me as well
sudo resolvectl domain tun0 "~int.mycompany.com"
How to automate it
With NetworkManager:
If you use NetworkManager (pictures of the Manager are available here), you can automate this with scripts in /etc/NetworkManager/dispatcher.d/. Create a custom script, name it 02-ifupdown, set chmod +x on it and paste:
#!/bin/sh
# NetworkManager dispatcher script: $1 is the interface, $2 is the action.
EXPECTED_VPN_NAME="MyCompany VPN" # Put your VPN name here
# Name of the currently active connection whose type is "vpn"
VPN_CONN_NAME=$(nmcli --get-values name,type con show --active | grep ':vpn$' | sed 's/:vpn$//')
if [ "$2" = "vpn-up" ] && [ "$EXPECTED_VPN_NAME" = "$VPN_CONN_NAME" ]; then
    resolvectl dns tun0 10.0.9.2 # Replace with IP of your DNS server
    resolvectl domain tun0 "~int.mycompany.com"
fi
With CLI:
Create your custom script, set chmod +x on it and paste this into your OpenVPN client config:
script-security 2
up /path/to/my/script
Solution 2
Try installing these packages:
sudo apt install resolvconf openvpn-systemd-resolved
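The "With CLI" variant of Solution 1 amounts to an OpenVPN up/down script. The following is an added example of such a script, not the answer's own script and not the openvpn-systemd-resolved package from Solution 2. It assumes the environment OpenVPN documents in openvpn(8) for scripts: dev (the tunnel interface), script_type ("up" or "down") and foreign_option_1..N (the pushed "dhcp-option ..." values). The install path /etc/openvpn/resolved-up-down, the interface name tun0 and the sample values 10.0.9.2 and int.mycompany.com are assumptions. The rendering function only prints the resolvectl commands it would run, so it can be checked without root or a live tunnel.

```sh
#!/bin/sh
# Added example: OpenVPN up/down script for systemd-resolved (not the
# answer's script, not the openvpn-systemd-resolved package).
# Assumed OpenVPN environment (openvpn(8)): $dev is the tunnel interface,
# $script_type is "up" or "down", foreign_option_1..N carry pushed
# "dhcp-option DNS <ip>" / "dhcp-option DOMAIN <name>" values.
# Install path, interface and sample values are assumptions.
#
# Client config (assumed path):
#   script-security 2
#   up   /etc/openvpn/resolved-up-down
#   down /etc/openvpn/resolved-up-down
set -u

# Values are pushed by the VPN server, so they are treated as untrusted
# input and allow-listed before being handed to resolvectl.
valid_ip()     { printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$|^[0-9A-Fa-f:]+$'; }
valid_domain() { printf '%s' "$1" | grep -Eq '^[A-Za-z0-9.-]+$'; }

# render_resolvectl_commands IFACE
# Reads foreign_option_N from the environment and prints the resolvectl
# commands that would apply them, one per line, without executing anything.
render_resolvectl_commands() {
    iface=$1
    servers=""
    domains=""
    i=1
    while :; do
        eval "opt=\${foreign_option_$i:-}"   # only the number $i is interpolated
        [ -n "$opt" ] || break
        case "$opt" in
            "dhcp-option DNS "*)
                v=${opt#dhcp-option DNS }
                if valid_ip "$v"; then servers="$servers $v"; fi ;;
            "dhcp-option DOMAIN-ROUTE "*)          # routing-only domain ("~")
                v=${opt#dhcp-option DOMAIN-ROUTE }
                if valid_domain "$v"; then domains="$domains ~$v"; fi ;;
            "dhcp-option DOMAIN "*)                # search + routing domain
                v=${opt#dhcp-option DOMAIN }
                if valid_domain "$v"; then domains="$domains $v"; fi ;;
        esac
        i=$((i + 1))
    done
    if [ -n "$servers" ]; then echo "resolvectl dns $iface$servers"; fi
    if [ -n "$domains" ]; then
        echo "resolvectl domain $iface$domains"
        # Keep the VPN resolver off the default route: only names under the
        # pushed domains are sent to it, everything else stays where it was.
        echo "resolvectl default-route $iface no"
    fi
    return 0
}

apply_up()   { render_resolvectl_commands "$1" | while IFS= read -r cmd; do $cmd; done; }
apply_down() { resolvectl revert "$1"; }

# Only act when invoked by OpenVPN (it sets dev and script_type).
if [ -n "${dev:-}" ] && [ -n "${script_type:-}" ]; then
    case "$script_type" in
        up)   apply_up "$dev" ;;
        down) apply_down "$dev" ;;
    esac
fi
```

Two points worth keeping in mind when using something like this. First, script-security 2 tells OpenVPN to execute user-defined scripts, so the file should be owned by root and not writable by anyone else, and the pushed values are validated before they reach resolvectl because they come from the server. Second, a routing-only domain (the "~" form the answer uses) together with default-route set to no means only names under int.mycompany.com are sent to the VPN resolver, so the VPN does not see your other DNS traffic and your normal resolver does not see the internal names; the down hook undoes all of it with resolvectl revert.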
Comments
- Arxeiss (over 1 year ago): I have installed the OpenVPN server and the Bind9 DNS server on the company server. Part of the server config is below. The important part is pushing the route and the DHCP DNS option.
local 10.0.9.2
port 1194
proto udp
dev tun
topology subnet
server 10.0.12.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.0.9.0 255.255.255.0"
push "dhcp-option DNS 10.0.9.2"
When connecting on Windows or Elementary OS, everything works great. Only traffic to the server goes through the VPN; the rest does not. If the client is forcing all traffic through the VPN, internet access works too. In both cases, when trying to access git.internal.mycompany.org, it gets DNS records from my Bind9 DNS server and connects correctly. But this does not work in Ubuntu. When passing the whole traffic through the VPN, a record from DNS is taken. But when only server traffic goes through the VPN, then DNS is not reached and I cannot access the git server via URL. When reaching it via IP, it works.
I also tried adding this to the client config:
script-security 2
up /etc/openvpn/update-systemd-resolved
down /etc/openvpn/update-systemd-resolved
But this does not help. Maybe because when I try to run the script directly, I get an error:
/etc/openvpn/update-systemd-resolved: line 404: dev: unbound variable
I don't know how to fix this. I tried to search here on AskUbuntu and elsewhere, but most suggest adding up and down to the config, which does not work for me. It is a problem because most of my colleagues are using Ubuntu. Only a few computers are using Windows or other Linux distros.
Update with applied changes
When I applied the changes from @heynnema, here is what is printed in the console when connecting via terminal: https://pastebin.com/DkjHguqE. After that, ping git.internal.mycompany.org doesn't work. Other facts I found:
- When I added redirect-gateway def1 bypass-dhcp into the config, then my public IP is the IP of the server, but I still cannot ping the URL above.
- When I imported the config into the UI of Ubuntu as mentioned in https://askubuntu.com/a/1188022/972420, ping works until I uncheck "Use this connection only for traffic within this network".
- Arxeiss (almost 4 years ago): It seems like a problem with systemd: github.com/systemd/systemd/issues/6076
- Arxeiss (almost 4 years ago): Thank you for reaching out. But this does not work either. I visited several other topics here and nothing helped. I also tried downloading VirtualBox with a fresh installation of Ubuntu 20.04, configured OpenVPN, and this does not work either.
- Arxeiss (almost 4 years ago): And I tried to use the GUI in Ubuntu and imported the OVPN file. Even when I wrote my DNS IP directly into that GUI, it does not work.
- Arxeiss (almost 4 years ago): Some changes and updates have been added to my original post.
- Boris Hamanov (almost 4 years ago): @Arxeiss It's over my head then. Sorry.
- Arxeiss (almost 4 years ago): I think this must be a bug or something, because I can find similar questions but without any working response. Thank you for trying.
- Admin (almost 2 years ago): This is the solution that worked for me.