Ubuntu 18.04 no DNS resolution when connected to OpenVPN

Solution 1

I found a solution on this blog post. While there are two solutions mentioned, I prefer using the second one because it means my DNS is set by the OpenVPN server (the first solution means I use the same DNS servers whether or not I'm connected to the OpenVPN server).

In short:

  • sudo mkdir -p /etc/openvpn/scripts
  • sudo wget https://raw.githubusercontent.com/jonathanio/update-systemd-resolved/master/update-systemd-resolved -P /etc/openvpn/scripts/
  • sudo chmod +x /etc/openvpn/scripts/update-systemd-resolved

Then edit your OpenVPN client file (e.g. client.ovpn) by changing the up/down scripts to:

script-security 2
# up /etc/openvpn/update-resolv-conf
# down /etc/openvpn/update-resolv-conf
up /etc/openvpn/scripts/update-systemd-resolved
down /etc/openvpn/scripts/update-systemd-resolved

(I have commented out the original up/down settings).

Solution 2

Problem

The file /etc/resolv.conf does not get updated by the /etc/openvpn/update-resolv-conf script because resolvconf is not installed by default on Ubuntu 18.04.

In fact, one of the first lines of that script checks for the /sbin/resolvconf executable:

[ -x /sbin/resolvconf ] || exit 0

Installing resolvconf via apt-get is not a solution as the /etc/openvpn/update-resolv-conf script updates the /etc/resolv.conf file with the pushed DNS entry but the tun device seems to ignore it.

Solution

  1. Ubuntu 18.04 uses systemd-resolved, so all you have to do is install the openvpn helper script for systemd-resolved via

    sudo apt install openvpn-systemd-resolved
    

    or with these GitHub instructions

  2. Update your config.ovpn file adding these lines:

    script-security 2
    up /etc/openvpn/update-systemd-resolved
    down /etc/openvpn/update-systemd-resolved
    down-pre
    

    Use these instead of adding up and down lines for /etc/openvpn/update-resolv-conf to the conf.

  3. To prevent DNS Leakage, you should add this line to the end of the config.ovpn file (according to this systemd issue comment):

    dhcp-option DOMAIN-ROUTE .
    

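To check that the pieces above are actually in place, here is an added example; it is not code from the answers or from the update-systemd-resolved project. It does two things: it scans a client .ovpn for the five directives Solutions 1 and 2 rely on (warning if the old update-resolv-conf hook is still active, since that script exits silently when /sbin/resolvconf is missing), and it parses saved `resolvectl status` output (on 18.04 the same Link blocks come from `systemd-resolve --status`) to confirm that the tun interface carries the `~.` routing domain, which is what `dhcp-option DOMAIN-ROUTE .` is meant to produce. The .ovpn files and the status output it feeds itself are constructed samples; paths, interface names, addresses and domains are placeholders.

```shell
#!/bin/sh
# Added example (not code from the answers or from update-systemd-resolved):
# two offline checks for the setup in Solutions 1 and 2.
#   check_ovpn_dns_config FILE        does the client .ovpn carry every
#                                     directive the setup needs?
#   tun_is_dns_default_route FILE IF  does saved `resolvectl status` output
#                                     list "~." (route every lookup here) on
#                                     interface IF, i.e. did DOMAIN-ROUTE .
#                                     take effect?
# The .ovpn and status samples written below are constructed; interface
# names, server address and domains are placeholders.

# Print each missing directive; return 0 only when all are present.
check_ovpn_dns_config() {
    cfg=$1
    missing=0
    # One "regex|label" per line; leading whitespace is tolerated because
    # pasted configs are often indented.
    while IFS='|' read -r pattern label; do
        if ! grep -Eq "$pattern" "$cfg"; then
            echo "missing: $label"
            missing=$((missing + 1))
        fi
    done <<'EOF'
^[[:space:]]*script-security[[:space:]]+2|script-security 2
^[[:space:]]*up[[:space:]]+[^[:space:]]*update-systemd-resolved|up .../update-systemd-resolved
^[[:space:]]*down[[:space:]]+[^[:space:]]*update-systemd-resolved|down .../update-systemd-resolved
^[[:space:]]*down-pre|down-pre
^[[:space:]]*dhcp-option[[:space:]]+DOMAIN-ROUTE[[:space:]]+\.[[:space:]]*$|dhcp-option DOMAIN-ROUTE .
EOF
    # The 16.04-era hook exits silently when /sbin/resolvconf is absent.
    if grep -Eq '^[[:space:]]*(up|down)[[:space:]]+[^[:space:]]*update-resolv-conf' "$cfg"; then
        echo "warning: update-resolv-conf hook is still active"
    fi
    [ "$missing" -eq 0 ]
}

# resolvectl status prints one "Link N (ifname)" block per interface; its
# "DNS Domain:" entry may continue on unlabeled lines. Return 0 when IF has
# the routing domain "~." there.
tun_is_dns_default_route() {
    awk -v want="$2" '
        /^Link [0-9]+ \(/ { in_link = (index($0, "(" want ")") > 0); in_dom = 0; next }
        /^Global/         { in_link = 0; next }
        in_link {
            if ($0 ~ /DNS Domain:/) { in_dom = 1; sub(/.*DNS Domain:/, "") }
            else if ($0 ~ /:/)     { in_dom = 0 }
            if (in_dom) for (i = 1; i <= NF; i++) if ($i == "~.") found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

tmpdir=$(mktemp -d)
GOOD_OVPN=$tmpdir/good.ovpn
BAD_OVPN=$tmpdir/bad.ovpn
STATUS_OUT=$tmpdir/resolvectl-status.txt

# Constructed: a client config carrying the Solution 2 directives.
cat >"$GOOD_OVPN" <<'EOF'
client
dev tun
remote vpn.example.com 1194
script-security 2
up /etc/openvpn/update-systemd-resolved
down /etc/openvpn/update-systemd-resolved
down-pre
dhcp-option DOMAIN-ROUTE .
EOF

# Constructed: a 16.04-era config that still points at update-resolv-conf.
cat >"$BAD_OVPN" <<'EOF'
client
dev tun
remote vpn.example.com 1194
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
EOF

# Constructed excerpt shaped like `resolvectl status` output.
cat >"$STATUS_OUT" <<'EOF'
Global
       LLMNR setting: no

Link 2 (wlp2s0)
      Current Scopes: DNS
         DNS Servers: 192.168.1.1
          DNS Domain: lan

Link 5 (tun0)
      Current Scopes: DNS
         DNS Servers: 10.8.0.1
          DNS Domain: ~.
                      int.example.com
EOF

for cfg in "$GOOD_OVPN" "$BAD_OVPN"; do
    if check_ovpn_dns_config "$cfg"; then echo "$cfg: ok"; else echo "$cfg: incomplete"; fi
done
for ifname in tun0 wlp2s0; do
    if tun_is_dns_default_route "$STATUS_OUT" "$ifname"; then
        echo "$ifname: receives every DNS query"
    else
        echo "$ifname: not the DNS default route"
    fi
done
```

After connecting for real, save the live output with `resolvectl status > status.txt` and run `tun_is_dns_default_route status.txt tun0`; if that fails even though `dhcp-option DOMAIN-ROUTE .` is in the config, the up script did not run, and the `--up/--down` warnings quoted in the comments below are the place to look.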
Solution 3

Actually, there is a much easier solution to this problem. The issue is with DNS traffic and how Ubuntu 18 manages that. By default IP forwarding is disabled which is what OpenVPN needs in order to provide proper networking. All you have to do is run the following command:

sudo nano /etc/sysctl.conf

Once you have this file opened, look for the line that contains net.ipv4.ip_forward. If this line is commented, remove the # sign at the front of the line (if it is not commented then you have another issue). Save the file and then restart your OpenVPN server instance.

This fix does not require any modifications to the client or OpenVPN code following upgrade to Ubuntu 18. Tested and confirmed working.

However, this obviously requires you can administer the server. And unfortunately, the bug exists for many who just connect with 18.04 to an OpenVPN server that is administered by somebody else...

Solution 4

Tested on Ubuntu 18.04 on 13 Sep 2018

There is another useful command to setup what you need via command line. You can control your VPN connection both with command line and GUI.

sudo nmcli connection add type vpn vpn-type openvpn con-name la.vpn.contoso.com ifname --

ifname -- is required by default, but does not affect anything

sudo nmcli connection modify la.vpn.contoso.com ipv4.dns 172.16.27.1
sudo nmcli connection modify la.vpn.contoso.com ipv4.dns-search int.contoso.com
sudo nmcli connection modify la.vpn.contoso.com ipv4.never-default yes

never-default: do not use the remote gateway as the default route

And a much more interesting final touch:

nmcli connection modify la.vpn.contoso.com vpn.data 'ca = /tmp/la.vpn.contoso.com/you/ca.crt, key = /tmp/you.key, dev = tun, cert = /tmp/you.crt, cert-pass-flags = 1, comp-lzo = adaptive, remote = la.vpn.contoso.com:1194, connection-type = tls'

Afterwards you can control the VPN with the GUI or use the following commands:

sudo nmcli --ask connection up la.vpn.contoso.com
sudo nmcli connection down la.vpn.contoso.com
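
As an added example (not part of the answer above), the same profile can be generated from a script instead of typed by hand. The script below builds the vpn.data string and the nmcli commands from a directory holding ca.crt, client.crt and client.key, and refuses to emit anything while the private key is readable by group or others; the answer keeps its files in /tmp, whereas a per-user directory is assumed here. It also adds one setting the answer does not use, `ipv4.dns-priority` with a negative value, which makes NetworkManager use this connection's DNS servers exclusively while it is up (the leak concern Solution 2 addresses with DOMAIN-ROUTE). Commands are printed rather than executed, so it runs without NetworkManager; pipe the output to sh to apply it. All names, paths and addresses are placeholders, and the placeholder files it creates are empty, not real PEM.

```shell
#!/bin/sh
# Added example, not part of the original answer: emit the nmcli commands
# for a Solution 4 style profile from a directory of cert files, refusing
# to proceed while the private key is readable by others. Names, paths and
# addresses are placeholders; nothing here talks to NetworkManager.

# Return 0 when FILE exists and has no group/other permission bits
# (e.g. -rw------- or -r--------).
key_is_private() {
    key=$1
    [ -f "$key" ] || return 1
    perms=$(ls -ld "$key" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Compose the vpn.data value consumed by the nm-openvpn plugin (same keys as
# in the answer; cert-pass-flags = 1 is copied from it, compression is left
# out unless the server requires it).
vpn_data() {
    dir=$1
    remote=$2
    printf 'ca = %s/ca.crt, cert = %s/client.crt, key = %s/client.key, dev = tun, remote = %s:1194, connection-type = tls, cert-pass-flags = 1' \
        "$dir" "$dir" "$dir" "$remote"
}

# Print the nmcli commands for profile NAME. DNS and SEARCH are the VPN's
# name server and search domain, as in the answer. A negative
# ipv4.dns-priority makes NetworkManager use this connection's DNS servers
# exclusively while it is up (an addition beyond the answer).
nmcli_profile_cmds() {
    name=$1 dir=$2 remote=$3 dns=$4 search=$5
    if ! key_is_private "$dir/client.key"; then
        echo "refusing: $dir/client.key is missing or readable by others" >&2
        return 1
    fi
    cat <<EOF
nmcli connection add type vpn vpn-type openvpn con-name '$name' ifname --
nmcli connection modify '$name' vpn.data '$(vpn_data "$dir" "$remote")'
nmcli connection modify '$name' ipv4.dns '$dns'
nmcli connection modify '$name' ipv4.dns-search '$search'
nmcli connection modify '$name' ipv4.never-default yes
nmcli connection modify '$name' ipv4.dns-priority -1
EOF
}

# Constructed demo directory with empty placeholder files (not real PEM).
DEMO_DIR=$(mktemp -d)
: >"$DEMO_DIR/ca.crt"
: >"$DEMO_DIR/client.crt"
: >"$DEMO_DIR/client.key"
chmod 600 "$DEMO_DIR/client.key"

if nmcli_profile_cmds la.vpn.example.com "$DEMO_DIR" la.vpn.example.com 10.8.0.1 int.example.com; then
    echo "# review the commands above, then re-run piped into sh to apply" >&2
fi
```

Bring the profile up afterwards exactly as in the answer (`nmcli --ask connection up <name>`), and check `resolvectl status` to see that only the VPN's server is listed for DNS while it is connected.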

Solution 5

I'm impacted too. In my case, I'm using OpenVPN with an internal name server (which is inside the VPN). That worked until Ubuntu 17.10 (with hosts: files dns in /etc/nsswitch.conf).

/etc/resolv.conf was updated correctly by the openvpn scripts (through calls to /etc/openvpn/update-resolv-conf in the openvpn client configuration file).

However, name resolution for hosts inside the VPN was not working any more (or at least sporadically... I guess the local DNS cache was picking the names, but after a rather long time).

What seems to help, or even resolve the issue (though that's too early to say) is to install the below package:

sudo apt install openvpn-systemd-resolved

Author: orestis

I am a developer and Ubuntu fan

Updated on September 18, 2022

Comments

  • orestis
    orestis over 1 year

    When I connect to a VPN network through Gnome Network-manager I lose DNS resolution and in practice, I cannot access resources inside the VPN network or outside.

    When I was using Ubuntu 16.04 and I was using the VPN, the "/etc/resolv.conf/" file would contain the DNS servers of the (VPN) network I had connected. Now it always contains the following entries:

    nameserver 127.0.0.53
    search myprovider.com
    

    From what I have understood 127.0.0.53 is the address of the DNS stub used by systemd-resolved.

    I suspect that this is a bug because the VPN was working fine on Ubuntu 16.04. Is there any way that I can set the DNS servers of my network when I am using a VPN service?

    Update:

    I tried connecting to the OpenVPN network with the configuration file attached at the end of the post, but I get the following error:

     Authenticate/Decrypt packet error: cipher final failed
    

    I have verified that the server uses lzo compression and I have enabled it as well. The connection stays active but I cannot navigate to any page inside or outside the VPN.

    In the configuration file listed below, I have included the solutions posted in the replies

     client
     dev tun
     proto udp
     remote openvpn.bibsys.no 1194
     remote my-server-2 1194
     resolv-retry infinite
     nobind
     user myuser
     group myuser
     persist-key
     persist-tun
     ca ca-cert.pem
     cert openvpn.crt
     key openvpn.key
     cipher AES-256-CBC
     comp-lzo yes
     script-security 2
     up /etc/openvpn/scripts/update-systemd-resolved
     down /etc/openvpn/scripts/update-systemd-resolved
     down-pre
    
    • notbad.jpeg
      notbad.jpeg about 5 years
      When debugging a similar problem to this that couldn't be solved exactly the same, I used resolvectl status and resolvectl help to figure out my specific solution.
  • Michael Opdenacker
    Michael Opdenacker about 6 years
    Eventually, it doesn't seem to be a solution. I have the problem again. I guess something else made it work...
  • orestis
    orestis about 6 years
    If one is using the gnome openvpn utility where should the file config.ovpn be stored?
  • Andy Turfer
    Andy Turfer almost 6 years
    config.ovpn isn't "found" - it's the client config file used for connecting. You either generate it, or it is issued to you by your OpenVPN provider (and it might not be called config.ovpn - it could be called anything, like client.ovpn).
  • lucidyan
    lucidyan almost 6 years
    Thanks a lot, working for me on Ubuntu 18.04. And I want to specify that the parameter script-security 2 is still needed before the up/down lines, otherwise the program fails with an error (OpenVPN 2.4.4)
  • Qlimax
    Qlimax almost 6 years
    Glad it helped :) Changed the last sentence in the answer, since in my case script-security 2 was not necessary. That's perhaps because I'm running the openvpn client as root (with sudo)
  • n1ghtm4n4g3r
    n1ghtm4n4g3r almost 6 years
    I am running the client as root and I still (also) need to add script-security 2 for this setup to work. BTW, thanks a lot for this tip, @Qlimax. :-)
  • orestis
    orestis almost 6 years
    @Qlimax Do you know how do we import these settings to the gnome openvpn client?
  • Qlimax
    Qlimax almost 6 years
    @orestis you have to install this package sudo apt-get install network-manager-openvpn-gnome Then you should be able to import .ovpn config files into the gnome network manager. askubuntu.com/questions/187511/… UI has changed over time, you should be able to find that in settings->network->vpn
  • lucidyan
    lucidyan almost 6 years
    Maybe then you delete your answer? It seems that the decision has already been found below
  • hwjp
    hwjp over 5 years
    didn't work for me. how did you determine that this was the problem, in your case?
  • Vanessa Deagan
    Vanessa Deagan over 5 years
    This should be the accepted answer.
  • Ahsanul Haque
    Ahsanul Haque over 5 years
    This works just perfectly.
  • A. Ahanchi
    A. Ahanchi about 5 years
    Thanks! The last line for preventing dns leakage is necessary because the systems still uses the default dns.
  • blockhead
    blockhead about 5 years
    I get WARNING: Failed running command (--up/--down): external program fork failed
  • higuita
    higuita almost 5 years
    WARNING: you do not need to enable ip_forward on the openvpn client, NEVER! It is a security risk. On the openvpn server, you may need it, depending on the config used, and this is probably why this comment shows up.
  • Harald
    Harald almost 5 years
    Surprised this works for so many of you: I have an ovpn.config, yes, but NetworkManager does not seem to use it. Did you edit the file and then re-import it, in particular to replace the up/down scripts? Because I see this opaque binary /usr/lib/NetworkManager/nm-openvpn-service-openvpn-helper used, for which I could not find documentation. If re-import of ovpn.config is needed, please amend the answer.
  • Saisurya Kattamuri
    Saisurya Kattamuri over 4 years
    Unfortunately this didn't work for a VPN which is using TCP; sites outside the VPN are not resolved, hence I started using client.pritunl.com/#install, which I found useful
  • lucidyan
    lucidyan over 4 years
    Without down-pre at the end of the .ovpn file, you would get nasty warnings on stop: update-systemd-resolved: Invalid device name: 'tun0'. Usage: update-systemd-resolved up|down device_name. WARNING: Failed running command (--up/--down): external program exited with error status: 1 Exiting due to fatal error
  • Milan Maharjan
    Milan Maharjan over 4 years
    this worked for me as well
  • Kevin C
    Kevin C over 4 years
    This was it for me. Weird issue. Thanks.
  • Karl Forner
    Karl Forner over 4 years
    this seems to work for me ! Thanks. I tested so many different fixes...
  • Joao Tavora
    Joao Tavora over 4 years
    Can't +1 this enough. It really should be the accepted answer
  • Mnemosyne
    Mnemosyne over 4 years
    This did not work for me either. Am having the exact same issue.
  • Falc
    Falc over 4 years
    My client.ovpn file doesn't have up and down lines, can I just add them?
  • chaz
    chaz about 4 years
    Didn't work for me at first because my resolv.conf was still looking at my router dns. I made sure the stub was used first (127.0.0.53) on ubuntu 19.10, and it worked. I still can't figure out how to get the stub resolver to do the local then remote resolving by itself, but this is a good workaround for now.
  • Andy Turfer
    Andy Turfer about 4 years
    @Falc Yes, you can.
  • Amit Patil
    Amit Patil about 4 years
    Sorry but not worked with me.
  • Zorglub29
    Zorglub29 almost 4 years
    Is it expected that this should solve Pritunl problems on Ubuntu 20.04 too?
  • Shayan
    Shayan almost 4 years
    Adding the script-security 2 and (up/down) /etc/openvpn/update-resolv-conf lines fixed it for me.
  • nekofar
    nekofar over 3 years
    Thank you! This is still valid for Ubuntu 20.04.1 LTS.
  • foo
    foo over 2 years
    as of 2021-10, there's also the package "openvpn-systemd-resolved" as part of standard repositories, instead of referring to some githubusercontent URL.
  • JonnyRaa
    JonnyRaa over 2 years
    the final line dhcp-option DOMAIN-ROUTE . was critical - my problem wasn't fixed until I added that as well
  • axel22
    axel22 about 2 years
    Best. Answer. On the Internet. Thanks - it took me a while until I found your answer, the part that resolveconf should have been installed.