Ubuntu 18.04 no DNS resolution when connected to OpenVPN
When I connect to a VPN network through the Gnome Network-Manager I lose DNS resolution and in practice I cannot access resources inside the VPN network or outside it. When I was using Ubuntu 16.04 and I was using the VPN, the /etc/resolv.conf file would contain the DNS servers of the (VPN) network I had connected to. Now it always contains the following entries:
nameserver 127.0.0.53
search myprovider.com
From what I have understood, 127.0.0.53 is the address of the DNS stub used by systemd-resolved. I suspect that this is a bug because the VPN was working fine on Ubuntu 16.04. Is there any way that I can set the DNS servers of my network when I am using a VPN service?
Update: I tried connecting to the OpenVPN network with the configuration file attached at the end of the post, but I get the following error:
Authenticate/Decrypt packet error: cipher final failed
I have verified that the server uses lzo compression and I have enabled it as well. The connection stays active but I cannot navigate to any page inside or outside the VPN. In the configuration file listed below, I have included the solutions posted in the replies.
client
dev tun
proto udp
remote openvpn.bibsys.no 1194
remote my-server-2 1194
resolv-retry infinite
nobind
user myuser
group myuser
persist-key
persist-tun
ca ca-cert.pem
cert openvpn.crt
key openvpn.key
cipher AES-256-CBC
comp-lzo yes
script-security 2
up /etc/openvpn/scripts/update-systemd-resolved
down /etc/openvpn/scripts/update-systemd-resolved
down-pre
Openvpn client, force DNS server
When using the openvpn client on that Linux, the nameserver is not changed (by the VPN server), but I would like to set it, only during the VPN session, to another specific DNS server x.y.z.t by changing the openvpn client config. Then, when the openvpn session ends, the nameserver should be back to 127.0.0.1. Is there a «clean» way (i.e. a line in the openvpn client config file) to do that?
(Note: The VPN server config cannot be changed)
5 Answers
After more googling, I could find the answer; here it is below, in case it can help someone.
- install resolvconf which can save and restore the resolv.conf config file
- add a script to be run by openvpn, in /usr/share/openvpn , named update-resolv-conf . The script determines what should be the new resolv.conf , and how to restore it (see link below)
- add
script-security 2
up /usr/share/openvpn/update-resolv-conf
down /usr/share/openvpn/update-resolv-conf
in the openvpn client config file.
Read on this wiki for more information.
Newer installs of OpenVPN include this script with the installation. Instead of manually downloading and installing at /usr/share/openvpn/update-resolv-conf , you can find it pre-installed at /etc/openvpn/update-resolv-conf .
2022 update (Arch Linux)
To set a public dns server and update resolvconf, add the following to your ovpn client profile file:
dhcp-option DNS 1.1.1.1
script-security 2
up /usr/share/openvpn/contrib/pull-resolv-conf/client.up
down /usr/share/openvpn/contrib/pull-resolv-conf/client.down
Consider using route-up / route-down scripts on your client to alter your configuration on connection setup as you see fit. See the OpenVPN docs on details for how to set this up and which variables you might use in these scripts.
+1, interesting and useful. The resolvconf solution via up and down (above or below, depending on rating) is however more to the point and, imo, cleaner.
@ring0 I would advise using route-up instead of up to minimize race conditions. When the up script is executed, the connection is not yet set up and you have no chance to query the remote resolver you’re setting. If you start the OpenVPN client in a situation where the connection setup would not complete, you are putting your resolver into a possibly non-functional state for a prolonged period of time. See the «Script Order of Execution» section in the OpenVPN man page for details.
I did a few tests, and the up script is called right when «Initialization Sequence Completed» is reached, not before. Btw, I cannot find «route-down» in the man page.
This was useful information to help me fix this issue.
I'm an Arch Linux user, and what I saw is that when a Linux client is used with Access Server, it is unable to alter the DNS settings on the client in question, so hosts are not resolved, as it stands in the OpenVPN documentation.
I created a script which fixes the problem and with a couple of extra parameters handles openvpn connections via command line.
Here is the main command being executed for the connection:
nohup openvpn --config "$OVPN_FILE_PATH" --askpass "$OVPN_PRIVATE_KEY_FILE_PATH" \
  --script-security 2 \
  --setenv PATH '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' \
  --up /etc/openvpn/scripts/update-systemd-resolved \
  --down /etc/openvpn/scripts/update-systemd-resolved \
  --down-pre \
  &>/dev/null &
Any feedback is more than appreciated.
How to define DNS server in openvpn?
I set up an openvpn server with a static key (certificate mode is not usable due to DPI at the national gateway), but I cannot successfully change the DNS automatically after the connection. I searched over the Internet and SE, and everyone suggests using dhcp-option. I tried to add this line to client.ovpn:
--dhcp-option type [parm] Set extended TAP-Win32 TCP/IP properties, must be used with --ip-win32 dynamic or --ip-win32 adaptive.
4 Answers
On a Linux system, you need to run an external script.
Scripts are found here, or for newer Linux versions here, and you can call them by adding this to the openvpn client configuration:
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
I'm no expert, but from reading the man page below your quote:
--dhcp-option type [parm]
[...]
Note that if --dhcp-option is pushed via --push to a non-windows client, the option will be saved in the client's environment before the up script is called, under the name «foreign_option_».
and under foreign_option_ :
foreign_option_
An option pushed via --push to a client which does not natively support it, such as --dhcp-option on a non-Windows system, will be recorded to this environmental variable sequence prior to --up script execution.
So the command line openvpn client doesn't automatically modify the DNS setup on your OS X machine after establishing the connection. But since the DNS options are saved to the client's environment, you can specify a script to append the pushed servers to the system's current DNS config with the --up option:
--up cmd
Run command cmd after successful TUN/TAP device open (pre --user UID change).
cmd consists of a path to script (or executable program), optionally followed by arguments. The path and arguments may be single- or double-quoted and/or escaped using a backslash, and should be separated by one or more spaces.
E.g. Tunnelblick also does this by utilizing this script.
Another solution might be a script that was posted to the openvpn mailing list at DNS for OS X clients — the Definitive Guide.
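The mechanism the man page excerpt above describes, and that the update-resolv-conf style scripts in the earlier answers rely on, is small enough to show end to end. The following is an added example, not code from any of the posts above and not part of the OpenVPN project: a POSIX sh script usable as both the --up and --down command that reads the pushed "dhcp-option DNS" and "dhcp-option DOMAIN" values from the foreign_option_1, foreign_option_2, ... environment variables, writes a temporary /etc/resolv.conf from them, and restores the original when the tunnel closes. OpenVPN really does set script_type to "up" or "down" when it invokes the script; the RESOLV_CONF override (so the script can be exercised against a scratch file), the .openvpn-backup suffix, and the handling of DOMAIN-SEARCH are this example's own assumptions. Because the pushed values originate from the VPN server, the script validates each token before it lands in a system file rather than trusting the peer.

```shell
#!/bin/sh
# Added example (not from the posts above or from the OpenVPN project): an
# OpenVPN --up/--down script that turns the pushed "dhcp-option DNS ..." and
# "dhcp-option DOMAIN ..." values, exposed to the script as foreign_option_1,
# foreign_option_2, ..., into a temporary resolv.conf and restores the original
# when the tunnel closes. RESOLV_CONF (for testing) and the .openvpn-backup
# suffix are this example's assumptions; script_type is set by OpenVPN itself.
set -u

# Pushed options come from the VPN server, so only accept tokens that look like
# an IP address or a DNS name before writing them into a system file.
is_address() { case "$1" in ""|*[!0-9a-fA-F.:]*) return 1 ;; *) return 0 ;; esac; }
is_domain()  { case "$1" in ""|*[!0-9A-Za-z.-]*) return 1 ;; *) return 0 ;; esac; }

# Print every foreign_option_N value, one per line. OpenVPN numbers them from 1
# without gaps, so the first unset variable ends the walk.
pushed_options() {
    i=1
    while :; do
        eval "opt=\${foreign_option_${i}:-}"
        [ -n "$opt" ] || break
        echo "$opt"
        i=$((i + 1))
    done
}

# DNS servers in push order, validated; a value with extra words is rejected.
pushed_dns_servers() {
    pushed_options | while read -r kind type value; do
        case "$kind $type" in
            "dhcp-option DNS") if is_address "$value"; then echo "$value"; fi ;;
        esac
    done
}

# Search domains, validated (DOMAIN-SEARCH handling is an assumption here).
pushed_search_domains() {
    pushed_options | while read -r kind type value; do
        case "$kind $type" in
            "dhcp-option DOMAIN"|"dhcp-option DOMAIN-SEARCH")
                if is_domain "$value"; then echo "$value"; fi ;;
        esac
    done
}

# Print the resolv.conf content to install; fails when nothing usable was pushed.
render_resolv_conf() {
    servers=$(pushed_dns_servers)
    [ -n "$servers" ] || return 1
    domains=$(pushed_search_domains)
    echo "# written by the OpenVPN up script; the original file is restored on disconnect"
    if [ -n "$domains" ]; then
        printf 'search'
        for d in $domains; do printf ' %s' "$d"; done
        echo
    fi
    for s in $servers; do echo "nameserver $s"; done
}

# up: move the current file aside (a symlink such as systemd-resolved's stub link
# is moved as-is, its target untouched) and write the pushed configuration.
dns_up() {
    rc="${RESOLV_CONF:-/etc/resolv.conf}"
    content=$(render_resolv_conf) || return 0   # nothing pushed: leave the host alone
    if [ ! -e "$rc.openvpn-backup" ] && [ ! -L "$rc.openvpn-backup" ]; then
        mv "$rc" "$rc.openvpn-backup"
    fi
    printf '%s\n' "$content" > "$rc"
}

# down: put the original file or symlink back, if we ever moved it.
dns_down() {
    rc="${RESOLV_CONF:-/etc/resolv.conf}"
    if [ -e "$rc.openvpn-backup" ] || [ -L "$rc.openvpn-backup" ]; then
        mv -f "$rc.openvpn-backup" "$rc"
    fi
}

# OpenVPN sets script_type to "up" or "down" when it runs the script.
case "${script_type:-}" in
    up)   dns_up ;;
    down) dns_down ;;
esac
```

To use it, install the script with execute permission and point the client profile at it with script-security 2, up /path/to/script and down /path/to/script (adding down-pre if the restore should run before the tun device is closed); the route-up hook discussed in the comments above works the same way, since the foreign_option_ variables are already populated by then. On a systemd-resolved host like the one in the first question, replacing /etc/resolv.conf is the blunt tool: the stub at 127.0.0.53 keeps answering for other interfaces, which is what the update-systemd-resolved script used there avoids by setting per-link DNS servers through resolved instead.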