F5 VPN dns issue with systemd-resolvd

Hi, I am trying to use a proprietary VPN (F5) client on fedora 33. It appears to be up and working but I have problems, eg I can not open websites on the VPN network. I think it is related to DNS, it looks to me that systemd-resolvd is not configured properly:

resolvectl domain
Global:
Link 2 (eno1): ~. home
Link 15 (tun0):

resolvectl dns
Global:
Link 2 (eno1): 192.168.1.1 2a01:cb19:6a9:af00:2a9e:fcff:fe94:4c0 fe80::2a9e:fcff:fe94:4c0%22006
Link 15 (tun0):

I have seen the other thread in this forum saying “systemd-resolved not querying DNS server set by openvpn” as well as the “systemd-resolved: introduction to split DNS” article on the Fedora Magazine but I still haven’t found how to fix it.

My understanding is that it simply won’t work unless I disable systemd-resolvd and go back to the previous solution.

Yep, or use NetworkManager-openvpn which supports systemd-resolved.

Hi, thanks for replying! Do you happen to know how can I use openvpn instead of the proprietary F5vpn client (or maybe do you have any hints where to look for that)?

1 Like
sudo dnf install NetworkManager-openvpn-gnome
nmcli connection import type openvpn file /path/to/profile.ovpn
restorecon -R ~/.cert

And set up DNS: https://discussion.fedoraproject.org/t/systemd-resolved-not-querying-dns-server-set-by-openvpn/74961/2?u=vgaetera

I have seen this thread. My question is, do you know if openvpn support connecting to an F5 BIG-IP vpn server?

I think it does not hurt to try.
Usually VPN providers based on OpenVPN support third party clients.

Sure, it doesn’t. Where do I get a profile.ovpn file then?

Typically from the VPN provider.
Otherwise you can try to configure it manually with the same configuration parameters as the proprietary client.

i tried doing that but I am not comfortable with the several VPN technologies/parameters and I was not given a list of my client, it is supposed to “simply work”

the networkmanager-openvpn-gnome package was already installed on my system but I do not have a connection parameter file neither do I know how to write one so I can not try it. Thanks for trying :slight_smile:

You can also try using the GUI dialogue:
Settings > Network > VPN > + > OpenVPN

I think F5 is not using OpenVPN, it some SSL based propriertary protocol, afaik.

Thanks a lot for the input everyone.
Îśy use case is F5VPN specific.
I can see some lines mentioning openvpn in the logs but I guess they are not compatible.

I did find a solution, I set by hand the domain and dns servers like this:

sudo resolvectl dns tun0 1.2.1.1 1.2.2.1
sudo resolvectl domain tun0 "~ourdomain.com"

I would like to have found why they are not passed “automatically” from the vpn client I am using or how they could be set automatically on connection, but at least it works now.

Thanks again *

3 Likes

Those changes are supposed to be runtime.
You need to find a way to apply them upon the VPN connection activation.
Otherwise it might be easier to disable systemd-resolved for the time being.

I know they are runtime. I tried adding these

[Network]
DNS=10.0.0.1
Domains=~other.some

in this file /etc/systemd/network/tun0.network and restarting the service but it didn’t work. I guess either the file is wrong or I didn’t properly restart the service.

For my personal workstation this is a preferable solution than disabling systemd-resolvd and configuring by hand.

I hope these are useful to others and I hope that it will be solved in the future (i suspect when the f5vpn client is updated)

Thanks again everyone.

Hi pattakosn,
I’m facing the exact same problem as you.

Have you found a solution to permanently keep the modification of resolvectl?

If your VPN service is a systemd unit, you can try using ExecStartPost=.

Hi, no I haven’t. Unfortunately people keep suggesting me things I do not understand (for eg this ExecStartPost that vgaetera suggested. So I just run a script by hand every time I connect.

It’s problematic to advice anything specific unless someone shares the VPN client distribution for testing.

Yes, I understand. Thanks a lot for any advice however. The VPN client I am using is F5.