Systemd-resolved not querying DNS server set by openvpn

I have OpenVPN running on my fedora 33 laptop. I’m using /etc/openvpn/scripts/update-systemd-resolved to update systemd-resolved. When openvpn runs I see:


    Wed Oct 14 15:07:15 2020 /etc/openvpn/scripts/update-systemd-resolved tun0 1400 1472 10.8.0.2 255.255.255.0 init
    <14>Oct 14 15:07:15 update-systemd-resolved: Link 'tun0' coming up
    <14>Oct 14 15:07:15 update-systemd-resolved: Adding IPv4 DNS Server 192.168.2.1
    <14>Oct 14 15:07:15 update-systemd-resolved: SetLinkDNS(7 1 2 4 192 168 2 1)
    Wed Oct 14 15:07:15 2020 /sbin/ip route add 192.168.2.0/24 via 10.8.0.1

and my resolvectl status shows:

    Link 7 (tun0)
          Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
    DefaultRoute setting: yes
           LLMNR setting: yes
    MulticastDNS setting: no
      DNSOverTLS setting: no
          DNSSEC setting: no
        DNSSEC supported: no
      Current DNS Server: 192.168.2.1
             DNS Servers: 192.168.2.1

But DNS fails unless I explicitly try against 192.168.2.1. The odd thing was it was working prior to the latest round of updates to Fedora 33.

Thanks

3 Likes

Modify your connection and re-establish it to apply changes:

sudo nmcli connection modify id VPN_CON \
    ipv4.dns-search ~. ipv6.dns-search ~. \
    ipv4.dns-priority -50 ipv6.dns-priority -50

https://developer.gnome.org/NetworkManager/stable/nm-settings-nmcli.html

1 Like

I see I’m very late here. Have you found a solution yet?

I assume that you have completely disabled NetworkManager. If not, NetworkManager is going to fight with /etc/openvpn/scripts/update-systemd-resolved, hence the above answer regarding nmcli should not be relevant. But if you are trying to use both NetworkManager and update-systemd-resolved together, don’t!

I’m not familiar with update-systemd-resolved, since Fedora defaults to using NetworkManager, and that’s the case I primarily care about. I’m very confident this script is the source of your troubles, though. The problem I see with your resolvectl status is that you have no DNS domain set. This means you’ve configured your DNS server for tun0, but have (probably, see below) told systemd-resolved to never use it. (If you were using NetworkManager, it would make sure that doesn’t happen.) Use resolvectl domain to see. For example, mine says:

$ resolvectl domain
Global:
Link 2 (enp4s0): lan
Link 3 (enp6s0):
Link 4 (wlp5s0):
Link 5 (tun0): ~.
Link 6 (virbr0):
Link 7 (virbr0-nic):
Link 8 (tun1): redhat.com

This means DNS for redhat.com goes to the DNS server configured for tun1, DNS for lan goes to the DNS server configured for enp4s0, and all other DNS goes to the DNS server configured for tun0. Make sure you have a ~. domain somewhere – it’s probably on enp4s0 I guess, but you might want it on tun0 if you want your VPN to get all your DNS – because otherwise most of your DNS will be sent to every interface’s DNS server.

2 Likes
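A quick way to apply the check described in the reply above (is there a `~.` routing domain on some link, and which one?) is to parse the `resolvectl domain` output. The script below is an added example, not part of the thread or of the update-systemd-resolved project; it runs over a constructed sample that mirrors the format shown above, and `check_live` runs the same parser against the local system where `resolvectl` is available.

```shell
#!/bin/sh
# Report which links carry the catch-all routing domain "~." in
# `resolvectl domain` output. Without "~." on some link, systemd-resolved
# sends queries for names matching no domain to every link's DNS servers,
# which is the misrouting/leak scenario discussed in this thread.

# Constructed sample (not a real capture); same layout as the reply above.
SAMPLE_DOMAINS='Global:
Link 2 (enp4s0): lan
Link 3 (enp6s0):
Link 4 (wlp5s0):
Link 5 (tun0): ~.
Link 6 (virbr0):
Link 7 (virbr0-nic):
Link 8 (tun1): redhat.com'

# Read `resolvectl domain` output on stdin; print one line per link (or
# "Global") whose domain list contains the "~." entry.
links_with_catch_all() {
    awk '
        /^Global:/ {
            for (i = 2; i <= NF; i++) if ($i == "~.") print "Global"
        }
        /^Link [0-9]+ \(/ {
            link = $3                  # e.g. "(enp4s0):"
            gsub(/[():]/, "", link)    # -> "enp4s0"
            for (i = 4; i <= NF; i++) if ($i == "~.") print link
        }'
}

# Exit 0 if any link has "~.", 1 otherwise (stdin = resolvectl domain output).
has_catch_all() {
    [ -n "$(links_with_catch_all)" ]
}

# Run the same check against the running system (assumes resolvectl is present).
check_live() {
    resolvectl domain | links_with_catch_all
}

# Demonstration on the constructed sample: prints "tun0".
printf '%s\n' "$SAMPLE_DOMAINS" | links_with_catch_all
```

If `check_live` prints nothing, no link has the catch-all domain, which is exactly the situation the reply describes: the VPN's DNS server is configured but never chosen for ordinary names.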

It works for me with both NetworkManager-openvpn and systemd-resolved on Fedora 33:

> resolvectl dns
Global:
Link 2 (enp1s0): 192.168.122.1
Link 13 (tun0): 192.168.8.1

> resolvectl domain 
Global:
Link 2 (enp1s0): ~example.org
Link 13 (tun0): ~. example.net

2 Likes

Thanks everyone. Found that adding this to my openvpn config fixed the issue:

dhcp-option DOMAIN-ROUTE .

4 Likes

Could you please explain why?

1 Like

Note that NetworkManager-openvpn does not yet support the dhcp-option DOMAIN-ROUTE.

  1. Not using networkmanager-openvpn (have some other options that aren’t supported), using the openvpn cli
  2. I added that option per the github page for the update-systemd-resolved script - https://github.com/jonathanio/update-systemd-resolved#preventing-leakage-in-on-untrusted-networks . I don’t really worry about DNS leakage, but when I’m on my VPN I want all DNS to go to my “corp” DNS

Hi @vgaetera, your tip worked for me, but I had to add single quotes; with that my VPN started to solve for the correct DNS.

sudo nmcli connection modify id VPN_NAME \
    ipv4.dns-search '~.' ipv6.dns-search '~.' \
    ipv4.dns-priority -50 ipv6.dns-priority -50

Thank you for your help

3 Likes
