OpenVPN and systemd-resolved: DNS does not resolve VPN internal names

I have a VPN set up on some virtual machines using OpenVPN. One of the VMs is running dnsmasq to provide a basic DNS for inside the network. My client is running Ubuntu, which now more or less forces systemd-resolved. I am finding that although it claims to have configured DNS, I can't actually do an nslookup or dig on hostnames inside the VPN. I can ping them by IP, but not by name.

Let's dive into configuration files.

OpenVPN server conf:

mode server
local 192.168.50.101
port 1194
proto udp
dev tun
ca /etc/openvpn/server/ssl/ca.pem
cert /etc/openvpn/server/ssl/cert.pem
key /etc/openvpn/server/ssl/key.pem
dh /etc/openvpn/server/ssl/dh2048.pem
topology subnet
server 10.99.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.10.0.0 255.255.255.0"
push "dhcp-option DNS 10.99.0.1"
keepalive 10 120
cipher AES-128-CBC   # AES
comp-lzo
push "comp-lzo yes"
user openvpn
group openvpn
persist-key
persist-tun
status openvpn-status.log
log-append  openvpn.log
verb 6
mute 20

Client conf:

client
dev tun
proto udp
remote 192.168.50.101 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca REDACTED
cert REDACTED
key REDACTED
remote-cert-tls server
cipher AES-128-CBC
comp-lzo
verb 3
mute 20
ping-restart 30
script-security 2
setenv PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
up /etc/openvpn/update-systemd-resolved
down /etc/openvpn/update-systemd-resolved
down-pre

I have installed https://github.com/jonathanio/update-systemd-resolved, as seems to be recommended. It does, in fact, update the DNS settings as can be shown by the systemd-resolved logs (Switching to DNS server 10.99.0.1 for interface tun0.) and --status output:

Link 26 (tun0)
      Current Scopes: DNS
       LLMNR setting: yes
MulticastDNS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
         DNS Servers: 10.99.0.1

/etc/resolv.conf points to 127.0.0.53, as is the default for using systemd-resolved.

I've tried using NetworkManager's built-in OpenVPN connection, and it neither fixes the DNS issue, nor even sets up routes correctly (so I can't even ping or connect by IP).

Just a few other things that people will probably ask about:

  • This setup works for my coworkers on Macs, using Viscosity. It's only Ubuntu/Linux that's failing here on the client side.
  • Firewall on OpenVPN server allows port 53 and I can verify with telnet.
  • If I set up /etc/resolv.conf to point to my VPN's DNS server (on 10.99.0.1), then DNS resolution works fine. However, resolv.conf is managed by either systemd-resolved or NetworkManager via resolvconf and I'd like to keep those if possible so as not to upset the Ubuntu apple cart.

First, test connecting from the console:

sudo openvpn --verb 1 --config /path_to_conf/config.ovpn

If you have this error:

/etc/resolvconf/update.d/libc: Warning: /etc/resolv.conf is not a symbolic link to /run/resolvconf/resolv.conf

then fix /etc/resolvconf/update.d/libc

before

DYNAMICRSLVCNFFILE="/run/resolvconf/resolv.conf"

after

#DYNAMICRSLVCNFFILE="/run/resolvconf/resolv.conf"
DYNAMICRSLVCNFFILE="/run/systemd/resolve/resolv.conf"

Second, add this option to the OpenVPN server config:

push "dhcp-option DOMAIN YOUR_DOMAIN_NAME"

Update. To send DNS requests only via the VPN, find the UUID of the VPN connection:

nmcli c show

nmcli c modify <UUID vpn connection> ipv4.dns-priority -1

After this command, reconnect the VPN. Now all DNS requests go through the VPN.
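To show what the pushed options from the server config actually turn into on the client, here is an added example (not the update-systemd-resolved script's code and not from the question or answer above): a POSIX sh function that reads the `foreign_option_N` environment variables OpenVPN exports to an `up` script and prints the `resolvectl` commands systemd-resolved needs. The domain `vpn.example` stands in for the answer's YOUR_DOMAIN_NAME; `resolvectl` is assumed to be available on the client.

```shell
#!/bin/sh
# OpenVPN hands every pushed "dhcp-option ..." line to the up script as
# foreign_option_1, foreign_option_2, ... . A pushed DNS server alone gives
# systemd-resolved an address but no domain to route to tun0, which is why
# internal names stay unresolvable until a DOMAIN is pushed (or the link is
# made the default resolver, as the nmcli dns-priority -1 step does).

# build_resolvectl_cmds DEV : print one resolvectl command per line,
# return 1 if no DNS server was pushed at all.
build_resolvectl_cmds() {
    dev="$1"
    dns=""
    domains=""
    i=1
    while :; do
        eval "opt=\${foreign_option_$i:-}"
        [ -n "$opt" ] || break
        case "$opt" in
            "dhcp-option DNS "*)    dns="$dns ${opt#"dhcp-option DNS "}" ;;
            # "~domain" means: send queries for this domain to this link only
            "dhcp-option DOMAIN "*) domains="$domains ~${opt#"dhcp-option DOMAIN "}" ;;
        esac
        i=$((i + 1))
    done
    if [ -z "$dns" ]; then
        echo "no dhcp-option DNS pushed for $dev" >&2
        return 1
    fi
    echo "resolvectl dns $dev$dns"
    if [ -n "$domains" ]; then
        echo "resolvectl domain $dev$domains"
    fi
    return 0
}

# Constructed sample environment, as OpenVPN would set it from the server's
# push "dhcp-option DNS 10.99.0.1" and push "dhcp-option DOMAIN vpn.example"
foreign_option_1="dhcp-option DNS 10.99.0.1"
foreign_option_2="dhcp-option DOMAIN vpn.example"
build_resolvectl_cmds tun0
```

Run it under `sh` to see the two commands; drop `foreign_option_2` and only the `resolvectl dns` line remains, which is the state the question describes.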