I have a VPN set up on some virtual machines using OpenVPN. One of the VMs is running dnsmasq to provide a basic DNS for inside the network. My client is running Ubuntu, which now more or less forces systemd-resolved. I am finding that although it claims to have configured DNS, I can't actually do an nslookup or dig on hostnames inside the VPN. I can ping them by IP, but not by name.
Let's dive into configuration files.
OpenVPN server conf:
mode server
local 192.168.50.101
port 1194
proto udp
dev tun
ca /etc/openvpn/server/ssl/ca.pem
cert /etc/openvpn/server/ssl/cert.pem
key /etc/openvpn/server/ssl/key.pem
dh /etc/openvpn/server/ssl/dh2048.pem
topology subnet
server 10.99.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.10.0.0 255.255.255.0"
push "dhcp-option DNS 10.99.0.1"
keepalive 10 120
cipher AES-128-CBC # AES
comp-lzo
push "comp-lzo yes"
user openvpn
group openvpn
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 6
mute 20
Client conf:
client
dev tun
proto udp
remote 192.168.50.101 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca REDACTED
cert REDACTED
key REDACTED
remote-cert-tls server
cipher AES-128-CBC
comp-lzo
verb 3
mute 20
ping-restart 30
script-security 2
setenv PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
up /etc/openvpn/update-systemd-resolved
down /etc/openvpn/update-systemd-resolved
down-pre
I have installed https://github.com/jonathanio/update-systemd-resolved, as seems to be recommended. It does, in fact, update the DNS settings, as can be shown by the systemd-resolved logs ("Switching to DNS server 10.99.0.1 for interface tun0.") and --status output:
Link 26 (tun0)
Current Scopes: DNS
LLMNR setting: yes
MulticastDNS setting: no
DNSSEC setting: no
DNSSEC supported: no
DNS Servers: 10.99.0.1
/etc/resolv.conf points to 127.0.0.53, as is the default for using systemd-resolved.
I've tried using NetworkManager's built-in OpenVPN connection, and it neither fixes the DNS issue, nor even sets up routes correctly (so I can't even ping or connect by IP).
Just a few other things that people will probably ask about:
- This setup works for my coworkers on Macs, using Viscosity. It's only Ubuntu/Linux that's failing here on the client side.
- Firewall on OpenVPN server allows port 53 and I can verify with telnet.
- If I set up /etc/resolv.conf to point to my VPN's DNS server (on 10.99.0.1), then DNS resolution works fine. However, resolv.conf is managed by either systemd-resolved or NetworkManager via resolvconf, and I'd like to keep those if possible so as not to upset the Ubuntu apple cart.
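To see from the client side why systemd-resolved can list 10.99.0.1 on tun0 and still not use it for lookups, here is an added example (not from the question, the answer, or the update-systemd-resolved project) that parses the text of `systemd-resolve --status` / `resolvectl status`, as shown above, and flags links that carry DNS servers but no DNS Domain. In systemd-resolved a per-link server is only the preferred target for names under that link's domains; the routing-only domain `~.` makes the link the target for every name. The status sample, the `enp0s3` link and the `lan.example` domain are constructed for the example; the `resolvectl domain` command it suggests is assumed to be available (systemd 239 and later).

```python
"""Report systemd-resolved links whose DNS servers will not be used for
general lookups because the link has no DNS Domain (routing domain).

Added example, not part of the original question or answer.
"""
import re
from typing import Dict, List

# Constructed sample: the tun0 block from the question plus a made-up LAN
# link, in the key/value layout that systemd-resolve --status prints.
SAMPLE_STATUS = """\
Link 26 (tun0)
      Current Scopes: DNS
       LLMNR setting: yes
MulticastDNS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
         DNS Servers: 10.99.0.1

Link 2 (enp0s3)
      Current Scopes: DNS
       LLMNR setting: yes
MulticastDNS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
         DNS Servers: 192.168.1.1
          DNS Domain: lan.example
"""

LINK_RE = re.compile(r"^Link\s+\d+\s+\((?P<name>[^)]+)\)")
# Keys are words and spaces only, so an IPv6 continuation line such as
# "fe80::1" (digits before the colon) is not mistaken for a new key.
KV_RE = re.compile(r"^\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")


def parse_resolved_status(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {link: {"servers": [...], "domains": [...]}} from status text.

    Multi-valued fields continue on indented lines without a "Key:" prefix,
    so a bare value line is attributed to the last key seen.
    """
    links: Dict[str, Dict[str, List[str]]] = {}
    current = None
    last_key = None
    for line in text.splitlines():
        m = LINK_RE.match(line)
        if m:
            current = m.group("name")
            links[current] = {"servers": [], "domains": []}
            last_key = None
            continue
        if current is None or not line.strip():
            continue
        kv = KV_RE.match(line)
        if kv:
            last_key, value = kv.group("key").strip(), kv.group("val").strip()
        else:
            value = line.strip()  # continuation of a multi-valued field
        if last_key == "DNS Servers" and value:
            links[current]["servers"].append(value)
        elif last_key == "DNS Domain" and value:
            links[current]["domains"].append(value)
    return links


def links_missing_routing_domain(links: Dict[str, Dict[str, List[str]]]) -> List[str]:
    """Links with DNS servers but no domain: resolved has no rule that sends
    a name like host.vpn.internal to them in preference to other links."""
    return [name for name, info in links.items()
            if info["servers"] and not info["domains"]]


def suggested_domain_command(link: str, domain: str = "~.") -> str:
    """Assumed fix (resolvectl, systemd >= 239): give the link a routing
    domain. "~." claims every name not matched by a more specific domain
    on another link, i.e. all DNS goes to the VPN's server."""
    return f"resolvectl domain {link} '{domain}'"


if __name__ == "__main__":
    parsed = parse_resolved_status(SAMPLE_STATUS)
    for name in links_missing_routing_domain(parsed):
        print(f"{name}: DNS server(s) {parsed[name]['servers']} but no DNS Domain; "
              f"try: {suggested_domain_command(name)}")
```

To run it against a real client, replace `SAMPLE_STATUS` with `sys.stdin.read()` and pipe `systemd-resolve --status` (or `resolvectl status`) into it; a tun0 entry in the report means the VPN server is configured but not routed, which matches the symptom in the question. The equivalent of the suggested command on systemd 235 to 238 is `systemd-resolve --interface=tun0 --set-domain=~.`, and either setting is lost when the interface goes down, so it belongs in the up script or the pushed options rather than typed by hand.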
Best Answer
First, test connecting from the console:
If you have this error:
then fix /etc/resolvconf/update.d/libc
before
after
Second, add this option to the OpenVPN server config.
Update: DNS requests only via VPN. Search for the UUID of the VPN connection:
After this command, reconnect the VPN. Now all DNS requests go through the VPN.