Ubuntu 18.04 no DNS resolution when connected to OpenVPN

Problem

The file /etc/resolv.conf does not get updated by the /etc/openvpn/update-resolv-conf script because resolvconf is not installed by default on ubuntu 18.04.

In fact, one of the first lines of that script checks for the /sbin/resolvconf executable:

[ -x /sbin/resolvconf ] || exit 0

Installing resolvconf via apt-get is not a solution as the /etc/openvpn/update-resolv-conf script updates the /etc/resolv.conf file with the pushed DNS entry but the tun device seems to ignore it.

Solution

1. Ubuntu 18.04 uses systemd-resolved, so all you have to do is install the openvpn helper script for systemd-resolved via

   sudo apt install openvpn-systemd-resolved
   

   or with these GitHub instructions

2. Update your config.ovpn file adding these lines:

   script-security 2
   up /etc/openvpn/update-systemd-resolved
   down /etc/openvpn/update-systemd-resolved
   down-pre
   

   That instead of adding up and down of /etc/openvpn/update-resolv-conf to the conf.

3. To prevent DNS Leakage, you should add this line to the end of the config.ovpn file (according to this systemd issue comment):

   dhcp-option DOMAIN-ROUTE .
   

I found a solution on this blog post. While there are two solutions mentioned, I prefer using the second one because it means my DNS is set by the OpenVPN server (the first solution means I use the same DNS servers whether or not I'm connected to the OpenVPN server).

In short:

• sudo mkdir -p /etc/openvpn/scripts
• sudo wget https://raw.githubusercontent.com/jonathanio/update-systemd-resolved/master/update-systemd-resolved -P /etc/openvpn/scripts/
• sudo chmod +x /etc/openvpn/scripts/update-systemd-resolved

Then edit your OpenVPN client file (e.g. client.ovpn) by changing the up/down scripts to:

script-security 2
# up /etc/openvpn/update-resolv-conf
# down /etc/openvpn/update-resolv-conf
up /etc/openvpn/scripts/update-systemd-resolved
down /etc/openvpn/scripts/update-systemd-resolved

(I have commented out the original up/down settings).

Actually, there is a much easier solution to this problem. The issue is with DNS traffic and how Ubuntu 18 manages that. By default IP forwarding is disabled which is what OpenVPN needs in order to provide proper networking. All you have to do is run the following command:

sudo nano /etc/sysctl.conf

Once you have this file opened, look for the line that contains net.ipv4.ip_forward. If this line is commented, remove the # sign at the front of the line (if it is not commented then you have another issue). Save the file and then restart your OpenVPN server instance.

This fix does not require any modifications to the client or OpenVPN code following upgrade to Ubuntu 18. Tested and confirmed working.

However, this obviously requires you can administer the server. And unfortunately, the bug exists for many who just connect with 18.04 to an OpenVPN server that is administered by somebody else...

Tested on Ubuntu 18.04 at 13 Sep 2018

There is another useful command to setup what you need via command line. You can control your VPN connection both with command line and GUI.

sudo nmcli connection add type vpn vpn-type openvpn con-name la.vpn.contoso.com ifname --

ifname -- is the required by default, but does not affect anything

sudo nmcli connection modify la.vpn.contoso.com ipv4.dns 172.16.27.1
sudo nmcli connection modify la.vpn.contoso.com ipv4.dns-search int.contoso.com
sudo nmcli connection modify la.vpn.contoso.com ipv4.never-default yes

never-default should not use remote gateway as default route

And much more interested final touch:

nmcli connection modify la.vpn.contoso.com vpn.data 'ca = /tmp/la.vpn.contoso.com/you/ca.crt, key = /tmp/you.key, dev = tun, cert = /tmp/you.crt, cert-pass-flags = 1, comp-lzo = adaptive, remote = la.vpn.contoso.com:1194, connection-type = tls'

Afterwards you can control vpn with GUI or use following commands:

sudo nmcli --ask connection up la.vpn.contoso.com
sudo nmcli connection down la.vpn.contoso.com

I'm impacted too. In my case, I'm using OpenVPN with an internal name server (which is inside the VPN). That worked until Ubuntu 17.10 (with hosts: files dns in /etc/nsswitch.conf).

/etc/resolv.conf was updated correctly by the openvpn scripts (through calls to /etc/openvpn/update-resolv-conf in the openvpn client configuration file).

However, name resolution for hosts inside the VPN was not working any more (or at least sporadically... I guess the local DNS cache was picking the names, but after a rather long time).

What seems to help, or even resolve the issue (though that's too early to say) is to install the below package:

sudo apt install openvpn-systemd-resolved

If your system is using NetworkManager, then you may only need to change the connection's DNS priority, as per this answer:

nmcli -p connection modify VPN_CONNECTION_NAME ipv4.dns-priority -1

In my case, the DNS was being updated, but ignored as the existing DNS servers had precedence. You may need root/sudo. If that doesn't work, try ipv6.dns-priority.

None of the proposed CLI-oriented (non-NetworkManager) solutions worked for me (I don't even have up and down lines in myconfig.ovpn).

However, I've found that NetworkManager VPN seems to work again (it did not work a year or two ago, which is why I switched to openvpn CLI then). I did not tweak it in any way: just tried to activate it with the appropriate credentials.