My company has a VPN that I need to connect to. In OSX, I do this by using openvpn
with the following configuration:
client
dev tun
proto udp
remote <GATEWAY_ADDRESS> <PORT>
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
ca /Users/Tommy/.openvpn/dev/ca-dev.crt
cert /Users/Tommy/.openvpn/dev/tommy.brunn-20131122-dev.crt
key /Users/Tommy/.openvpn/dev/tommy.brunn-20131122-dev.key
ns-cert-type server
tls-auth /Users/Tommy/.openvpn/dev/ta-dev.key 1
cipher BF-CBC
comp-lzo
verb 3
auth-nocache
;daemon
;writepid openvpn.pid
In Ubuntu, I've installed network-manager-openvpn and added a new VPN connection (trying to import the config file caused a crash) with the same configuration options set: Screenshots of my settings
Once I connect to the VPN, I can't resolve any domains whatsoever.
If I edit /etc/NetworkManager/NetworkManager.conf, comment out the line dns=dnsmasq and restart network-manager, I can resolve internal domains from my company, but other domains like google.com won't resolve at all. I've made sure to set my "Method" to "Automatic (VPN) addresses only" in the IPv4 and IPv6 tabs of the network manager for my VPN connection, but it doesn't seem to make any difference.
I've also tried re-enabling dnsmasq and modifying /etc/resolvconf/resolv.conf.d/base to contain nameserver 127.0.1.1, then running sudo resolveconf -u, but then no domains will resolve again.
What I would like is to be able to connect to my VPN so that domains pushed by my company's DNS server are resolved that way, and all other domains are resolved normally.
EDIT: Turns out dnsmasq wasn't actually installed, which I thought it would be by default. Nevertheless, if I install it, re-enable it in /etc/NetworkManager/NetworkManager.conf, add the local nameserver address in /etc/resolvconf/resolv.conf.d/base, restart all the services and connect to the VPN, I can resolve domains from the company DNS, but I can't resolve any other domains. So basically the same situation as when I disabled dnsmasq entirely.
EDIT: Contents of /etc/dnsmasq.conf: http://paste.ubuntu.com/7297231/
From your configuration, your dnsmasq installation is getting the list of DNS servers to use from /etc/resolv.conf. By default, dnsmasq tries to favor using DNS servers that are up, but will only send a given request to a single DNS server. This can cause problems if you have multiple DNS servers that can/will only serve certain queries.

I believe you can solve this issue by making sure you have a DNS server on your LAN (the one you use when you aren't connected to the VPN) set up in /etc/resolv.conf, as well as the DNS server on the corporate network you want to use over the VPN. Then, you will need to edit /etc/default/dnsmasq and add or edit the DNSMASQ_OPTS= line to include --all-servers.

If you are still unable to get DNS queries with this setup, copy the resolv.conf file you created during the steps above to another location, like ~/resolv.conf, set /etc/resolv.conf up with nameserver 127.0.0.1 and set the following option in /etc/dnsmasq.conf:

That should configure your system to query your dnsmasq installation for DNS, and it will in turn use both your local DNS server and the VPN DNS server for every query.
Edit: You can find the DNS servers you are currently using for a particular connection using the nmcli tool. For finding the DNS servers used by my wireless connection, I used the following syntax:

If you run this command while you are not connected to your VPN, and then again when you are connected and are able to resolve your corporate addresses, you should get your list of DNS servers off and on the VPN. I hope this helps.
Edit 2: Looking at your routing tables, it appears your VPN administrator has set you up to route all your traffic through the VPN while you're connected (your default gateway changes to a VPN address). Since both of your DNS servers are public addresses, and neither has a specific route set up while you are on the VPN, you are trying to do normal DNS lookups through the VPN and that is what is failing.
You may have a couple of ways to make this work, depending on your VPN setup:
If the VPN will allow you to access the internet through the corporate network, but not perform DNS queries to servers on the internet, add routes to your DNS servers like so: sudo route add -host 83.255.245.11 gw 192.168.0.1, and sudo route add -host 193.150.193.150 gw 192.168.0.1 after connecting to the VPN.
If the VPN will not allow you to access the internet through the corporate network, you will need to change the default gateway settings on your computer to point at 192.168.0.1 after you connect to the VPN. In this case, you will want to set up your usual default gateway and then add network routes to access VPN-only equipment.
You may need to whittle down your routing table in the connected-to-the-VPN case shown in your second pastebin to the following:
Then, add routes as you need to in order to access the corporate equipment. In the routing table shown above I have assumed a /24 network on the VPN, which may be incorrect. You'll have to set the mask appropriately.
There are some gaps that I can't fill in for you related to how to get NetworkManager to coordinate things for you. I'll try though to clarify how the things it coordinates need to work. Not a perfect answer, but hopefully useful. Actually, given that this is an old question, this is really for posterity.
You probably don't want to use the corporate VPN, except for connections to the corporate network. That being the case, it'd be better if your VPN setup only routes the appropriate network ranges to the VPN, and keeps the default route pointing to your local router, as before. It'd be nice if companies set up their VPNs to only route the traffic for their networks, but unfortunately that seems to be rare. Fortunately you can configure the routes in your local setup.
That still leaves you with a potential DNS problem. jtk123's comments about what dnsmasq does with DNS are not dnsmasq-specific - that's the way DNS works. If a DNS client, or intermediary resolver, gets a response that a DNS entry does not exist, then it is not normal behaviour to fall back to asking another DNS server. That means you need a DNS resolver that will answer as you want it to whether the request relates to the company network or not.
Maybe your company network answers DNS queries relating to the broader internet, in which case you just use it, and that's probably OK. Otherwise, you need a local DNS server which forwards requests for domains associated with the company to their DNS server, and forwards other requests elsewhere as appropriate.
dnsmasq can be told to forward requests for specific domains to specific upstream DNS servers, e.g. see the --server option as outlined in the dnsmasq.conf man page. I'm not clear though how to get NetworkManager to play nice with that (which is what I'm currently looking to find out).
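One way to combine the pieces from both answers, added here as an example that is not from either answerer or the asker: jtk123's local dnsmasq behind nameserver 127.0.0.1 in /etc/resolv.conf and the Edit 2 routing changes, plus the per-domain --server forwarding the later answer points at, all applied from a NetworkManager dispatcher script when the VPN comes up. The dispatcher path, interface names, corporate domain, address ranges and resolver addresses are constructed placeholders, and the script assumes a stand-alone dnsmasq (not NetworkManager's dns=dnsmasq plugin) that reads /etc/dnsmasq.d.

```shell
#!/bin/sh
# Added example, not from the thread: a NetworkManager dispatcher script (say
# /etc/NetworkManager/dispatcher.d/90-corp-split), run by NM as "<iface> <action>".
# On vpn-up it keeps the LAN router as default gateway, routes only the corporate
# range through the tunnel and sends only corporate names to the VPN resolver.
# Assumes a stand-alone dnsmasq reading /etc/dnsmasq.d, with /etc/resolv.conf set
# to nameserver 127.0.0.1. Every address and name here is a constructed placeholder.
set -eu
CORP_DOMAIN="corp.example"     # zone the company DNS answers for
CORP_REV="10.in-addr.arpa"     # reverse zone covering CORP_NET
CORP_NET="10.10.0.0/16"        # corporate range reachable only via the tunnel
CORP_DNS="10.10.0.53"          # company resolver (normally pushed by the VPN)
LAN_DNS="192.168.0.1"          # resolver used when off the VPN (the router here)
LAN_GW="192.168.0.1"           # local router: stays the default gateway
LAN_DEV="wlan0"
CONF="/etc/dnsmasq.d/corp-vpn.conf"

# dnsmasq fragment: CORP_DOMAIN and its reverse zone go to CORP_DNS, everything
# else to LAN_DNS; no-resolv stops dnsmasq from also reading /etc/resolv.conf
# (which now points back at dnsmasq itself).
split_dns_conf() {
    printf 'no-resolv\n'
    printf 'server=/%s/%s\n' "$CORP_DOMAIN" "$CORP_DNS"
    printf 'server=/%s/%s\n' "$CORP_REV" "$CORP_DNS"
    printf 'server=%s\n' "$LAN_DNS"
}

# Route commands for tunnel device $1: drop the pushed default (a plain default
# or OpenVPN's 0.0.0.0/1 + 128.0.0.0/1 pair), restore the LAN default, then
# route only the corporate range via the tunnel. Emitted as text for review/test.
split_routes() {
    tun="$1"
    printf 'ip route del default dev %s 2>/dev/null || true\n' "$tun"
    for half in 0.0.0.0/1 128.0.0.0/1; do
        printf 'ip route del %s dev %s 2>/dev/null || true\n' "$half" "$tun"
    done
    printf 'ip route replace default via %s dev %s\n' "$LAN_GW" "$LAN_DEV"
    printf 'ip route replace %s dev %s\n' "$CORP_NET" "$tun"
}

# NM exports VPN_IP_IFACE (e.g. tun0) for vpn-* actions; fall back to $1.
case "${2:-}" in
    vpn-up)
        split_routes "${VPN_IP_IFACE:-$1}" | sh
        split_dns_conf > "$CONF"
        service dnsmasq restart   # SIGHUP does not make dnsmasq re-read its config
        ;;
    vpn-down) rm -f "$CONF"; service dnsmasq restart ;;
esac
```

NetworkManager only runs dispatcher scripts that are executable, owned by root and not writable by group or others, so check the file mode after installing it.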