Can't update DNS using OpenVPN

[brunoriscado]

Hi,

I'm having an issue despite following the setup. I'm currently running Ubuntu 16.04 Xenial and using openvpn.

I'm having DNS issues connecting to some AWS hosted applications.

I've installed the update-systemd-resolved binaries and enabled/started the service. Also added the following config to my *.ovpn configuration file:

setenv PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
script-security 2
up /etc/openvpn/scripts/update-systemd-resolved
down /etc/openvpn/scripts/update-systemd-resolved
down-pre

And this to my /etc/nsswitch.conf:

# Use systemd-resolved first, then fall back to /etc/resolv.conf
hosts: files resolve dns myhostname
# Use /etc/resolv.conf first, then fall back to systemd-resolved
hosts: files dns resolve myhostname

When I start the openvpn with my credentials, I can definitely see that the UP/DOWN scripts have been added:

UP:

Wed Oct 18 15:18:33 2017 us=576640 /etc/openvpn/scripts/update-systemd-resolved tun0 1500 1544 11.185.11.138 11.185.11.137 init
<14>Oct 18 15:18:33 update-systemd-resolved: Link 'tun0' coming up
<14>Oct 18 15:18:33 update-systemd-resolved: Adding IPv4 DNS Server xxx.x.x.x (dns name server ip)
<14>Oct 18 15:18:33 update-systemd-resolved: SetLinkDNS(21 1 2 4 10 185 0 2)

Wed Oct 18 15:18:21 2017 us=776291   up_script = '/etc/openvpn/scripts/update-systemd-resolved'

DOWN:

Wed Oct 18 15:18:53 2017 us=130312 /etc/openvpn/scripts/update-systemd-resolved tun0 1500 1544 11.185.11.138 11.185.11.137 init
<14>Oct 18 15:18:53 update-systemd-resolved: Link 'tun0' going down

Wed Oct 18 15:18:21 2017 us=776296   down_script = '/etc/openvpn/scripts/update-systemd-resolved'

However I don't see any changes to my /etc/resolv.conf file, I was expecting to see something like

nameserver xxx.x.x.x in there with my DNS nameserver

But all I see is:

nameserver 192.168.72.8

And I still can't resolv the DNS for my AWS hosted apps, any suggestions?

[piotr-dobrogost]

Which of the three modes of operation described at https://www.freedesktop.org/software/systemd/man/systemd-resolved.service.html#/etc/resolv.conf do you use in regard to /etc/resolv.conf?
You can get curent DNS settings using systemd-resolve --status – see How to troubleshoot DNS with systemd-resolved?

[brunoriscado]

Hi @piotr-dobrogost,

I have /run/systemd/resolve/resolv.conf symlinked to /etc/resolv.conf, however my /etc/resolv.conf is also managed by the ubuntu's NetworkManager service.

systemd-resolve --status return and unreconigzed option (there's no status in the options at all).

I'm using version (as per systemd-resolve --version):

systemd 229
+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ -LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD -IDN

[piotr-dobrogost]

However I don't see any changes to my /etc/resolv.conf file, I was expecting to see something like

You won't see any per this note:

Note the file format's limitations: it does not know a concept of per-interface DNS servers and hence only contains system-wide DNS server definitions.

As to

I have /run/systemd/resolve/resolv.conf symlinked to /etc/resolv.conf, however my /etc/resolv.conf is also managed by the ubuntu's NetworkManager service.

…having both systemd-resolved and NetworkManager manage /etc/resolv.conf at the same time is a bad idea. Starting with version 1.6 NetworkManager should cooperate with systemd-resolved – Support for systemd-resolved local DNS forwarder backend. You should probably find out (by reading NM's docs) how to configure it properly to work with systemd-resolved.

systemd-resolve --status return and unreconigzed option (there's no status in the options at all).

That's because --system switch to systemd-resolve was added in systemd 231. Version 229 is ancient (according to systemd standards) as it was released on 2016-02-11.

[brunoriscado]

So I have my NetworkManager configured to use dns=systemd-resolved, as per the documentation. I can see that my /etc/resolv.conf is a symlink to /run/systemd/resolve/resolv.conf
Added configuration to nsswitch.conf and openvpn configuration... Still no luck.

I'm guessing it's related with the version of NetworkManager I'm using from the default ubutnu repos, Version 1.2.6 and seems to be the latest they offer.

[jonathanio]

@brunoriscado,

I've never been a fan of NetworkManager. 😄 While it's nice to be able to manage your interfaces and their configuration from the toolbar, it comes with a whole host of shortcomings for me which limit flexibility, automatability, and stability.

The question I think here is: What is the nature of the relationship between NetworkManager and systemd-resolved?

NetworkManager has always had a history of being the ultimate authority over what it controlled and it sounds like this carries on here. My script treats systemd-resolved as the single source of truth and commands it to update the DNS settings as requested by OpenVPN and your configuration. However, if NetworkManager is monitoring these changes and either reverting or blocking, them, then you may just find yourself in the situation you see here.

Is there any chance you can look into trying this without NetworkManager being enabled? Maybe kill -9 it once everything is set up to prevent it tearing down established network connections on close (and meaning that a reboot is all that is needed to restore normal service).

Let us know how it goes.