Ubuntu 18.04 no DNS resolution when connected to OpenVPN
Problem
The file /etc/resolv.conf does not get updated by the /etc/openvpn/update-resolv-conf script because resolvconf is not installed by default on Ubuntu 18.04.
In fact, one of the first lines of that script checks for the /sbin/resolvconf executable:
[ -x /sbin/resolvconf ] || exit 0
Installing resolvconf via apt-get is not a solution, as the /etc/openvpn/update-resolv-conf script updates the /etc/resolv.conf file with the pushed DNS entry but the tun device seems to ignore it.
Solution
Ubuntu 18.04 uses systemd-resolved, so all you have to do is install the openvpn helper script for systemd-resolved via
sudo apt install openvpn-systemd-resolved
or with these GitHub instructions.
Update your config.ovpn file, adding these lines:
script-security 2
up /etc/openvpn/update-systemd-resolved
down /etc/openvpn/update-systemd-resolved
down-pre
That is instead of adding up and down of /etc/openvpn/update-resolv-conf to the conf.
To prevent DNS leakage, you should add this line to the end of the config.ovpn file (according to this systemd issue comment):
dhcp-option DOMAIN-ROUTE .
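The directives listed in this answer can be checked mechanically before connecting. The shell function below is an added example, not part of the original answer or of the update-systemd-resolved project; the names check_ovpn_dns, active_lines and need, and the sample config, are made up for illustration. It accepts the helper at either install path used on this page and also flags a still-enabled update-resolv-conf hook.

```shell
# Added example (not from the original answers): lint an OpenVPN client config
# for the systemd-resolved DNS directives listed above.

# active_lines FILE: print directives with comments and padding stripped.
active_lines() {
    sed -e 's/[#;].*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1"
}

# check_ovpn_dns FILE: print one line per problem, return the problem count.
check_ovpn_dns() {
    conf=$1 problems=0
    # Both install paths used on this page are accepted.
    helper='/etc/openvpn/(scripts/)?update-systemd-resolved'
    sp='[[:space:]]+'
    need() {  # need REGEX LABEL
        active_lines "$conf" | grep -E "$1" >/dev/null && return 0
        echo "missing: $2"; problems=$((problems + 1))
    }
    # script-security 2 or higher is needed before OpenVPN runs up/down scripts.
    need "^script-security${sp}[23]\$" 'script-security 2'
    need "^up${sp}${helper}\$"         'up update-systemd-resolved'
    need "^down${sp}${helper}\$"       'down update-systemd-resolved'
    need '^down-pre$'                  'down-pre'
    # The page adds this routing-domain line to prevent DNS leakage.
    need "^dhcp-option${sp}DOMAIN-ROUTE${sp}\\.\$" 'dhcp-option DOMAIN-ROUTE .'
    # The old hook exits early when /sbin/resolvconf is absent, so flag it.
    if active_lines "$conf" |
        grep -E "^(up|down)${sp}/etc/openvpn/update-resolv-conf\$" >/dev/null; then
        echo 'stale: update-resolv-conf hook still enabled'
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed sample: a client config with only the up/down hooks switched over.
sample=$(mktemp)
cat > "$sample" <<'EOF'
script-security 2
# up /etc/openvpn/update-resolv-conf
up /etc/openvpn/scripts/update-systemd-resolved
down /etc/openvpn/scripts/update-systemd-resolved
EOF
check_ovpn_dns "$sample" || echo "$? problem(s) found"
rm -f "$sample"
```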
I found a solution on this blog post. While there are two solutions mentioned, I prefer using the second one because it means my DNS is set by the OpenVPN server (the first solution means I use the same DNS servers whether or not I'm connected to the OpenVPN server).
In short:
sudo mkdir -p /etc/openvpn/scripts
sudo wget https://raw.githubusercontent.com/jonathanio/update-systemd-resolved/master/update-systemd-resolved -P /etc/openvpn/scripts/
sudo chmod +x /etc/openvpn/scripts/update-systemd-resolved
Then edit your OpenVPN client file (e.g. client.ovpn) by changing the up/down scripts to:
script-security 2
# up /etc/openvpn/update-resolv-conf
# down /etc/openvpn/update-resolv-conf
up /etc/openvpn/scripts/update-systemd-resolved
down /etc/openvpn/scripts/update-systemd-resolved
(I have commented out the original up/down settings).
Actually, there is a much easier solution to this problem. The issue is with DNS traffic and how Ubuntu 18 manages that. By default IP forwarding is disabled which is what OpenVPN needs in order to provide proper networking. All you have to do is run the following command:
sudo nano /etc/sysctl.conf
Once you have this file opened, look for the line that contains net.ipv4.ip_forward. If this line is commented, remove the # sign at the front of the line (if it is not commented then you have another issue). Save the file and then restart your OpenVPN server instance.
This fix does not require any modifications to the client or OpenVPN code following upgrade to Ubuntu 18. Tested and confirmed working.
However, this obviously requires that you can administer the server. And unfortunately, the bug exists for many who just connect with 18.04 to an OpenVPN server that is administered by somebody else...