Ubuntu 18.04 no DNS resolution when connected to OpenVPN

Problem

The file /etc/resolv.conf does not get updated by the /etc/openvpn/update-resolv-conf script because resolvconf is not installed by default on ubuntu 18.04.

In fact, one of the first lines of that script checks for the /sbin/resolvconf executable:

[ -x /sbin/resolvconf ] || exit 0

Installing resolvconf via apt-get is not a solution as the /etc/openvpn/update-resolv-conf script updates the /etc/resolv.conf file with the pushed DNS entry but the tun device seems to ignore it.

Solution

  1. Ubuntu 18.04 uses systemd-resolved, so all you have to do is install the openvpn helper script for systemd-resolved via

    sudo apt install openvpn-systemd-resolved
    

    or with these GitHub instructions

  2. Update your config.ovpn file adding these lines:

    script-security 2
    up /etc/openvpn/update-systemd-resolved
    down /etc/openvpn/update-systemd-resolved
    down-pre
    

    That instead of adding up and down of /etc/openvpn/update-resolv-conf to the conf.

  3. To prevent DNS Leakage, you should add this line to the end of the config.ovpn file (according to this systemd issue comment):

    dhcp-option DOMAIN-ROUTE .
    

I found a solution on this blog post. While there are two solutions mentioned, I prefer using the second one because it means my DNS is set by the OpenVPN server (the first solution means I use the same DNS servers whether or not I'm connected to the OpenVPN server).

In short:

  • sudo mkdir -p /etc/openvpn/scripts
  • sudo wget https://raw.githubusercontent.com/jonathanio/update-systemd-resolved/master/update-systemd-resolved -P /etc/openvpn/scripts/
  • sudo chmod +x /etc/openvpn/scripts/update-systemd-resolved

Then edit your OpenVPN client file (e.g. client.ovpn) by changing the up/down scripts to:

script-security 2
# up /etc/openvpn/update-resolv-conf
# down /etc/openvpn/update-resolv-conf
up /etc/openvpn/scripts/update-systemd-resolved
down /etc/openvpn/scripts/update-systemd-resolved

(I have commented out the original up/down settings).


Actually, there is a much easier solution to this problem. The issue is with DNS traffic and how Ubuntu 18 manages that. By default IP forwarding is disabled which is what OpenVPN needs in order to provide proper networking. All you have to do is run the following command:

sudo nano /etc/sysctl.conf

Once you have this file opened, look for the line that contains net.ipv4.ip_forward. If this line is commented, remove the # sign at the front of the line (if it is not commented then you have another issue). Save the file and then restart your OpenVPN server instance.

This fix does not require any modifications to the client or OpenVPN code following upgrade to Ubuntu 18. Tested and confirmed working.

However, this obviously requires you can administer the server. And unfortunately, the bug exists for many who just connect with 18.04 to an OpenVPN server that is administered by somebody else...