Any DNS defined in network-manager doesn't go in OpenVPN tunnel (leaks on GNOME/MATE/Xubuntu only in 21.10)

Bug #1948533 reported by Tiphen Ti
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
network-manager (Ubuntu) | Expired | Undecided | Unassigned |

Bug Description

In all Linux, including Ubuntu up to version 21.04, when DNS is set to not automatic in Network Manager and one DNS is set manually (example 1.1.1.1), when OpenVPN is used the DNS is going through the VPN tunnel.
On Ubuntu 21.10 (I tested Ubuntu, Ubuntu MATE and Xubuntu) I can affirm the DNS in this case is not going through the VPN. It is leaking. I have used Ubuntu for years; this is the first time this problem occurs (21.10). (And it's not just a question of packages, because on my Arch Linux installs I never had such a problem, so it must be a config problem.)

(When using the packages stubby or dnscrypt-proxy (to encrypt DNS queries) and DNS 127.0.0.1 is set in network-manager, the DNS does go through the VPN, but the stubby service sometimes needs to be reloaded; it is less reliable than it used to be with previous versions of Ubuntu.)

(I cannot speculate where the bug is from (network-manager, systemd-resolved, etc.).)

Tags: jammy impish
Tiphen Ti (ti2222)
information type: Private Security → Public Security
Norbert (nrbrtx)
tags: added: impish
Norbert (nrbrtx)
tags: added: jammy
Marc Deslauriers (mdeslaur) wrote :

If you look into the openvpn configuration file that Network Manager creates for your connection in /etc/NetworkManager/system-connections, could you please paste the [ipv4] and [ipv6] sections?

no longer affects: ubuntu
Changed in network-manager (Ubuntu):
status: New → Incomplete
information type: Public Security → Public
Tiphen Ti (ti2222) wrote : Re: (No Subject)

for Marc Deslauriers

Hi,
OpenVPN doesn't create any file in /etc/NetworkManager/system-connections
(I don't have any script up option in my OpenVPN config files since I want Network Manager to define DNS, not OpenVPN; it worked perfectly until Ubuntu version 21.1

Here for the wired connection, in /etc/NetworkManager/system-connections:

[ipv4]
dns=1.1.1.1;
dns-search=
ignore-auto-dns=true
method=auto

[ipv6]
addr-gen-mode=stable-privacy
dns-search=
method=disabled

Tiphen Ti (ti2222) wrote :

Hi Marc,

Will the issue of the DNS specified in network-manager not being forwarded in the VPN tunnel when using OpenVPN (a bug occurring ONLY on the current Ubuntu 21.10) be solved in the next Ubuntu release?
I really hope so, since it will be an LTS.

(DNS leaks are common on Linux when using OpenVPN, and putting one (whichever one) in NM is such a simple and universal fix, one I recommend to all my friends and clients...)

I tried other distros (Fedora, Debian 10 and 11, Manjaro); none are affected.

I need to know if I need to leave Ubuntu (currently reverted to Ubuntu 20.04, which is not affected by this; up to 21.04 Ubuntu was behaving as expected on this).
I used ubuntu for nearly 10 years but this issue is critical for me.
Thanks a lot

Launchpad Janitor (janitor) wrote :

[Expired for network-manager (Ubuntu) because there has been no activity for 60 days.]

Changed in network-manager (Ubuntu):
status: Incomplete → Expired
iMac (imac-netstatz) wrote :

We have noticed this as well. Using VPN we use a special resolver to handle private IP space, and now, looking into this further it does look like the network-manager is ignoring the dns= specified in the system-connections (set via the network manager settings gui).

My settings are below, noting X.X.X.X is where my DNS resolver IP address would normally be and X.com is what I placed in any domain search field.

A quick check from the command line shows the server is reachable, and responding properly, just not receiving any requests.

[ipv4]
dns=X.X.X.X;
dns-search=
ignore-auto-dns=true
method=auto

[ipv6]
addr-gen-mode=stable-privacy
dns-search=
method=auto

It doesn't appear there are any overrides, and netplan shows NetworkManager should be controlling everything. nmcli confirms the DNS is set

$ nmcli conn show "MyVPNConnectionName" | grep dns
connection.mdns: -1 (default)
ipv4.dns: X.X.X.X
ipv4.dns-search: --
ipv4.dns-options: --
ipv4.dns-priority: 0
ipv4.ignore-auto-dns: yes
ipv6.dns: --
ipv6.dns-search: --
ipv6.dns-options: --
ipv6.dns-priority: 0
ipv6.ignore-auto-dns: no

$ cat /etc/network/interfaces
# interfaces(5) file used by ifup(8) and ifdown(8)
auto lo
iface lo inet loopback

$ netplan get
network:
  version: 2
  renderer: NetworkManager

$ cat /etc/resolv.conf | grep -v "#"

nameserver 127.0.0.53
options edns0 trust-ad
search X.com

In nmcli, I did notice that tun0, spawned as a separate connection, has no DNS defined

$ nmcli conn show "tun0" | grep -i dns
connection.mdns: -1 (default)
ipv4.dns: --
ipv4.dns-search: --
ipv4.dns-options: --
ipv4.dns-priority: 100
ipv4.ignore-auto-dns: no
ipv6.dns: --
ipv6.dns-search: --
ipv6.dns-options: --
ipv6.dns-priority: 100
ipv6.ignore-auto-dns: no

I also see the DNS for the actual wired or wireless connection in use is defined, and so must be superseding the OpenVPN defined setting.

It does seem like a priority issue, whereby the VPN connection should have priority. In my case both the VPN and the default WiFi connection have priority "0"

$ nmcli conn show "MyVPNConnectionName" | grep priority
connection.autoconnect-priority: 0
ipv4.dns-priority: 0
ipv6.dns-priority: 0

So it seems I would need to change the relative priority to solve this problem. Lower value is higher priority.

Network Manager should be setting the default connection to 100, and the VPN to 50, per some Network Manager defaults.

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_networking/configuring-the-order-of-dns-servers_configuring-and-managing-networking

This document also suggests if they are the same (mine...
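
The dns-priority rule discussed in the comment above (lower value wins; a stored 0 falls back to 50 for VPN profiles and 100 for others), as an added example that is not from the bug report or from NetworkManager: it ranks `nmcli conn show`-style output for the profiles active while the VPN is up and flags a non-VPN resolver that is not ranked behind the VPN's. The profile names, the documentation-range addresses and the negative-priority exclusion rule (taken from NetworkManager's settings documentation) are assumptions added here, and systemd-resolved's own behaviour is not modelled.

```python
# Added example; models only NetworkManager's documented dns-priority ordering.
VPN_DEFAULT, OTHER_DEFAULT = 50, 100   # defaults applied when dns-priority is 0
VPN_TYPES = {"vpn", "wireguard"}

def parse_profile(text):
    """Parse the 'key: value' lines printed by `nmcli conn show NAME`."""
    props = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props

def effective_priority(props):
    """A stored 0 means 'use the default', which depends on connection.type."""
    raw = int(props.get("ipv4.dns-priority", "0"))
    if raw != 0:
        return raw
    return VPN_DEFAULT if props.get("connection.type") in VPN_TYPES else OTHER_DEFAULT

def rank(profiles):
    """Return (DNS servers in priority order, warnings) for active profiles."""
    rows = []
    for name, text in profiles.items():
        props = parse_profile(text)
        dns = props.get("ipv4.dns", "--")
        servers = [] if dns in ("", "--") else [s.strip() for s in dns.split(",")]
        rows.append((effective_priority(props), name, servers,
                     props.get("connection.type") in VPN_TYPES))
    rows.sort(key=lambda row: row[0])          # lower value = higher priority
    if rows and rows[0][0] < 0:                # negative: exclude greater values
        rows = [row for row in rows if row[0] == rows[0][0]]
    vpn = [prio for prio, _, servers, is_vpn in rows if is_vpn and servers]
    warnings = []
    for prio, name, servers, is_vpn in rows:
        if is_vpn and not servers:
            warnings.append(f"{name}: VPN profile defines no DNS server")
        elif not is_vpn and servers and (not vpn or prio <= min(vpn)):
            warnings.append(f"{name}: DNS not ranked behind a VPN resolver")
    return [s for _, _, servers, _ in rows for s in servers], warnings

def sample(ctype, dns, prio):
    """Constructed nmcli-style text; addresses are documentation ranges."""
    return (f"connection.type: {ctype}\nipv4.dns: {dns}\n"
            f"ipv4.dns-priority: {prio}\n")

if __name__ == "__main__":
    active = {"Wired": sample("802-3-ethernet", "192.0.2.53", 0),
              "MyVPN": sample("vpn", "198.51.100.53", 0)}
    print(rank(active))
```
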
