Comment 6 for bug 1820278

I assume there is "systemd-resolved is running, so using resolvconf: /run/systemd/resolve/resolv.conf" in the deamon logs, or I don't understand what is going on at all.

I think there is a docker bug upstream here: if it sees a systemd-resolved process and /run/systemd/resolve/resolv.conf exists, it assumes systemd-resolved and copies /run/systemd/resolve/resolv.conf into the container. But it doesn't check that /etc/resolv.conf is a symlink to ../run/systemd/resolve/stub-resolv.conf, which is probably should.

Although... reading your report again, I wanted to check, when you activate the VPN does the /etc/resolv.conf symlink get replaced with a regular file? Or does the VPN software mutate /run/systemd/resolve/stub-resolv.conf? Because if it's the latter I'm not sure what docker can really do.