network manager openvpn dns push data not updating system DNS addresses

Status changed to 'Confirmed' because the bug affects multiple users.

I am having the same issue on Ubuntu 13.04. But i don't have it on my other machine that is running 12.04 LST

I'm running 12.04LTS and this effects me. Massively painful that I cannot get DNS servers added from our openvpn server.

It seems that the fix suggested in description will not work because /etc/openvpn/update-resolv-conf updates /etc/resolv.conf (it adds the DNS server sent by openvpn server to this file). However /etc/resolv.conf is automatically updated by network manager, second line of this file says:

# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN

Not sure what the proper solution is, maybe the entries should be added to some file in /etc/resolvconf/resolv.conf.d/ and /etc/resolv.conf should be regenerated?

I have the same problem on Ubuntu 14.04 Trusty Tahr.

Not sure this is a bug, though, just a M$ Windows-only feature as it's a TCP/IP extended property. The man page for OpenVPN describes --dhcp-option as a Windows-specific option.

If the OpenVPN server pushes a DNS server address to the client with, eg

dhcp-option DNS 8.8.8.8

then on a Linux platform this option is not actioned by the client. Instead it is copied to a set of incrementally numbered local environment variables named

foreign_option_{n}

which are available to scripts run by the --up and --down OpenVPN options.

The /etc/openvpn/update-resolve-conf script provided with the OpenVPN package parses these environment variables and
calls resolvconf to effectively do the same job in a Linuxy way.

Comment #5 is invalid since the script uses resolvconf to update /etc/resolv.conf -- it is not edited directly.

This is not, therefore, an OpenVPN bug, excepting that the current OpenVPN solution requires a reduced security policy by allowing builtin executables and scripts to be called when, by design, this is normally prohibited by default.

It is a feature request for Network Manager, though.

Feature request?

Status changed to 'Confirmed' because the bug affects multiple users.

Would love to see this feature to make a very popular VPN client work seamlessly with Ubuntu. I'm on 14.04 and trying to figure out a work-around for this (probably will disable resolvconf).

Works for me after disabling NetworkManager's own dnsmasq. I'm using trusty with the following versions:

* network-manager 0.9.8.8-0ubuntu7pitti1
* network-manager-openvpn 0.9.8.2-1ubuntu4
* network-manager-openvpn-gnome 0.9.8.2-1ubuntu4
* openvpn 2.3.2-7ubuntu3

I can confirm that this bug does not occur when you disable dnsmasq for NetworkManager.

However, I wanted to add how you can do so:
Open /etc/NetworkManager/NetworkManager.conf in an editor and change
dns=dnsmasq
to this:
#dns=dnsmasq

Then, restart NetworkManager:
sudo service network-manager restart

I'd like to point out that the description of the bug is inaccurate. When networkmanager uses dnsmasq, resolv.conf should not be updated when new dns servers must be used. Instead, networkmanager needs to update dnsmasq's configuration. And it does not do that, which is a problem.

Proper description should be:
network manager openvpn dns push data not updating system dns addresses

I can confirm that the problem exists on 14.10.

Whether this is a bug or feature request, I don't know, but to be sure, it is possible to do this with a .conf file and "sudo service openvpn start" and not possible to do it via network-manager-openvpn (unless you count disabling dnsmasq--I'm curious what side effects this has). As described in the original report, I have verified that these lines in a .conf file allow the server to configure DNS (as long as the server pushes 3 or more DNS servers):

  script-security 2
  up /etc/openvpn/update-resolv-conf
  down /etc/openvpn/update-resolv-conf

but network-manager-openvpn does not support the 'up' and 'down'.

This same issue was addressed here:

  http://askubuntu.com/questions/519920/how-to-run-an-up-script-using-network-manager-openvpn

Actually, I'd like to retract part of what I said above. Via tcpdump, I was able to confirm that --push on the server for "dhcp-option DNS ..." and "redirect-gateway" ARE ACTUALLY WORKING, though the changes are not visible in /etc/resolv.conf. Rather, they are updated in dnsmasq and resolv.conf points to dnsmasq. (I don't think the "def1" flag for "redirect-gateway" works.)

In my view, two things are needed: (1) a documented way to view the list of DNS servers within Network Manager's dnsmasq so folks here can watch what is happening without tcpdump, and (2) support for "dhcp-option DNS ..." and "redirect-gateway" on the client (not just options pushed from the server). The first item seems more important and should be much easier.

I can confirm this is still an issue in Ubuntu 14.04 LTS using network-manager-openvpn.

disabling dnsmasq does not fix the issue.

In my opinon this issue is critical since it renders the use of openvpn practically useless through network manager gui.

And even in Ubuntu 15.04 the bus still exists. This is a total show stopper for using Ubuntu in a company environment.

On 04/29/2015 04:16 PM, JanMalte wrote:
> And even in Ubuntu 15.04 the bus still exists. This is a total show
> stopper for using Ubuntu in a company environment.

While not as user friendly, interacting with OpenVPN's init script works
well in that regard. One only need to enable the update-resolv-conf
helper script:

 script-security 2
 up /etc/openvpn/update-resolv-conf
 down /etc/openvpn/update-resolv-conf

That said, I don't know if the init script is still shipped in Vivid as
OpenVPN now supports systemd.

HTH,
Simon

This is still a bug on 14.04 LTS and the suggested workarounds don't work. Can someone suggests a working workaround?

The init script was shipped with my copy of Ubuntu 15.04 and is present in "/etc/openvpn" however the initial bug/problem still remains...

Still a problem with 14.04.02

This work-around works for me .... but I have no idea what the side effects may be:

Open /etc/NetworkManager/NetworkManager.conf in an editor and change
dns=dnsmasq
to this:
#dns=dnsmasq

Then, restart NetworkManager:
sudo service network-manager restart

Still this is a problem. It is a horrible bug and prevent us from using network manager at all, which is highly inconvenient and nearly breaks the whole system and causes many problems. PLEASE FIX THIS, or tell us how to modify dnsmasq so that it uses the right dns server

I have found a work-around for 14.04 LTS. It's not the prettiest one but it works. When I started a vpn connection and then ran
ps -efwww | grep vpn
I could see that the openvpn is already called with flags "--script-security 2 --up /usr/lib/NetworkManager/nm-openvpn-service-openvpn-helper". So the following can be performed.

sudo cp /usr/lib/NetworkManager/nm-openvpn-service-openvpn-helper /usr/lib/NetworkManager/nm-openvpn-service-openvpn-helper.orig

sudo nano /usr/lib/NetworkManager/nm-openvpn-service-openvpn-helper
--- Add the following 3 lines to the file. ---
#!/bin/bash
/etc/openvpn/update-resolv-conf $@
/usr/lib/NetworkManager/nm-openvpn-service-openvpn-helper.orig $@
--- End---

sudo chmod +x /usr/lib/NetworkManager/nm-openvpn-service-openvpn-helper

Now here is the really ugly part. Since openvpn was not called with the --down flag, you should run the following command every single time the vpn connection is closed.
Change the device name according to your connection settings.

sudo script_type=down dev=tun0 /etc/openvpn/update-resolv-conf

Also problem in 15.10

Same issue for me on 15.10, but it didn't happen on 15.04.

Using the script-security 2 option in the configuration file, everything works correctly when run from command line: "sudo openvpn --config file.ovpn"

For me, this problem only happens when connecting through Network Manager.

I just discovered this issue in a newly upgraded version of Lubuntu 15.10. I tried two of the possible solutions in this thread. The "sudo openvpn --config file.ovpn" doesn't work for me, it gives an error: "Error: Object 'nm' is unknown"... This DNS leak is really annoying because it makes my vpn connection useless!

This bug is also in Xenial Xerus development.
Sites that use SSO keeps login user out as moving around.
Any dns leak site confirms the leak only on the newer versions of Ubuntu.
This DNS leak is really annoying because it makes my vpn connection useless!

A simple workaround is to edit your VPN connection (via NM) and set up static DNS, for example using Google servers:

8.8.8.8, 8.8.4.4

This way, the DNS request is sent through an external IP, hence it is routed using the VPN. If you were using the default DNS from your router (probably an internal IP like 192.168.x.y) then the DNS request would go outside the VPN.

I just discovered that Google provides also IPv6 servers, by searching for "IPv6 DNS Servers" on DuckDuckGo (a very convenient table of DNS servers by provider shows up).

@Andrea, I tried that, but then my VPN connection uses the static servers. And unless Google DNS connections are encrypted, it's still a DNS leak.

Tristan, how is that a leak? Connections to 8.8.8.8 will go through the VPN, not outside of it. By the way, the problem remaining is that sometimes NM seems to still use the DNS of the router as well. It's as if without VPN you have say 192.168.0.1 as primary DNS, but with VPN you get these DNS servers:

8.8.8.8
8.8.4.4
192.168.0.1 (for example)

Then sometimes the third DNS receives the query. I will experiment with setting the static DNS to the Wi-Fi connection as well. Of course it would be easier if this bug actually gets fixed.

Andrea, a DNS Leak is defined as any DNS traffic going outside your VPN's assigned servers. Even if 8.8.8.8 goes through the VPN, it's still leaking your traffic. https://www.dnsleaktest.com/what-is-a-dns-leak.html

I'm glad to see that I am not the only one fighting this issue on Ubuntu 15.10. This is a real show stopper to this being brought into a production environment. I found the same as post from Tristan on 2015-12-11. I CAN run command line but it is a pain to enter my username/pwd every time I need to launch VPN. There is definitely a bug in how the network manager runs openvpn.

Surprised to see this has been open over 2 years.

I had some dns leaks in 16.04 as I posted above but it seems the updates over the last few days fixed them. Wished I would have tested for leaks as the updates were coming in.

DaveHenson,
It doesn't solve the bug, but I think you can solve the problem of entering your usr/pwd on each connect in terminal by adding your usr/pwd to a simple text file (e.g., file.txt) that is literally nothing but your credentials:

(line 1) usr
(line 2) pwd

located in the same dir. where your .conf or .ovpn file is located. Be sure also to change this credential file's permissions to read/wrt for root only (chmod 600).

Then just change the .conf file itself to include the line
`auth-user-pass file.txt`

Hope this helps.

Thank you Zephyr for the tip. That does help me automate the login somewhat.

As for the fix Sam mentioned, I've been applying every update available for 15.10 and while I thought it was fixed after initial testing, I have found that the DNS is still leaking after subsequent tests. I admit though I have not yet installed 16.04 to verify the fix. Fingers crossed that it really is finally fixed!

just installed 14.04 then upgraded to 16.04 today's daily build. unfortunately still see the DNS leaking issue.

Really OpenVPN is not a high enough priority for Canonical to have it fixed in over 2 years ?!

I thought Ubuntu was supposed to be a replacement OS for businesses ...

anyhow, it is possible to run the configurations using the command line.

It is a joke to explain to users of other 'OSes' that Ubuntu does not have a GUI that works with OPENVPN.

Apologies for the ranting ... but I do believe it to be necessary.

about running the OPENVPN via command-line

it is possible to have the option of using a file with the USERNAME & PASSWORD for the OPENVPN stored in a safe location (if you believe that!)

you can add the following into the config:

auth-user-pass {fullpath to file with USERNAME & PASSWORD}

this file should only contain 2 line: the first with the USERNAME & the 2nd with the PASSWORD

Good Luck!

I am using Ubuntu 16.04 64-bit and I have tried every option I can find on this thread and on google but nothing seems to work.

The only thing I can do is change my entire systems DNS to the DNS servers of my VPN service for now.

I did find a tutorial on the program dnscrypt which has a PPA that will encrypt your DNS. I'm going to give that a try.

Thanks to whoever comes up with a solution.

Running the following command from Terminal solved to problem for me. Only hassle is that I have to log in every time with my pass and username (for vpn): sudo openvpn --config file.ovpn

Be sure to find the correct folder where the relevant ovpn file is via terminal, and then execute the before mentioned command.

Signed up just to show my frustration with this particular bug and am currently upgrading to 16.04 with fingers crossed that Sam was correct and this has been rectified.

I have this issue on ubuntu 16.04.

My current workaround to stop the leak is to add entries such as.

```
cat /etc/NetworkManager/dnsmasq.d/hosts.conf
server=/mydomain/dnsip
```

Hopefully dns don't change much. Filename is not important. It's gonna be pickup by the NM and dnsmasq.

I don't know what part of the big thing it is no trigging the update...

it seems that dnsmasq is creating this problem. Is it possible to setup dnsmasq resolving multiple DNS for IP?

Folks i resolv my issue of splitting VPN and DNs leaking with hosts.conf and parameters:

strict-order
server=/sub.dom/10.100.11.116
server=/dom/10.100.11.66
server=//10.100.22.11
server=/100.10.in-addr.arpa/ #

it seems that NM works quite fine;-)

This might be my a-ha moment from comment # 64 "after upgrading to 16.10, yes it is even worse, the first VPN connection works as it should, but after disconnect/connect, DNS from VPN isn't propagated"

I came to this bug because suddenly my VPN connection wasn't working when I *swear* it was yesterday. I didn't have (/don't remember having!) any problems under 16.04, obviously the 16.10 update was recent. I'm about to reboot - if it comes right after that, then I'll be able to confirm this diagnosis. That said, interesting discussion on http://askubuntu.com/questions/838948/16-10-fail-to-resolve-dns - is dnsmasq out of the equation now? That would suggest problems with upgrading from 16.04 to 16.10 not reconfiguring (and maybe the commenting-out of dns=dnsmasq is the missing sort of step).

Also agree with Mathieu in comment # 50 that this bug report is way past its use-by date. It was started for 13.04 and now we're discussing the 16.04 to 16.10 upgrade? Similar symptoms, but highly unlikely that the same remedy would work across all these versions.

On 16.10 - Confirmed that after reboot, my VPN-pushed DNS comes back, on second connection it is missing. I've logged a fresh Bug #1644098 pertaining ONLY to this issue. (Please don't pollute it with "DNS doesn't work at all" comments!)

Probably duplicate of https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1390623

Since this number comes before the other, if it were a duplicate, it would be the other way around.
While maybe related it is another bug related to ipv6 as far as I can read.

The pile of crap coming from changes in networkmanager, vpn, dnsmasq or wherever they come from is horrible : I have never had so many things breaking over a release and never so vital.

While I am not happy with the content and tend to disagree, please follow the suggestion of post 50. Let's try to be as specific as possible and file the bugs like that. Thank you

[Expired for openvpn (Ubuntu) because there has been no activity for 60 days.]

[Expired for network-manager (Ubuntu) because there has been no activity for 60 days.]

Hello,

I have the same issue on ubuntu 16.10 yakkety

This issue still exists in Xenial for me.

Same issue on ubuntu 16.10 yakkety too.

I suggest following the workaround in comment #58 by Micah Mangione (ok123jump-z).

$ git clone https://github.com/masterkorp/openvpn-update-resolv-conf
$ sudo chmod +x ~\openvpn-update-resolv-conf\*.sh && sudo mv *.sh /etc/openvpn
$ sudo apt-get install openresolv nscd unbound

Then add these lines to \etc\openvpn\*.ovpn:

script-security 2
up "/etc/openvpn/update-resolv-conf.sh /etc/openvpn/update-systemd-network.sh"
down "/etc/openvpn/update-resolv-conf.sh /etc/openvpn/update-systemd-network.sh"

This worked perfectly in my case (Ubuntu 16.04.1 LTS Xenial + OpenVPN 2.3.10).

@msclectera, the problem is not in OpenVPN config files. The problem is in NetworkManager (that does not store configs in .ovpn format and does not support running update-resolv-conf.sh).

Most (if not all) of us are already using OpenVPN configs that include up and down scripts, nevertheless these settings get lost when imported into NM. Of course openvpn from terminal works, but that is not really the point of this bug.

It is still present in Kubuntu 17.04

Can confirm: Still present in Kubuntu 17.04.

Excerpt from /var/log/syslog:

May 9 10:52:20 edbook NetworkManager[938]: <info> [1494319940.4289] vpn-connection[0x561ae8e38690,34bc52ee-321f-42eb-af39-9dfc33ee2c5c,"WorkVPN",7:(tun0)]: Data: Internal DNS: 10.42.10.2
May 9 10:52:20 edbook NetworkManager[938]: <info> [1494319940.4289] vpn-connection[0x561ae8e38690,34bc52ee-321f-42eb-af39-9dfc33ee2c5c,"WorkVPN",7:(tun0)]: Data: DNS Domain: '[localdomain_propagated_by_vpn]'

----

ico@edbook:~$ nmcli device show tun0
GENERAL.DEVICE: tun0
GENERAL.TYPE: tun
GENERAL.HWADDR:
GENERAL.MTU: 1500
GENERAL.STATE: 100 (connected)
GENERAL.CONNECTION: tun0
GENERAL.CON-PATH: /org/freedesktop/NetworkManager/ActiveConnection/10
IP4.ADDRESS[1]: 10.52.0.2/24
IP4.GATEWAY:
IP4.ROUTE[1]: dst = 10.42.0.0/18, nh = 10.52.0.1, mt = 50
IP4.ROUTE[2]: dst = 10.42.90.0/24, nh = 10.52.0.1, mt = 50
IP4.ROUTE[3]: dst = 10.42.80.0/24, nh = 10.52.0.1, mt = 50
IP6.ADDRESS[1]: fe80::e9e3:17e7:f72:e672/64
IP6.GATEWAY:

Also, since dnsmasq appears not to be used anymore in favor of systemd-resolved, the "old" workaround of commenting out the
dns=dnsmasq
line in NetworkManager.conf isn't applicable anymore.

On Ubuntu 17.04, I could get this working with the following steps:

1. rm -rf /etc/resolv.conf

This will tell systemd-resolved not to manage resolve.conf file. Simply disabling systemd-resolved service does not work because of some other depending service is enabled and starts systemd-resolved anyway.

2. Add this line to the [main] section of /etc/NetworkManager/NetworkManager.conf
dns=dnsmasq

Appeartently network manager manages its own instance of dnsmasq so if you have dnsmasq package installed, you should make sure the dnsmasq service is not enabled otherwise this will not work. You can also install dnsmasq-base package instead, which does not include a systemd unit.

A reboot probably is also necessary, I did these via ansible playbooks to create bootable images so this was the case for me. Restarting network manager service might also work.

Hope this helps, best

Ubuntu 16.04.

Problem exists

wow, this was opened in 2013...linux users are really patient! I will restart my Ubuntu Mate and boot into Win10...where I can use openvpn config files...pushed dns server...log verbosity...

Pls don't get me wrong...I love linux...but bugs like this one gets me nuts...2013...wow...even I know to use the command line quite well...this is not user friendly at all...

peace out!

Actually it was solved on 17.04 :)

https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1624317/comments/82

Enjoy!

@Silas
Linux users are patient indeed and they are certainly not waiting for useless comments like yours.
If you want to contribute, educate yourself and try to help out. Ranting does contribute NOTHING.
So if you really love Linux, think about that.
Try to follow the rules regarding the bug report and contribute where you can and people will like it.

Nobody asked you to use Ubuntu, if you're happy with windows 10 (which probably nobody else here is) then use it and be happy, why post here?
Don't forget Linux is a community effort and the ways to fix certain problems is difficult.
However, making an effort to get it to work will teach you and will get you appreciation from others.

As bagl0312 commented already, your point is not even viable, because the issue was fixed in 17.04 by a patch.
If you google the issue for older versions, you will probably land on a page that describes how to fix that too:
https://askubuntu.com/questions/838948/16-10-fail-to-resolve-dns
 and see work arounds in this thread, so your comment is really just bad timing.

Please think twice before you post something and read the rules.
Thanks to the relentless efforts of the community, this is fixed and work is going on to get this in the main version(s).

It still exists in 16.04.

As said above, it is fixed in 17.04 so you just have to upgrade.

@andrea-lazzarotto thank you for your information. I saw, that it is fixed in 17.04, but I would like to stay on long-term-support version and I still hope that it will be fixed for 16.04 too. I understand that it cannot be fixed for all possible versions, but IMHO LTS version should have this privilege.

This issue has been bothering more of a hundred users for more than a year. In my case there was a workaround at some point, by downgrading openvpn to an older version (can't remember which).

Being so prevailing and old, it is quite disgraceful that this is not being addressed on Ubuntu 16 LTS.

Instead, I see some wall of text here (e.g. comment 80) trying to excuse the inexcusable.

This is still an issue in Ubuntu 17.10

Though it seems to fix if you restart NetworkManager first before connecting to the VPN.

sudo service NetworkManager restart

I confirm that the DNS leakage problem is still present in ubuntu 17.10

Here's how you fix the issue:

This is a bug that's fixed in upstream NetworkManager. That said, the various GUI tools which write the NetworkManager config files haven't been updated to ensure that DNS leaks are prevented when using vpn connections.

To prevent system dns from appearing and being used in /etc/resolv.conf when using a VPN, edit your vpn configuration (i.e. the file in /etc/NetworkManager/system-connections/<vpn name>) so it's something like this:

[ipv4]
dns=<vpn dns server ip address>;
ignore-auto-dns=true
method=auto
dns-priority=-1

the negative dns-priority means only this dns server will be used.
Then reload the config file:
sudo nmcli c reload <vpn name>

and toggle the vpn.

/etc/resolv.conf should now only include the one dns ip address defined in the config file.

References:
https://developer.gnome.org/NetworkManager/stable/settings-ipv4.html
https://bugzilla.gnome.org/show_bug.cgi?id=758772

I can confirm the workaround in #92 for my 16.04.3 LTS installation.

I have also just encountered this problem on 18.04 development branch.

I am having the same problem with Ubuntu 18.04 LTS release

Having the same problem with Ubuntu 18.04 LTS release.

@hnasarat, can I set up two DNS servers this way?

I had this same issue and I circumvented it installing the update-systemd-resolved script through the openvpn-systemd-resolved package.

Yesterday I installed the updates on my Ubuntu 18.04 and it broke. I reported it to the other package, but it seems the root cause is in NM: https://github.com/jonathanio/update-systemd-resolved/issues/64#issuecomment-494128506

> update-systemd-resolved is not getting called on the up command at all, however, /usr/lib/NetworkManager/nm-openvpn-service-openvpn-helper is. This seems to be taking over control. Looking at #20 on the OpenVPN tracker, it doesn't support multiple up commands. It also fails silently and there seems to be no interest in fixing it...

> You should see these under DNS Servers and one of them selected for Current DNS Server when you look at the systemd-resolve --status for tun0. If not, then this should be considered an upstream bug for NetworkManager, as the helper is not sending the correct settings through the DBus connection to NetworkManager (or NetworkManager is not acting on it properly if it is).

@alessandro-lai85, could you open a new report? If that problem just started then it might be a side effect of the recent network-manager SRU update. Could you also try downgrading to the previous version (https://launchpad.net/~ubuntu-security/+archive/ubuntu/ppa/+build/15599058) to see if that resolves the issue?

I can confirm that downgrading fixes the issue. I'll open a new report.

Done: https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1829838

@gatopeich

Please don't load the bug description with personal opinions. Comment 50 is from an Ubuntu developer expert in the area, explains why this particular "report" cannot make progress, provides a path forward for users affected by these symptoms and so is the most relevant for users first finding this bug to read. Let's not put them off by wording that makes it seem like nothing can be done.

[Expired for openvpn (Ubuntu) because there has been no activity for 60 days.]

[Expired for network-manager (Ubuntu) because there has been no activity for 60 days.]