network-manager-openvpn leaks DNS information on Ubuntu 18.04

Bug #1796648 reported by Gijs Molenaar on 2018-10-08
This bug affects 2 people
Affects Status Importance Assigned to Milestone
network-manager (Ubuntu)

Bug Description

By default when adding a VPN configuration on Ubuntu 18.04 the DNS configuration supplied by DHCP is not used, resulting in DNS leakage.

How to reproduce:

* Add VPN configuration, for example, import an ovpn file
* activate
* Check for DNS leakage at for example

This has been reported at various locations:

The issue has been solved since network-manager-openvpn version 1.12.0:

This version or a more recent version is part of Ubuntu 18.10 which doesn't have this issue.

A workaround is to run:

$ systemd-resolve -i tun2 --set-domain=~.

where tun2 is your VPN interface.

We think this is a security issue and at least a backport of network-manager-openvpn > 1.12.0 should be uploaded to the archive.


 - Gijs

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: network-manager 1.10.6-2ubuntu1
ProcVersionSignature: Ubuntu 4.15.0-36.39-generic 4.15.18
Uname: Linux 4.15.0-36-generic x86_64
NonfreeKernelModules: nvidia_modeset nvidia
ApportVersion: 2.20.9-0ubuntu7.4
Architecture: amd64
CurrentDesktop: ubuntu:GNOME
Date: Mon Oct 8 11:19:00 2018
 # interfaces(5) file used by ifup(8) and ifdown(8)
 auto lo
 iface lo inet loopback
InstallationDate: Installed on 2018-06-06 (123 days ago)
InstallationMedia: Ubuntu 18.04 LTS "Bionic Beaver" - Release amd64 (20180426)
 default via dev enp6s0 proto dhcp metric 100 dev virbr0 scope link metric 1000 linkdown dev docker0 proto kernel scope link src linkdown dev virbr0 proto kernel scope link src linkdown dev enp6s0 proto kernel scope link src metric 100

SourcePackage: network-manager
UpgradeStatus: No upgrade log present (probably fresh install)
 running 1.10.6 connected started full enabled enabled enabled enabled enabled
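
The workaround in the description only takes effect if the `~.` routing domain is actually present on the VPN link. The check below is an added example, not part of the original report: it parses `systemd-resolve --status` text, and the function names, sample addresses and the status layout it is modelled on are assumptions.

```shell
#!/bin/sh
# Usage: systemd-resolve --status | check_vpn_dns_route tun2
# Exit status: 0 = "~." set on the link, 1 = not set, 2 = link not found.
# Also lists resolvers configured on every other link.
check_vpn_dns_route() {
    awk -v vpn="$1" '
        /^Link [0-9]+ \(/ {                 # start of a per-link block
            link = $3; gsub(/[()]/, "", link)
            if (link == vpn) seen = 1
            field = ""; next
        }
        /^Global/   { link = ""; field = ""; next }
        link == ""  { next }                # ignore the Global section
        /^[ \t]*$/  { field = ""; next }    # blank line ends a block
        {
            # "Key: value" starts a field; an indented line without a key
            # continues the previous one (several servers or domains).
            if (match($0, /^ *[A-Za-z][A-Za-z ]*: /)) {
                field = substr($0, 1, RLENGTH - 2); sub(/^ +/, "", field)
                value = substr($0, RLENGTH + 1)
            } else { value = $0; sub(/^ +/, "", value) }
            if (field == "DNS Domain" && link == vpn && value == "~.") routed = 1
            if (field == "DNS Servers" && link != vpn && value != "")
                printf "resolver on non-VPN link %s: %s\n", link, value
        }
        END { if (!seen) exit 2; exit(routed ? 0 : 1) }
    '
}

# Constructed sample modelled on `systemd-resolve --status` output;
# $1 is the DNS Domain value of the VPN link tun2 (addresses are made up).
sample_status() {
    cat <<EOF
Global
          DNSSEC NTA: 10.in-addr.arpa

Link 5 (tun2)
      Current Scopes: DNS
         DNS Servers: 10.8.0.1
          DNS Domain: $1

Link 2 (enp6s0)
      Current Scopes: DNS
         DNS Servers: 192.0.2.53
                      192.0.2.54
          DNS Domain: lan
EOF
}

sample_status 'vpn.example' | check_vpn_dns_route tun2 || echo "tun2: no ~. routing domain (status $?)"
sample_status '~.' | check_vpn_dns_route tun2 && echo "tun2: ~. routing domain is set"
```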

Gijs Molenaar (gijzelaar) wrote :
affects: network-manager (Ubuntu) → network-manager-openvpn (Ubuntu)
Seth Arnold (seth-arnold) wrote :
information type: Private Security → Public Security
Changed in network-manager-openvpn (Ubuntu):
status: New → Confirmed
Seth Arnold (seth-arnold) wrote :

The suggested fix is quite a lot of code churn; I don't know if the security process or SRU process would be more appropriate for this much change. Thoughts?


Sebastien Bacher (seb128) wrote :

The issue is the same as bug #1754671, right?

@Seth, security pocket or not would depend on how much the security team considers it an important security problem...

Seth Arnold (seth-arnold) wrote :

Sebastien, it certainly does look like 1754671. Thanks

fessmage (fessmage) on 2018-11-02
no longer affects: network-manager-openvpn
fessmage (fessmage) wrote :

There are mistypes in the head message and title - it is not network-manager-openvpn that leaks DNS, but network-manager itself. And the version with the fix is network-manager 1.12. I hope the fix will be backported to 1.10 for Ubuntu 18.04 (

Gijs Molenaar (gijzelaar) wrote :

Yes, a backport would be great.

affects: network-manager-openvpn (Ubuntu) → network-manager (Ubuntu)