network-manager-openvpn leaks DNS information on Ubuntu 18.04

Bug #1796648 reported by Gijs Molenaar
This bug affects 2 people
Affects Status Importance Assigned to Milestone
network-manager (Ubuntu)

Bug Description

By default when adding a VPN configuration on Ubuntu 18.04 the DNS configuration supplied by DHCP is not used, resulting in DNS leakage.

How to reproduce:

* Add VPN configuration, for example, import an ovpn file
* activate
* Check for DNS leakage at for example

This has been reported at various locations:

The issue has been solved since network-manage-open version 1.12.0:

This version or a more recent version is part of Ubuntu 18.10 which doesn't have this issue.

A workaround is to run:

$ systemd-resolve -i tun2 --set-domain=~.

where tun2 is your VPN interface.

We think this is a security issue and at least a backport of network-manage-open > 1.12.0 should be uploaded to the archive.


 - Gijs

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: network-manager 1.10.6-2ubuntu1
ProcVersionSignature: Ubuntu 4.15.0-36.39-generic 4.15.18
Uname: Linux 4.15.0-36-generic x86_64
NonfreeKernelModules: nvidia_modeset nvidia
ApportVersion: 2.20.9-0ubuntu7.4
Architecture: amd64
CurrentDesktop: ubuntu:GNOME
Date: Mon Oct 8 11:19:00 2018
 # interfaces(5) file used by ifup(8) and ifdown(8)
 auto lo
 iface lo inet loopback
InstallationDate: Installed on 2018-06-06 (123 days ago)
InstallationMedia: Ubuntu 18.04 LTS "Bionic Beaver" - Release amd64 (20180426)
 default via dev enp6s0 proto dhcp metric 100 dev virbr0 scope link metric 1000 linkdown dev docker0 proto kernel scope link src linkdown dev virbr0 proto kernel scope link src linkdown dev enp6s0 proto kernel scope link src metric 100

SourcePackage: network-manager
UpgradeStatus: No upgrade log present (probably fresh install)
 running 1.10.6 connected started full enabled enabled enabled enabled enabled
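
One way to confirm that the workaround in the report took effect, as an added example that is not part of the original report: the function reads `systemd-resolve --status` text and passes only if the VPN link alone carries the `~.` routing domain. The names `dns_route_check` and `sample_status` are hypothetical, and the sample status text is constructed, modeled on the per-link layout of that command's output.

```shell
#!/bin/sh
# Added example (not from the bug report). Reads `systemd-resolve --status`
# text on stdin; $1 is the VPN interface. Exit 0 only if that link alone
# carries the "~." routing domain that the workaround sets.
dns_route_check() {
    awk -v vpn="$1" '
    {
        if ($0 ~ /^Link [0-9]+ \(/) {          # new per-link section
            link = $3; gsub(/[()]/, "", link); in_dom = 0; next
        }
        if ($0 ~ /^Global/) { link = ""; in_dom = 0; next }
        if ($0 ~ /^ *DNS Domain:/) {           # first line of the domain list
            in_dom = 1; sub(/^ *DNS Domain:/, "")
        } else if ($0 ~ /:/) {                 # any other field ends the list
            in_dom = 0
        }
        if (in_dom && link != "")
            for (i = 1; i <= NF; i++) if ($i == "~.") route[link] = 1
    }
    END {
        if (!(vpn in route)) { print "LEAK: " vpn " lacks the ~. routing domain"; exit 1 }
        for (l in route) if (l != vpn) { print "LEAK: ~. also set on " l; bad = 1 }
        if (bad) exit 1
        print "OK: only " vpn " routes ~."
    }'
}

# Constructed sample output (addresses and domains are placeholders).
sample_status() {   # $1 = domain list shown for the tun2 link
    cat <<EOF
Global
          DNSSEC NTA: 10.in-addr.arpa

Link 5 (tun2)
      Current Scopes: DNS
         DNS Servers: 10.8.0.1
          DNS Domain: $1

Link 2 (enp6s0)
      Current Scopes: DNS
         DNS Servers: 192.168.1.1
          DNS Domain: lan
EOF
}

sample_status 'vpn.example' | dns_route_check tun2 || true   # before the workaround
sample_status 'vpn.example
                      ~.' | dns_route_check tun2              # after the workaround
```

On a live system the input would come from `systemd-resolve --status | dns_route_check tun2`, with tun2 replaced by the actual VPN interface.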

Gijs Molenaar (gijzelaar) wrote :
affects: network-manager (Ubuntu) → network-manager-openvpn (Ubuntu)
Seth Arnold (seth-arnold) wrote :
information type: Private Security → Public Security
Changed in network-manager-openvpn (Ubuntu):
status: New → Confirmed
Seth Arnold (seth-arnold) wrote :

The suggested fix is quite a lot of code churn; I don't know if the security process or SRU process would be more appropriate for this much change. Thoughts?


Sebastien Bacher (seb128) wrote :

The issue is the same as bug #1754671, right?

@Seth, security pocket or not would depend on how much the security team considers it an important security problem...

Seth Arnold (seth-arnold) wrote :

Sebastien, it certainly does look like 1754671. Thanks

fessmage (fessmage)
no longer affects: network-manager-openvpn
fessmage (fessmage) wrote :

There are mistypes in the head message and title: it is not network-manager-openvpn that leaks DNS, but network-manager itself. And the version with the fix is network-manager 1.12. I hope the fix will be backported to 1.10 for Ubuntu 18.04 (

Gijs Molenaar (gijzelaar) wrote :

Yes, a backport would be great.

Mathew Hodson (mhodson)
affects: network-manager-openvpn (Ubuntu) → network-manager (Ubuntu)