NetworkManager 1.10.6-2ubuntu1.2 breaks VPN DNS

Status changed to 'Confirmed' because the bug affects multiple users.

Joe, thanks for reporting the bug.
I am unable to reproduce the issue in my test env.

Can you please provide a step-by-step procedure to reproduce it on a clean 18.04 installation?

Thanks.

1) Add an openvpn connection, which emits DHCP DNS servers, and is flagged "use only for resources on this connection"
2) Add a negative dns_priority to the connection via CLI or editing the connection

Prior to the change, this worked fine, you could connect, and the indicated DNS server would become prioritised.

After the change, this no longer works, and networkmanager will not associate a DNS server to the connection at all.

I had the exact same issue, upon upgrading I got the same issues as jhohertz, I followed the above instructions and the issue was fixed.

Joe, I still can't reproduce your issue.
Can you please verify against what I'm trying:
1. Setup a VPN that provides DNS via DHCP
2. Connect to that VPN and verify DNS by:
$ systemd-resolve --status
(...)
Link 4 (tun0)
(...)
DNS Servers: X.X.X.X
(...)
3. Disconnect VPN and edit connection:
$ nmcli connection edit myvpn
nmcli> set ipv4.dns-priority -30
nmcli> save
$ nmcli connection show myvpn | grep dns-priority
ipv4.dns-priority: -30
ipv6.dns-priority: 0

4. Re-connect to VPN and try to reach a name within the VPN:
$ dig some.host.in.my.vpn

I have used:
$ apt-cache policy network-manager
network-manager:
  Installed: 1.10.6-2ubuntu1.2

Please tell me in which of the steps in your case network-manager behaves differently.

Did you ensure that the connection was set for "use only for resources on the connection"? (I believe this may be ipv4.never-default=yes setting in nmcli... and only bring it up because you do not mention it.)

I also think the negative DNS priority might be historical, no longer needed. (I just noticed mine was set to 50, which I believe is default for VPN connections now)

I should also note that if the never-default is set to "no"... I *will* see the DNS server, however the routing is then incorrect as the VPN concerned doesn't provide public routes.

So to be clear... never-default needs to be set to yes... DNS we expect is from DHCP options sent from the VPN server, and the problem is that you will see NO DNS servers for tun0 when you run the 'systemd-resolve --status' command

Thanks Joe.

There has to be another factor coming into play, as my setup contains "use only for resources on its network".

$ nmcli connection show my-vpn | grep -e ipv4.never-default -e ipv4.dns-priority
ipv4.dns-priority: -30
ipv4.never-default: yes

Are you able to test this on Ubuntu 19.10?
It does not have the patch and in my tests it's consistent with what I observe on the patched 18.04.

I can possibly try 19.10 later, however at the moment I only have my LTS laptop to test with.

Just to ensure we've covered any variations, here is a redacted version of my connection file, in case I have missed anything.

[connection]
id=Vxxxxxxx
uuid=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
type=vpn
permissions=user:xxxxxxxx:;
timestamp=1572967683

[vpn]
auth=SHA512
ca=/home/xxxxxxxx/.cert/nm-openvpn/xxx-ca.pem
cert=/home/xxxxxxxx/.cert/nm-openvpn/xxx-cert.pem
cert-pass-flags=0
cipher=AES-256-CBC
comp-lzo=adaptive
connection-type=password-tls
dev=tun
key=/home/xxxxxxxx/.cert/nm-openvpn/xxx-key.pem
password-flags=2
remote=1.vpn.xxxxxxxx.xxx
remote-cert-tls=server
reneg-seconds=604800
ta=/home/xxxxxxxx/.cert/nm-openvpn/xxx-tls-auth.pem
ta-dir=1
username=xxxxxx
service-type=org.freedesktop.NetworkManager.openvpn

[ipv4]
dns-priority=50
dns-search=
method=auto
never-default=true

[ipv6]
addr-gen-mode=stable-privacy
dns-search=
method=auto