Comment 50 for bug 1211110

Mathieu Trudel-Lapierre (cyphermox) wrote :

I've maintained NetworkManager for a while, and routinely use OpenVPN for various things. Pushing nameservers from the openvpn server to the client works as intended, as far as I can tell. If you use the default settings, which I believe are to tunnel everything through the VPN, you will only use the nameservers pushed by your VPN, and if using split tunnelling, you will use any nameservers already defined for your "local" connection, PLUS VPN nameservers.

All this is handled by dnsmasq, and largely depends on what information it is fed. In the case where there are no search domains passed by the VPN server, all we can do is add the nameserver from the VPN as an IP address. In this case, if split tunnelling is enabled, DNS requests may happen on any of the nameservers defined, regardless of whether they come from the ISP, from the VPN, or elsewhere.

If no split-tunnelling is being done, then the VPN nameserver(s) REPLACES the nameserver otherwise set in dnsmasq. Along with the fact that all the traffic is routed through the VPN, this means all the network traffic will happen over the VPN, including DNS requests.

You can check in NM, under the connection's IPv4 and IPv6 tabs, behind the "Routes.." button, if "Use this connection only for the resources on its network" checkbox is checked. If you want all traffic to go through the VPN, it *MUST NOT* be checked. If you want to use split tunnelling, then it can, but you should configure your VPN to pass search domains along with the nameservers to ensure they are only used on the right domains.

Things have been working this way at least for a few releases, probably since Trusty (14.04). Bugs happen here and there of course, but we've been fixing them as they popped up. The important thing here is that they need to be well defined, explained so that we really understand what is the issue you're facing, what kind of VPN you use, and how your system (and more importantly your VPN connection) is configured.

Setting up VPNs correctly typically requires a fair amount of understanding of how networks work in general, along with the extra knowledge of what VPNs do exactly. If you're not the person who configured the VPN servers, it's *much* better to ask them to file a bug here to explain the issue in as much detail as possible, and including any non-security-sensitive details about the VPN setup as they can.

Additionally, we've done a "minor" fix in 16.10 (the development release) to avoid leaking search domains (see https://launchpad.net/ubuntu/+source/network-manager/1.2.2-0ubuntu4). If you feel like you've been seeing this, you may want to try out Ubuntu using a live CD to see if the fix provided helps with your particular setup.

Finally, from the looks of things and from my experience with these kinds of bugs, there are far too many comments on this bug for everyone to be having the exact same issue, considering things appear to largely work correctly to me. What this means is that many of the commenters here are actually seeing quite different issues; maybe related to VPN, maybe not -- any bugs can be fixed, but they need to be isolated correctly...

In other words, if you think you are seeing this bug here, and that the description and comments above look like a problem you've been having, then please file a new bug report, just for you (or have your VPN administrator do it), with as much information as possible about the issue, and we'll look at them individually. It's easier to mark bugs as duplicates later if they really are the same than to split them up when there are tons of me-toos.

In the meantime, I'm setting this bug as Incomplete; there currently isn't enough information to know what has been happening exactly; and I'd rather see individual good bug reports than risk ignoring one genuine problem among a sea of comments.
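
The three cases described in the comment above (full tunnel, split tunnel without search domains, split tunnel with search domains) can be modelled to see which upstream resolvers may receive a given query. This is an added example, not part of the original comment and not NetworkManager or dnsmasq code; it assumes the resolver set is expressed as dnsmasq `server=` directives, and every address and domain in it is a constructed sample value.

```python
# Added example: a model of dnsmasq upstream selection, not NetworkManager code.
# All addresses and domains below are constructed sample values.

def parse_servers(lines):
    """Turn dnsmasq 'server=' directives into (domains, ip) pairs.

    'server=192.0.2.53'             -> ([], ip): usable for any name
    'server=/corp.example/10.8.0.1' -> (['corp.example'], ip): that domain only
    """
    servers = []
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if not line.startswith("server="):
            continue
        value = line[len("server="):]
        if value.startswith("/"):
            *domains, ip = value[1:].split("/")
        else:
            domains, ip = [], value
        servers.append(([d.lower() for d in domains], ip))
    return servers

def eligible_upstreams(name, servers):
    """Upstreams that may receive a query for name: most specific domain wins."""
    name = name.rstrip(".").lower()
    best_len, best = -1, []
    for domains, ip in servers:
        for dom in domains or [""]:          # "" stands for an unscoped server
            if dom and name != dom and not name.endswith("." + dom):
                continue
            if len(dom) > best_len:
                best_len, best = len(dom), [ip]
            elif len(dom) == best_len and ip not in best:
                best.append(ip)
    return best

def off_vpn(name, servers, vpn_ips):
    """Upstreams outside the VPN that could see a query for name."""
    return [ip for ip in eligible_upstreams(name, servers) if ip not in vpn_ips]

VPN = {"10.8.0.1"}
SCENARIOS = {
    "full tunnel": ["server=10.8.0.1"],
    "split, no domains": ["server=192.0.2.53", "server=10.8.0.1"],
    "split, with domain": ["server=192.0.2.53", "server=/corp.example/10.8.0.1"],
}

if __name__ == "__main__":
    for label, conf in SCENARIOS.items():
        print(label, off_vpn("wiki.corp.example", parse_servers(conf), VPN))
```

A non-empty result for an internal name means that query can reach a resolver outside the VPN, which is the split-tunnel case without search domains.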