Ubuntu
openvpn package

  1. Bug #1211110
  2. Comment #55

Comment 55 for bug 1211110

Revision history for this message
Marco (marcoalexandrerico) wrote :

Hi,

I also thought I had a bug on this, but actually the problem is configuration of search domains for VPN resolutions.
I have an updated Ubuntu 16.04 and the scenario described here works for me.

Network Manager uses dnsmasq for DNS resolution so the /etc/resolv.conf name server is always 127.0.1.1 independently of the VPN being up or down. Don't expect /etc/resolv.conf to change nameserver values.
The only thing that is updated in resolv.conf are the search domains.
Having 127.0.1.1 in resolv.conf points the DNS resolutions to the dnsmasq daemon which is running locally.

In the scenario that you have an ethernet connection and a VPN connection, you need first to decide if you want your traffic all to go through the VPN connection or not. This is done by the configuration "Use this connection only for the resources on its network" inside IPV4 Settings->routes (it can also be forced by the VPN Server, just check where is pointing the first 0.0.0.0 route in netstat -r).
In my case VPN server is not forcing and I want traffic to go through both interfaces (split tunnel) so the option is checked.

With the VPN up you'll have DNS servers for the ethernet connection and the DNS servers for the VPN connection. They can be automatically given by DHCP or statically assigned by you. You can even add additional DNS servers to the ones you receive automatically.
Having DNSs in both sides you need to use search domains to decide if you are going to use DNS from one side or the other.
Similar to the DNS servers you can also receive those search domains by DHCP for each interface and you can also add your own.

The problem I had with resolution was that I was trying to resolve VPN domains which where not being pushed as a search domain by the VPN and so they were being sent to the ethernet DNSs instead of the VPN DNSs.
Basically to solve this I had to add the VPN search domains manually in IPV4 Settings.
(easier than ask VPN server admins to push the correct search domains when the VPN comes up)

Hope this helps.