update-resolv-conf script does not restore old values

Bug #226185 reported by Cory Albrecht
Affects: openvpn (Ubuntu)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

The installed script, /etc/openvpn/update-resolv-conf, for adding to the up & down commands in an openvpn config file, simply deletes everything in /etc/resolv.conf when run from a down command.

Because the computer no longer knows any nameservers to contact for resolution, the internet connection is all but lost.

The script should copy the existing resolv.conf (or its settings) to a backup in order to restore them when the VPN terminates.

Thierry Carrez (ttx) wrote :

Thanks for your bug report.

update-resolv-conf uses /sbin/resolvconf (if installed) -a and -d options to handle the update of the /etc/resolv.conf file. If you have resolvconf installed, the /etc/resolv.conf file should no longer be edited by hand, otherwise your changes will be lost at the next update: resolvconf doesn't back up/restore configurations, it builds resolv.conf dynamically.

Try:
$ cp /etc/resolv.conf my_backup_resolv.conf
$ echo nameserver 10.0.0.1 | sudo /sbin/resolvconf -a eth0
$ cat /etc/resolv.conf

$ echo nameserver 192.168.0.1 | sudo /sbin/resolvconf -a eth1
$ cat /etc/resolv.conf

$ sudo /sbin/resolvconf -d eth1
$ cat /etc/resolv.conf
$ sudo mv my_backup_resolv.conf /etc/resolv.conf

You can see that if the original configuration of the /etc/resolv.conf file was created by resolvconf, everything works ok.

So you should decide if you want to use resolvconf to handle your /etc/resolv.conf file: if yes, you should provide the original configuration using /sbin/resolvconf -a to make sure it will not be overwritten by update-resolv-conf. If not, you should create scripts to back up/restore your resolv.conf file and use them (instead of update-resolv-conf) in your openvpn config files.

AFAICT the behavior you're experiencing is the way resolvconf is designed to work. I'll close this bug as invalid, please feel free to reopen it if you think I did not properly understand.

Changed in openvpn:
status: New → Invalid

Cory Albrecht (bytor) wrote :

This bug report is *not* for resolvconf, but for the OpenVPN package, as indicated at the top of this page. Specifically, it is for the script, '/etc/openvpn/update-resolv-conf', which is included in the OpenVPN Ubuntu package.

I do know how resolvconf works, which is why I say this script included with the Ubuntu package for OpenVPN is buggy. Take the following case:

I have /etc/resolvconf/resolv.conf.d/{base|head|etc...} empty because while my laptop is most often at home and the line 'nameserver 192.168.0.1' is appropriate there, it will not be if I am out somewhere. Thus 'base' & 'head' are blank, let the nameserver be assigned via DHCP.

Then I go to a client where I use their wifi, and IP, gateway, and nameserver are assigned by their DHCP. I start openvpn so I can access my home LAN for whatever reason.

Because of the way '/etc/openvpn/update-resolv-conf' script is written, it trashes the nameserver lines added by DHCP for my client's wifi, overwriting them with whatever was specified by my openvpn server at home so I can access all the hosts there by name. Whatever nameserver that was provided by the DHCP on my client's wifi is now gone. I can still access the Internet, websurfing and whatnot, because my named at home is answering all queries across the VPN link.

When I shut down openvpn on my laptop, the '/etc/openvpn/update-resolv-conf' script simply runs 'resolvconf -d ${dev}.inet'. This deletes the nameserver lines which were supplied by openvpn settings on VPN connect. Because the original nameserver line was overwritten and not stored, my resolv.conf no longer has a nameserver line in it. While technically I still have access to the 'Net, since packets will get routed, for all practical purposes I do not because domain names cannot be resolved into addresses.

Simply put, the '/etc/openvpn/update-resolv-conf' provided with the Ubuntu package for OpenVPN does not play nice in an environment where other processes like DHCP clients may also be altering '/etc/resolv.conf'.

Thierry Carrez (ttx) wrote :

Reopening for more discussion.

What are you using as DHCP client? Also, are you using Network-Manager? Are you using Network-Manager-OpenVPN?
I'm still convinced openvpn calls resolvconf properly, however if the other elements of the system (DHCP client / Network Manager...) modify /etc/resolv.conf without using resolvconf, openVPN's update-resolv-conf will indeed trash their settings. The system must either fully use resolvconf or fully use some other way of keeping /etc/resolv.conf sane.

Note that using network-manager-openVPN instead of update-resolv-conf to update /etc/resolv.conf is apparently also buggy (DHCP keeps on overwriting the settings, see bug 247257). Also see bug 107564 for related problems and solutions.
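
Added example, not part of the original thread and not resolvconf's or the OpenVPN package's own code: a simplified shell model of the behaviour discussed above, in which resolv.conf is rebuilt from per-interface records on every add or delete. The interface name wlan0, the addresses, and the model_* and scenario_* functions are assumptions made for illustration; the record name tun0.inet follows the `${dev}.inet` form quoted in the report.

```sh
# Simplified model of resolvconf (an assumption for illustration, not the
# real /sbin/resolvconf): one record file per interface, and resolv.conf is
# regenerated from the records after every add or delete.
model_init() {                      # $1 = scratch directory
    RC_DIR=$1
    mkdir -p "$RC_DIR/run"
    : > "$RC_DIR/resolv.conf"
}
model_rebuild() {                   # rebuild resolv.conf from all records
    : > "$RC_DIR/resolv.conf"
    for rec in "$RC_DIR"/run/*; do
        [ -f "$rec" ] && cat "$rec" >> "$RC_DIR/resolv.conf"
    done
    return 0
}
model_add() {                       # like "resolvconf -a IFACE" (record on stdin)
    cat > "$RC_DIR/run/$1"
    model_rebuild
}
model_del() {                       # like "resolvconf -d IFACE"
    rm -f "$RC_DIR/run/$1"
    model_rebuild
}
count_nameservers() {
    grep -c '^nameserver ' "$RC_DIR/resolv.conf" || true
}

# Case 1: the DHCP client registers its nameserver through the model.
scenario_all_resolvconf() {
    model_init "$(mktemp -d)"
    echo 'nameserver 192.168.1.1' | model_add wlan0      # constructed DHCP value
    echo 'nameserver 10.8.0.1' | model_add tun0.inet     # constructed VPN value
    model_del tun0.inet                                  # VPN goes down
    count_nameservers
    rm -rf "$RC_DIR"
}

# Case 2: the DHCP client writes resolv.conf directly, bypassing the records.
scenario_mixed() {
    model_init "$(mktemp -d)"
    echo 'nameserver 192.168.1.1' > "$RC_DIR/resolv.conf"
    echo 'nameserver 10.8.0.1' | model_add tun0.inet     # rebuild drops the DHCP line
    model_del tun0.inet                                  # nothing left to rebuild from
    count_nameservers
    rm -rf "$RC_DIR"
}

echo "everything via resolvconf: $(scenario_all_resolvconf) nameserver(s) after VPN down"
echo "DHCP wrote the file directly: $(scenario_mixed) nameserver(s) after VPN down"
```

In the second case the file ends up with no nameserver at all, which is the symptom in the original report; real resolvconf also applies interface ordering and base/head files, which this model leaves out.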

Changed in openvpn:
status: Invalid → New

Cory Albrecht (bytor) wrote :

Sorry for the delay in getting back to you.

Unfortunately, my laptop died shortly after you responded and I have not been able to resuscitate it. You might as well close this bug and when I buy a new laptop for Ubuntu I shall attempt to recreate the problem and resubmit at that point.

Thanks for trying to help me with this, I appreciate it.

Thierry Carrez (ttx) wrote :

Let's set it to Incomplete, so that you can complete it in the future (or someone else can).
Thanks!

Changed in openvpn:
status: New → Incomplete

rlogiacco (rlogiacco) wrote :

I'm running Ubuntu Hardy 64bit and I'm experiencing the same problem with the openvpn script. In addition, it seems unable to restore the previous configuration while going down, leaving resolv.conf with the entries added on start.

I'm using NetworkManager to manage connections and I use a wireless in roaming mode and a cable in roaming mode; I connect from the office, at home and at my girlfriend's home.

Tom Dickson (8-launchpad-bombcar-com) wrote :

This bug is happening to me on Hardy Heron. I'm using OpenVPN and I need to add a search domain and a dns server line so that the internal VPN hosts will resolve correctly, but when the VPN disconnects the internal nameservers are left in /etc/resolv.conf and not refreshed.

I'm using wicd instead of Network Manager because Network Manager doesn't remember the wireless settings after reboot. As it is, the system would require a manual interface restart to get the original DHCP information back after the OpenVPN tunnel is taken down. I'm working on how to do this automatically.

Tom Dickson (8-launchpad-bombcar-com) wrote :

Weird. I'm actually getting a different issue now after a reboot cleared things out - the original DHCP hostname and DNS address are staying in resolv.conf, and the new server line is being added. After the OpenVPN tunnel goes down, the VPN server stays in resolv.conf.

Tom Dickson (8-launchpad-bombcar-com) wrote :

With wicd this is working correctly, as long as I don't tell OpenVPN to drop privileges to nobody/nogroup (because then running the downscript will fail!).

I recommend changing update-resolv-conf's header to mention this gotcha, as such:

# Parses DHCP options from openvpn to update resolv.conf
# To use set as 'up' and 'down' script in your openvpn *.conf:
# up /etc/openvpn/update-resolv-conf
# down /etc/openvpn/update-resolv-conf
#
# You must have resolvconf installed, and OpenVPN will need to run as root to
# allow the down script to work; the up script will always run as root
#
# Used snippets of resolvconf script by Thomas Hood <email address hidden>
# and Chris Hanson
# Licensed under the GNU GPL. See /usr/share/common-licenses/GPL.

Thierry Carrez (ttx) wrote :

Tom Dickson: your request is a separate issue. This bug was about update-resolv-conf not restoring old values, and will be set to Invalid since update-resolv-conf works properly. To avoid confusion, could you please file a separate bug about adding documentation to make it clearer how to use update-resolv-conf?
Thanks in advance.

Changed in openvpn:
status: Incomplete → Invalid

sefs (sefsinc) wrote :

Thank you Tom Dickson. That little tip helped a lot. That should really be in the comments of the file.
