OpenVPN Client Ignores DNS

Bug #691723 reported by Cerin on 2010-12-17
This bug affects 6 people
Affects Status Importance Assigned to Milestone
openvpn (Ubuntu)

Bug Description

Binary package hint: openvpn

The openvpn client does not correctly update /etc/resolv.conf with DNS data provided by the openvpn server.

The log shows the client is receiving control messages containing valid DNS.

e.g. Fri Dec 17 16:17:35 2010 PUSH: Received control message: 'PUSH_REPLY,route,dhcp-option DNS,dhcp-option DOMAIN,route,topology net30,ping 10,ping-restart 120,ifconfig'

However, I'm unable to resolve any VPN-specific domains until I manually add the DNS and DOMAIN values to my /etc/resolv.conf. Even then, the mechanism that normally maintains this file appears to periodically revert the file to the original values.

I've tried installing both Network-Manager xor Wicd network managers, as well as resolvconf, but I'm still required to manually edit /etc/resolv.conf in order to use my VPN.

Openvpn, or some proxy program for openvpn, should update /etc/resolv.conf with the DNS and DOMAIN received through control messages. e.g.


ProblemType: Bug
DistroRelease: Ubuntu 10.04
Package: openvpn 2.1.0-1ubuntu1.1
Uname: Linux 2.6.32-020632-generic x86_64
NonfreeKernelModules: wl nvidia
Architecture: amd64
Date: Fri Dec 17 16:15:17 2010
InstallationMedia: Ubuntu 9.10 "Karmic Koala" - Release amd64 (20091027)
 PATH=(custom, user)
SourcePackage: openvpn

Cerin (chrisspen) wrote :
Thierry Carrez (ttx) wrote :

This is what /etc/openvpn/update-resolv-conf should do. This is not done automatically, you have to enable it in your openvpn config.
Do you have the following in your openvpn configuration:

up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf


Changed in openvpn (Ubuntu):
status: New → Incomplete
Cerin (chrisspen) wrote :

I added those two lines to the end of my vpn.conf, which I execute like:

sudo openvpn --config vpn.conf

However, after the script reports "Initialization compete", the only data added to my resolve.conf are two nameserver entries, neither of which is the nameserver specified in the push command. The domain and search entries aren't added either. Therefore, I'm still unable to resolve domains inside the VPN.

The following are the contents of my vpn.conf file:

dev tun
script-security 2
proto udp
remote 1194
resolv-retry infinite
ca ca.crt
cert myuser.crt
key myuser.key
verb 3
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

Are there any other directives that I should add?

Thierry Carrez (ttx) wrote :

Hm, I think the problem comes from using directly OpenVPN with a NetworkManager than owns resolv.conf. Both try to overwrite resolv.conf and NM wins. You should either configure network outside NM (using /etc/network/interfaces), or use network-manager-openvpn for an hopefully integrated experience...

Launchpad Janitor (janitor) wrote :

[Expired for openvpn (Ubuntu) because there has been no activity for 60 days.]

Changed in openvpn (Ubuntu):
status: Incomplete → Expired
zasran (erik-zasran) wrote :

Can this be fixed? Think it's obvious it's broken and it makes using openvpn fairly inconvenient, i.e. command line usage essentially does not work. Using it from network manager seems to be sort of working but network manager does not understand the config file (does not get all gateway servers, does not get the certificates from the config file).

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers