How to Fix OpenVPN DNS Resolution Failures on Ubuntu 18.04

Connecting to an OpenVPN network on Ubuntu 18.04 can sometimes lead to unexpected Domain Name System (DNS) resolution issues.

This manifests as an inability to access resources either within the VPN network or on the public internet, even though the VPN connection itself might appear active. A common symptom is the system’s /etc/resolv.conf file pointing to the local systemd-resolved stub resolver (127.0.0.53) instead of reflecting the DNS servers provided by the VPN.

This article explores the reasons behind this behavior specifically on Ubuntu 18.04 and details several configuration adjustments and solutions to restore proper DNS functionality when using OpenVPN.

Understanding the DNS Handling Change in Ubuntu 18.04

The core reason for this DNS resolution difficulty stems from a change in how Ubuntu manages DNS starting with version 18.04. Previous versions, like Ubuntu 16.04, typically relied on the resolvconf utility to manage the /etc/resolv.conf file. OpenVPN configurations often included scripts (like /etc/openvpn/update-resolv-conf) designed to interact with resolvconf to push the VPN’s DNS settings to the system.

However, Ubuntu 18.04 introduced systemd-resolved as the default DNS resolver. Key points regarding this change include:

  • The resolvconf utility is often not installed by default on Ubuntu 18.04.
  • The traditional update-resolv-conf script checks for the existence of /sbin/resolvconf and exits if it’s not found, preventing DNS updates.
  • Even if resolvconf is installed, directly manipulating /etc/resolv.conf might not integrate correctly with systemd-resolved, which manages DNS settings internally and uses a local stub resolver at 127.0.0.53.

Consequently, OpenVPN needs a mechanism to correctly communicate DNS settings specifically to the systemd-resolved service.


Solutions to Restore OpenVPN DNS Resolution

Several approaches can be employed to ensure DNS settings provided by the OpenVPN server are correctly applied on an Ubuntu 18.04 client system.

Solution 1: Using `systemd-resolved` Integration Scripts

A common and effective method involves using helper scripts specifically designed to bridge OpenVPN and `systemd-resolved`. This can be achieved in two primary ways:

Option A: Install the `openvpn-systemd-resolved` Package

A dedicated package provides the necessary integration script.

  1. Install the package using apt:
    sudo apt update
    sudo apt install openvpn-systemd-resolved
  2. Modify your OpenVPN client configuration file (e.g., client.ovpn) to use the script provided by this package. Replace or comment out any existing up and down lines referencing update-resolv-conf:
    script-security 2
    up /etc/openvpn/update-systemd-resolved
    down /etc/openvpn/update-systemd-resolved
    down-pre

    Note: The script-security 2 directive is crucial to allow OpenVPN to execute external scripts.

  3. (Optional) To help prevent potential DNS leaks, consider adding the following line to your .ovpn configuration file:
    dhcp-option DOMAIN-ROUTE .

Option B: Manually Download and Configure the Script

Alternatively, you can download and configure a similar script manually.

  1. Create a directory for OpenVPN scripts if it doesn’t exist:
    sudo mkdir -p /etc/openvpn/scripts
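  2. Download the `update-systemd-resolved` script. OpenVPN executes it with its own privileges (normally root) on every connect and disconnect, and the URL below tracks the repository's master branch, so read the downloaded file and make sure you trust the source before using it: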
    sudo wget https://raw.githubusercontent.com/jonathanio/update-systemd-resolved/master/update-systemd-resolved -P /etc/openvpn/scripts/
  3. Make the downloaded script executable:
    sudo chmod +x /etc/openvpn/scripts/update-systemd-resolved
  4. Edit your OpenVPN client configuration file (e.g., client.ovpn) to use this script. Comment out or remove lines referencing update-resolv-conf:
    script-security 2
    # up /etc/openvpn/update-resolv-conf
    # down /etc/openvpn/update-resolv-conf
    up /etc/openvpn/scripts/update-systemd-resolved
    down /etc/openvpn/scripts/update-systemd-resolved

    Again, ensure script-security 2 is present.

Both options work by providing scripts that interact directly with `systemd-resolved` via its D-Bus interface, correctly registering and deregistering the VPN’s DNS servers and search domains when the connection goes up or down.
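
The check below is an added example, not part of the original article or of the update-systemd-resolved project. It lints a client profile for the Solution 1 setup (script-security level, which up/down hooks are active, down-pre) and flags a hook file that is group- or world-writable, because OpenVPN runs that file with its own privileges. The function name audit_ovpn_dns_hooks and the finding texts are hypothetical.

```sh
# Added example: prints one finding per line for the profile given as $1.
# Returns 0 when nothing is flagged, 1 otherwise.
audit_ovpn_dns_hooks() {
    conf=$1; rc=0
    # Keep only active directives: drop blank lines and '#' / ';' comments.
    active=$(grep -Ev '^[[:space:]]*([#;]|$)' "$conf") || true

    # Scripts named by up/down only run at script-security level 2 or higher.
    level=$(printf '%s\n' "$active" | awk '$1 == "script-security" { v = $2 } END { print v + 0 }')
    if [ "$level" -lt 2 ]; then
        echo "script-security is $level: up/down scripts will not be executed"; rc=1
    fi

    for dir in up down; do
        hook=$(printf '%s\n' "$active" | awk -v d="$dir" '$1 == d { h = $2 } END { print h }')
        case $hook in
            "")                        echo "$dir: no hook configured"; rc=1 ;;
            */update-resolv-conf)      echo "$dir: legacy hook $hook needs resolvconf"; rc=1 ;;
            */update-systemd-resolved) ;;
            *)                         echo "$dir: unrecognised hook $hook"; rc=1 ;;
        esac
        # The hook runs with OpenVPN's privileges (normally root), so a file
        # that other accounts can modify must not be used as a hook.
        if [ -f "$hook" ] && [ -n "$(find "$hook" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "$dir: $hook is group- or world-writable"; rc=1
        fi
    done

    # Option A also sets down-pre so the down hook runs before the tunnel closes.
    if ! printf '%s\n' "$active" | awk '$1 == "down-pre" { f = 1 } END { exit !f }'; then
        echo "down-pre is not set"; rc=1
    fi
    return $rc
}
```

Source the file and run `audit_ovpn_dns_hooks client.ovpn`; an empty result with exit status 0 means the profile matches the Option A layout.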


Solution 2: Configuring via NetworkManager Command Line (`nmcli`)

If managing VPN connections through NetworkManager, the nmcli tool offers a way to configure DNS settings directly.

  1. Add a new VPN connection configuration (replace placeholders):
    sudo nmcli connection add type vpn vpn-type openvpn con-name "YourVpnConnectionName" ifname --
  2. Modify the connection to set the specific DNS server provided by the VPN:
    sudo nmcli connection modify "YourVpnConnectionName" ipv4.dns "172.16.27.1"

    (Replace 172.16.27.1 with the actual VPN DNS server address).

  3. Set the DNS search domain(s) if required:
    sudo nmcli connection modify "YourVpnConnectionName" ipv4.dns-search "internal.example.com"

    (Replace internal.example.com with the actual search domain).

  4. Prevent the VPN connection from becoming the default route for all traffic, if desired:
    sudo nmcli connection modify "YourVpnConnectionName" ipv4.never-default yes
  5. Import other VPN settings (certificates, keys, server address, etc.). Adjust paths and parameters as needed:
    sudo nmcli connection modify "YourVpnConnectionName" vpn.data 'ca = /path/to/ca.crt, key = /path/to/your.key, dev = tun, cert = /path/to/your.crt, cert-pass-flags = 1, comp-lzo = adaptive, remote = vpn.server.com:1194, connection-type = tls'
  6. Connect using nmcli (will prompt for passwords if needed):
    sudo nmcli --ask connection up "YourVpnConnectionName"
  7. Disconnect using nmcli:
    sudo nmcli connection down "YourVpnConnectionName"

This approach directly configures NetworkManager’s understanding of the VPN’s DNS requirements.

Solution 3: Adjusting DNS Priority in NetworkManager

In some scenarios, NetworkManager might receive the VPN’s DNS settings but fail to prioritize them over existing system DNS servers. You can adjust the priority using `nmcli`:

    sudo nmcli connection modify "YourVpnConnectionName" ipv4.dns-priority -1

In NetworkManager, lower values mean higher priority, and a negative value additionally excludes the DNS servers of connections with a greater priority value, so only the VPN’s DNS servers are used while the connection is active. If IPv6 is relevant, adjust ipv6.dns-priority similarly.

Solution 4: Enabling IP Forwarding on the OpenVPN Server (Use with Caution)

In certain configurations, the issue might relate to IP forwarding settings *on the OpenVPN server* itself, not the client.

Warning: Enabling IP forwarding on a client machine is generally a security risk and is **not** recommended. This adjustment should only be considered on the OpenVPN server if appropriate for the network topology.

  1. On the OpenVPN server, edit the sysctl configuration file:
    sudo nano /etc/sysctl.conf
  2. Locate the line net.ipv4.ip_forward=1. Ensure it is uncommented (remove the leading # if present). If the line is missing, add it.
  3. Save the file and apply the change, often by restarting networking services or the server itself.

This allows the server to correctly route traffic, which might indirectly resolve DNS issues if the server itself is responsible for forwarding DNS queries appropriately. This solution is only applicable if you administer the OpenVPN server and understand the implications.

Solution 5: Re-evaluating NetworkManager GUI Functionality

Sometimes, simply attempting to configure and connect using the standard graphical NetworkManager interface for OpenVPN (potentially requiring the `network-manager-openvpn-gnome` package for importing .ovpn files) might work correctly, even if command-line methods previously failed or if GUI methods failed on earlier system versions or updates.

Verification

After applying a potential fix, verify successful DNS resolution by:

  • Attempting to access internal resources within the VPN network by their hostnames.
  • Attempting to browse external websites on the public internet.

If both succeed while the VPN connection is active, the DNS configuration is likely correct.
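
Under systemd-resolved, /etc/resolv.conf keeps listing 127.0.0.53 even when the fix works, so the per-link state is the thing to inspect. The following is an added example, not part of the original article: it parses status text for the VPN interface and reports whether DNS servers are registered there and whether the link holds the `~.` routing domain set by `dhcp-option DOMAIN-ROUTE .`. The function names, the interface names and the sample text are constructed, and the layout of `systemd-resolve --status` output is an assumption.

```sh
# Added example, not from the original article. sample_status prints constructed
# text laid out like the per-link part of `systemd-resolve --status` (assumed).
sample_status() {
cat <<'EOF'
Link 3 (tun0)
      Current Scopes: DNS
         DNS Servers: 172.16.27.1
          DNS Domain: ~.
                      internal.example.com

Link 2 (enp0s3)
         DNS Servers: 192.168.1.1
                      fd00::1
          DNS Domain: lan
EOF
}
# stdin: status text. stdout: one "link|servers|domains" record per Link section.
resolved_links() {
    awk '
    function emit() { if (link != "") print link "|" srv "|" dom }
    /^Link [0-9]+ \(/ { emit(); link = $3; gsub(/[()]/, "", link); srv = dom = key = ""; next }
    /^Global/         { emit(); link = ""; next }
    /^[ \t]*$/        { key = ""; next }
    link == ""        { next }
    {
        line = $0; sub(/^[ \t]+/, "", line)
        # "Key: value" starts a field; any other line continues the previous one.
        if (line ~ /^[A-Za-z][A-Za-z ]*: /) { key = line; sub(/: .*/, "", key); sub(/^[^:]*: /, "", line) }
        if (key == "DNS Servers") srv = srv (srv == "" ? "" : ",") line
        if (key == "DNS Domain")  dom = dom (dom == "" ? "" : ",") line
    }
    END { emit() }'
}
# Returns 0 = VPN DNS registered and default-routed, 1 = missing, 2 = registered only.
check_vpn_dns() {
    rec=$(resolved_links | grep "^$1|") || true
    servers=$(printf '%s' "$rec" | cut -d'|' -f2)
    domains=$(printf '%s' "$rec" | cut -d'|' -f3)
    if [ -z "$servers" ]; then
        echo "FAIL: no DNS servers registered on $1"; return 1
    fi
    case ",$domains," in
        *",~.,"*) echo "OK: $1 uses $servers and holds the ~. routing domain" ;;
        *)        echo "WARN: $1 uses $servers, but without ~. other links can still answer"; return 2 ;;
    esac
}
sample_status | check_vpn_dns tun0
```

On an Ubuntu 18.04 client with the VPN connected, feed it live data with `systemd-resolve --status | check_vpn_dns tun0`, replacing tun0 with the actual tunnel interface.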

Potential Considerations

  • Using custom up/down scripts in the .ovpn file requires the script-security 2 directive for OpenVPN to execute them.
  • Most configuration changes involving system files or services (apt, sysctl.conf, nmcli modifications) require administrative privileges (sudo).
  • If using NetworkManager and modifying an underlying .ovpn file manually (e.g., to add script directives), you may need to delete the existing connection profile in NetworkManager and re-import the modified .ovpn file for the changes to take effect.
  • Ensure VPN configuration details like cipher (e.g., cipher AES-256-CBC) and compression (e.g., comp-lzo yes) match the server settings to avoid connection errors unrelated to DNS.

Conclusion

DNS resolution failures with OpenVPN on Ubuntu 18.04 are typically caused by the transition to systemd-resolved and the resulting incompatibility with older DNS update methods relying on resolvconf.

By implementing solutions that correctly integrate OpenVPN’s DNS settings with systemd-resolved, such as using dedicated helper scripts or configuring NetworkManager appropriately via nmcli, proper DNS functionality can be restored, enabling seamless access to both internal VPN resources and the wider internet.

 



Nikolaus Oosterhof

Nikolaus holds a degree in software development and has a strong passion for all things tech-related, especially gadgets with screens. Though he is nostalgic for older phone models, he's a retired gamer and continues to enjoy programming in open-source environments. Additionally, Nikolaus enjoys writing about Linux, macOS and Windows and has experience designing web pages.
