On Fri, 2014-10-10 at 21:17 +0200, Olav Morken wrote:
> Hi,
> 
> I am trying to set up Network Manager to connect to an OpenVPN server, 
> and have trouble understanding how it applies the DNS settings it 
> receives from the server.

Sorry for the late reply...

Which version of NM do you have, and what distro?

> Basically, as far as I can tell, it automatically assumes that I want 
> to use split dns, and limits the DNS servers it receives from the 
> OpenVPN servers to the domains it assumes "belongs to" this 
> configuration. However, it also ignores the existing DNS servers it 
> has configured.

By default, NM will not do split DNS, which means when the VPN is
connected, the VPN nameservers replace the existing nameservers.  This
is required to ensure that if for some reason the VPN nameservers cannot
be contacted, that your queries don't fall back to the non-VPN
nameservers and return bogus (and potentially malicious) results.

But, if you add "dns=dnsmasq" to
the /etc/NetworkManager/NetworkManager.conf file and install 'dnsmasq',
then NM will run in split DNS mode.  Here, NM will spawn a private copy
of dnsmasq and send it configuration to direct any queries ending in the
domain passed back from the openvpn server (or entered into the NM
configuration for that VPN connection) to the VPN nameservers, and
everything else to the non-VPN nameservers.

> That leaves us with a dnsmasq configured with two nameservers it will 
> query for two specific subdomains, and no nameservers it will use for 
> other domains. The result is that dnsmasq is only willing to respond 
> to DNS queries for those subdomains, and respond with "REFUSED" for 
> every other domain.
> 
> I assume that this is not the way it is supposed to work, since that 
> would mean that everyone connecting to a VPN would be unable to access 
> most of the Internet. I therefore assume that there is something wrong 
> with my configuration.

That sounds like a bug; do you know if you have any custom dnsmasq
configuration on that system?  Also check two things:

1) /etc/resolv.conf should have "127.0.0.1" as the only nameserver
2) Look in /var/run/NetworkManager (or /run/NetworkManager) for the
'dnsmasq.conf' file which is what NM sends to dnsmasq

(the only caveat here is that if you run Ubuntu, this procedure may not
apply as the info is sent to dnsmasq over D-Bus)

Let us know what the results are!

Dan

> I am however unable to tell what makes it choose this behavior. I 
> tried to look at the code, and found the location where it adds the 
> domains[1], but I was unable to find a way to override this behavior.
> 
> Does anyone have any suggestions for what may trigger this behavior, 
> and what I can do to avoid it?
> 
> (Configuration details and logs from network manager included below.)
> 
> Best regards,
> Olav Morken
> 
> 
> [1] 
> http://cgit.freedesktop.org/NetworkManager/NetworkManager/tree/src/dns-manager/nm-dns-dnsmasq.c?id=60cce4004284242f0891160e21979a3027da6e0e#n234
> 
> 
> Configuration:
> 
>  Both the client and server have IPv6 enabled.
> 
>  The VPN configuration on the client side doesn't contain anything too 
>  exciting. It uses a TCP connection to port 443, a TUN device, and 
>  username+password authentication. Both the IPv4 and the IPv6 settings 
>  are set to "Automatic (VPN)".
> 
>  The OpenVPN server is configured with a TUN device and topology 
>  subnet. It pushes the following (slightly anonymized) options to the 
>  client:
> 
>   push "dhcp-option DNS 198.51.100.57"
>   push "dhcp-option DNS 198.51.100.168"
>   push "dhcp-option DOMAIN example.org"
>   push "redirect-gateway def1 bypass-dhcp"
>   push "route-ipv6 2000::/3"
> 
> 
> Software versions:
>  XUbuntu 14.04
>  network-manager 0.9.8.8-0ubuntu7
>  network-manager-openvpn 0.9.8.2-1ubuntu4
>  openvpn 2.3.2-7ubuntu3
> 
> Log from connection:
>  NetworkManager[924]: <info> IPv4 configuration:
>  NetworkManager[924]: <info>   Internal Gateway: 192.0.2.1
>  NetworkManager[924]: <info>   Internal Address: 192.0.2.2
>  NetworkManager[924]: <info>   Internal Prefix: 25
>  NetworkManager[924]: <info>   Internal Point-to-Point Address: 0.0.0.0
>  NetworkManager[924]: <info>   Maximum Segment Size (MSS): 0
>  NetworkManager[924]: <info>   Forbid Default Route: no
>  NetworkManager[924]: <info>   Internal DNS: 198.51.100.57
>  NetworkManager[924]: <info>   Internal DNS: 198.51.100.168
>  NetworkManager[924]: <info>   DNS Domain: 'example.org'
>  NetworkManager[924]: <info> IPv6 configuration:
>  NetworkManager[924]: <info>   Internal Address: 2001:db81:4561::1000
>  NetworkManager[924]: <info>   Internal Prefix: 64
>  NetworkManager[924]: <info>   Internal Point-to-Point Address: 2001:db81:4561::1
>  NetworkManager[924]: <info>   Maximum Segment Size (MSS): 0
>  NetworkManager[924]: <info>   Static Route: 2000::/3   Next Hop: 2000::
>  NetworkManager[924]: <info>   Forbid Default Route: no
>  NetworkManager[924]: <info>   DNS Domain: 'example.org'
>  NetworkManager[924]: <info> VPN connection 'example-openvpn-config' (IP Config Get) complete.
>  NetworkManager[924]: <info> Policy set 'example-openvpn-config' (tun0) as default for IPv4 routing and DNS.
>  NetworkManager[924]: <info> Policy set 'example-openvpn-config' (tun0) as default for IPv6 routing and DNS.
>  NetworkManager[924]: <info> Writing DNS information to /sbin/resolvconf
>  dnsmasq[1464]: setting upstream servers from DBus
>  dnsmasq[1464]: using nameserver 198.51.100.168#53 for domain 0.192.in-addr.arpa
>  dnsmasq[1464]: using nameserver 198.51.100.168#53 for domain example.org
>  dnsmasq[1464]: using nameserver 198.51.100.57#53 for domain 0.192.in-addr.arpa
>  dnsmasq[1464]: using nameserver 198.51.100.57#53 for domain example.org
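The two checks Dan asks for, written up as a small shell diagnostic (added here, not code from the thread or from NetworkManager): it verifies that resolv.conf names only 127.0.0.1 and classifies the `server=` lines in NM's generated dnsmasq.conf, flagging the case Olav hit, where only domain-scoped upstreams exist and dnsmasq therefore answers REFUSED for every other name. Paths are passed as arguments so it can be run against copies; the sample files it builds use constructed addresses, and 192.0.2.254 is a stand-in for the non-VPN resolver. On Ubuntu the upstreams arrive over D-Bus instead (see the `setting upstream servers from DBus` line in the log), so the file check does not apply there.

```shell
#!/bin/sh
# Added diagnostic for the split-DNS setup described in the thread.

# Check 1: print "ok" if every nameserver line in the given resolv.conf
# is 127.0.0.1 (i.e. all queries go through NM's private dnsmasq), else "bad".
check_resolv() {
    n=$(awk '$1 == "nameserver" && $2 != "127.0.0.1" { c++ } END { print c + 0 }' "$1")
    if [ "$n" -eq 0 ]; then echo ok; else echo bad; fi
}

# Check 2: count domain-scoped upstreams (server=/domain/IP) and default
# upstreams (server=IP) in a dnsmasq config; prints "scoped=N default=M".
count_upstreams() {
    awk -F= '$1 == "server" { if ($2 ~ /^\//) s++; else d++ }
             END { printf "scoped=%d default=%d\n", s + 0, d + 0 }' "$1"
}

# Turn the counts into a verdict:
#   split-ok         scoped entries plus a default upstream (intended split DNS)
#   refuses-non-vpn  scoped entries only: dnsmasq REFUSEs all other domains
#   full-tunnel      default upstream only: VPN servers answer everything
#   no-upstreams     NM configured nothing
diagnose() {
    set -- $(count_upstreams "$1")
    s=${1#scoped=}; d=${2#default=}
    if [ "$s" -gt 0 ] && [ "$d" -gt 0 ]; then echo split-ok
    elif [ "$s" -gt 0 ]; then echo refuses-non-vpn
    elif [ "$d" -gt 0 ]; then echo full-tunnel
    else echo no-upstreams; fi
}

# Constructed sample files mirroring the thread's log; prints the temp dir.
make_samples() {
    dir=$(mktemp -d)
    printf 'nameserver 127.0.0.1\n' > "$dir/resolv.conf"
    # Broken config: the scoped servers seen in the log and nothing else.
    printf 'server=/example.org/198.51.100.57\nserver=/example.org/198.51.100.168\nserver=/0.192.in-addr.arpa/198.51.100.57\n' > "$dir/broken.conf"
    # Expected split-DNS config: same entries plus a default (constructed) upstream.
    { cat "$dir/broken.conf"; printf 'server=192.0.2.254\n'; } > "$dir/good.conf"
    echo "$dir"
}

# Stand-alone run: build the samples and report on both configs.
if [ "${0##*/}" != "sh" ] && [ -z "$DIAG_NO_MAIN" ]; then
    d=$(make_samples)
    echo "resolv.conf: $(check_resolv "$d/resolv.conf")"
    echo "broken.conf: $(diagnose "$d/broken.conf")"
    echo "good.conf:   $(diagnose "$d/good.conf")"
    rm -rf "$d"
fi
```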


_______________________________________________
networkmanager-list mailing list
networkmanager-list@gnome.org
https://mail.gnome.org/mailman/listinfo/networkmanager-list
