Hi all. I'm having a problem with DNS servers over openvpn. I use NetworkManager to configure (via openvpn config file import) and start/stop the VPN. I'm using Ubuntu GNOME 16.10, with:
  network-manager 1.2.6-0ubuntu1
  network-manager-openvpn 1.2.6-2ubuntu1
  network-manager-openvpn-gnome 1.2.6-2ubuntu1
  openvpn 2.3.11-1ubuntu2

I'm using the default Ubuntu configuration:

  $ cat /etc/NetworkManager/NetworkManager.conf
  [main]
  plugins=ifupdown,keyfile,ofono
  dns=dnsmasq

  [ifupdown]
  managed=false

FWIW, this is a wired connection. Ubuntu builds NetworkManager with rc-update set to resolvconf and indeed I can see that this is what I have:

  $ cat /etc/resolv.conf
  # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
  # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
  nameserver 127.0.1.1

I have a VPN configuration I've been using for years at my company, that's worked just fine. The config is pretty straightforward:

  client
  remote <vpnhost>
  comp-lzo yes
  dev tap
  proto udp
  nobind

and a few other things. Now we're moving and our VPN is also changing, so I have a new openvpn configuration which is also straightforward:

  client
  dev tun
  proto udp
  remote <newvpnhost>

and a few other things related to the key. This also connects fine, BUT my DNS doesn't work. Whenever I try to look up a hostname inside my VPN network, I get a REFUSED response:

  $ host git
  Host git.my.domain.com not found: 5(REFUSED)
  $ host git.my.domain.com
  Host git.my.domain.com not found: 5(REFUSED)

One thing that will fix it is if I send a SIGHUP to NetworkManager after I connect the VPN:

  $ sudo killall -HUP NetworkManager
  $ host git
  git.my.domain.com is an alias for server.my.domain.com.
  server.my.domain.com has address 192.168.1.7

So, I don't think it's a problem with the remote DNS server since just resetting my local NetworkManager fixes it. However, I have to do this every time I connect which of course is bogus. Also this happens for all lookups of all hosts including A records, not just CNAME records as I show in this example.

I've used "nmcli -f all device show <dev>" in both the working and non-working setups and compared the two configurations and they look fine to me: I can see the DNS server IP address (they are different VPN servers, different DHCP servers, different DNS servers, etc. of course). In fact if I find the DNS server IP address and use it directly on the host command that lookup works:

  $ host git 198.168.1.2
  git.my.domain.com is an alias for server.my.domain.com.
  server.my.domain.com has address 192.168.1.7

I've also enabled "nmcli general logging level TRACE" and looked at the journalctl logging when starting / stopping both VPN configurations and it all looks fine to me: for both I can see the IP address for the DNS server added as "50 vpn v4 tun0 : <newIP>" where my default DNS servers are 100. I see dnsmasq messages saying it's adding the new DNS address as the nameserver for all the domains.

What does it mean that the local DNS service is returning REFUSED? How can I debug this further? Or, does anyone know how to fix it?

_______________________________________________
networkmanager-list mailing list
networkmanager-list@gnome.org
https://mail.gnome.org/mailman/listinfo/networkmanager-list
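The comparison the post does by hand (lookup through the local stub versus lookup sent straight to the VPN's DNS server), as an added diagnostic script that is not part of the original message. It assumes host(1) is installed, that the VPN device is tun0 unless told otherwise, and that nmcli's terse output lists DNS servers as "IP4.DNS[n]:<ip>".

```shell
#!/bin/sh
# Added diagnostic helper (not from the original post). It resolves a name
# through the local NetworkManager/dnsmasq stub (127.0.1.1, as in the poster's
# resolv.conf) and directly against every DNS server NetworkManager attached
# to the VPN device, then prints a one-word verdict for each so they can be
# compared side by side.
# Assumptions: host(1) is available; "nmcli -t -f IP4.DNS device show <dev>"
# prints lines of the form "IP4.DNS[1]:192.168.1.2"; device defaults to tun0.

# Read nmcli terse output on stdin and print one DNS server IP per line.
vpn_dns_servers() {
    sed -n 's/^IP4\.DNS\[[0-9]*\]:\(.*\)$/\1/p'
}

# Read host(1) output on stdin and print a verdict. REFUSED means the server
# answered but declined to serve the query (for the stub: dnsmasq had no
# upstream it was willing to use for that name); NXDOMAIN means an upstream
# answered that the name does not exist; OK means an address or alias came back.
classify_lookup() {
    out=$(cat)
    case "$out" in
        *REFUSED*)                           echo REFUSED ;;
        *NXDOMAIN*)                          echo NXDOMAIN ;;
        *"has address"*|*"is an alias for"*) echo OK ;;
        *)                                   echo UNKNOWN ;;
    esac
}

# diagnose <hostname> [vpn-device]: stub verdict first, then one line per
# VPN DNS server. A REFUSED stub next to an OK direct answer points at the
# local forwarder configuration rather than the remote server.
diagnose() {
    name=$1
    dev=${2:-tun0}
    printf 'stub   127.0.1.1      : %s\n' "$(host "$name" 127.0.1.1 2>&1 | classify_lookup)"
    nmcli -t -f IP4.DNS device show "$dev" | vpn_dns_servers | while read -r srv; do
        printf 'direct %-15s: %s\n' "$srv" "$(host "$name" "$srv" 2>&1 | classify_lookup)"
    done
}

# Only run when given a hostname, e.g.: sh dnscheck.sh git.my.domain.com tun0
if [ $# -gt 0 ]; then
    diagnose "$@"
fi
```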