How to fix DNS Resolution Issues with OpenVPN on Ubuntu 18.04

You’ve recently upgraded to Ubuntu 18.04 and found that your OpenVPN connection no longer resolves DNS properly? This frustrating issue affects many users who upgraded from earlier Ubuntu versions, particularly those coming from Ubuntu 16.04 where everything worked smoothly. In this article, I’ll walk you through why this happens and provide several tested solutions to get your VPN’s DNS resolution working again.

Understanding the Problem

The core issue stems from how Ubuntu 18.04 handles DNS resolution differently from previous versions. In Ubuntu 16.04, when you connected to a VPN, the /etc/resolv.conf file would be automatically updated with the DNS servers provided by your VPN network. However, in Ubuntu 18.04, this file typically contains only:


nameserver 127.0.0.53
search myprovider.com

This points to a local DNS stub resolver managed by systemd-resolved, which is the default DNS resolution service in Ubuntu 18.04. The problem occurs because the traditional OpenVPN scripts that used to update the DNS settings are no longer compatible with this new approach.

Why DNS Resolution Fails After Connecting to OpenVPN

When you connect to an OpenVPN server, your system needs to know which DNS servers to use for resolving domain names. In Ubuntu 18.04, the default OpenVPN scripts attempt to update DNS settings using the resolvconf utility, which is no longer the primary DNS management tool. As a result, even though your VPN connection might be established successfully, DNS queries either fail completely or don’t route through the VPN as expected.

Solution 1: Using systemd-resolved Helper for OpenVPN

The most straightforward and recommended solution is to use the systemd-resolved helper script designed specifically for OpenVPN. This approach ensures that DNS settings are properly integrated with Ubuntu 18.04’s DNS resolution system.

Step 1: Install the Required Package

First, install the OpenVPN helper for systemd-resolved:

sudo apt install openvpn-systemd-resolved

I’ve found this package to be a lifesaver when dealing with DNS issues in Ubuntu 18.04. It provides the necessary integration between OpenVPN and systemd-resolved.

Step 2: Update Your OpenVPN Configuration

Next, modify your OpenVPN client configuration file to use the new helper scripts. If you’re using a .ovpn file, add or modify the following lines:

script-security 2
up /etc/openvpn/update-systemd-resolved
down /etc/openvpn/update-systemd-resolved
down-pre

These lines tell OpenVPN to use the systemd-resolved helper scripts when establishing or terminating the connection.

Step 3: Prevent DNS Leakage (Optional but Recommended)

To prevent DNS leakage, which can compromise your privacy when using a VPN, add this line to your configuration:

dhcp-option DOMAIN-ROUTE .

This ensures that all DNS queries are routed through the VPN tunnel.

Solution 2: Manual Installation of systemd-resolved Scripts

If the package installation doesn’t work for you, or if you prefer a more manual approach, you can download and install the helper scripts directly:

Step 1: Create a Directory for the Scripts

sudo mkdir -p /etc/openvpn/scripts

Step 2: Download the Helper Script

sudo wget https://raw.githubusercontent.com/jonathanio/update-systemd-resolved/master/update-systemd-resolved -P /etc/openvpn/scripts/

Step 3: Make the Script Executable

sudo chmod +x /etc/openvpn/scripts/update-systemd-resolved

Step 4: Update Your OpenVPN Configuration

Edit your OpenVPN client configuration file by adding or modifying the following lines:

script-security 2
up /etc/openvpn/scripts/update-systemd-resolved
down /etc/openvpn/scripts/update-systemd-resolved

I’ve implemented this solution on several client machines, and it works reliably across different OpenVPN server configurations.

Solution 3: Using NetworkManager for OpenVPN Connections

If you prefer using NetworkManager’s GUI for managing your VPN connections, you can fix the DNS resolution issue by adjusting the DNS priority:

Step 1: Install NetworkManager OpenVPN Plugin (if not already installed)

sudo apt install network-manager-openvpn-gnome

Step 2: Modify DNS Priority for Your VPN Connection

Adjust the DNS priority for your VPN connection to ensure it takes precedence:

sudo nmcli -p connection modify YOUR_VPN_CONNECTION_NAME ipv4.dns-priority -1

Replace YOUR_VPN_CONNECTION_NAME with the actual name of your VPN connection as it appears in NetworkManager.

Step 3: Configure DNS Servers (Optional)

If you want to specify particular DNS servers for your VPN connection:

sudo nmcli connection modify YOUR_VPN_CONNECTION_NAME ipv4.dns "DNS_SERVER_IP"

Replace DNS_SERVER_IP with the IP address of your preferred DNS server.

Solution 4: Using Command Line to Set Up OpenVPN via NetworkManager

For those who prefer a command-line approach but still want to use NetworkManager, you can set up your VPN connection completely via the terminal:

sudo nmcli connection add type vpn vpn-type openvpn con-name YOUR_VPN_NAME ifname --
sudo nmcli connection modify YOUR_VPN_NAME ipv4.dns DNS_SERVER_IP
sudo nmcli connection modify YOUR_VPN_NAME ipv4.dns-search YOUR_DOMAIN_SEARCH
sudo nmcli connection modify YOUR_VPN_NAME ipv4.never-default yes

Then, set the VPN data including certificates and connection details:

sudo nmcli connection modify YOUR_VPN_NAME vpn.data 'ca = /path/to/ca.crt, key = /path/to/client.key, dev = tun, cert = /path/to/client.crt, cert-pass-flags = 1, comp-lzo = adaptive, remote = your.vpn.server:1194, connection-type = tls'

This approach gives you fine-grained control over your VPN configuration while still benefiting from NetworkManager’s integration with the system.

Troubleshooting Common Issues

Issue 1: “Authenticate/Decrypt packet error: cipher final failed”

If you encounter this error, it’s likely related to the compression settings. Check that your client configuration matches the server’s compression settings. If the server uses LZO compression, ensure your client configuration includes:

comp-lzo yes

Issue 2: DNS Resolution Works Intermittently

This can happen if your system is still caching DNS responses from before the VPN connection. Try flushing your DNS cache:

sudo systemd-resolve --flush-caches

Issue 3: Helper Scripts Not Found

If you get an error about the scripts not being found, double-check the paths in your configuration file. The paths should be absolute and point to the correct location of the scripts.
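
A lint for the client configuration lines from Solutions 1 and 2 that also catches the path problem in Issue 3, added here as an example and not part of the original article or of the openvpn-systemd-resolved package. The function name check_ovpn_dns and its messages are assumptions; the writability check is an extra hardening step, since the helper runs with OpenVPN's privileges.

```shell
# Added example: lint an OpenVPN client config for the helper-script settings.
check_ovpn_dns() {
    conf="$1"; rc=0
    [ -r "$conf" ] || { echo "FAIL: cannot read $conf"; return 2; }

    # OpenVPN only runs up/down scripts when script-security is 2 or higher.
    level=$(awk '$1 == "script-security" { v = $2 } END { print v + 0 }' "$conf")
    [ "$level" -ge 2 ] || { echo "FAIL: script-security is $level, need 2"; rc=1; }

    for directive in up down; do
        script=$(awk -v d="$directive" '$1 == d { p = $2 } END { print p }' "$conf")
        case "$script" in
            "") echo "FAIL: no '$directive' script configured"; rc=1; continue ;;
            /*) ;;
            *)  echo "FAIL: '$directive' path is not absolute: $script"; rc=1; continue ;;
        esac
        if [ ! -f "$script" ] || [ ! -x "$script" ]; then
            echo "FAIL: '$directive' script missing or not executable: $script"; rc=1
            continue
        fi
        # The script runs with OpenVPN's privileges (usually root), so no
        # group or other user should be able to rewrite it.
        perms=$(ls -ldL "$script" | cut -c1-10)
        case "$perms" in
            ?????w*|????????w*) echo "FAIL: $script is group/world-writable ($perms)"; rc=1 ;;
        esac
    done

    # Optional line from Solution 1, Step 3; only a warning, as the article marks it optional.
    grep -Eq '^[[:space:]]*dhcp-option[[:space:]]+DOMAIN-ROUTE[[:space:]]+\.[[:space:]]*$' "$conf" ||
        echo "WARN: no 'dhcp-option DOMAIN-ROUTE .' in $conf"
    return "$rc"
}
```

Run it as check_ovpn_dns /path/to/client.ovpn; it prints nothing and returns 0 when every check passes.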

Verifying DNS Resolution Is Working Correctly

After applying one of the solutions above, you can verify that DNS resolution is working correctly through your VPN by using the following commands:

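  1. Check the current DNS settings (Ubuntu 18.04 ships this command as systemd-resolve; on Ubuntu 20.04 and newer it is also available as resolvectl status):
    systemd-resolve --status

  2. Test DNS resolution for a specific domain:
    nslookup example.com

  3. Check which DNS server is being used:
    dig example.com | grep SERVER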

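If the status output lists your VPN’s DNS servers under the VPN interface and lookups succeed, your configuration is working correctly. Keep in mind that nslookup and dig talk to the local stub resolver, so they report 127.0.0.53 as the server; the per-link entries in the status output show where the stub forwards your queries.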
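
To read the status output mechanically, the following added example (not from the original article) summarizes the DNS servers per link and checks that only the VPN link carries the ~. routing domain, which is how DOMAIN-ROUTE . appears in the status output. The function names, the tun0 interface name and the sample text are constructed assumptions.

```shell
# Added example: per-link DNS summary from `systemd-resolve --status` output on stdin.
dns_by_link() {
    awk '
    function emit() {
        if (link != "")
            printf "%s servers=%s route_all=%s\n", link, (servers == "" ? "-" : servers), (all ? "yes" : "no")
    }
    /^Link [0-9]+ \(/ { emit(); link = $3; gsub(/[()]/, "", link); servers = ""; all = 0; label = ""; next }
    {
        line = $0
        # "Label: value" starts a field; other lines continue the previous field.
        if (match(line, /^ *[A-Za-z][A-Za-z ]*: /)) {
            label = substr(line, 1, RLENGTH - 2); sub(/^ +/, "", label)
            line = substr(line, RLENGTH + 1)
        }
        n = split(line, v, " ")
        for (i = 1; i <= n; i++) {
            if (label == "DNS Servers") servers = servers (servers == "" ? "" : ",") v[i]
            if (label == "DNS Domain" && v[i] == "~.") all = 1
        }
    }
    END { emit() }'
}

# Succeeds only if the VPN link has DNS servers and is the sole link with "~.".
vpn_dns_ok() {
    dns_by_link | awk -v vpn="$1" '
        $1 == vpn && $2 != "servers=-" && $3 == "route_all=yes" { ok = 1 }
        $1 != vpn && $3 == "route_all=yes" { other = 1 }
        END { exit !(ok && !other) }'
}

# Constructed sample in the Ubuntu 18.04 status layout, not real output.
sample_status() {
    cat <<'EOF'
Link 3 (tun0)
      Current Scopes: DNS
         DNS Servers: 10.8.0.1
                      10.8.0.2
          DNS Domain: ~.

Link 2 (enp0s3)
      Current Scopes: DNS
         DNS Servers: 192.168.1.1
          DNS Domain: lan
EOF
}
```

On a live system, pipe the real output in: systemd-resolve --status | vpn_dns_ok tun0.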

Understanding the Technical Background

The shift from the traditional resolvconf utility to systemd-resolved in Ubuntu 18.04 is part of a broader move toward systemd integration. The systemd-resolved service provides a DNS stub resolver that listens on 127.0.0.53 and manages DNS settings in a centralized way.

When you connect to a VPN, the OpenVPN client needs to inform systemd-resolved about the DNS servers provided by the VPN server. The helper scripts we’ve discussed establish this communication, ensuring that DNS queries are properly routed through the VPN tunnel when needed.

Conclusion

DNS resolution issues with OpenVPN on Ubuntu 18.04 can be frustrating, but they’re solvable with the right approach. The most reliable solution is to use the openvpn-systemd-resolved package, which provides the necessary integration between OpenVPN and Ubuntu’s DNS resolution system.

By following the steps outlined in this guide, you should be able to get your VPN’s DNS resolution working correctly, allowing you to access resources both inside and outside your VPN network without issues.

Remember that the specific solution you need may depend on your exact setup and requirements. Don’t hesitate to try different approaches if the first one doesn’t work for your situation.

FAQs

Why did DNS resolution with OpenVPN work in Ubuntu 16.04 but not in 18.04?

Ubuntu 18.04 switched to using systemd-resolved as the default DNS resolver, which handles DNS resolution differently from the resolvconf utility used in Ubuntu 16.04. The traditional OpenVPN scripts that worked with resolvconf are not compatible with systemd-resolved.

Can I still use resolvconf in Ubuntu 18.04?

Yes, you can install resolvconf in Ubuntu 18.04, but it’s not recommended as it may conflict with systemd-resolved. It’s better to use the solutions described in this article that work with systemd-resolved.

Does this issue affect all VPN services on Ubuntu 18.04?

This issue primarily affects OpenVPN connections. Other VPN protocols may have different integration methods with systemd-resolved.

Will these solutions work on Ubuntu 20.04 or newer versions?

Most of these solutions should work on Ubuntu 20.04 and newer versions, as they also use systemd-resolved. However, there might be slight differences in implementation details.

How can I tell if my DNS queries are leaking outside the VPN?

You can use online DNS leak test services or check which DNS servers are being used with the systemd-resolve --status command (resolvectl status on Ubuntu 20.04 and newer). If your DNS queries are being resolved by servers other than those provided by your VPN, you might have a DNS leak.

What if I’m using a custom DNS server with my VPN?

If you want to use a custom DNS server with your VPN, you can specify it in your OpenVPN configuration using the dhcp-option DNS directive or configure it in NetworkManager.

Can I use these solutions with other Debian-based distributions?

These solutions should work on other Debian-based distributions that use systemd-resolved, though the exact paths and package names might differ slightly.

What if I’m connecting to multiple VPNs?

If you’re connecting to multiple VPNs, you might need to adjust the DNS priority for each connection or use more advanced routing configurations to ensure that DNS queries are sent to the appropriate servers.

The post How to fix DNS Resolution Issues with OpenVPN on Ubuntu 18.04 appeared first on net2.

