#1 2016-11-24 12:52:40

greyseal96
Member
Registered: 2014-03-20
Posts: 31

[Solved] OpenVPN client.up script and DNS resolution with resolvconf

Hi all,

I've noticed something odd with the way that the client.up script supplied with OpenVPN is working.  In its default setup, it assembles the resolv.conf file from the dhcp options pushed by the server and then calls resolvconf like this (I've interpreted/filled in what would normally be supplied by variables):

resolvconf -p -a tun0 <resolv.conf from std in>

The result of this is that it makes the resolv.conf file (with its domain, search and DNS server IP addresses) private to the tun0 interface.  When I issue

$ resolvconf -l

it shows each of the separate resolvconf files correctly.  However, if I open up the actual /etc/resolv.conf file, I don't see any of the domain suffixes or DNS servers in the /etc/resolv.conf file.  Consequently, I believe, when I try to ping a host name on the remote network (either a plain host name or a fully qualified name), the ping fails because the name can't get resolved to an IP address.  If I ping directly to an address on the remote network, that works just fine so that tells me that the ip route config is working; it's just DNS resolution that's not working.

If I change the call in the client.up script to

resolvconf -a tun0 <resolv.conf from std in>

that seems to get the dhcp options from the VPN merged in correctly to the /etc/resolv.conf file and then the name resolution starts working correctly.  I understand that the "-p" option for resolvconf is supposed to make the resolv.conf private for a particular interface but what good does that do if that makes name resolution not work?  Am I doing something wrong?

BTW, I also tried the client.up script which is in the AUR.  It does things a little differently.  Instead of using the "-p" option, it uses the "-x" option which then causes the /etc/resolv.conf file to get completely overwritten with the dhcp options from the server; my existing nameservers end up getting removed.

Neither the "-p" nor the "-x" option seem like they help very much, at least in my situation for getting name resolution to work.  Am I doing something wrong?  What are those options meant to do?  Why are they causing name resolution to stop working correctly?  Any insight or clarification would be really helpful.

Last edited by greyseal96 (2016-12-09 09:13:19)

#2 2016-11-25 13:09:26

umyscoog
Member
Registered: 2016-11-25
Posts: 3

Re: [Solved] OpenVPN client.up script and DNS resolution with resolvconf

I had the same issues and ended up writing the VPN DNS by hand in resolv.conf along with the other DNS. Alternatively you can try systemd-resolved:
https://github.com/jonathanio/update-systemd-resolved

#3 2016-11-26 22:21:04

greyseal96
Member
Registered: 2014-03-20
Posts: 31

Re: [Solved] OpenVPN client.up script and DNS resolution with resolvconf

Hi!  Thanks for the response.  I'm glad to hear that I'm not the only one having this problem.  Makes me feel like I'm not so far off track as I was starting to think.

Your post got me thinking that I ought to look around for some other client.up scripts that people have written.  I found a lot of examples where people were using

resolvconf -a

instead of

resolvconf -p -a

In fact, I even took a look at the page history for the OpenVPN page on the Arch Wiki and it looks like about three years ago (not sure when it was removed) there was a suggested script that used

resolvconf -a

instead of both the -p and -a options.  So that pretty much seals it for me.  I'm just going to go ahead and use only the -a option.  I'm still curious as to why the newer script from OpenVPN and also the script up on the AUR use options like -p and -x.  If anybody comes across this post and knows the answer to that, I'd love to know.  Also, if the -p and/or the -x options are working for you, I'd love to hear about that, too.  I'm curious to find out when those options should be used and in what circumstances it works correctly with DNS host name resolution.

#4 2016-11-29 10:52:39

rsmarples
Member
Registered: 2009-05-12
Posts: 287

Re: [Solved] OpenVPN client.up script and DNS resolution with resolvconf

-p means mark this resolv.conf as private.
As such, it cannot go in /etc/resolv.conf because that's for public nameservers only.

The idea behind using -p is that you integrate a resolver other than libc to handle the private zone mapping for you.
dnsmasq and unbound are good choices for this and openresolv has good scripts to handle them.

-x means only use DNS from this interface.

This is all clearly explained in resolvconf(8) with a fuller configuration described in resolvconf.conf(5).

Now for a VPN connection, -p is a good idea but it does require something other than libc to work for name resolution.
-x is not a good idea by default.


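A minimal up/down hook showing the mechanism discussed in posts #1 to #4, as an added example (not the script shipped with OpenVPN or the one in the AUR). `DNS_MODE` and the sample values are assumptions of this example; `foreign_option_N`, `dev` and `script_type` are the environment variables OpenVPN passes to hooks.

```sh
#!/bin/sh
# Added example: minimal OpenVPN up/down hook for openresolv.
# OpenVPN exports pushed options as foreign_option_1, foreign_option_2, ...
# Constructed sample values:
#   foreign_option_1='dhcp-option DNS 10.8.0.1'
#   foreign_option_2='dhcp-option DOMAIN corp.example'

# Print a resolv.conf fragment built from the foreign_option_N variables.
build_resolv_conf() {
    n=1 domains='' servers=''
    while :; do
        eval "opt=\${foreign_option_$n:-}"
        [ -n "$opt" ] || break
        set -f; set -- $opt; set +f   # split into words without globbing
        # The server controls these strings: accept only three-word options
        # whose value is made of hostname/IP characters.
        case "${3:-}" in ''|*[!A-Za-z0-9.:_-]*) set -- skip ;; esac
        if [ "$1" = dhcp-option ] && [ $# -eq 3 ]; then
            case "$2" in
                DNS)    servers="$servers $3" ;;
                DOMAIN) domains="$domains $3" ;;
            esac
        fi
        n=$((n + 1))
    done
    [ -z "$domains" ] || printf 'search%s\n' "$domains"
    for s in $servers; do printf 'nameserver %s\n' "$s"; done
}

# DNS_MODE is a hypothetical knob for this example; it maps to the flags
# discussed in the thread.
resolvconf_flags() {
    case "${1:-merge}" in
        merge)     echo "-a" ;;     # merged into /etc/resolv.conf
        private)   echo "-p -a" ;;  # kept out of it; needs dnsmasq/unbound
        exclusive) echo "-x -a" ;;  # only this interface's DNS is used
        *)         return 1 ;;
    esac
}

# script_type and dev are set by OpenVPN when it runs the hook.
case "${script_type:-}" in
    up)   flags=$(resolvconf_flags "${DNS_MODE:-merge}") || exit 1
          build_resolv_conf | resolvconf $flags "$dev" ;;
    down) resolvconf -d "$dev" ;;
esac
```
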
#5 2016-11-29 11:00:08

rsmarples
Member
Registered: 2009-05-12
Posts: 287

Re: [Solved] OpenVPN client.up script and DNS resolution with resolvconf

Hmmm, maybe it would be an idea to add a new option so that scripts using -p don't have to be modified.

public_interfaces="*"

for example, to cancel out private interfaces.

#6 2016-11-29 11:23:41

rsmarples
Member
Registered: 2009-05-12
Posts: 287

Re: [Solved] OpenVPN client.up script and DNS resolution with resolvconf

Added public_interfaces to next openresolv release:
http://roy.marples.name/projects/openre … c4af?sbs=0


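The two ways of living with a client.up that passes -p, as described in posts #4 to #6, written out as an added example resolvconf.conf (not taken from the thread or from openresolv's shipped configuration). The dnsmasq file paths are assumptions; the option names are those documented in resolvconf.conf(5).

```sh
# /etc/resolvconf.conf (read by openresolv as shell variable assignments)

# Option A: keep "-p" and let a local resolver do the private zone mapping.
# libc only ever talks to the resolver on localhost.
name_servers=127.0.0.1
# openresolv writes the per-domain forwarders for private interfaces here...
dnsmasq_conf=/etc/dnsmasq-conf.conf
# ...and the public upstream name servers here.
dnsmasq_resolv=/etc/dnsmasq-resolv.conf
# dnsmasq.conf then has to load both generated files:
#   conf-file=/etc/dnsmasq-conf.conf
#   resolv-file=/etc/dnsmasq-resolv.conf

# Option B: no local resolver; treat every interface as public so that
# "-p" is cancelled out. Needs an openresolv release that has
# public_interfaces. Uncomment instead of Option A:
#public_interfaces="*"
```

With Option B libc has no per-domain routing: it tries the listed name servers in order, so lookups for private names can reach the public resolvers and lookups for any name can reach the VPN's servers.
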
#7 2016-12-05 17:12:01

greyseal96
Member
Registered: 2014-03-20
Posts: 31

Re: [Solved] OpenVPN client.up script and DNS resolution with resolvconf

Sorry it's been so long since your response.  I had a couple of times read through each of those man pages that you listed but I didn't quite get what they were saying.  This sounds kind of silly, but after reading your response about the different resolvers, things just clicked and it makes more sense now.  I didn't fully understand how name resolution works in Linux.  I didn't know that libc was what does the resolution by default.  I've been reading a ton about how all this works so that I can make a more informed decision about whether I want/need to add a resolver and, if so, which one to add.  From what I've learned, with my current configuration, editing the script to take out the "-p" option was the only correct option.

Also, thanks a ton for adding that new feature.  With the speed that Arch moves I'll probably get that soon and try that out.  Another reason why Arch and FOSS are so great.  I think that the public_interfaces="*" feature would be really helpful in this situation.  I think I might also add something to the OpenVPN page on the wiki explaining a little bit about this for people who are ignorant of all this like me.  Thanks!

#8 2016-12-05 21:20:16

rsmarples
Member
Registered: 2009-05-12
Posts: 287

Re: [Solved] OpenVPN client.up script and DNS resolution with resolvconf

Glad you like it.

If you feel that the openresolv man pages can be improved, please submit a patch to help out!
I do the best I can :)

#9 2016-12-07 16:32:05

greyseal96
Member
Registered: 2014-03-20
Posts: 31

Re: [Solved] OpenVPN client.up script and DNS resolution with resolvconf

The man pages are great.  Once things clicked and I filled in my knowledge gaps, they made perfect sense.  The disconnect was totally on my side.  Thanks for all the work that you've done with openresolv and dhcpcd.
