Hi. I've configured OpenVPN and my *.ovpn file with update-resolv-conf as the wiki says here. But it still doesn't change resolv.conf accordingly. I have openresolv, networkmanager, dnscrypt-proxy and unbound. Plz somebody help me with this issue.
Last edited by EnthusioArcher (2021-02-13 05:52:02)
If you have everything configured correctly .... why should it?
`resolvconf -l` will list everything
/etc/resolv.conf should just list 127.0.0.1 and your unbound configuration will have the actual upstream nameservers.
> If you have everything configured correctly .... why should it?
> `resolvconf -l` will list everything
> /etc/resolv.conf should just list 127.0.0.1 and your unbound configuration will have the actual upstream nameservers.
I'm not asking about configuring Unbound. I'm asking about the DNS changing when OpenVPN is connected. When OpenVPN is configured with the update-resolv-conf script, it should update /etc/resolv.conf with the VPN's DNS servers.
Maybe you don't understand the role of the software you claim you have installed - you claimed OpenVPN, openresolv and unbound.
openresolv takes resolv.conf input from many sources, such as OpenVPN or dhcpcd and forms /etc/resolv.conf from this and its own configuration file.
If you have configured resolvconf.conf for unbound correctly, /etc/resolv.conf will only ever list the nameserver 127.0.0.1
Seeing as I wrote openresolv, I think that makes me pretty qualified to talk about it
https://roy.marples.name/projects/openr … iguration/
> Maybe you don't understand the role of the software you claim you have installed - you claimed OpenVPN, openresolv and unbound.
> openresolv takes resolv.conf input from many sources, such as OpenVPN or dhcpcd and forms /etc/resolv.conf from this and its own configuration file.
> If you have configured resolvconf.conf for unbound correctly, /etc/resolv.conf will only ever list the nameserver 127.0.0.1
> Seeing as I wrote openresolv, I think that makes me pretty qualified to talk about it
> https://roy.marples.name/projects/openr … iguration/
Sure. Actually, there is another script involved called openvpn-update-resolv-conf which takes the role to update resolv.conf with VPN's DNS server addresses via openresolv whenever OpenVPN is connected. I would request you to see this - https://wiki.archlinux.org/index.php/Op … tom_script.
Good lord those scripts are bad.
Anyway, my point still stands.
`resolvconf -l` will list all the inputs. If you don't see any from your tuntap interface then either they are not set upstream or there is an issue with that script.
Does `resolvconf -l` list input from your tuntap interface? It might be called tun0.inet for example
> Good lord those scripts are bad.
> Anyway, my point still stands.
> `resolvconf -l` will list all the inputs. If you don't see any from your tuntap interface then either they are not set upstream or there is an issue with that script.
> Does `resolvconf -l` list input from your tuntap interface? It might be called tun0.inet for example
I see the following when running resolvconf -l
# resolv.conf from tun0.inet
nameserver 10.18.0.1
# resolv.conf from NetworkManager
# Generated by NetworkManager
nameserver 192.168.0.1
Excellent! So you have two nameservers from two different sources.
`resolvconf -v` should list NAMESERVERS=10.18.0.1 only as it was marked exclusive.
The unbound configuration file defined in /etc/resolvconf.conf should also list this as the only forwarder.
/etc/resolv.conf should only show 127.0.0.1
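The three conditions listed in the post above (the tunnel's nameserver is the only forwarder in the unbound file, and /etc/resolv.conf lists only 127.0.0.1) can be checked mechanically. This is an added example, not code from the thread or from openresolv; the function names and sample files are constructed, and it assumes the file named by unbound_conf uses unbound's standard `forward-zone:` / `forward-addr:` syntax.

```shell
#!/bin/sh
# Added example. Inputs are files so the check runs offline; on a live system
# use `resolvconf -l` output, the unbound_conf file and /etc/resolv.conf.

# Nameservers that `resolvconf -l` output attributes to one source.
source_nameservers() {   # $1 = source (e.g. tun0.inet), $2 = file
    awk -v src="$1" '
        /^# resolv\.conf from / { cur = $4; next }
        cur == src && $1 == "nameserver" { print $2 }' "$2" | sort -u
}

# forward-addr entries of an unbound forward-zone file.
unbound_forwarders() { awk '$1 == "forward-addr:" { print $2 }' "$1" | sort -u; }

# nameserver entries of a resolv.conf-format file.
resolv_nameservers() { awk '$1 == "nameserver" { print $2 }' "$1" | sort -u; }

# Prints "ok" and returns 0 when all three conditions hold, else the reason.
check_vpn_dns() {   # $1 = source, $2 = list, $3 = unbound conf, $4 = resolv.conf
    vpn=$(source_nameservers "$1" "$2")
    [ -n "$vpn" ] || { echo "no nameserver from $1"; return 1; }
    [ "$(unbound_forwarders "$3")" = "$vpn" ] ||
        { echo "unbound forwarders differ from VPN nameservers"; return 1; }
    [ "$(resolv_nameservers "$4")" = "127.0.0.1" ] ||
        { echo "resolv.conf bypasses unbound"; return 1; }
    echo "ok"
}

# Constructed sample data: the `resolvconf -l` listing from the thread, plus
# an unbound file with forwarder $1 and a resolv.conf with nameserver $2.
demo() {
    d=$(mktemp -d) || return 2
    printf '%s\n' '# resolv.conf from tun0.inet' 'nameserver 10.18.0.1' \
        '# resolv.conf from NetworkManager' '# Generated by NetworkManager' \
        'nameserver 192.168.0.1' > "$d/list"
    printf 'forward-zone:\n\tname: "."\n\tforward-addr: %s\n' "$1" > "$d/unbound"
    printf 'nameserver %s\n' "$2" > "$d/resolv"
    check_vpn_dns tun0.inet "$d/list" "$d/unbound" "$d/resolv" && rc=0 || rc=$?
    rm -rf "$d"
    return "$rc"
}

demo 10.18.0.1 127.0.0.1   # prints: ok
```

A forwarder of 192.168.0.1 in the unbound file, or any nameserver other than 127.0.0.1 in resolv.conf, makes the check fail with the reason printed.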
> Excellent! So you have two nameservers from two different sources.
> `resolvconf -v` should list NAMESERVERS=10.18.0.1 only as it was marked exclusive.
> The unbound configuration file defined in /etc/resolvconf.conf should also list this as the only forwarder.
> /etc/resolv.conf should only show 127.0.0.1
I want /etc/resolv.conf to show 10.18.0.1 instead of 127.0.0.1 as long as VPN is connected. How can I achieve that? Plz help me. Bcz otherwise my DNS is leaking.
Last edited by EnthusioArcher (2021-02-10 08:36:40)
Why? In your setup all queries should be answered by unbound. unbound gets its nameservers from openresolv. You should be able to tell which nameservers are configured in unbound with
unbound-control list_forwards
# or maybe
unbound-control forward
Last edited by progandy (2021-02-10 08:42:07)
| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |
> Why? In your setup all queries should be answered by unbound. unbound gets its nameservers from openresolv. You should be able to tell which nameservers are configured in unbound with
> unbound-control list_forwards
Bcz, when connected to VPN, I want to only use the VPN's DNS server.
I feel that you're not fully grasping how it works.
Using unbound here sets your DNS server up as a DNS cache.
Without it, each DNS request will go over the VPN.
For example
resolve foo.bar -> unbound -> VPN -> unbound -> resolved
resolve foo.bar again -> unbound -> resolved
Because unbound only has a forwarder to the VPN there is no leak.
> I feel that you're not fully grasping how it works.
> Using unbound here sets your DNS server up as a DNS cache.
> Without it, each DNS request will go over the VPN.
> For example
> resolve foo.bar -> unbound -> VPN -> unbound -> resolved
> resolve foo.bar again -> unbound -> resolved
> Because unbound only has a forwarder to the VPN there is no leak.
Oh, I see. Now, I realized the matter. Actually, I quite forgot Unbound's role. But, suppose, if I still want to modify resolv.conf with that nameserver, what should I do?
Edit /etc/resolvconf.conf and ensure name_servers="127.0.0.1" is commented out.
May as well comment out any unbound config file bits too.
Check `resolvconf -l` output and ensure that no local nameserver is listed there either.
Finally do `resolvconf -u` and you'll get what you want.
Or possibly keep resolvconf configured for unbound and write your own openvpn hook to change resolv.conf directly.
| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |
> Or possibly keep resolvconf configured for unbound and write your own openvpn hook to change resolv.conf directly.
How can I do that?
> Or possibly keep resolvconf configured for unbound and write your own openvpn hook to change resolv.conf directly.
Then he'll have a confusing state vs any DHCP he's running.
Let resolvconf do its job.
> Edit /etc/resolvconf.conf and ensure name_servers="127.0.0.1" is commented out.
> May as well comment out any unbound config file bits too.
> Check `resolvconf -l` output and ensure that no local nameserver is listed there either.
> Finally do `resolvconf -u` and you'll get what you want.
I want OpenVPN to edit resolv.conf automatically with Nameservers. Is it possible?
> > rsmarples wrote:
> > Edit /etc/resolvconf.conf and ensure name_servers="127.0.0.1" is commented out.
> > May as well comment out any unbound config file bits too.
> > Check `resolvconf -l` output and ensure that no local nameserver is listed there either.
> > Finally do `resolvconf -u` and you'll get what you want.
> I want OpenVPN to edit resolv.conf automatically with Nameservers. Is it possible?
Yes.
All the information you need is already stated here.
> > EnthusioArcher wrote:
> > > rsmarples wrote:
> > > Edit /etc/resolvconf.conf and ensure name_servers="127.0.0.1" is commented out.
> > > May as well comment out any unbound config file bits too.
> > > Check `resolvconf -l` output and ensure that no local nameserver is listed there either.
> > > Finally do `resolvconf -u` and you'll get what you want.
> > I want OpenVPN to edit resolv.conf automatically with Nameservers. Is it possible?
> Yes.
> All the information you need is already stated here.
Ok. Thx for helping me so far.