Client's DNS settings not setting on Ubuntu 20.04 after update-resolv-conf

[928572]

I'm using the openvpn client command on Ubuntu 20.04 which is working, but the push for DNS settings doesn't seem to be working.

Code: Select all

sudo openvpn --script-security 2 --client --config /home/me/openvpn/client.ovpn

Here is my client configuration file (client.ovpn)

Code: Select all

[oconf=Client Config]
remote x.x.x.x
client
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
keepalive 10 120
port 1194
proto udp
key-direction 1
verb 3
mute 10
ca /home/me/openvpn/cacert.pem
cert /home/me/openvpn/cert.pem
key /home/me/openvpn/me.key
auth SHA256
;data-ciphers AES-256-GCM:AES-128-GCM
;data-ciphers-fallback AES-256-CBC
redirect-gateway def1
push "dhcp-option DNS 172.22.4.7"
push "dhcp-option DNS 172.25.2.7"
push "dhcp-option DOMAIN mydomain"
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
[/oconf]

and here is the output from the openvpn client command:

Code: Select all

Sun Apr 10 10:59:31 2022 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022
Sun Apr 10 10:59:31 2022 library versions: OpenSSL 1.1.1f  31 Mar 2020, LZO 2.10
Sun Apr 10 10:59:31 2022 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Sun Apr 10 10:59:31 2022 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sun Apr 10 10:59:31 2022 TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x:1194
Sun Apr 10 10:59:31 2022 Socket Buffers: R=[212992->212992] S=[212992->212992]
Sun Apr 10 10:59:31 2022 UDP link local: (not bound)
Sun Apr 10 10:59:31 2022 UDP link remote: [AF_INET]x.x.x.x:1194
Sun Apr 10 10:59:31 2022 TLS: Initial packet from [AF_INET]x.x.x.x:1194, sid=2ff2a1d3 da4fc636
Sun Apr 10 10:59:31 2022 VERIFY OK: depth=1, C= blah blah blah
Sun Apr 10 10:59:31 2022 VERIFY OK: depth=0, C= blah blah blah
Sun Apr 10 10:59:31 2022 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1553', remote='link-mtu 1569'
Sun Apr 10 10:59:31 2022 WARNING: 'cipher' is used inconsistently, local='cipher BF-CBC', remote='cipher AES-256-CBC'
Sun Apr 10 10:59:31 2022 WARNING: 'keysize' is used inconsistently, local='keysize 128', remote='keysize 256'
Sun Apr 10 10:59:31 2022 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Sun Apr 10 10:59:31 2022 [server] Peer Connection Initiated with [AF_INET]x.x.x.x:1194
Sun Apr 10 10:59:32 2022 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sun Apr 10 10:59:32 2022 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 172.22.4.7,dhcp-option DNS 172.25.2.7,dhcp-option DOMAIN mydomain,route-gateway 172.22.0.225,topology subnet,ping 10,ping-restart 120,ifconfig 172.22.0.227 255.255.255.224,peer-id 0,cipher AES-256-GCM'
Sun Apr 10 10:59:32 2022 OPTIONS IMPORT: timers and/or timeouts modified
Sun Apr 10 10:59:32 2022 OPTIONS IMPORT: --ifconfig/up options modified
Sun Apr 10 10:59:32 2022 OPTIONS IMPORT: route-related options modified
Sun Apr 10 10:59:32 2022 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sun Apr 10 10:59:32 2022 OPTIONS IMPORT: peer-id set
Sun Apr 10 10:59:32 2022 OPTIONS IMPORT: adjusting link_mtu to 1624
Sun Apr 10 10:59:32 2022 OPTIONS IMPORT: data channel crypto options modified
Sun Apr 10 10:59:32 2022 Data Channel: using negotiated cipher 'AES-256-GCM'
Sun Apr 10 10:59:32 2022 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sun Apr 10 10:59:32 2022 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sun Apr 10 10:59:32 2022 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=enx00e04c680067 HWADDR=00:e0:4c:68:00:67
Sun Apr 10 10:59:32 2022 TUN/TAP device tun0 opened
Sun Apr 10 10:59:32 2022 TUN/TAP TX queue length set to 100
Sun Apr 10 10:59:32 2022 /sbin/ip link set dev tun0 up mtu 1500
Sun Apr 10 10:59:32 2022 /sbin/ip addr add dev tun0 172.22.0.227/27 broadcast 172.22.0.255
Sun Apr 10 10:59:32 2022 /etc/openvpn/update-resolv-conf tun0 1500 1552 172.22.0.227 255.255.255.224 init
Sun Apr 10 10:59:32 2022 /sbin/ip route add x.x.x.x/32 via 192.168.1.1
Sun Apr 10 10:59:32 2022 /sbin/ip route add 0.0.0.0/1 via 172.22.0.225
Sun Apr 10 10:59:32 2022 /sbin/ip route add 128.0.0.0/1 via 172.22.0.225
Sun Apr 10 10:59:32 2022 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun Apr 10 10:59:32 2022 Initialization Sequence Completed

DNS queries using the dig command do not return results, unless I explicitly specify the DNS server IP.

When using resolvectl status to check the resolve status, it shows this for tun0:

Code: Select all

Link 16 (tun0)
      Current Scopes: none
DefaultRoute setting: no  
       LLMNR setting: yes 
MulticastDNS setting: no  
  DNSOverTLS setting: no  
      DNSSEC setting: no  
    DNSSEC supported: no  

and I am expecting some entries like these:

Code: Select all

  Current DNS Server: 172.22.4.7
         DNS Servers: 172.22.4.7
          DNS Domain: mydomain.

Any suggestions

[TinCanTech]

Sun Apr 10 10:59:31 2022 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

View Originalclient

remote x.x.x.x
client
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
keepalive 10 120
port 1194
proto udp
key-direction 1
verb 3
mute 10
ca /home/me/openvpn/cacert.pem
cert /home/me/openvpn/cert.pem
key /home/me/openvpn/me.key
auth SHA256
;data-ciphers AES-256-GCM:AES-128-GCM
;data-ciphers-fallback AES-256-CBC
redirect-gateway def1
push "dhcp-option DNS 172.22.4.7"
push "dhcp-option DNS 172.25.2.7"
push "dhcp-option DOMAIN mydomain"
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

Wrong config.

[928572]

Sorry I don't have a server config. Only client config.

Line 19-21 in the client config probably doesn't need to be there because the server is pushing them already. I'm just desperately trying things hoping it will work. There are other people with different client computers (like MacOS) who are working OK with DNS, so the server must be OK. Something weird going on with the Ubuntu 20.04 client.

[TinCanTech]

The config you posted does not match the log you posted.

update-resolv-conf is not being called.

[928572]

It's the 6th line from the bottom of the log:

Sun Apr 10 10:59:32 2022 /etc/openvpn/update-resolv-conf tun0 1500 1552 172.22.0.227 255.255.255.224 init

[TinCanTech]

Well, the config file doesn't have --script-security setting ..

[928572]

It's passed on the command line:

Code: Select all

sudo openvpn --script-security 2 --client --config /home/me/openvpn/client.ovpn

[TinCanTech]

Looks like it is working then ..

[928572]

It's not working ... the DNS settings are not being applied in the client computer

[TinCanTech]

Then you need to report a bug to the source of your script.

[300000]

You need add into you config to make it work .just add this one and try it again.

"script-security 4"

[928572]

Still not working. No change in behavior after adding script-security 4 to the first line of the client config.
I also removed --script-security 2 from the command line args, and no change.

[TinCanTech]

Wrong config..?


Or possibly a bug: --script-security 9 also works.

[928572]

Thanks for the replies. --script-security 9 didn't seem to do anything either.

Any other suggestions for determining the root cause / fix?

[TinCanTech]

There is a bug report but not for your problem:
https://community.openvpn.net/openvpn/t ... 463#ticket