network manager openvpn use local dns

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP








up vote
1
down vote

favorite
1












When you connect to openvpn from network manager. it does not encrypt dns requests through vpn, the result is that ubuntu uses local goverment dns results.




openvpn




share|improve this question





















  • I have developed method with NetworkManager dispatcher and it works for 16.04 LTS. You can test it on 18.04 LTS.
    – N0rbert
    Jun 11 at 11:18










  • @N0rbert Not solved the problem. This is the profile : ufile.io/l5cvt
    – M-E-Activist
    Jun 11 at 18:01











  • @N0rbert adding these lines script-security 2 up /etc/openvpn/update-resolv-conf down /etc/openvpn/update-resolv-conf and running via openvpn command solve it, but I want to use it by network manager, but even sudo nmcli did not solve problem
    – M-E-Activist
    Jun 11 at 23:09















up vote
1
down vote

favorite
1












When you connect to openvpn from network manager. it does not encrypt dns requests through vpn, the result is that ubuntu uses local goverment dns results.




openvpn




share|improve this question





















  • I have developed method with NetworkManager dispatcher and it works for 16.04 LTS. You can test it on 18.04 LTS.
    – N0rbert
    Jun 11 at 11:18










  • @N0rbert Not solved the problem. This is the profile : ufile.io/l5cvt
    – M-E-Activist
    Jun 11 at 18:01











  • @N0rbert adding these lines script-security 2 up /etc/openvpn/update-resolv-conf down /etc/openvpn/update-resolv-conf and running via openvpn command solve it, but I want to use it by network manager, but even sudo nmcli did not solve problem
    – M-E-Activist
    Jun 11 at 23:09













up vote
1
down vote

favorite
1









up vote
1
down vote

favorite
1






1





When you connect to openvpn from network manager. it does not encrypt dns requests through vpn, the result is that ubuntu uses local goverment dns results.




openvpn




share|improve this question













When you connect to openvpn from network manager. it does not encrypt dns requests through vpn, the result is that ubuntu uses local goverment dns results.





openvpn





share|improve this question












share|improve this question




share|improve this question








edited Jun 14 at 19:19
























asked Jun 11 at 2:03









M-E-Activist

63




63











  • I have developed method with NetworkManager dispatcher and it works for 16.04 LTS. You can test it on 18.04 LTS.
    – N0rbert
    Jun 11 at 11:18










  • @N0rbert Not solved the problem. This is the profile : ufile.io/l5cvt
    – M-E-Activist
    Jun 11 at 18:01











  • @N0rbert adding these lines script-security 2 up /etc/openvpn/update-resolv-conf down /etc/openvpn/update-resolv-conf and running via openvpn command solve it, but I want to use it by network manager, but even sudo nmcli did not solve problem
    – M-E-Activist
    Jun 11 at 23:09

















  • I have developed method with NetworkManager dispatcher and it works for 16.04 LTS. You can test it on 18.04 LTS.
    – N0rbert
    Jun 11 at 11:18










  • @N0rbert Not solved the problem. This is the profile : ufile.io/l5cvt
    – M-E-Activist
    Jun 11 at 18:01











  • @N0rbert adding these lines script-security 2 up /etc/openvpn/update-resolv-conf down /etc/openvpn/update-resolv-conf and running via openvpn command solve it, but I want to use it by network manager, but even sudo nmcli did not solve problem
    – M-E-Activist
    Jun 11 at 23:09
















I have developed method with NetworkManager dispatcher and it works for 16.04 LTS. You can test it on 18.04 LTS.
– N0rbert
Jun 11 at 11:18




I have developed method with NetworkManager dispatcher and it works for 16.04 LTS. You can test it on 18.04 LTS.
– N0rbert
Jun 11 at 11:18












@N0rbert Not solved the problem. This is the profile : ufile.io/l5cvt
– M-E-Activist
Jun 11 at 18:01





@N0rbert Not solved the problem. This is the profile : ufile.io/l5cvt
– M-E-Activist
Jun 11 at 18:01













@N0rbert adding these lines script-security 2 up /etc/openvpn/update-resolv-conf down /etc/openvpn/update-resolv-conf and running via openvpn command solve it, but I want to use it by network manager, but even sudo nmcli did not solve problem
– M-E-Activist
Jun 11 at 23:09





@N0rbert adding these lines script-security 2 up /etc/openvpn/update-resolv-conf down /etc/openvpn/update-resolv-conf and running via openvpn command solve it, but I want to use it by network manager, but even sudo nmcli did not solve problem
– M-E-Activist
Jun 11 at 23:09











1 Answer
1






active

oldest

votes

















up vote
0
down vote













If you have set up your own VPN, you can modify the following line in the openvpn configuration file.



push "redirect-gateway def1 bypass-dhcp bypass-dns"


Change that to



push "redirect-gateway def1 bypass-dhcp"


and change the default configuration:



push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"


to 



push "dhcp-option DNS 10.8.0.1"


Assuming 10.8.0.1 is the gateway you setup for your vpn clients. Note: Normally you don't want DHCP to go over VPN, if you do, remove the bypass-dhcp also.



Also make sure your server can handle the traffic by adding the following to the firewall rules.



iptables -v -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE


If those doesn't fix not your problem, then you need to look at your routing table on your client side to ensure that the gateway route over 10.8.0.1 has lower metric over the gateway configured on client machine (typically 19.168.0.1 or something). You can modify increase the non-vpn gateway to a higher number, lower metric have higher routing priority.



On your client machine after connected to the VPN, check the routing metric.



ip route
default via 10.8.0.1 dev tun0 proto static metric 50 
default via 192.168.0.1 dev enx00 proto dhcp metric 100 
default via 192.168.0.1 dev wlps proto dhcp metric 600 
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.4 metric 50 
100.77.34.23 via 192.168.0.1 dev enx00 proto static metric 100
....


As you can see, 10.8.0.1 tunnel have the lowest metric and hence will be tried first. The 192.168.0.1 of the local ISP on ethernet interface will be tried next, and so on.






share|improve this answer























  • My problem is only when you connecting from the network manager. It appears that it change DNS but send dns request unencrypted (not through vpn), which cause the government changes the result to its local DNS server (sink)
    – M-E-Activist
    Jun 14 at 19:38










  • Have you check your routing priority, the 10.8.0.1 dateway needs to have lower metric and also that the gateway can process the dns request (hence the masquerade rule). Try "ip route" to check the metric, it will only traverse down the route when it failed to match or cannot resolve.
    – Bernard Wei
    Jun 14 at 21:17










Your Answer







StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "89"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
convertImagesToLinks: true,
noModals: false,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);








 

draft saved


draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1045445%2fnetwork-manager-openvpn-use-local-dns%23new-answer', 'question_page');

);

Post as a guest

















1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes








up vote
0
down vote













If you have set up your own VPN, you can modify the following line in the openvpn configuration file.



push "redirect-gateway def1 bypass-dhcp bypass-dns"


Change that to



push "redirect-gateway def1 bypass-dhcp"


and change the default configuration:



push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"


to 



push "dhcp-option DNS 10.8.0.1"


Assuming 10.8.0.1 is the gateway you setup for your vpn clients. Note: Normally you don't want DHCP to go over VPN, if you do, remove the bypass-dhcp also.



Also make sure your server can handle the traffic by adding the following to the firewall rules.



iptables -v -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE


If those doesn't fix not your problem, then you need to look at your routing table on your client side to ensure that the gateway route over 10.8.0.1 has lower metric over the gateway configured on client machine (typically 19.168.0.1 or something). You can modify increase the non-vpn gateway to a higher number, lower metric have higher routing priority.



On your client machine after connected to the VPN, check the routing metric.



ip route
default via 10.8.0.1 dev tun0 proto static metric 50 
default via 192.168.0.1 dev enx00 proto dhcp metric 100 
default via 192.168.0.1 dev wlps proto dhcp metric 600 
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.4 metric 50 
100.77.34.23 via 192.168.0.1 dev enx00 proto static metric 100
....


As you can see, 10.8.0.1 tunnel have the lowest metric and hence will be tried first. The 192.168.0.1 of the local ISP on ethernet interface will be tried next, and so on.






share|improve this answer























  • My problem is only when you connecting from the network manager. It appears that it change DNS but send dns request unencrypted (not through vpn), which cause the government changes the result to its local DNS server (sink)
    – M-E-Activist
    Jun 14 at 19:38










  • Have you check your routing priority, the 10.8.0.1 dateway needs to have lower metric and also that the gateway can process the dns request (hence the masquerade rule). Try "ip route" to check the metric, it will only traverse down the route when it failed to match or cannot resolve.
    – Bernard Wei
    Jun 14 at 21:17














up vote
0
down vote













If you have set up your own VPN, you can modify the following line in the openvpn configuration file.



push "redirect-gateway def1 bypass-dhcp bypass-dns"


Change that to



push "redirect-gateway def1 bypass-dhcp"


and change the default configuration:



push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"


to 



push "dhcp-option DNS 10.8.0.1"


Assuming 10.8.0.1 is the gateway you setup for your vpn clients. Note: Normally you don't want DHCP to go over VPN, if you do, remove the bypass-dhcp also.



Also make sure your server can handle the traffic by adding the following to the firewall rules.



iptables -v -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE


If those doesn't fix not your problem, then you need to look at your routing table on your client side to ensure that the gateway route over 10.8.0.1 has lower metric over the gateway configured on client machine (typically 19.168.0.1 or something). You can modify increase the non-vpn gateway to a higher number, lower metric have higher routing priority.



On your client machine after connected to the VPN, check the routing metric.



ip route
default via 10.8.0.1 dev tun0 proto static metric 50 
default via 192.168.0.1 dev enx00 proto dhcp metric 100 
default via 192.168.0.1 dev wlps proto dhcp metric 600 
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.4 metric 50 
100.77.34.23 via 192.168.0.1 dev enx00 proto static metric 100
....


As you can see, 10.8.0.1 tunnel have the lowest metric and hence will be tried first. The 192.168.0.1 of the local ISP on ethernet interface will be tried next, and so on.






share|improve this answer























  • My problem is only when you connecting from the network manager. It appears that it change DNS but send dns request unencrypted (not through vpn), which cause the government changes the result to its local DNS server (sink)
    – M-E-Activist
    Jun 14 at 19:38










  • Have you check your routing priority, the 10.8.0.1 dateway needs to have lower metric and also that the gateway can process the dns request (hence the masquerade rule). Try "ip route" to check the metric, it will only traverse down the route when it failed to match or cannot resolve.
    – Bernard Wei
    Jun 14 at 21:17












up vote
0
down vote










up vote
0
down vote









If you have set up your own VPN, you can modify the following line in the openvpn configuration file.



push "redirect-gateway def1 bypass-dhcp bypass-dns"


Change that to



push "redirect-gateway def1 bypass-dhcp"


and change the default configuration:



push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"


to 



push "dhcp-option DNS 10.8.0.1"


Assuming 10.8.0.1 is the gateway you setup for your vpn clients. Note: Normally you don't want DHCP to go over VPN, if you do, remove the bypass-dhcp also.



Also make sure your server can handle the traffic by adding the following to the firewall rules.



iptables -v -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE


If those doesn't fix not your problem, then you need to look at your routing table on your client side to ensure that the gateway route over 10.8.0.1 has lower metric over the gateway configured on client machine (typically 19.168.0.1 or something). You can modify increase the non-vpn gateway to a higher number, lower metric have higher routing priority.



On your client machine after connected to the VPN, check the routing metric.



ip route
default via 10.8.0.1 dev tun0 proto static metric 50 
default via 192.168.0.1 dev enx00 proto dhcp metric 100 
default via 192.168.0.1 dev wlps proto dhcp metric 600 
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.4 metric 50 
100.77.34.23 via 192.168.0.1 dev enx00 proto static metric 100
....


As you can see, 10.8.0.1 tunnel have the lowest metric and hence will be tried first. The 192.168.0.1 of the local ISP on ethernet interface will be tried next, and so on.






share|improve this answer















If you have set up your own VPN, you can modify the following line in the openvpn configuration file.



push "redirect-gateway def1 bypass-dhcp bypass-dns"


Change that to



push "redirect-gateway def1 bypass-dhcp"


and change the default configuration:



push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"


to 



push "dhcp-option DNS 10.8.0.1"


Assuming 10.8.0.1 is the gateway you setup for your vpn clients. Note: Normally you don't want DHCP to go over VPN, if you do, remove the bypass-dhcp also.



Also make sure your server can handle the traffic by adding the following to the firewall rules.



iptables -v -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE


If those doesn't fix not your problem, then you need to look at your routing table on your client side to ensure that the gateway route over 10.8.0.1 has lower metric over the gateway configured on client machine (typically 19.168.0.1 or something). You can modify increase the non-vpn gateway to a higher number, lower metric have higher routing priority.



On your client machine after connected to the VPN, check the routing metric.



ip route
default via 10.8.0.1 dev tun0 proto static metric 50 
default via 192.168.0.1 dev enx00 proto dhcp metric 100 
default via 192.168.0.1 dev wlps proto dhcp metric 600 
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.4 metric 50 
100.77.34.23 via 192.168.0.1 dev enx00 proto static metric 100
....


As you can see, 10.8.0.1 tunnel have the lowest metric and hence will be tried first. The 192.168.0.1 of the local ISP on ethernet interface will be tried next, and so on.







share|improve this answer















share|improve this answer



share|improve this answer








edited Jun 14 at 21:21


























answered Jun 13 at 22:01









Bernard Wei

677313




677313











  • My problem is only when you connecting from the network manager. It appears that it change DNS but send dns request unencrypted (not through vpn), which cause the government changes the result to its local DNS server (sink)
    – M-E-Activist
    Jun 14 at 19:38










  • Have you check your routing priority, the 10.8.0.1 dateway needs to have lower metric and also that the gateway can process the dns request (hence the masquerade rule). Try "ip route" to check the metric, it will only traverse down the route when it failed to match or cannot resolve.
    – Bernard Wei
    Jun 14 at 21:17
















  • My problem is only when you connecting from the network manager. It appears that it change DNS but send dns request unencrypted (not through vpn), which cause the government changes the result to its local DNS server (sink)
    – M-E-Activist
    Jun 14 at 19:38










  • Have you check your routing priority, the 10.8.0.1 dateway needs to have lower metric and also that the gateway can process the dns request (hence the masquerade rule). Try "ip route" to check the metric, it will only traverse down the route when it failed to match or cannot resolve.
    – Bernard Wei
    Jun 14 at 21:17















My problem is only when you connecting from the network manager. It appears that it change DNS but send dns request unencrypted (not through vpn), which cause the government changes the result to its local DNS server (sink)
– M-E-Activist
Jun 14 at 19:38




My problem is only when you connecting from the network manager. It appears that it change DNS but send dns request unencrypted (not through vpn), which cause the government changes the result to its local DNS server (sink)
– M-E-Activist
Jun 14 at 19:38












Have you check your routing priority, the 10.8.0.1 dateway needs to have lower metric and also that the gateway can process the dns request (hence the masquerade rule). Try "ip route" to check the metric, it will only traverse down the route when it failed to match or cannot resolve.
– Bernard Wei
Jun 14 at 21:17




Have you check your routing priority, the 10.8.0.1 dateway needs to have lower metric and also that the gateway can process the dns request (hence the masquerade rule). Try "ip route" to check the metric, it will only traverse down the route when it failed to match or cannot resolve.
– Bernard Wei
Jun 14 at 21:17












 

draft saved


draft discarded


























 


draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1045445%2fnetwork-manager-openvpn-use-local-dns%23new-answer', 'question_page');

);

Post as a guest
































































-

Popular posts from this blog

pylint3 and pip3 broken

Image
Clash Royale CLAN TAG #URR8PPP up vote 0 down vote favorite I have tried sudo apt remove --purge on various packages. I get the same when I reinstall. I have also tried reinstall using aptitude. This does not work. My current workaround is to run pylint3 as root, which works, but is bad practice. pip3 $ pip3 Traceback (most recent call last): File "/usr/lib/python3/dist-packages/pip/_vendor/__init__.py", line 33, in vendored __import__(vendored_name, globals(), locals(), level=0) ImportError: No module named 'pip._vendor.pkg_resources' During handling of the above exception, another exception occurred: Traceback (most recent call last): File "/usr/bin/pip3", line 9, in <module> from pip import main File "/usr/lib/python3/dist-packages/pip/__init__.py", line 13, in <module> from pip.exceptions import InstallationError, CommandError, PipError File "/usr/lib/python3/dist-packages/pip/exceptions.py", line 6, ...
Read more

Missing snmpget and snmpwalk

Image
Clash Royale CLAN TAG #URR8PPP up vote 0 down vote favorite I have installed Zabbix appliance, directly preinstalled and found that there is missing snmpwalk and snmpget commands. I tried to install it with: apt-get install net-snmp-utils but I have error message: Unable to locate package. I have also check what from SNMP is preinstalled and there is: libsnmp-base libsnmp30:amd64 snmp-mibs-downloader snmpd snmptrapd snmptrapfmt How can I install snmpget and snmpwalk ? snmp zabbix share | improve this question edited Jan 29 at 10:10 Yaron 8,552 7 18 38 asked Jan 29 at 9:51 Alfista 1 apt install snmp perhaps ? If named differently - apt cache snmp – fugitive Jan 29 at 10:00 add a comment  |  up vote 0 down vote favorite I have installed Zabbix appliance, directly preinstalled and found that there is missing snmpwalk and snmpget commands. I tried...
Read more

How to enroll fingerprints to Ubuntu 17.10 with VFS491

Image
Clash Royale CLAN TAG #URR8PPP up vote 1 down vote favorite I decided to switch from Windows to Ubuntu 17.10, I meet it like 8 years ago and I didn't decided to switch until now (haha). Well, my actual device is an HP Probook 4540s with a Validity fingerprint sensor (VFS491). The fingerprint sensor worked fine on Windows but I can't get it to work in Ubuntu. The device is recognized as 138a:003d but is not detected as a fingerprint scanner by some apps like Fingerprint GUI. I want to use the fingerprint scanner to log in into my user account in Ubuntu but it doesn't supports fingerprints without special software and the drivers of the fingerprint scanner are available for Windows but not for any Linux distribution. I found something on GitHub (https://github.com/eekpie/libfprint) about the integration of the VFS491 in libfprint and I think it can help but I don't know what to do with it, so that's why I need the help of the community to do it since I am...
Read more