DNS fails when 'Use this connection only for resources on its network' is checked

Question

It seems I can only have DNS or Routing working. Not both.

I imported my client's ovpn file and when I connect (with the defaults) I can access resources behind their firewall, their DNS servers take over, and all is good. Only problem: I can't access anything that's not on their server:

host onvpn.com 123.45.67.89
host npr.org 216.35.221.76
ping 123.45.67.89 SUCCEEDS
ping 216.35.221.76 FAILS

When I check off 'Use this connection only for resources on its network' I can still ping ips behind their server, but DNS on the server dies:

host onvpn.com NOT FOUND
host npr.org 216.35.221.76
ping 123.45.67.89 SUCCEEDS
ping 216.35.221.76 SUCCEEDS

If I uncheck Automatic for DNS (while still leaving "only resources on its network" checked off), and manually enter the addresses for the DNS servers I'm supposed to be using I get the same results.

Can I really only get Routing or DNS, pick one?

I'm on Zesty. I am using the network-manager-openvpn-gnome package to manage the connection. It works fine on my windows machine and Mac (with TunnelBlick) using default settings from the ovpn file.

== EDIT ==

I've run systemd-resolve --status in both states and it looks identical except a tilde in front of the domain when I have "Use this connection..." checked. I'm not sure how else to debug. I really don't want to use Windows or manually editing my hosts file...there's a lot of machines behind the VPN...

@colin no dice. Just wrote a handful of scripts to use openvpn easily from the command line. — Chris Pfohl, Sep 13 '17 at 15:29

aross · Answer 1 · 2020-11-28T16:22:49.327

0

I got this working as follows:

Add another LAN connection profile, which has the IP address of the DNS server within the VPN
Now if you use this profile, DNS is broken until you connect to VPN
Therefore, change the VPN config to connect to a static IP address instead of a hostname (or put the IP address in your hosts file)

Done! It's not a workaround that makes me very happy, but hey, it works.

edited Nov 28 '20 at 16:22

answered Nov 27 '20 at 15:06

aross

111

score 0 · Answer 2 · answered Apr 14 '21 at 12:54

I just increased the route metric for the VPN, so a default gateway + DNS is added but the old default GW has higher priority. Then I added additional routes into the VPN network.

nmcli connection modify MYVPN ipv4.route-metric 101

Result: DNS servers from VPN, routing of VPN network (including DNS) through VPN, local network and internet via local gateway still available.

DNS fails when 'Use this connection only for resources on its network' is checked

2 Answers2