
OpenVPN3 doesn't set back previous DNS after disconnect using systemd-resolved in stub mode #246

Open
savely-krasovsky opened this issue Mar 22, 2024 · 4 comments

Comments

@savely-krasovsky

savely-krasovsky commented Mar 22, 2024

I am using the latest Arch Linux with systemd-resolved. I am dealing with two problems, but the most annoying one is the case in stub resolv.conf mode.

So in foreign mode (with the usual /etc/resolv.conf handling) OpenVPN3 just adds the VPN's DNS server to the list, but it doesn't make it primary even if I override with dns-scope: global:

Global
           Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
    resolv.conf mode: foreign
  Current DNS Server: 10.25.1.3
         DNS Servers: 10.25.1.3 192.168.88.1
Fallback DNS Servers: 1.1.1.1#cloudflare-dns.com 9.9.9.9#dns.quad9.net 8.8.8.8#dns.google 2606:4700:4700::1111#cloudflare-dns.com 2620:fe::9#dns.quad9.net 2001:4860:4860::8888#dns.google
          DNS Domain: EXAMPLE example.org example.com
#
# Generated by OpenVPN 3 Linux (NetCfg::DNS::ResolvConfFile)
# Last updated: 2024-03-22 18:33:46 
#
search EXAMPLE example.org example.com

# OpenVPN defined name servers
nameserver 10.25.1.3

# System defined name servers
nameserver 192.168.88.1

192.168.88.1 is my home network cache server. In that case, corporate services with a domain other than those in the DNS Domain list resolve to an external IP (dns-scope: global was there to fix it, or did I miss something?). The reason for this problem is probably the missing ~. in the domains.

But in stub mode the situation is even weirder. OpenVPN finally detects stub mode and sets only one DNS server:

Global
           Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
    resolv.conf mode: foreign
  Current DNS Server: 10.25.1.3
         DNS Servers: 10.25.1.3
Fallback DNS Servers: 1.1.1.1#cloudflare-dns.com 9.9.9.9#dns.quad9.net 8.8.8.8#dns.google 2606:4700:4700::1111#cloudflare-dns.com 2620:fe::9#dns.quad9.net 2001:4860:4860::8888#dns.google
          DNS Domain: EXAMPLE example.org example.com ~.
#
# Generated by OpenVPN 3 Linux (NetCfg::DNS::ResolvConfFile)
# Last updated: 2024-03-22 18:41:29 
#
search EXAMPLE example.org example.com .

# OpenVPN defined name servers
nameserver 10.25.1.3

# System defined name servers
nameserver 127.0.0.53

# Other system settings
options edns0 trust-ad

Finally, even corporate resources with a domain other than those in the Domain list resolve, but after properly disconnecting it leaves the corporate DNS installed in systemd-resolved:

$ resolvectl
Global
           Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
    resolv.conf mode: stub
  Current DNS Server: 10.25.1.3
         DNS Servers: 10.25.1.3
Fallback DNS Servers: 1.1.1.1#cloudflare-dns.com 9.9.9.9#dns.quad9.net 8.8.8.8#dns.google 2606:4700:4700::1111#cloudflare-dns.com 2620:fe::9#dns.quad9.net 2001:4860:4860::8888#dns.google
          DNS Domain: EXAMPLE example.org example.com ~.

So basically the network breaks, and until I manually run systemctl restart systemd-resolved.service it won't recover. To me it looks at least strange and probably broken.

@savely-krasovsky savely-krasovsky changed the title OpenVPN3 doesn't return previous DNS after disconnect using systemd-resolved in stub mode OpenVPN3 doesn't set back previous DNS after disconnect using systemd-resolved in stub mode Mar 22, 2024
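A small check, added here and not part of OpenVPN 3 Linux, for confirming whether a disconnect restored systemd-resolved's Global settings: it parses the Global block of `resolvectl` output (the post-disconnect snapshot above) against a pre-connect baseline and reports what the VPN session left behind, such as the 10.25.1.3 server and the `~.` routing domain. The baseline block is a constructed assumption, since the issue does not show one.

```python
import re

# A "key: value" line of resolvectl output (Global-block keys as shown in the issue).
KEY_RE = re.compile(r"^\s*(Protocols|resolv\.conf mode|Current DNS Server|"
                    r"DNS Servers|Fallback DNS Servers|DNS Domain):\s*(.*)$")

def parse_global(text):
    """Parse only the Global section of `resolvectl` output into lists of tokens.
    resolvectl folds long server lists onto indented continuation lines, which
    are joined back onto the previous key."""
    fields, key, in_global = {}, None, False
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            if in_global:
                key = m.group(1)
                fields[key] = m.group(2).split()
        elif line and not line[0].isspace():     # section header: "Global", "Link 2 (eth0)", ...
            in_global, key = line.strip() == "Global", None
        elif in_global and key:                  # wrapped continuation of the previous key
            fields[key] += line.split()
    return {"mode": " ".join(fields.get("resolv.conf mode", [])),
            "servers": fields.get("DNS Servers", []),
            "fallback": fields.get("Fallback DNS Servers", []),
            "domains": fields.get("DNS Domain", [])}

def lingering(baseline, after):
    """Diff two parsed Global blocks: servers/domains present after disconnect
    that were not in the baseline, plus baseline servers that disappeared.
    Three empty lists mean the VPN teardown restored the previous state."""
    return {"servers": [s for s in after["servers"] if s not in baseline["servers"]],
            "domains": [d for d in after["domains"] if d not in baseline["domains"]],
            "lost_servers": [s for s in baseline["servers"] if s not in after["servers"]]}

# Constructed pre-connect baseline (an assumption; the issue does not show one).
BASELINE = """Global
    resolv.conf mode: stub
         DNS Servers: 192.168.88.1
          DNS Domain: example.org
"""

# Post-disconnect Global block as reported in the issue (fallback list shortened).
AFTER_DISCONNECT = """Global
    resolv.conf mode: stub
  Current DNS Server: 10.25.1.3
         DNS Servers: 10.25.1.3
Fallback DNS Servers: 1.1.1.1#cloudflare-dns.com 9.9.9.9#dns.quad9.net
                      2620:fe::9#dns.quad9.net
          DNS Domain: EXAMPLE example.org example.com ~.
"""
```

On a live system, feed `parse_global` the stdout of `resolvectl` captured once before connecting and once after disconnecting; any non-empty list from `lingering` is the state a `systemctl restart systemd-resolved.service` would otherwise be needed to clear.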
@dsommers
Member

dsommers commented Apr 6, 2024

Can you please run this command as root?

  # openvpn3-admin init-config

If the output here doesn't look too concerning to you, you can add the --write-config option to store it. Existing settings will not be modified, unless you add the --force argument in addition.

I expect this command to detect systemd-resolved and configure OpenVPN 3 Linux to integrate with it directly instead of modifying /etc/resolv.conf. That's required for the --dns-scope setting to work.

Before starting a new VPN session, please ensure that openvpn3-service-netcfg is stopped (a simple kill -INT is enough). That's needed for the network config service to pick up this configuration change.

@dsommers
Member

Please retest with the latest v22_dev release, which got updated in the AUR packaging today - just to see if this issue is still present in that release.

@savely-krasovsky
Author

savely-krasovsky commented Jun 20, 2024

Unfortunately I have exactly the same problem: in stub mode, after disconnecting from the VPN I still have the corporate DNS and domains set, which leads to the internet basically not working. sudo systemctl restart systemd-resolved.service helps to fix the system.

Version:

$ openvpn3 version
openvpn3-linux v22:dev (openvpn3)
OpenVPN core 3.git:HEAD:03236ed7 linux x86_64 64-bit
Copyright (C) 2012-2022 OpenVPN Inc. All rights reserved.

@savely-krasovsky
Author

savely-krasovsky commented Jun 20, 2024

In foreign mode the corporate network works, but OpenVPN3 sets only one DNS server (we are using two) and for some reason leaves my home DNS server; overall I would say it behaves the same:

$ resolvectl 
Global
           Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
    resolv.conf mode: foreign
  Current DNS Server: 10.25.1.3
         DNS Servers: 10.25.1.3 192.168.88.1
Fallback DNS Servers: 1.1.1.1#cloudflare-dns.com 9.9.9.9#dns.quad9.net 8.8.8.8#dns.google 2606:4700:4700::1111#cloudflare-dns.com
                      2620:fe::9#dns.quad9.net 2001:4860:4860::8888#dns.google
          DNS Domain: EXAMPLE example.org example.com

I need to admit that this is a completely new PC which I set up from scratch using arch-install. So basically I retested everything with a new, clean OS.
