DNS configuration with VPNs and Ubuntu 17.04: working again

I must have hit this bug on the upgrade from 16.10 to 17.04.

Result: DNS queries not working if not using FQDNs for my VPNs.

Time to find a workaround and so here’s my new configuration (note: see the update part at the end of the post).

Before you go on: if you try this, you will lose DNS resolution before you finish this setup. This will break your connections. So, ensure that you are able to roll-back all the changes or don’t do this.

First, I got rid of the systemd-resolved service:

sudo systemctl disable systemd-resolved.service

And resolvconf along with it:

sudo systemctl disable resolvconf.service

Then I installed openresolv:

sudo apt install openresolv

At this point /etc/resolv.conf should not anymore be a link, but a real file. Remove the link so that NetworkManager will recreate a file at /etc/resolv.conf:

sudo unlink /etc/resolv.conf

I then ensured that NetworkManager was using dnsmasq for dns, that is, this line must be uncommented and present in /etc/NetworkManager/NetworkManager.conf:

dns=dnsmasq

Using NetworkManager itself for DNS resolution will also work (dns=default), but then you will hit the limit of resolv.conf (i.e. max. 3 nameservers will work).

Then, restart NetworkManager:

sudo systemctl restart NetworkManager

With this configuration search domains and nameservers work as expected and they can be configured in the NetworkManager GUI.

For more details about NetworkManager: https://developer.gnome.org/NetworkManager/stable/NetworkManager.conf.html.

UPDATE: 09 Aug 2017

Since one of the VPNs was misconfigured and it was sending wrong nameserver information, I took this even more drastically and decided to manually manage the DNS setup via dnsmaq.

In addition to the above, I then uninstalled openresolve, and set

dns=none

in /etc/NetworkManager/NetworkManager.conf to get full control over /etc/resolv.conf.

I installed dnsmasq and configured the nameservers for the domains there, e.g.:

server=8.8.8.8
server=/example.domain/1.1.1.1

with a plain and simple resolv.conf:

search example.domain
nameserver 127.0.0.1

This setup requires some maintenance if I have to add new VPNs or change the nameservers for the existing ones, but at least it should be stable!

Advertisements

How to setup a VPN server in a FreeNAS jail

This post is not about configuring FreeNAS to connect to a VPN, but about running a VPN server inside FreeNAS, so you will be able to access all your jails and every host on your local (home) network from the outside, using the secure VPN tunnel.

Using a VPN connection is like sending a mail envelope inside another one: the external envelope is addressed to your VPN endpoint (the server), and only the server can extract the internal envelope and process it (i.e., forward it to the specified address) as if it originated locally (thus you can access private addresses on your local network). Replies will be sent back on the tunnel by securely re-encapsulating them in an external envelope.

So, after you are connected to your VPN, you can for example

ssh root@192.168.0.1

(or whatever addresses you are using) through the Internet.

Continue reading “How to setup a VPN server in a FreeNAS jail”