
I need to access resources (via ssh) which require me to connect to their VPN server. They have provided me with a config file to use.
Case 1:
I use sudo openvpn --config path-to-ovpn-config and later on ssh to their server with no issues.
Case 2:
I import the config file into my network manager (GUI) and connect to the VPN server. I need to enter a password every time because they use a dynamic password based on a phone app (so I have set it to ask for the password each time). I enter the password and it gets connected (I used a wrong password to check whether it is actually being verified, and it is). Now when I ssh to their server I get "Could not resolve hostname server-address: Temporary failure in name resolution".
How to make it work with the network manager (GUI) and what is wrong with it in the first place?
Details:
OS - Kubuntu 18.10 with Plasma 5.14
OpenVPN 2.4.6 x86_64-pc-linux-gnu

I tried some answers mentioned here which obviously did not work - OpenVPN connecting but no internet access on Ubuntu 14.04 / 16.04

Update:
Output of ls -al /etc/resolv.conf -

lrwxrwxrwx 1 root root 39 Dec 18 13:26 /etc/resolv.conf -> ../run/systemd/resolve/stub-resolv.conf

Output of cat /etc/resolv.conf -

# This file is managed by man:systemd-resolved(8). Do not edit.
#
# This is a dynamic resolv.conf file for connecting local clients to the
# internal DNS stub resolver of systemd-resolved. This file lists all
# configured search domains.
#
# Run "resolvectl status" to see details about the uplink DNS servers
# currently in use.
#
# Third party programs must not access this file directly, but only through the
# symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,
# replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.

nameserver 127.0.0.53
search iitd.ac.in cc.iitd.ac.in

Output of ps auxc | grep -i dns -

libvirt+  2412  0.0  0.0  27460   344 ?        S    20:50   0:00 dnsmasq
root      2413  0.0  0.0  27432   344 ?        S    20:50   0:00 dnsmasq

Output of ps auxc | grep -i resolv -

systemd+   777  0.0  0.1  54524  8116 ?        Ss   20:49   0:01 systemd-resolve

Output of host www.ebay.com -
1. Without VPN -

www.ebay.com is an alias for slot9428.ebay.com.edgekey.net.
slot9428.ebay.com.edgekey.net is an alias for e9428.b.akamaiedge.net.
e9428.b.akamaiedge.net has address 104.65.228.43

2. With VPN (From network manager) -

;; connection timed out; no servers could be reached

As I have mentioned previously, using the VPN with sudo openvpn --config path-to-ovpn-config gives the same output for host www.ebay.com as the case without VPN.

Update 2:
Output of cat /etc/NetworkManager/NetworkManager.conf

[main]
plugins=ifupdown,keyfile

[ifupdown]
managed=false

[device]
wifi.scan-rand-mac-address=no

Output of cat /etc/resolv.conf

nameserver 10.10.2.2
nameserver 10.10.1.2
search iitd.ac.in cc.iitd.ac.in

Output of resolvectl

Global
       LLMNR setting: no
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
          DNSSEC NTA: 10.in-addr.arpa
                      16.172.in-addr.arpa
                      168.192.in-addr.arpa
                      17.172.in-addr.arpa
                      18.172.in-addr.arpa
                      19.172.in-addr.arpa
                      20.172.in-addr.arpa
                      21.172.in-addr.arpa
                      22.172.in-addr.arpa
                      23.172.in-addr.arpa
                      24.172.in-addr.arpa
                      25.172.in-addr.arpa
                      26.172.in-addr.arpa
                      27.172.in-addr.arpa
                      28.172.in-addr.arpa
                      29.172.in-addr.arpa
                      30.172.in-addr.arpa
                      31.172.in-addr.arpa
                      corp
                      d.f.ip6.arpa
                      home
                      internal
                      intranet
                      lan
                      local
                      private
                      test

Link 9 (tun0)
      Current Scopes: none
       LLMNR setting: yes
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no

Link 5 (virbr0-nic)
      Current Scopes: none
       LLMNR setting: yes
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no

Link 4 (virbr0)
      Current Scopes: none
       LLMNR setting: yes
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no

Link 3 (wlo1)
      Current Scopes: DNS
       LLMNR setting: yes
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
         DNS Servers: 10.10.2.2
                      10.10.1.2
          DNS Domain: ~.
                      iitd.ac.in
                      cc.iitd.ac.in

Link 2 (eno1)
      Current Scopes: none
       LLMNR setting: yes
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no

By Network Manager (GUI) I mean this - [screenshot of the network manager applet]

Update 3:
.ovpn file

client
dev tun
proto tcp
remote **** 443
verify-x509-name ****
route remote_host 255.255.255.255 net_gateway
resolv-retry infinite
nobind
persist-key
persist-tun
auth-user-pass
cipher ****
auth ****
comp-lzo 
route-delay 4
verb 3
reneg-sec 0
<ca>
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ****
    Signature Algorithm: ****
        Issuer: ****
        Validity
            Not Before: ****
            Not After : ****
        Subject: ****
        Subject Public Key Info:
            Public Key Algorithm: ****
                Public-Key: (2048 bit)
                Modulus:
                    ****
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                ****
            X509v3 Basic Constraints: 
                CA:TRUE
            X509v3 Subject Alternative Name: 
                ****
    Signature Algorithm: ****
         ****
-----BEGIN CERTIFICATE-----
****
-----END CERTIFICATE-----
</ca>
<cert>
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ****
    Signature Algorithm: ****
        Issuer: ****
        Validity
            Not Before: ****
            Not After : ****
        Subject: ****
        Subject Public Key Info:
            Public Key Algorithm: ****
                Public-Key: (2048 bit)
                Modulus:
                    ****
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                ****
            X509v3 Authority Key Identifier: 
                ****

            X509v3 Subject Alternative Name: 
                *****
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: 
                *****
    Signature Algorithm: ****
         *****
-----BEGIN CERTIFICATE-----
******
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
******
-----END PRIVATE KEY-----
</key>
Anoop
  • In `terminal`, what do you get for `host www.ebay.com` BOTH with and without VPN running. Also `ls -al /etc/resolv.conf` and `cat /etc/resolv.conf` and `ps auxc | grep -i dns` and `ps auxc | grep -i resolv`. Edit this output into your question, not in the comments please. Report back to @heynnema – heynnema Dec 29 '18 at 20:54
  • Check the update, @heynnema – Anoop Dec 30 '18 at 18:01
  • When you run dnsmasq and systemd-resolve at the same time, an adjustment needs to be made so the two don't step on each other's toes. Please see my answer and let me know if it helps. – heynnema Dec 30 '18 at 18:49

1 Answer

Regarding dnsmasq and systemd-resolved...

Do a ps auxc | grep -i dns and ps auxc | grep -i resolv and look for dnsmasq and systemd-resolved, and if both are running, you need to disable the DNS part of systemd-resolved by editing /etc/systemd/resolved.conf and...

change:

#DNSStubListener=yes

to:

DNSStubListener=no

then restart systemd-resolve and dnsmasq, or reboot.

Update #1:

From the various comments...

  • dns works fine normally
  • dns works fine when using sudo openvpn config_file
  • dns does not work after importing the .ovpn file into NetworkManager and using VPN
  • we updated the symlink /etc/resolv.conf -> ../run/systemd/resolve/stub-resolv.conf to point at ../run/systemd/resolve/resolv.conf
  • we removed mods to /etc/systemd/resolved.conf
  • we removed dnsmasq* and checked /etc/NetworkManager/NetworkManager.conf for dns=dnsmasq... not found
  • suspect a problem with the original .ovpn file, or NetworkManager not fully importing the .ovpn file for use with NetworkManager
  • we're going to try to add the following three lines to the .ovpn file, re-importing it, and see if dns servers appear on tun0 when we look at resolvectl

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
heynnema
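An added diagnostic script (mine, not from either poster) that automates the two checks this thread converges on: whether /etc/resolv.conf still points at systemd-resolved's stub file, and whether resolvectl actually assigned DNS servers to tun0 as well as wlo1. The resolvectl sample embedded below is constructed from the question's output, and the --live flag is this script's own convention.

```shell
#!/bin/sh
# Added diagnostic, not from the thread. It reproduces the two checks that
# located the problem: (1) is /etc/resolv.conf the symlink to systemd-resolved's
# stub-resolv.conf (nameserver 127.0.0.53 only), and (2) which links did
# resolvectl actually hand DNS servers to (wlo1 got them, tun0 did not).

# Print the name of every link for which resolvectl lists "DNS Servers:".
# Reads resolvectl output on stdin; the "Global" section counts as a link.
links_with_dns() {
    awk '/^Global/ { link = "Global" }
         /^Link [0-9]+ \(/ { link = $3; gsub(/[()]/, "", link) }
         /DNS Servers:/ { print link }'
}

# Return 0 if the named link has DNS servers in the given resolvectl output.
link_has_dns() {  # $1 = link name, $2 = resolvectl output
    printf '%s\n' "$2" | links_with_dns | grep -qx "$1"
}

# Return 0 if the path is a symlink ending in stub-resolv.conf, i.e. the
# layout the question showed before the symlink was repointed.
uses_stub_resolver() {  # $1 = path to resolv.conf
    case "$(readlink "$1" 2>/dev/null)" in
        *stub-resolv.conf) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample, trimmed from the question's resolvectl output.
SAMPLE_RESOLVECTL='Global
       LLMNR setting: no
Link 9 (tun0)
      Current Scopes: none
       LLMNR setting: yes
Link 3 (wlo1)
      Current Scopes: DNS
         DNS Servers: 10.10.2.2
                      10.10.1.2
          DNS Domain: ~.'

# Live diagnosis of this machine; only runs when invoked with --live.
if [ "${1:-}" = "--live" ]; then
    out=$(resolvectl) || exit 1
    uses_stub_resolver /etc/resolv.conf && echo "/etc/resolv.conf -> stub-resolv.conf"
    for link in wlo1 tun0; do
        if link_has_dns "$link" "$out"; then echo "$link: DNS servers assigned"
        else echo "$link: no DNS servers (VPN DNS not applied to this link)"; fi
    done
fi
```

Run it as `sh diagnose.sh --live` with the VPN up from NetworkManager; a tun0 line reporting no DNS servers is the symptom the answer's Update #1 set out to fix.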
  • This did not work. Doing this caused time outs both from network manager (GUI) and also from terminal. – Anoop Dec 31 '18 at 21:27
  • Did you reboot after implementing this? With this edit in place, show me `cat /etc/resolv.conf`. With the patch in place, and VPN up, show me `resolvectl`. Please describe more about exactly where/how you saw timeouts from NetworkManager and the terminal. – heynnema Dec 31 '18 at 21:36
  • Also... in `/etc/NetworkManager/NetworkManager.conf` do you see a line that says `dns=dnsmasq`? – heynnema Dec 31 '18 at 22:05
  • Oh! I just noticed that your symlink for `/etc/resolv.conf -> ../run/systemd/resolve/stub-resolv.conf` is wrong! It should point to resolv.conf, not stub-resolv.conf. – heynnema Dec 31 '18 at 22:14
  • Updating the symlink did not work. And yes I have rebooted after the changes to resolv.conf. – Anoop Jan 01 '19 at 19:35
  • By timeouts I mean, it won't even connect to the VPN in both cases (from terminal and gui). But after changing the symlink to `../run/systemd/resolve/resolv.conf` and changing to `DNSStublistener=no`, the VPN connects. But the same problem remains. I am unable to connect to the internet when I use the Network Manager (GUI). I am able to connect to the internet when I use the command that I mentioned in my question. – Anoop Jan 01 '19 at 20:12
  • Do you really need/use dnsmasq? If so, see my earlier comment about changes to NetworkManager.conf. If not, uninstall dnsmasq*, remove the changes to NetworkManager.conf and /etc/systemd/resolved.conf. Good, you've fixed /etc/resolv.conf. If this is confusing, it's because DNS is messed up in 18.xx, and there are workarounds, but it may take some time to fix the right combination, so please be patient. – heynnema Jan 01 '19 at 20:37
  • I don't actually need it. So I have uninstalled it, undone all changes (except /etc/resolv.conf) and rebooted. This also does not solve the problem. I am still unable to access internet after connecting to the VPN from the GUI. – Anoop Jan 02 '19 at 18:29
  • @Anoop OK, good job. Did you remove `dnsmasq` and `dnsmasq-base` and anything else dnsmasq? Do `dpkg -l *dnsmasq* | grep ii` to check. Also make sure that `dns=dnsmasq` is NOT in `/etc/NetworkManager/NetworkManager.conf`. So, just to summarize where we are... dns works fine without VPN, but doesn't work with VPN... BUT if you use `sudo openvpn conf_file` dns also works, yes? Note that the previous `resolvectl` command clearly shows that dns servers WERE getting assigned to wlo1, but NOT the tun0. I'm starting to suspect a .ovpn import problem... – heynnema Jan 02 '19 at 19:03
  • @Anoop Edit your question with the text of the .ovpn you're importing (make sure to block out any sensitive info), and the connection script for that .ovpn found in /etc/NetworkManager/system-connections (also block out any sensitive info). – heynnema Jan 02 '19 at 19:11
  • Yes. Everything is removed related to dnsmasq. `dpkg -l *dnsmasq* | grep ii` gives nothing. Yes configurations are as you said. Yes `sudo openvpn conf_file` works and I have internet connectivity as well. – Anoop Jan 02 '19 at 19:19
  • I don't know what all constitutes sensitive info other than private/public keys. Can you elaborate if there are particular things that need to be there? I'm updating the question with most of the things with '*****'. Tell me if they are needed. – Anoop Jan 02 '19 at 19:23
  • Let us [continue this discussion in chat](https://chat.stackexchange.com/rooms/87764/discussion-between-anoop-and-heynnema). – Anoop Jan 02 '19 at 19:28
  • @Anoop please see my Update #1, and my comments in chat. – heynnema Jan 03 '19 at 02:43
  • @Anoop status please – heynnema Jan 19 '19 at 14:26
  • I gave an update on the chat. Check it once. It still does not work. Thanks for help. I requested them to assist me with this and in the meanwhile I was using command-line method which seems to work. – Anoop Jan 20 '19 at 13:26