
I am trying to get some Ubuntu 20.04 clients at work to connect to a new OpenVPN server provided by our new server provider.

The goal is to route only certain traffic into the tunnel (the corresponding routes are pushed by the OpenVPN server) and make the clients use the DNS server pushed by the OpenVPN server as well.

This works with Windows 10 clients and OpenVPN GUI 2.5 out of the box. It also works using openvpn (2.4.7) from the terminal, started with sudo openvpn --config config.ovpn and the following client config file config.ovpn:

dev tun
tun-ipv6
persist-tun
persist-key
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
auth SHA256
tls-client
client
resolv-retry infinite
remote <ipadressOfProvider> <port> udp4
verify-x509-name "<name>" name
auth-user-pass
remote-cert-tls server
compress 
# The following is added only in the config for Ubuntu 20.04 
dhcp-option DOMAIN <domainToResolveWithRemoteSiteDNS>
script-security 2
up /etc/openvpn/update-systemd-resolved
up-restart
down /etc/openvpn/update-systemd-resolved
down-pre

The problems start when using network-manager-openvpn (1.8.12) with the above config file. The connection is established and the pushed DNS server is correctly updated in systemd-resolved (even without the additional up and down scripts in the openvpn config).

However, all traffic is routed into the tun0 interface, even public traffic. The result is that I can access resources at the remote site, even using internal domain names, but cannot access the internet because the OpenVPN subnet does not have direct internet access.

Enabling the option "Use this connection only for resources on its network" in the NetworkManager OpenVPN config (which corresponds to the option ipv4.never-default displayed via nmcli c show config) solves the routing problem: now only traffic matching the pushed routes is directed into the tunnel. However, it also prevents the pushed DNS server from being applied to /run/systemd/resolve/resolv.conf.

So far I haven't found a NetworkManager option that accepts the pushed DNS server and, at the same time, routes only the traffic matching the pushed routes.

Some possibly interesting observations so far:

1. Routes

NetworkManager with ipv4.never-default=no creates a second default gateway with a lower metric in addition to the pushed routes:

$ ip route
default via 10.*.*.* dev tun0 proto static metric 50 
default via 192.168.***.** dev wlp3s0 proto dhcp metric 600 
10.*.*.*/24 dev tun0 proto kernel scope link src 10.*.*.* metric 50 
158.***.**.** via 192.168.***.** dev wlp3s0 proto static metric 600 
169.254.0.0/16 dev wlp3s0 scope link metric 1000 
172.**.***.*/24 via 10.*.*.* dev tun0 proto static metric 50 
192.168.*.*/24 via 10.*.*.* dev tun0 proto static metric 50 
192.168.*.*/24 via 10.*.*.* dev tun0 proto static metric 50 
192.168.***.*/24 dev wlp3s0 proto kernel scope link src 192.168.***.*** metric 600 
192.168.***.** dev wlp3s0 proto static scope link metric 600 

NetworkManager with ipv4.never-default=yes creates no second default gateway in addition to the pushed routes (same as above, without the first line).

openvpn in the terminal creates no secondary default gateway in addition to the pushed routes:

default via 192.168.***.** dev wlp3s0 proto dhcp metric 600 
10.*.*.*/24 dev tun0 proto kernel scope link src 10.*.*.* 
169.254.0.0/16 dev wlp3s0 scope link metric 1000 
172.**.***.*/24 via 10.*.*.* dev tun0 
192.168.*.*/24 via 10.*.*.* dev tun0 
192.168.*.*/24 via 10.*.*.* dev tun0 
192.168.***.*/24 dev wlp3s0 proto kernel scope link src 192.168.***.*** metric 600 

2. DNS server

NetworkManager with ipv4.never-default=no overwrites /run/systemd/resolve/resolv.conf:

nameserver 172.**.***.**

NetworkManager with ipv4.never-default=yes does not:

nameserver 192.168.***.**
nameserver ****:***:****:****::**

openvpn in the terminal adds the DNS server to the existing ones and adds the domain name served by the remote DNS server as defined in config.ovpn:

nameserver 192.168.***.**
nameserver ****:***:****:****::**
nameserver 172.**.***.***
search <domainToResolveWithRemoteSiteDNS>

If you have any idea which options could be changed in NetworkManager so that it processes config.ovpn the way the openvpn terminal client does, I would be happy to hear your thoughts.

Thanks, Valentin
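As an added example (not part of the original post), a shell script that checks the two symptoms described above offline: whether the lowest-metric default route leaves via a tun/tap device (the second default gateway seen with never-default=no) and whether the pushed nameserver appears in resolv.conf. The interface names, addresses and the domain corp.example in the samples are constructed; pass --live to run the route check against the current host instead.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: checks for the two symptoms
# described above. Sample data is constructed, modelled on the redacted output.

# Exit 0 if default traffic stays on the physical uplink, 1 if the lowest-metric
# default route goes via a tun/tap device (the second default gateway that
# NetworkManager adds with ipv4.never-default=no). $1 is `ip route` output.
check_default_routes() {
    printf '%s\n' "$1" | awk '
    $1 == "default" {
        dev = ""; metric = 0          # a route without "metric" has metric 0
        for (i = 1; i <= NF; i++) {
            if ($i == "dev")    dev = $(i + 1)
            if ($i == "metric") metric = $(i + 1) + 0
        }
        if (dev ~ /^(tun|tap)/) { if (vpn == "" || metric < vpn)   vpn = metric }
        else                    { if (phys == "" || metric < phys) phys = metric }
    }
    END {
        if (vpn == "") { print "ok: no default route via VPN device"; exit 0 }
        if (phys == "" || vpn < phys) {
            print "leak: default traffic enters the tunnel (metric " vpn ")"; exit 1
        }
        print "ok: VPN default route shadowed by uplink metric " phys; exit 0
    }'
}

# Exit 0 if the resolv.conf text in $1 lists the pushed nameserver $2.
check_dns() {
    printf '%s\n' "$1" | grep -qE "^nameserver[[:space:]]+$2([[:space:]]|$)"
}

# Constructed samples; 172.16.10.53 stands for the nameserver pushed by OpenVPN.
NM_NEVERDEFAULT_NO='default via 10.8.0.1 dev tun0 proto static metric 50
default via 192.168.1.1 dev wlp3s0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2 metric 50
172.16.10.0/24 via 10.8.0.1 dev tun0 proto static metric 50'
TERMINAL_OPENVPN='default via 192.168.1.1 dev wlp3s0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
172.16.10.0/24 via 10.8.0.1 dev tun0'
RESOLV_WITH_VPN_DNS='nameserver 192.168.1.1
nameserver 172.16.10.53
search corp.example'
# Demonstrate on the samples; pass --live to check the routes of this host.
if [ "${1:-}" = "--live" ]; then
    check_default_routes "$(ip route)"
else
    check_default_routes "$NM_NEVERDEFAULT_NO" || true    # reports the leak
    check_default_routes "$TERMINAL_OPENVPN"              # reports ok
fi
```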


2 Answers


After some additional "research" (mainly trial and error) I was able to successfully connect to the remote site via NetworkManager while routing only the traffic of the pushed routes and using the pushed DNS server.

  1. Setting the VPN connection in NetworkManager to never-default (as already discussed in the OP):

    nmcli c modify <connectionname> ipv4.never-default yes

  2. Setting the connection's dns-search to the internal domains of the remote site:

    nmcli c modify <connectionname> ipv4.dns-search <domainname>

This option somehow makes NetworkManager add the DNS server to /run/systemd/resolve/resolv.conf again (adds, not overwrites), despite ipv4.never-default being active.

Alternatively, <domainname> can be replaced with ~., which leads to an overwrite of /run/systemd/resolve/resolv.conf and thus makes the pushed DNS server the only one answering all DNS requests.


Thank you @Valentin!
Your solution is spot on!
In my case, using an Ubuntu 20.04 client connecting to a 20.04 server, also using the gnome-network-manager OpenVPN options, it was not necessary to set dns-search, only the never-default option.
To allow for folder/network (Samba) connectivity I also had to edit the "interfaces" option under the "Networking" directive of the smb.conf file on my server as follows:

interfaces = 127.0.0.0/8 eth0
interfaces = 127.0.0.0/8 enp2s0
interfaces = X.X.X.X/XX enp2s0

Where the last line was added, with X.X.X.X/XX being the CIDR notation of the IP address range that will be assigned by the same OpenVPN server.