How does one use the dns pushed via an openvpn server with systemd-resolved ?

Before I decided to 'upgrade' to systemd-networkd, I could use some variant of the openvpn-resolv-conf script to call resolvconf to manage entries in /etc/resolv.conf on successfully establishing a VPN tunnel.

This would allow me to resolve names on the remote end of the vpn tunnel.

Now that systemd-resolved manages /run/systemd/resolved/resolv.conf, is it possible to automatically add DNS pushed via an openvpn connection to the list of nameservers used for resolution?

WGH
sw1nn

3 Answers

Use up/down scripts from https://github.com/jonathanio/update-systemd-resolved in your OpenVPN's config file. These use systemd-resolved's DBus interface to update DNS information.

Piotr Dobrogost

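The DBus route this answer and the comments further down point at, as an added example that is not the update-systemd-resolved project's own script: a minimal OpenVPN up/down hook that turns the pushed `dhcp-option DNS` values into an `org.freedesktop.resolve1.Manager.SetLinkDNS()` call via `busctl`. It assumes OpenVPN's standard script environment (`dev`, `script_type`, `foreign_option_N`) and is installed with `--script-security 2 --up hook --down-pre --down hook` (`--down-pre` so the tun device still exists when the down hook runs).

```shell
#!/bin/bash
# Added example (not update-systemd-resolved's own script): an OpenVPN up/down
# hook that hands pushed DNS servers to systemd-resolved via its DBus API.
# Assumes OpenVPN's script env (dev, script_type, foreign_option_N) and busctl.
# One dotted IPv4 address -> the "(iay)" struct busctl expects: AF_INET (2),
# then a 4-element byte array. Rejects anything that is not four octets 0-255.
ipv4_to_busctl() {
    local a b c d o
    IFS=. read -r a b c d <<<"$1"
    for o in "$a" "$b" "$c" "$d"; do
        case $o in '' | *[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    printf '2 4 %s %s %s %s' "$a" "$b" "$c" "$d"
}
# Walk foreign_option_1..N, keep the "dhcp-option DNS <ip>" entries and emit
# SetLinkDNS's array argument: "<count> <struct> <struct> ..." ("0" if none).
collect_dns_args() {
    local i=1 var val s count=0 args=""
    while var="foreign_option_$i"; val=${!var:-}; [ -n "$val" ]; do
        case $val in
            "dhcp-option DNS "*)
                if s=$(ipv4_to_busctl "${val#dhcp-option DNS }"); then
                    args="$args $s"; count=$((count + 1))
                fi ;;
        esac
        i=$((i + 1))
    done
    printf '%d%s' "$count" "$args"
}
# up: SetLinkDNS(ifindex, a(iay)); down: RevertLink(ifindex) drops the per-link
# settings again. ifindex is read from sysfs, hence --down-pre in the config.
resolved_call() { busctl call org.freedesktop.resolve1 /org/freedesktop/resolve1 \
                      org.freedesktop.resolve1.Manager "$@"; }
apply_dns() {
    local ifindex args
    ifindex=$(cat "/sys/class/net/$dev/ifindex") || return 1
    args=$(collect_dns_args)
    [ "${args%% *}" != 0 ] || { echo "no DNS pushed on $dev" >&2; return 0; }
    # $args is deliberately word-split into busctl's argument list
    resolved_call SetLinkDNS 'ia(iay)' "$ifindex" $args
}
revert_dns() {
    local ifindex
    ifindex=$(cat "/sys/class/net/$dev/ifindex" 2>/dev/null) || return 0
    resolved_call RevertLink 'i' "$ifindex"
}
case ${script_type:-} in up) apply_dns ;; down) revert_dns ;; esac
```

Because the servers are attached to the tun link rather than written into /etc/resolv.conf, the RevertLink on the way down undoes exactly what the up hook did.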

Edit: as of today, this solution is mostly obsolete. Users of newer systemd versions should refer to the solution given by Piotr Dobrogost.

The trick is to create a temporary network configuration file with DNS settings, and then restart systemd-network so it will apply global DNS settings.

I have written a modified script that does exactly that. You can check it out here: update-systemd-network.sh

WGH
  • I find that there's a race condition with creation of routes pushed via the openvpn config on restart of `systemd-networkd`. However, instead of creating a new network config and restarting `systemd-network` it's possible to create a very similar file in `/run/systemd/resolved-conf.d/` and then restart `systemd-resolved` which seems to work – sw1nn Mar 14 '16 at 18:35
  • Looks like the above features in systemd-resolved were added in 229 after my original question. – sw1nn Mar 14 '16 at 18:57
  • According to @grawity from #systemd – *the proper way to make it work is to call [`org.freedesktop.resolve1.Manager.SetLinkDNS()`](https://www.freedesktop.org/wiki/Software/systemd/resolved/) via DBus* – Piotr Dobrogost Mar 25 '16 at 08:32
For the systemd-resolved solution to work, openvpn must be stopped with SIGTERM, not with SIGKILL (otherwise the 'down' hook is not called to restore /etc/resolv.conf to its original configuration).

For example:

  • If you call openvpn on the command line, then CTRL-c out, the 'down' hook is called, because openvpn is killed with SIGTERM
  • If you call openvpn in a screen command and CTRL-c out of the screen, the 'down' hook is not called, because openvpn is killed with SIGKILL, and /etc/resolv.conf ends up still having the VPN DNS servers