@egor-tensin you are awesome! I think there might be a few related
problems (like https://github.com/systemd/systemd/issues/7182) but this
seems to actually work. I actually saw this bug but didn't click that
your fix would work until having wasted a huge amount of time.
Some one from Ubuntu should DEFINITELY put this in the NetworkManager
FAQ. And it should obviously be a GUI option - it is rather shameful
that we still have to generate our configs with code because the GUI is
so broken...
** Bug watch added: github.com/systemd/systemd/issues #7182
https://github.com/systemd/systemd/issues/7182
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to network-manager in Ubuntu.
https://bugs.launchpad.net/bugs/1688018
Title:
DNS server from vpn connection is not being used after network-manager
upgrade to 1.2.6
Status in network-manager package in Ubuntu:
Triaged
Status in network-manager source package in Xenial:
In Progress
Status in network-manager source package in Yakkety:
Triaged
Bug description:
This was initially opened as #1671606 then later duped to #1639776.
Discussion in #1639776 indicate that we need new bug for this so I am
opening one ... Please don't mark this as duplicate to #1639776 or
other similar bug report. We already lost several months and we are
again at beginning ...
TL;DR; -> network-manager-1.2.2-0ubuntu0.16.04.4 use DNS defined by
VPN (correct). network-manager-1.2.6-0ubuntu0.16.04.1 use DNS from
DHCP instead of one defined by VPN (wrong).
DNS resolver should query only DNS servers defined by VPN while
connection is active.
=
Test steps / result:
- upgraded network-manager to 1.2.6-0ubuntu0.16.04.1
(dnsmasq-base-2.75-1ubuntu0.16.04.2)
- restated my laptop to ensure clean start
- connected to VPN using openconnect / network-manager-openconnect-gnome
Observed results -> DNS queries are forwarded only to DNS servers
defined by LAN connection (this is wrong / connection not working at
all)
- "killall dnsmasq"
- dnsmasq get automatically restarted by system
Observed results -> most of the the queries are forwarded to DNS
servers defined by VPN, but lot of queries get forwarded to DNS
servers defined by LAN connection (this is still wrong / DNS leaks,
attacker can hijack connection even if VPN is enabled)
- I downgraded back network-manager to 1.2.2-0ubuntu0.16.04.4 (dnsmasq-base
stay same)
- restated my laptop to ensure clean test
- connected to same VPN using openconnect
Observed results -> DNS queries are forwarded only to DNS servers
defined by VPN connection. There are no leaks to LAN DNS server (this
is correct behavior).
=
Paul Smith requested additional details in #1639776. Here are:
* If you're using IPv4 vs. IPv6
-> IPv4 only. I have IPv6 set to ignore on all network definition (lan / wifi
/vpn)
* If you have checked or unchecked the "Use this connection only for
resources on its network"
-> unchecked on all nw definition
* If you have this checked, try unchecking it and see if that makes a
difference
-> no change if I toggle this option. Behavior is same.
* When you say "DNS lookups" please be clear about whether the hostnames
being looked up are public (e.g., www.google.com or whatever), on your local
LAN, or in the network accessed via the VPN. Does it make a difference which
one you choose?
-> No difference.
* Are you using fully-qualified hostnames, or relying on the DNS domain
search path? Does it make a difference if you do it differently?
-> I normaly use FQDN due to nature of HTTPs cert validation. I don't see
difference when I try same using hostname + domain search.
=
I am using openconnect (cisco) and openvpn. Test result are by using
openconnect but I saw same behaviour also while using openvpn.
=
Thanks
Lukas
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1688018/+subscriptions
--
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help : https://help.launchpad.net/ListHelp
