Topic: Mint + VPN DNS help

SoreTween

  • Most of me survived the Pennine Bridleway.
Mint + VPN DNS help
« on: 10 March, 2018, 07:10:38 pm »
I'm pretty new on Linux but I seem to be muddling through, or I was until I tried setting up a VPN.  Everything went peachy, EarthVPN has a good guide to setup that I felt I could follow so I signed up.  Setup went very smoothly and I connected to my shiny new VPN.  Except I can't browse a thing, absolutely diddly works in the interwebs except the EarthVPN web site.  Since it was stone dead I took a guess at DNS and added Google's addresses to the VPN configuration.  Still nothing.

nslookup off and on the VPN confirms that is the issue, it just times out when connected.

I found a page saying dnsmasq might be getting in the way on Mint and following the instructions I confirmed I have dnsmasq (whatever that is). The next instruction is to add server addresses to /etc/dnsmasq.conf, I don't have one of those, just a dnsmasq.d directory.  Checking in Software Manager I kinda half have dnsmasq, dnsmasq-base is installed but dnsmasq is not.

Should I install dnsmasq?  Is that a red herring?  Why does nothing ever just work?
2023 targets: Survive. Maybe.
There is only one infinite resource in this universe; human stupidity.

Afasoas

Re: Mint + VPN DNS help
« Reply #1 on: 11 March, 2018, 12:16:38 pm »
My money is on that you have configured your VPN connection so that it is passing all network traffic via your VPN provider, which includes DNS queries. It's possible that any DNS queries sent via your VPN provider not targeted at their DNS servers will simply be dropped, hence the timeouts.  By using other DNS servers, you are partially defeating the object of using a VPN. If you send your DNS queries to Google, you are losing some aspect of privacy as I believe Google will record DNS queries.

Are you using a PPTP or OpenVPN connection?

vorsprung

  • Opposites Attract
    • Audaxing
Re: Mint + VPN DNS help
« Reply #2 on: 11 March, 2018, 08:29:15 pm »
Why does nothing ever just work?

Because it's software

Re: Mint + VPN DNS help
« Reply #3 on: 12 March, 2018, 09:03:00 am »
You have my sympathies, I had similar issues a while back and never really solved them 100%.

Linux DNS handling with any of the "let's make everything automatic and friendly" distributions has got horribly complex when it comes to VPNs.  My own issues were with Ubuntu but I should imagine Mint has many of the same underlying challenges.

There are a few factors that need to be investigated:

1. What is systemd doing at bootup?  "systemd" has its hooks into many things, there are many people who see this as bad, but YMMV.

2. NetworkManager is (probably) firing up the network connections and configuring DNS lookup.  Its configuration is quite complex and "flexible".

3. GTK applications use a different resolver library to libc applications.  At one stage, I had name resolution working at the command line but not in Firefox.

4. dnsmasq adds another layer of obfuscation and the distribution may alter the NetworkManager behaviour and its configuration.

Also what happens varies significantly if you start the VPN connection as command line (e.g. "openvpn somewhereelse.opvn") or through the nmapplet desktop plugin.

In the end, I finished up forgetting openvpn integration at the network stack layer and using my VPN provider's plugins for Chrome/Chromium and Firefox.  This is mostly OK to access geo-restricted sites but doesn't address privacy issues so well.

Even the browser plugin approach wasted a few hours this weekend past, as a couple of my most used sites decided to (probably) blacklist my VPN's UK endpoint.  Routing Chrome through an openssh socks5 proxy wasn't working because the browser vpn plugin had taken over the proxy api hooks (until the plugin was disabled!).

I'm really thinking of going back to a distribution where a simple edit to /etc/resolv.conf just works and init.d without systemd rules - probably back to Gentoo or maybe Alpine Linux.

Good luck, you may well need it!


SoreTween

  • Most of me survived the Pennine Bridleway.
Re: Mint + VPN DNS help
« Reply #4 on: 12 March, 2018, 08:50:20 pm »
EarthVPN responded to my query and apparently they assign Google automatically anyway so my adding to the VPN config should have made no difference.  Using DNS through the VPN isn't secure but differentiating my queries from everyone else using the same server would be hard, hide in the crowd. Besides, I don't expect perfect privacy & anonymity yet, I'm still learning.  When I have a correct config if I want to go anon I'll bin everything and start from scratch.  You cannot migrate to anonymous, just ask MalwareTech.

I added another VPN, this time PPTP and that works.  I will persist with OpenVPN as it is audited.

This makes the shoulders sink:
At one stage, I had name resolution working at the command line but not in Firefox.
So even if I ask at the command line what DNS is assigned it doesn't necessarily apply to all processes.  Terrific :-(

In a command prompt started fresh each time:
On the Hotel wifi the hotel's gateway is in resolv.conf
On the Hotel wifi + working PPTP VPN the hotel's gateway is in resolv.conf
On the Hotel wifi + non working OpenVPN without DNS settings in the Network Manager config earthvpn.com then the hotel's gateway are in resolv.conf
On the Hotel wifi + non working OpenVPN with DNS settings in the Network Manager config earthvpn.com then the hotel's gateway are in resolv.conf

Is there any way to tell from the outside what DNS I'm using?  By 'from the outside' I mean in the same manner that I can ask ip2location.com what my ip is and thus where it thinks I am.

SoreTween

  • Most of me survived the Pennine Bridleway.
Re: Mint + VPN DNS help
« Reply #5 on: 20 March, 2018, 08:05:27 pm »
Win some lose some  ::-)

Back in Pastaland again and so having another look at this.  Since I was last here the Hotel has a Shiny New Network which means a single virtual AP throughout the building rather than <hotel> 3a, <hotel> 4b etc (two SSIDs per floor basically). Great. Except that my PPTP VPN no longer works.  Arseballs.  That's the BN.

GN: EarthVPN suggested a manual edit to resolv.conf after connecting to their OpenVPN service to add the gurgle nameservers.  That works so the theory is proven.  Now all I need is a way to make those nameservers applied when I connect to a defined VPN, the obvious route of specifying them in the NetworkManager VPN config having miserably failed.

MGN: Despite resolv.conf being fiddled with by resolvconf or dnsmasq or NetworkManager as you go up the tree each is just a bunch of scripts.  Somewhere.  'All' I have to do is understand how and why each is forking about with my resolv.conf and insert the extra lines I want in the relevant part of a definition file.  Shouldn't take long  :facepalm:  Everything being in a text file/script somewhere rather than buried in an unfathomable registry suits my head just fine.  There's just the small matter of the vertiginous learning curve I'm looking at to deal with.

At least I have a new workaround to replace the old one to be going on with.

Afasoas

Re: Mint + VPN DNS help
« Reply #6 on: 20 March, 2018, 09:02:45 pm »
I'll have to have a peek into the openvpn setup on my laptop. I'm using Debian 9 with network manager and the openvpn packages/openvpn network manager plugin and that has been a resounding success. The only times in which it hasn't worked have either been when I've let a certificate lapse or when the OpenVPN port has been blocked by a third party's WiFi. I had the latter recently when I was using NHS provided guest WiFi - which I circumvented with SSH tunnel/socks proxy.

I never have issues with the DNS configuration - first resolver is my home DNS server so that I can resolve servers on my home network, which won't do any recursion for VPN clients. Second and third DNS servers are my VPN provider's servers. OpenVPN is configured so that it pulls the DNS configuration from my VPN server, rather than being specified client side.

I'll post some more details on actual setup shortly...

Afasoas

Re: Mint + VPN DNS help
« Reply #7 on: 20 March, 2018, 09:55:37 pm »
Code:
afasoas@moulton:~/tmp$ dpkg -l | grep resolvconf

^^ resolvconf not installed

Code:
afasoas@moulton:~/tmp$ dpkg -l | grep dnsmasq
ii  dnsmasq-base                                                2.76-5+deb9u1                               amd64        Small caching DNS proxy and DHCP/TFTP server

dnsmasq installed ...

Code:
afasoas@moulton:~/tmp$ ps aux | grep dnsmasq
afasoas    2866  0.0  0.0  12784   948 pts/0    S+   21:10   0:00 grep dnsmasq

.. but not running.

Code:
afasoas@moulton:~/tmp$ cat /etc/resolv.conf
# Generated by NetworkManager
search bikeshed.internal
nameserver 172.16.1.51
nameserver 209.222.18.222
nameserver 209.222.18.218

^^ With OpenVPN active, NetworkManager is setting up the correct DNS servers in resolv.conf

Nothing seems particularly special in the NetworkManager configuration file that's been generated for the OpenVPN connection:

Code:
afasoas@moulton:~/tmp$ sudo cat /etc/NetworkManager/system-connections/abus-udp-1194-afasoas_VPN\ \(openvpn\)
[sudo] password for afasoas:
[connection]
id=abus-udp-1194-afasoas_VPN (openvpn)
uuid=449f8197-4de5-4a0b-b8b6-87d6d5486fb3
type=vpn
timestamp=1489134012

[vpn]
service-type=org.freedesktop.NetworkManager.openvpn
ta-dir=1
connection-type=tls
auth=SHA256
remote=blah.blah.co.uk
cipher=AES-128-CBC
cert-pass-flags=1
cert=/home/afasoas/.openvpn/abus-udp-1194-afasoas_VPN.p12
ca=/home/afasoas/.openvpn/abus-udp-1194-afasoas_VPN.p12
key=/home/afasoas/.openvpn/abus-udp-1194-afasoas_VPN.p12
ta=/home/afasoas/.openvpn/abus-udp-1194-afasoas_VPN-tls.key

[ipv6]
method=auto

[ipv4]
method=auto

VPN Server pushes out DNS settings:


SoreTween

  • Most of me survived the Pennine Bridleway.
Re: Mint + VPN DNS help
« Reply #8 on: 22 March, 2018, 07:49:38 pm »
Thank you Afasoas

From the top:
Code:
soretween@shaggy ~ $ dpkg -l | grep resolvconf
ii  resolvconf                            1.78ubuntu6                                  all          name server information handler
soretween@shaggy ~ $ ps aux | grep resolvconf
soretween      12288  0.0  0.0  14228   928 pts/0    S+   20:23   0:00 grep --color=auto resolvconf

Installed and running

Code:
soretween@shaggy ~ $ dpkg -l | grep dnsmasq
ii  dnsmasq-base                          2.75-1ubuntu0.16.04.4                        amd64        Small caching DNS proxy and DHCP/TFTP server
soretween@shaggy ~ $ ps aux | grep dnsmasq
nobody    2059  0.0  0.1  52868  4228 ?        S    20:04   0:00 /usr/sbin/dnsmasq --no-resolv --keep-in-foreground --no-hosts --bind-interfaces --pid-file=/var/run/NetworkManager/dnsmasq.pid --listen-address=127.0.1.1 --cache-size=0 --conf-file=/dev/null --proxy-dnssec --enable-dbus=org.freedesktop.NetworkManager.dnsmasq --conf-dir=/etc/NetworkManager/dnsmasq.d
soretween      12394  0.0  0.0  14228   928 pts/0    S+   20:31   0:00 grep --color=auto dnsmasq

Ditto

Code:
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.1.1
search earthvpn.com l.certwifi.com

^^ no point moving on to the last step, NetworkManager isn't managing my resolv.conf, resolvconf is.

Next steps suddenly come into clear focus:  What is resolvconf, do I want it, if I disable it does NetworkManager take over resolv.conf, can I make resolvconf do what I need?  Those should keep me busy an evening or two.

Thanks again Afasoas, having a working config to compare to makes it so much easier :thumbsup:

Afasoas

Re: Mint + VPN DNS help
« Reply #9 on: 24 March, 2018, 11:09:26 am »
resolvconf has its own set of configuration files used for writing out /etc/resolv.conf .. it's possible NetworkManager is writing to them - if I find time later on today I'll boot up my main desktop (which is running Mint) and have a look.
Unfortunately one of the first things I do when I install Mint is rip out dnsmasq and avahi so I can't guarantee usefulness.

I think you need to have a dig into the dnsmasq configuration, given that your resolv.conf nameserver is on local host.
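
Added example, not part of any post in this thread: a small Python check that reads resolv.conf text and labels each nameserver, showing why the two files posted above behave differently (one lists real resolvers, the other only a loopback forwarder). The function names and labels are this example's own; the two sample files are copied from the posts.

```python
import ipaddress

# resolv.conf contents copied from the two posts in this thread
SORETWEEN = """\
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.1.1
search earthvpn.com l.certwifi.com
"""
AFASOAS = """\
# Generated by NetworkManager
search bikeshed.internal
nameserver 172.16.1.51
nameserver 209.222.18.222
nameserver 209.222.18.218
"""

def nameservers(text):
    """Return nameserver addresses in file order; comment lines never match."""
    found = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            found.append(fields[1])
    return found

def classify(addr):
    """Label one address: local-stub, private, public or invalid."""
    try:
        ip = ipaddress.ip_address(addr.split("%", 1)[0])  # drop any IPv6 zone id
    except ValueError:
        return "invalid"
    if ip.is_loopback:
        return "local-stub"  # a forwarder on this host holds the real upstreams
    if ip.is_private or ip.is_link_local:
        return "private"     # LAN gateway, or a resolver reached through the tunnel
    return "public"

def audit(text):
    """Pair every nameserver with its label, in the order the resolver tries them."""
    return [(addr, classify(addr)) for addr in nameservers(text)]

def stub_only(text):
    """True when resolv.conf names only loopback resolvers, so the file cannot
    show which upstream servers actually receive the queries."""
    labels = [label for _, label in audit(text)]
    return bool(labels) and all(label == "local-stub" for label in labels)

if __name__ == "__main__":
    for name, text in (("SoreTween", SORETWEEN), ("Afasoas", AFASOAS)):
        print(name, audit(text), "stub only:", stub_only(text))
```

When `stub_only` is true, the upstream servers live in the local forwarder rather than in resolv.conf; the dnsmasq command line shown in Reply #8 includes `--no-resolv` and `--enable-dbus`, so that instance does not read its upstreams from a resolv file.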