When using the openvpn nixos module, with updateResolvConf = true;, it is possible to get into a state where:
- The openvpn connection has failed (openvpn server down, transient network connectivity issue, etc.)
- The systemd openvpn-<name>.service is still "active"
- /etc/resolv.conf still contains the nameservers to use when connected to the VPN.
In this state, the network cannot connect to the nameservers in resolv.conf, because they aren't accessible unless connected to the VPN. openvpn can't renegotiate the VPN connection, because it can't resolve the address of the server.
Manually editing /etc/resolv.conf to add a public nameserver above the VPN ones allows it to break out of the loop and disconnect or reconnect to the VPN.
Not sure if this is a nixos problem or an upstream issue. Openvpn doesn't appear to integrate very well with systemd (for example, the service will show as successfully started before it actually completes the initialisation sequence), so not sure how easily solvable this will be.
Steps To Reproduce
Steps to reproduce the behavior:
1. Have access to an openvpn server, either one you're running or someone else's.
2. Configure an openvpn client using the nixos module, including setting updateResolvConf = true, and run nixos-rebuild switch.
3. Connect to the vpn by running systemctl start openvpn-<name>.service
4. Cause the connection to fail in some way (e.g. stop the openvpn server, or disconnect the network for longer than the vpn connection can tolerate)
5. Run systemctl stop openvpn-<name>.service
6. Look at the status with systemctl status openvpn-<name>.service or journalctl. You will see a number of errors, "RESOLVE: Cannot resolve host address", and the openvpn service has not stopped, and hasn't run the down script to update resolv.conf.
Expected behaviour
openvpn-<name>.service enters some sort of failed state. I'm not sure that it should immediately update resolv.conf, since silently turning off the VPN and sending info to nameservers outside the VPN is probably a security issue. However, it should be possible for the user to stop or restart the openvpn service without manually editing resolv.conf.
Notify maintainers
@MarcWeber @bennofs
Metadata
Please run nix-shell -p nix-info --run "nix-info -m" and paste the result.
Hi.
How about --ping-restart n option? From the description it seems that using this you can force a restart of the openvpn process, which should trigger up and down scripts dealing with resolv.conf
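The following is an added example of how the keepalive/ping-restart suggestion above could be expressed in the NixOS module configuration used in the report; it is not code from the issue or from nixpkgs. The server name "corp", the remote hostname, and the certificate paths are placeholders. It uses the existing module options services.openvpn.servers.<name>.config, updateResolvConf and autoStart, and OpenVPN's own keepalive, resolv-retry and persist-tun options. The point of the comments is the interaction that matters for this bug: a ping-restart tears the tunnel down and runs the down script (restoring the pre-VPN resolvers) only when persist-tun is not set.

```nix
# Added example, not part of the issue: NixOS OpenVPN client with
# updateResolvConf = true and keepalive settings so that a dead tunnel
# restarts the OpenVPN process instead of staying "active" with
# unreachable VPN resolvers in /etc/resolv.conf.
{ config, pkgs, ... }:
{
  services.openvpn.servers.corp = {          # "corp" is a placeholder name
    autoStart = false;        # start by hand: systemctl start openvpn-corp.service
    updateResolvConf = true;  # run update-resolv-conf as the up/down script
    config = ''
      client
      dev tun
      proto udp
      remote vpn.example.invalid 1194    # placeholder server hostname

      # Keep retrying hostname resolution at startup instead of exiting.
      resolv-retry infinite

      # keepalive 10 60 on a client expands to: ping 10, ping-restart 60.
      # If nothing is received for 60 s OpenVPN performs a SIGUSR1 restart:
      # the tunnel is closed, the down script restores the previous
      # resolv.conf (public resolvers), and the reconnect can resolve the
      # remote name again; on success the up script re-adds the VPN resolvers.
      keepalive 10 60

      # Deliberately NOT set: persist-tun. With persist-tun, OpenVPN skips the
      # down/up scripts across ping-restart restarts, which would leave the
      # VPN resolvers in resolv.conf while the tunnel is down, i.e. the
      # exact state described in this issue.

      ca   /etc/openvpn/corp-ca.pem    # placeholder path
      cert /etc/openvpn/corp-cert.pem  # placeholder path
      key  /etc/openvpn/corp-key.pem   # placeholder path
      verb 3
    '';
  };
}
```

After nixos-rebuild switch, the state can be checked by stopping the server side (or dropping the network for more than 60 s) and watching journalctl -u openvpn-corp.service: a "Inactivity timeout (--ping-restart), restarting" line followed by the down script running is the behaviour this configuration is meant to produce, whereas repeated "RESOLVE: Cannot resolve host address" lines with no down script indicate the resolvers were not restored.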