adrienverge / openfortivpn

Client for PPP+TLS VPN tunnel services
GNU General Public License v3.0
2.7k stars 320 forks

openfortivpn 1.16.0 DNS problems #881

Open gustav87 opened 3 years ago

gustav87 commented 3 years ago

Hello,

I have looked through issue #824 and #555 but my issue seems a little different. I am new to reporting issues, so please tell me if this question is more suited in another place.

I'm using Manjaro and I recently updated all my packages, and now openfortivpn will set my nameservers in /etc/resolv.conf correctly to the ones I get from the VPN connection, but after a few seconds/minutes, my nameservers are reverted to the original value again.

I was thinking this was due to an openfortivpn update, so I reverted to 1.15.0 first, then 1.41.1, but the issue remains, so I guess the issue is not due to an update in openfortivpn but rather some other part of my system relating to DNS. Sorry for posting this here, but I was hoping you might have a suggestion for me.

If I regularly check my /etc/resolv.conf, at first I see the nameserver generated by resolvconf, which is good, but after some arbitrary time, it seems to get overwritten by NetworkManager:

cat /etc/resolv.conf
# Generated by resolvconf
nameserver 10.10.9.2

cat /etc/resolv.conf
# Generated by NetworkManager
search loc.gstav.se
nameserver 192.168.1.5
nameserver 192.168.1.6

I ran openfortivpn with the -v option, but it didn't show any errors relating to DNS.

I also tried running openfortivpn with options --set-dns=0 --pppd-use-peerdns=1, and I tried starting systemd-resolved, but it had no effect on my problem.

Do you have any suggestions for me?

mrbaseman commented 3 years ago

So if nobody else has any hints, I want to reply at least, but it's difficult to tell. If the DNS configuration is what you expect at the beginning we can assume that openfortivpn and probably pppd do the right job. As you have already observed, this is overwritten by NetworkManager at some time. But we don't know why this happens. Maybe it helps letting NetworkManager know about the vpn connection. The first thing that comes to my mind would be to start the openfortivpn connection out of the NetworkManager applet. Another approach would be to disable NetworkManager at least on the interface that is used for this connection. But if it helps in your case, who knows?

taten14 commented 3 years ago

I have problems with name resolution too. We work with an AD that has conditional forwardings to other domains. These forwardings are not working with the app. The official Forticlient app works without DNS issues on win10 and kde neon. If I cat /etc/resolv.conf with openvpn I have (this does not work):

172.16.10.xxx   Primary Domain DNS
172.16.10.yyy   Secondary Domain DNS

and when I cat it with the official app I have (this does work):

127.0.0.53

Cheers!

gustav87 commented 3 years ago

> So if nobody else has any hints, I want to reply at least, but it's difficult to tell. If the DNS configuration is what you expect at the beginning we can assume that openfortivpn and probably pppd do the right job. As you have already observed, this is overwritten by NetworkManager at some time. But we don't know why this happens. Maybe it helps letting NetworkManager know about the vpn connection. The first thing that comes to my mind would be to start the openfortivpn connection out of the NetworkManager applet. Another approach would be to disable NetworkManager at least on the interface that is used for this connection. But if it helps in your case, who knows?

Thank you for your suggestions. Could you elaborate on how I let Network Manager know about the VPN connection? I ended up changing how NetworkManager writes to resolv.conf, by letting resolvconf handle that instead of NetworkManager.

I created a file in /etc/NetworkManager/conf.d/ and added:

[main]
rc-manager=resolvconf

and then: systemctl restart NetworkManager

This stopped NetworkManager from constantly overwriting my resolv.conf. resolvconf seems to handle the DNS settings I get via DHCP just as well as NetworkManager.

Before this, I "fixed" my problem by doing the following... :)

# crude workaround: rewrite resolv.conf every 2 seconds, faster than NetworkManager reverts it
while true; do
    echo "nameserver 10.10.9.2" | sudo tee /etc/resolv.conf
    sleep 2
done

/Gustav
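The comment above describes two things a practitioner wants to check on a host like this: who last wrote /etc/resolv.conf and whether the tunnel's nameserver is still in it (if it is not, lookups for internal names go to the LAN resolvers and fail, and any query that was meant for the VPN leaks to them), plus whether the rc-manager drop-in is actually in effect. The following shell script is an added example written for this page; it is not code from the issue thread or from openfortivpn. It assumes the caller passes the tunnel nameserver to expect (10.10.9.2 in the samples), that NetworkManager reads conf.d files in name order with later files overriding earlier ones (per NetworkManager.conf(5)), and the resolv.conf and conf.d samples it creates are constructed, not captured from a real host (the search domain loc.example is made up).

```shell
#!/bin/sh
# Added example, not code from the issue thread or from openfortivpn.
# Helpers for diagnosing the "resolv.conf silently reverted" problem above.
# Assumptions (not stated in the thread): the tunnel nameserver to expect is
# passed in by the caller (10.10.9.2 in the samples), and the sample files
# created by make_samples are constructed, not captured from a real host.

# Print who wrote a resolv.conf: "resolvconf", "NetworkManager" or "unknown",
# taken from the "# Generated by ..." comment that both tools leave at the top.
resolv_generator() {
    awk '/^# *Generated by/ { print $4; found = 1; exit }
         END { if (!found) print "unknown" }' "$1"
}

# Exit 0 when the expected nameserver is listed in the file, 1 when it is not,
# i.e. when something has overwritten the VPN resolver configuration.
resolv_has_ns() {
    awk -v ns="$2" '$1 == "nameserver" && $2 == ns { found = 1 }
                    END { exit (found ? 0 : 1) }' "$1"
}

# Print the rc-manager value from the [main] section of the NetworkManager
# drop-ins in a directory, or "unset". NetworkManager reads conf.d files in
# name order and later files override earlier ones, so the last value wins.
nm_rc_manager() {
    value=unset
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        v=$(awk -F= '/^\[/ { insec = ($0 == "[main]"); next }
                     insec && $1 ~ /^ *rc-manager *$/ { gsub(/ /, "", $2); print $2 }' "$f" | tail -n 1)
        if [ -n "$v" ]; then value=$v; fi
    done
    printf '%s\n' "$value"
}

# Constructed samples (assumed, not real captures), written under directory $1:
#   good.conf      resolv.conf as left by resolvconf while the tunnel is up
#   reverted.conf  resolv.conf after NetworkManager has overwritten it
#   nm/            a conf.d directory holding the rc-manager drop-in from the thread
make_samples() {
    printf '# Generated by resolvconf\nnameserver 10.10.9.2\n' > "$1/good.conf"
    printf '# Generated by NetworkManager\nsearch loc.example\nnameserver 192.168.1.5\nnameserver 192.168.1.6\n' > "$1/reverted.conf"
    mkdir -p "$1/nm"
    printf '[main]\nrc-manager=resolvconf\n' > "$1/nm/10-resolvconf.conf"
}

# Live check for a real host: print a line whenever the state of resolv.conf
# changes, so the moment of the revert is visible in the log.
# Usage: watch_resolv /etc/resolv.conf 10.10.9.2   (Ctrl-C to stop)
watch_resolv() {
    last=
    while :; do
        if resolv_has_ns "$1" "$2"; then
            state="ok, written by $(resolv_generator "$1")"
        else
            state="VPN nameserver $2 missing, written by $(resolv_generator "$1")"
        fi
        if [ "$state" != "$last" ]; then printf '%s %s\n' "$(date +%T)" "$state"; fi
        last=$state
        sleep 2
    done
}

# Offline demo on the constructed samples:  sh thisfile.sh demo
demo() {
    d=$(mktemp -d)
    make_samples "$d"
    for f in good reverted; do
        if resolv_has_ns "$d/$f.conf" 10.10.9.2; then r=present; else r=MISSING; fi
        printf '%-14s generator=%-15s vpn-ns=%s\n' "$f.conf" "$(resolv_generator "$d/$f.conf")" "$r"
    done
    printf 'rc-manager in %s: %s\n' "$d/nm" "$(nm_rc_manager "$d/nm")"
    rm -rf "$d"
}

case "${1:-}" in demo) demo ;; esac
```

On a real host, run watch_resolv against /etc/resolv.conf while the tunnel is up and leave it running; the first line reporting "written by NetworkManager" with the VPN nameserver missing is the revert the thread describes, and nm_rc_manager /etc/NetworkManager/conf.d tells you whether the rc-manager=resolvconf drop-in is the value NetworkManager will actually use after the restart.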

mrbaseman commented 3 years ago

One way of making NetworkManager aware of the VPN connection would be to use the NetworkManager Applet, another option (but this depends on the distribution) would be to manually configure interfaces as "not managed" by NetworkManager (in CentOS for instance NM_CONTROLLED=no), but if your solution with the rc-manager setting works for you, it's fine as well.

mrbaseman commented 3 years ago

@taten14 I guess you mean openfortivpn, not openvpn - otherwise you would be reporting to the wrong project. If your nameserver actually is 127.0.0.53, i.e. a service on localhost, you could permanently add it to /etc/resolv.conf and start openfortivpn with the --no-dns option, couldn't you? Or is this service something that the official Forticlient starts up in recent versions?

gustav87 commented 3 years ago

None of the connections in the NetworkManager applet correspond to the VPN connection. ppp0 is the interface set up by openfortivpn, as displayed by ip a.


mrbaseman commented 3 years ago

@gustav87 are you starting the openfortivpn connection using the NetworkManager-fortisslvpn applet?

gustav87 commented 3 years ago

No, I am using openfortivpn from the terminal. I will look into the NetworkManager-fortisslvpn applet.

DimitriPapadopoulos commented 3 years ago

Yes, when using NetworkManager, it's best to let NetworkManager-fortisslvpn handle the VPN too. NetworkManager-fortisslvpn will take over routing and DNS settings; openfortivpn just handles the tunnel itself.

DimitriPapadopoulos commented 3 years ago

That said, we also need to update the Fedora packages to use resolvconf again: https://bugzilla.redhat.com/show_bug.cgi?id=1777935#c29

DimitriPapadopoulos commented 3 years ago

And eventually we need to make openfortivpn aware of NetworkManager and systemd-resolved. However, I currently don't have the resources for that.

emelenas commented 3 years ago

> Yes, when using NetworkManager, it's best to let NetworkManager-fortisslvpn handle the VPN too.

Very true, saves a lot of headaches

> NetworkManager-fortisslvpn will take over routing and DNS settings; openfortivpn just handles the tunnel itself.

However it lacks setting the domain name, which can be a nuisance sometimes. See https://gitlab.gnome.org/GNOME/NetworkManager-fortisslvpn/-/issues/36

emelenas commented 3 years ago

> That said, we also need to update the Fedora packages to use resolvconf again: https://bugzilla.redhat.com/show_bug.cgi?id=1777935#c29

Please, do. It will be much appreciated.

KoenVanLoo commented 3 years ago

Solving this problem would be very useful for me as well!

mrbbs commented 3 years ago

Would be very useful for us as well. Currently we need to establish vpn via cli.