DNS server resolution broken after disconnecting from Windscribe VPN

[Nuc1eoN]

I don't know if this an issue with the packaging of windscribe-cli or if it is some other issue, but my problem is that after disconnecting from windscribe my resolv.conf is empty and DNS resolution obviously fails. I have openresolv installed but there is also systemd-resolved, maybe it's needed? The wiki also mentiones some script to update resolv.conf (https://wiki.archlinux.org/index.php/OpenVPN#Update_resolv-conf_script), but I don't see why I should need some script workaround to get this simple thing working.

[hkuchampudi]

Hmm...

First, systemd-resolved is part of the systemd package and is installed by default in Arch systems (see https://wiki.archlinux.org/index.php/Systemd-resolved).

What are you using to connect to your network? NetworkManager? Are you using DHCP? Do you have DNS resolution and Internet connectivity before connecting to Windscribe?

Can you post the contents of your /etc/resolv.conf:

• before connecting to Windscribe
• after connecting to Windscribe
• after disconnecting from Windscribe

Is there any relevant information in the debug log?

I just tested this on a clean installation of Arch. After disconnecting from Windscribe, the original contents of my /etc/resolv.conf are restored.

[Nuc1eoN]

Yes I am sorry, I've actually meant core/systemd-resolvconf. I am using networkd and I think it's using DHCP, how can I find out? I simply connected via LAN cable to the router and it worked.

Do you have DNS resolution and Internet connectivity before connecting to Windscribe?

No I don't. From the moment I have installed and used windscribe I am only able to connect over windscribe.

/etc/resolv.conf before Windscribe connection:

# Resolver configuration file.
# See resolv.conf(5) for details.

during:

# Generated by resolvconf
nameserver 10.255.255.2

after:

# Resolver configuration file.
# See resolv.conf(5) for details.

When I search for windscribe viewlog | grep -i resolv there are many entries like [INFO] running openvpn command: /usr/bin/openvpn --verb 4 --daemon --management /etc/windscribe/openvpn.sock unix --management-hold --config /etc/windscribe/client.ovpn --log /var/log/windscribe/ovpn_log.txt --up /etc/windscribe/update-resolv.sh --down /etc/windscribe/update-resolv.sh

So there actually seems to be some script inplace to update resolv.conf

[hkuchampudi]

Ok,

Unless you remember configuring a static IP for your computer, you are probably getting your IP address via DHCP. Since you say that, before, you were able to connect your computer via LAN cable without any additional IP configuration also suggests that you are probably using DHCP.

So, you are using systemd-networkd to manage your network configuration? In which case, if you want to get your DNS from your router and DHCP (instead of hard-coding a DNS), please make sure you have done the following (see https://wiki.archlinux.org/index.php/systemd-networkd#Basic_DHCP_network):

• Enable the systemd-resolved.service
• Symlink /run/systemd/resolve/resolv.conf to /etc/resolv.conf using the command: ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf

So, the logic behind this is that systemd-resolved provides the DNS service so it should be enabled. systemd-resolved then creates the file /run/systemd/resolve/resolv.conf which it uses to manage DNS settings. However, to my knowledge, windscribe-cli and other VPN clients rely on making changes to /etc/resolv.conf. Therefore, we need to bridge the gap and create the aforementioned symlink. If your /etc/resolv.conf is not already symlinked, systemd-resolved will use /etc/resolv.conf as the master DNS configuration and, since it is empty, you won't be able to resolve anything. This explains why you only have an Internet connection when connected to Windscribe.

If you already have enabled the systemd-resolved.service and have the symlink as per the instructions above, then there might be an issue somewhere else in the networking setup.

So there actually seems to be some script inplace to update resolv.conf

Yes there is, it is located in /etc/windscribe/update-resolv.sh and it is responsible for restoring /etc/resolv.conf.

Please give the above a try, and let me know if this leads anywhere.

[Nuc1eoN]

• Enable the systemd-resolved.service
• Symlink /run/systemd/resolve/resolv.conf to /etc/resolv.conf using the command: ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf

Hey @hkuchampudi thank you for your patience that really fixed my issue! :) Feeling dumb right now for not having my system properly set-up. Thank you very much!

[Xavion]

@hkuchampudi

According to this section of the systemd-resolved article (on the ArchWiki), it is currently susceptible to man-in-the-middle attacks.

Do you still recommend that we use it with Windscribe?

[hkuchampudi]

@Xavion

Do you still recommend that we use it with Windscribe?

I don't believe that I have ever recommended users to use any specific DNS resolution service. In the above case, that was what the user was already using on their system. Users should be aware of the limitations and issues affecting the services on their systems and make their own decisions based on that.

That being said, the warning you cited does not apply in this case. To my knowledge, Windscribe does not provide a DNS server that utilizes DNS over TLS. The client application (which uses OpenVPN) mitigates against MitM attacks by using embedded certs and credentials in the configuration file to verify that the user is actually connecting to a legitimate Windscribe server; otherwise the connection would fail. Once connected, traffic moves through the encrypted tunnel established by OpenVPN.

If you have any follow-up concerns, please open a new issue. Thanks!

[Xavion]

@hkuchampudi

OK, thanks for clearing that up. By telling him how to use systemd-resolved, I thought you were more or less endorsing it (for use with Windscribe).

[moeindev]

I'm done with this issue! After disconnecting from Windscribe, the entire network goes down! Here is the fix that I got from This website's comment section:

add exit 0 before line: [ -x /sbin/resolvconf ] || exit 0 inside the file: /etc/windscribe/update-resolv.sh So that windscribe wont update my DNS!