nm-l2tp / NetworkManager-l2tp

L2TP and L2TP/IPsec support for NetworkManager
GNU General Public License v2.0

DNS not working after VPN disconnected #95

Closed eft closed 5 years ago

eft commented 5 years ago

After I disconnect the VPN, DNS stops working until I restart Network Manager. However, if I start the service with debug (sudo /usr/lib/NetworkManager/nm-l2tp-service --debug), DNS continues to work after I disconnect the VPN.

I built network-manager-l2tp manually from the master branch but I have also tried the latest tag (1.2.10) and the older version in Ubuntu package repositories.

Per the documentation, xl2tpd is disabled and I am using the workaround for legacy algorithms.

My system settings are below.

Packages

$ for p in strongswan xl2tpd network-manager network-manager-l2tp networkd-dispatcher; do printf "$p\t"; dpkg -s $p | grep -Po '^Version\: \K.*?(?=$)';echo; done | column -t
dpkg-query: package 'network-manager-l2tp' is not installed and no information is available
Use dpkg --info (= dpkg-deb --info) to examine archive files,
and dpkg --contents (= dpkg-deb --contents) to list their contents.
strongswan            5.6.2-1ubuntu2.3
xl2tpd                1.3.10-1ubuntu1
network-manager       1.10.6-2ubuntu1
network-manager-l2tp
networkd-dispatcher   1.7-0ubuntu3.3

Ubuntu 18.04

$ lsb_release -a
No LSB modules are available.
Distributor ID: neon
Description:    KDE neon User Edition 5.14
Release:        18.04
Codename:       bionic
$ uname -srvpo
Linux 4.15.0-38-generic #41-Ubuntu SMP Wed Oct 10 10:59:38 UTC 2018 x86_64 GNU/Linux

dkosovic commented 5 years ago

I've reproduced the issue with KDE neon 5.14.2, but not with stock Ubuntu 18.04.

/etc/resolv.conf is a symlink to /run/systemd/resolve/stub-resolv.conf

Before the VPN connection:

$ ls -l /run/systemd/resolve/stub-resolv.conf
-rw-r--r-- 1 systemd-resolve systemd-resolve 720 Oct 31 10:00 /run/systemd/resolve/stub-resolv.conf

Interestingly, although not significant, on stock Ubuntu 18.04 before a VPN connection, the /run/systemd/resolve/stub-resolv.conf file has root ownership and root group, unlike KDE neon, where it is systemd-resolve.

After the VPN connection, the file is readable only by root:

$ ls -l /run/systemd/resolve/stub-resolv.conf
-rw------- 1 root root 720 Oct 31 10:10 /run/systemd/resolve/stub-resolv.conf

A quick workaround to get DNS working after a VPN connection is:

sudo chmod a+r /run/systemd/resolve/stub-resolv.conf

Sorry, I'm not sure why KDE's plasma-nm package doesn't do the right thing with setting the /run/systemd/resolve/stub-resolv.conf file permissions after a VPN connection.

dkosovic commented 5 years ago

I did see someone post the same issue here:

Anyway, this package doesn't touch /etc/resolv.conf, but pppd from the ppp package does. xl2tpd starts an instance of pppd. So the bug is either with the plasma-nm package, pppd or systemd-resolve, but as it doesn't exist with the GNOME-based packages, I'm suspecting plasma-nm.

eft commented 5 years ago

Hi David,

Thanks so much for investigating this and narrowing down the root cause (forgive the pun).

For a slightly easier workaround I tried the script at https://askubuntu.com/a/1051273 and results look good using the GUI to connect/disconnect VPN.

:/etc/NetworkManager/dispatcher.d$ cat 02-fix-resolv.conf.sh
#!/bin/sh
if [ "$1" = "ppp0" -a "$2" = "vpn-up" ]; then
  echo "VPN activated" > /tmp/see-ask-ubuntu-1048392.txt
  chmod a+r /run/systemd/resolve/stub-resolv.conf.pppd-backup.ppp0
  chown systemd-resolve:systemd-resolve /run/systemd/resolve/stub-resolv.conf.pppd-backup.ppp0
fi
:/etc/NetworkManager/dispatcher.d$ cat /tmp/see-ask-ubuntu-1048392.txt
VPN activated

Thank you for providing this useful tool for those of us having to deal with legacy VPN servers.
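
A variant of the dispatcher workaround above, as an added example that is not part of the original thread or of NetworkManager-l2tp's own code. Dispatcher scripts run as root, so this version logs through syslog instead of writing a fixed file name under world-writable /tmp, refuses to chmod anything that is a symlink or not a regular file, and only adds read permission. Assumptions: RESOLVE_DIR and the function names are made up for this example, and the vpn-down branch assumes that event is also delivered for ppp0 after pppd has restored its backup.

```shell
#!/bin/sh
# Added example: NetworkManager dispatcher script ($1 = interface, $2 = action).
# RESOLVE_DIR is a hypothetical override, used only so the logic can be
# exercised against a scratch directory instead of the live system.
RESOLVE_DIR="${RESOLVE_DIR:-/run/systemd/resolve}"

log() {
    # Log to syslog rather than a predictable path in world-writable /tmp.
    command -v logger >/dev/null 2>&1 || return 0
    logger -t fix-resolv-perms -- "$*" 2>/dev/null || true
}

# Return 0 only if $1 is a regular file (not a symlink) readable by "other".
is_world_readable() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    [ "$(ls -ld -- "$1" | cut -c8)" = "r" ]
}

# Add read permission and nothing else. 0 = ok or already fine, 2 = refused.
fix_perms() {
    if [ -L "$1" ] || [ ! -f "$1" ]; then
        log "refusing to touch $1: not a regular file"
        return 2
    fi
    is_world_readable "$1" && return 0
    chmod a+r -- "$1" && log "restored read permission on $1"
}

handle_event() {
    [ "$1" = "ppp0" ] || return 0
    case "$2" in
        # File that pppd restores on disconnect (name taken from the thread).
        vpn-up)   fix_perms "$RESOLVE_DIR/stub-resolv.conf.pppd-backup.ppp0" ;;
        # Live file, in case it was restored with mode 0600 anyway.
        vpn-down) fix_perms "$RESOLVE_DIR/stub-resolv.conf" ;;
        *)        return 0 ;;
    esac
}

if [ "$#" -ge 2 ]; then
    handle_event "$1" "$2"
fi
```

Unlike the script in the comment above, this one leaves file ownership unchanged and only restores read permission.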

dkosovic commented 5 years ago

For Ubuntu users having DNS issues as a result of /run/systemd/resolve/stub-resolv.conf file permissions, a fix seems to be to issue the following:

sudo apt install resolvconf

See: