Comments (9)

DimitriPapadopoulos commented on July 18, 2024

Ideally you should build openfortivpn 1.21 from sources, although I doubt that would change anything on Ubuntu 22.04.

As explained elsewhere, there are 3 ways openfortivpn handles DNS settings:

  1. With --set-dns=1 openfortivpn may try to directly modify /etc/resolv.conf which is a bad idea on contemporary Linux distributions but still works, more or less.
  2. With --set-dns=1 and /usr/sbin/resolvconf, openfortivpn will let resolvconf handle DNS settings.
  3. With --pppd-use-peerdns=1 openfortivpn will let pppd handle DNS settings.

I understand you're in case 1. Verbose logs would help confirm such details. What is the output of the following?

ls -l /usr/sbin/resolvconf
dpkg -S /usr/sbin/resolvconf

I would recommend case 2, in which case it's up to resolvconf to set DNS properly. Actually, 3 different versions of resolvconf exist:
a. Usually systemd-resolved provides its own version of resolvconf, as a symlink to resolvectl. I believe it is not available on Debian and Ubuntu.
b. Debian and Ubuntu have their own version of resolvconf, packaged as resolvconf.
c. An alternative available on all or most Linux distributions is openresolv.

On Ubuntu, I would recommend you try case 2, with resolvconf provided by resolvconf (b) or openresolv (c).

from openfortivpn.

DimitriPapadopoulos commented on July 18, 2024

With that said, what is wrong with adding the following at the top of /etc/resolv.conf?

nameserver 192.168.xxx.xxx
nameserver 192.168.yyy.yyy
search xxxxxxxxx.com 168.192.in-addr.arpa

In theory, we only add what the FortiGate instructs us to. A verbose log, redacted if needed, as suggested in Reporting issues, would show the XML configuration sent by the FortiGate. Chances are the FortiGate is not properly configured.

Shadowfury22 commented on July 18, 2024

Oh, the lines that are being added to my resolv.conf by openfortivpn are fine themselves. The problem is that nothing else is being done to the file, which ends up having two lines with a search.

See, when I was using FortiClient, it replaced the default search line with the new one upon connecting, which made everything work for me out of the box. The behaviour I'm observing here after having switched to openfortivpn is a different one and I've confirmed that getting rid of the old search line fixes the VPN DNS.

The only way I'm currently able to connect to my servers via openfortivpn is by manually editing resolv.conf (replacing the last line with the 3rd one) every time after connecting to the VPN.

All I'm asking you is to please consider this scenario. If you think emulating the FortiClient behaviour by properly replacing the existing search line on resolv.conf would be a good addition to openfortivpn, it will save me having to manually edit the file every day 🙏

Shadowfury22 commented on July 18, 2024

Oh, I'm sorry, I didn't notice your previous comment and only read the latest one.

I actually tried the snap version from the latest/edge channel, which seemed to be the most updated of them all (1.21.0), but it was giving me permission errors when trying to access any file (not only /etc/resolv.conf but also /etc/openfortivpn/config) so I gave up with that one. If push comes to shove, I'll look into building the thing from the latest source myself.

I'm indeed in case 1. Getting the resolvconf package sounds interesting. I'll definitely give that a try and report back.

Thanks!

DimitriPapadopoulos commented on July 18, 2024

It looks like the last and previous line:

search .

takes precedence over the new one:

search xxxxxxxxx.com 168.192.in-addr.arpa

Does that sound right? Not sure why this is not a problem on my own Ubuntu 22.04 machine. I will have to compare.

Do not use openfortivpn snaps. It's impossible to package software so tightly coupled to the OS this way. I have given up and https://snapcraft.io/openfortivpn is completely obsolete.

Shadowfury22 commented on July 18, 2024

I just did some quick testing and it seems like you're completely right.

If I leave both search lines in the file but I move the new one down below the old one, everything works.

Strangely enough though, it seems to be the other way around for the nameserver lines. My DNS only works by having the new nameserver lines up above the old ones.

This file is such a mess. I'm gonna try getting resolvconf and see if that makes it easier.

from openfortivpn.
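
Why the two directives behave in opposite ways, as an added example (not part of the thread or of openfortivpn): per resolv.conf(5), glibc queries `nameserver` entries in file order and uses at most three, while only the last `search`/`domain` line counts. The addresses and domain below are constructed placeholders, and the `127.0.0.53` and `options` lines are assumed from a stock systemd-resolved stub file.

```python
"""Report which resolv.conf lines the glibc stub resolver actually uses."""

MAXNS = 3  # glibc honours at most three nameserver entries

# Constructed sample: VPN lines prepended to an existing file (case 1 in the thread).
PREPENDED = """\
nameserver 192.0.2.10
nameserver 192.0.2.11
search vpn.example.com 2.0.192.in-addr.arpa
nameserver 127.0.0.53
options edns0 trust-ad
search .
"""

# Constructed sample: same file with the VPN search line moved below the old one.
REORDERED = """\
nameserver 192.0.2.10
nameserver 192.0.2.11
nameserver 127.0.0.53
options edns0 trust-ad
search .
search vpn.example.com 2.0.192.in-addr.arpa
"""


def analyse(text):
    """Return effective nameservers, effective search list and ignored lines."""
    nameservers, search, search_line, ignored = [], None, None, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        keyword, *args = line.split()
        if keyword == "nameserver" and args:
            if len(nameservers) < MAXNS:
                nameservers.append(args[0])       # first listed is queried first
            else:
                ignored.append((lineno, line))    # beyond MAXNS: never queried
        elif keyword in ("search", "domain") and args:
            if search is not None:
                ignored.append(search_line)       # earlier instance is overridden
            search = args if keyword == "search" else args[:1]
            search_line = (lineno, line)
    return {"nameservers": nameservers, "search": search or [], "ignored": ignored}


if __name__ == "__main__":
    for name, sample in (("prepended", PREPENDED), ("reordered", REORDERED)):
        print(name, analyse(sample))
```
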

Shadowfury22 commented on July 18, 2024

Installing resolvconf worked like a charm! (I also had to add "use-resolvconf = 1" to my openfortivpn config file)

The VPN entries are now being properly added and removed into the resolv.conf file (now on foreign mode).

Thanks again for your suggestion!

sleepmac commented on July 18, 2024

@Shadowfury22 @DimitriPapadopoulos
I have a similar problem. Running resolvectl:

Link 21 (ppp0)
Current Scopes: none
Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

Also added "use-resolvconf = 1" to the config
On successful connection I get the following message
WARN: Ignoring option "use-resolvconf".
But I still can't connect to my working applications.

Can you please tell me if I missed something?

Shadowfury22 commented on July 18, 2024

@sleepmac Did you install resolvconf?
