OpenVPN3 doesn't set back previous DNS after disconnect using systemd-resolved in stub mode #246

Open
savely-krasovsky opened this issue Mar 22, 2024 · 1 comment

savely-krasovsky commented Mar 22, 2024

I am using the latest Arch Linux with systemd-resolved. I am actually dealing with two problems, but the most annoying one is the case in stub resolv.conf mode.

So in foreign mode (with the usual /etc/resolv.conf mode) OpenVPN3 just adds the VPN's DNS server to the list, but it doesn't make it primary even if I am overriding with dns-scope: global:

Global
           Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
    resolv.conf mode: foreign
  Current DNS Server: 10.25.1.3
         DNS Servers: 10.25.1.3 192.168.88.1
Fallback DNS Servers: 1.1.1.1#cloudflare-dns.com 9.9.9.9#dns.quad9.net 8.8.8.8#dns.google 2606:4700:4700::1111#cloudflare-dns.com 2620:fe::9#dns.quad9.net 2001:4860:4860::8888#dns.google
          DNS Domain: EXAMPLE example.org example.com
#
# Generated by OpenVPN 3 Linux (NetCfg::DNS::ResolvConfFile)
# Last updated: 2024-03-22 18:33:46 
#
search EXAMPLE example.org example.com

# OpenVPN defined name servers
nameserver 10.25.1.3

# System defined name servers
nameserver 192.168.88.1

192.168.88.1 is my home network cache server. In that case corporate services with a domain other than those in the DNS Domain list resolve to an external IP (dns-scope: global was here to fix it, or did I miss something?). The reason for this problem is probably the missing ~. in the domains.

But in stub mode the situation is even weirder. So OpenVPN finally detects stub mode and sets only one DNS:

Global
           Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
    resolv.conf mode: foreign
  Current DNS Server: 10.25.1.3
         DNS Servers: 10.25.1.3
Fallback DNS Servers: 1.1.1.1#cloudflare-dns.com 9.9.9.9#dns.quad9.net 8.8.8.8#dns.google 2606:4700:4700::1111#cloudflare-dns.com 2620:fe::9#dns.quad9.net 2001:4860:4860::8888#dns.google
          DNS Domain: EXAMPLE example.org example.com ~.
#
# Generated by OpenVPN 3 Linux (NetCfg::DNS::ResolvConfFile)
# Last updated: 2024-03-22 18:41:29 
#
search EXAMPLE example.org example.com .

# OpenVPN defined name servers
nameserver 10.25.1.3

# System defined name servers
nameserver 127.0.0.53

# Other system settings
options edns0 trust-ad

Finally, even corporate resources with a domain other than those in the Domain list resolve, but after a proper disconnect it leaves the corporate DNS installed for systemd-resolved:

resolvectl
Global
           Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
    resolv.conf mode: stub
  Current DNS Server: 10.25.1.3
         DNS Servers: 10.25.1.3
Fallback DNS Servers: 1.1.1.1#cloudflare-dns.com 9.9.9.9#dns.quad9.net 8.8.8.8#dns.google 2606:4700:4700::1111#cloudflare-dns.com 2620:fe::9#dns.quad9.net 2001:4860:4860::8888#dns.google
          DNS Domain: EXAMPLE example.org example.com ~.

So basically the network breaks, and until I manually run systemctl restart systemd-resolved.service it won't recover. To me it looks at least strange and probably broken.

savely-krasovsky changed the title from "OpenVPN3 doesn't return previous DNS after disconnect using systemd-resolved in stub mode" to "OpenVPN3 doesn't set back previous DNS after disconnect using systemd-resolved in stub mode" on Mar 22, 2024
Member

dsommers commented Apr 6, 2024

Can you please run this command as root?

  # openvpn3-admin init-config

If the output here doesn't look too concerning to you, you can add the --write-config option to store it. Existing settings will not be modified, unless you add the --force argument in addition.

I expect this command to detect systemd-resolved and configure OpenVPN 3 Linux to integrate with it directly instead of modifying /etc/resolv.conf. That's required for the --dns-scope setting to work.

Before starting a new VPN session, please ensure that openvpn3-service-netcfg is stopped (a simple kill -INT is enough). That's needed for the network config service to pick up this configuration change.
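
A post-disconnect check for the state reported in this issue, as an added example (not part of the thread and not OpenVPN 3 Linux code): it parses `resolvectl` output and reports when the VPN resolver or the `~.` catch-all domain is still present in the Global section. The function names and the constructed clean sample are assumptions.

```shell
#!/usr/bin/env bash
# Added example: flag VPN DNS settings left in the Global section of
# `resolvectl` output after a disconnect.

# Print one field of the Global section; resolvectl output is read on stdin.
# Assumes the field's values sit on a single line, as in the issue's output.
global_field() {
    awk -v key="$1" '
        /^Global$/     { in_global = 1; next }
        /^Link [0-9]+/ { in_global = 0 }
        in_global {
            line = $0; sub(/^[ \t]+/, "", line)
            if (index(line, key ":") == 1) {   # skips "Fallback DNS Servers"
                sub(/^[^:]*:[ \t]*/, "", line); print line
            }
        }'
}

# check_leftover_dns VPN_DNS_IP < resolvectl-output
# Returns 1 if the VPN resolver or the ~. catch-all domain is still global.
check_leftover_dns() {
    cld_vpn="$1"; cld_rc=0
    cld_in="$(cat)"
    cld_servers="$(printf '%s\n' "$cld_in" | global_field 'DNS Servers' | sed 's/#[^ ]*//g')"
    cld_domains="$(printf '%s\n' "$cld_in" | global_field 'DNS Domain')"
    case " $cld_servers " in
        *" $cld_vpn "*) echo "leftover: $cld_vpn is still a global DNS server"; cld_rc=1 ;;
    esac
    case " $cld_domains " in
        *" ~. "*) echo "leftover: catch-all routing domain ~. is still global"; cld_rc=1 ;;
    esac
    return "$cld_rc"
}

# Global section as reported in the issue after disconnecting
# (Fallback DNS Servers line omitted for brevity).
sample_after_disconnect() {
cat <<'EOF'
Global
           Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
    resolv.conf mode: stub
  Current DNS Server: 10.25.1.3
         DNS Servers: 10.25.1.3
          DNS Domain: EXAMPLE example.org example.com ~.
EOF
}

# Constructed clean state: resolver only on a link (link name is an assumption).
sample_clean() { printf 'Global\n    resolv.conf mode: stub\n\nLink 2 (eth0)\n       DNS Servers: 192.168.88.1\n'; }

sample_after_disconnect | check_leftover_dns 10.25.1.3 || true
```

On a live system the same check is `resolvectl | check_leftover_dns 10.25.1.3`, run after the session has been disconnected.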
