I am trying to set up an openvpn client on Ubuntu 18. I ran the following magic steps:
$ sudo apt-get install openvpn
$ sudo apt-get install openvpn-systemd-resolved
$ sudo openvpn --client --config ./client.ovpn
Wed Jan 2 16:24:14 2019 OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep 5 2018
Wed Jan 2 16:24:14 2019 library versions: OpenSSL 1.1.0g 2 Nov 2017, LZO 2.08
...
<14>Jan 2 15:58:07 update-systemd-resolved: Link 'tun0' coming up
<14>Jan 2 15:58:07 update-systemd-resolved: Adding IPv4 DNS Server 172.17.0.1
<14>Jan 2 15:58:07 update-systemd-resolved: Setting DNS Domain mycompany.com
<14>Jan 2 15:58:07 update-systemd-resolved: Adding IPv4 DNS Server 172.17.0.1
<14>Jan 2 15:58:07 update-systemd-resolved: Adding IPv4 DNS Server 8.8.8.8
<14>Jan 2 15:58:07 update-systemd-resolved: Setting DNS Domain mycompany.com
<14>Jan 2 15:58:07 update-systemd-resolved: Setting DNS Domain mycompany.com
<14>Jan 2 15:58:07 update-systemd-resolved: SetLinkDNS(4 3 2 4 172 17 0 1 2 4 172 17 0 1 2 4 8 8 8 8)
<14>Jan 2 15:58:07 update-systemd-resolved: SetLinkDomains(4 1 mycompany.com false)
Wed Jan 2 15:58:12 2019 ROUTE remote_host is NOT LOCAL
Wed Jan 2 15:58:12 2019 /sbin/ip route add 96.78.182.190/32 via 172.20.10.1
Wed Jan 2 15:58:12 2019 /sbin/ip route add 8.8.8.8/32 metric 101 via 172.27.232.1
Wed Jan 2 15:58:12 2019 /sbin/ip route add 172.27.224.0/20 metric 101 via 172.27.232.1
Wed Jan 2 15:58:12 2019 /sbin/ip route add 172.17.0.0/16 metric 101 via 172.27.232.1
Wed Jan 2 15:58:12 2019 Initialization Sequence Completed
Where:
$ tail ./client.ovpn # Recently downloaded from the openvpn server
... # Appended this magic
.... # from here: https://askubuntu.com/questions/1032476/ubuntu-18-04-no-dns-resolution-when-connected-to-openvpn
script-security 2
dhcp-option DNS 172.17.0.1
dhcp-option DOMAIN mycompany.com
up /etc/openvpn/update-systemd-resolved
down /etc/openvpn/update-systemd-resolved
down-pre
If I look at:
$ ls -la /etc/resolv.conf
lrwxrwxrwx 1 root root 39 Nov 21 16:53 /etc/resolv.conf -> ../run/systemd/resolve/stub-resolv.conf
$ cat /etc/resolv.conf
nameserver 127.0.0.53 <<< SHOULD BE 172.17.0.1
search mycompany.com
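So it seems that the openvpn client is not configuring /etc/resolv.conf the way it did on Ubuntu 14. Without this, if I "ping git" or "ping git.mycompany.com" to find our internal git service (or any internal service), I just get the IP address of my cable modem for all ping requests.
If I edit /etc/resolv.conf and replace 127.0.0.53 with 172.17.0.1, as requested in client.ovpn, then everything works fine.
Why doesn't this client.ovpn cause /etc/resolv.conf to be updated on Ubuntu 18?
Oddly, systemd-resolve disagrees with /etc/resolv.conf. What is going on?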
$ systemd-resolve --status
Global
DNSSEC NTA: 10.in-addr.arpa
16.172.in-addr.arpa
...
home
internal
intranet
lan
local
private
test
Link 4 (tun0)
Current Scopes: DNS
LLMNR setting: yes
MulticastDNS setting: no
DNSSEC setting: no
DNSSEC supported: no
DNS Servers: 172.17.0.1
8.8.8.8
DNS Domain: mycompany.com
Link 2 (wlp2s0)
Current Scopes: DNS
LLMNR setting: yes
MulticastDNS setting: no
DNSSEC setting: no
DNSSEC supported: no
DNS Servers: 172.20.10.1
fe80::1c71:e8cb:d5ec:89ef
For dig, at least, whatever systemd-resolve --status reports is ignored:
$ dig git
; <<>> DiG 9.11.3-1ubuntu1.3-Ubuntu <<>> git
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 55917
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;git. IN A
;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) <<< Not the DNS I want
;; WHEN: Wed Jan 02 15:41:39 PST 2019
;; MSG SIZE rcvd: 32
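Related questions that did not help:
Answer 1
This is not a direct answer to the question (I don't know why /etc/resolv.conf isn't being updated correctly, but whatever the reason, the real problem is that it isn't), but rather a solution to the underlying problem. After trying a lot of things I read here and elsewhere, this is the only thing that worked for me:
In /etc/systemd/resolved.conf, change "yes" to "no" on this line (uncommenting it if necessary), so that you end up with:
DNSStubListener=no
I believe what this does is tell the system not to look at /etc/resolv.conf (which in my case only points it to 127.0.0.53; it doesn't have the nameserver supplied by OpenVPN, as the original question mentions) for DNS. I'm guessing that being forbidden from relying on /etc/resolv.conf forces it to fall back to the other (correct) DNS settings supplied by OpenVPN.
Note that this does not work while dnsmasq is running (at least not for me), so if you have that service installed, stop it and set it not to run.
Note that this assumes Ubuntu 18.04, and perhaps that the other solutions mentioned here and elsewhere have already been implemented, including having openvpn-systemd-resolved and resolvconf installed, and including the necessary lines in the .ovpn file:
script-security 2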
up /etc/openvpn/update-systemd-resolved
up-restart
down /etc/openvpn/update-systemd-resolved
down-pre
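Although I suspect this fix makes all of that irrelevant, since it gets DNS from somewhere other than /etc/resolv.conf, which I believe is what the update-systemd-resolved script is supposed to fix (but doesn't for some people).
Answer 2
Following: DNS set to systemd's 127.0.0.53 - how to change permanently?
If I install resolvconf: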
$ sudo apt install resolvconf
$ cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
# 127.0.0.53 is the systemd-resolved stub resolver.
# run "systemd-resolve --status" to see details about the actual nameservers.
nameserver 127.0.0.53
...so I guess 127.0.0.53 == whatever systemd-resolve --status says.
No need to modify /etc/resolvconf/resolv.conf.d/tail
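
To see what was handed to systemd-resolved behind the 127.0.0.53 stub, the SetLinkDNS and SetLinkDomains lines logged in the question can be decoded and reviewed per link. This is an added example, not part of the original posts or of update-systemd-resolved; the function names are hypothetical, and it assumes the logged arguments follow the busctl 'ia(iay)' and 'ia(sb)' layouts.

```python
import ipaddress
import re

# Constructed sample: the two calls update-systemd-resolved logged in the question.
SAMPLE_LOG = """\
<14>Jan 2 15:58:07 update-systemd-resolved: SetLinkDNS(4 3 2 4 172 17 0 1 2 4 172 17 0 1 2 4 8 8 8 8)
<14>Jan 2 15:58:07 update-systemd-resolved: SetLinkDomains(4 1 mycompany.com false)
"""


def decode_set_link_dns(args):
    """'ia(iay)': ifindex, entry count, then (family, byte count, bytes...)."""
    nums = [int(tok) for tok in args.split()]
    ifindex, count, pos, servers = nums[0], nums[1], 2, []
    for _ in range(count):
        family, length = nums[pos:pos + 2]  # ValueError if the entry is cut short
        raw = bytes(nums[pos + 2:pos + 2 + length])
        if family not in (2, 10) or len(raw) != length:  # AF_INET, AF_INET6
            raise ValueError("malformed entry at token %d" % pos)
        servers.append(ipaddress.ip_address(raw))
        pos += 2 + length
    if pos != len(nums):
        raise ValueError("trailing tokens after %d entries" % count)
    return ifindex, servers


def decode_set_link_domains(args):
    """'ia(sb)': ifindex, entry count, then (domain, routing_only) pairs."""
    toks = args.split()
    ifindex, count, rest = int(toks[0]), int(toks[1]), toks[2:]
    if len(rest) != 2 * count:
        raise ValueError("expected %d (domain, bool) pairs" % count)
    return ifindex, [(rest[i], rest[i + 1] == "true") for i in range(0, len(rest), 2)]


def summarize(log):
    """Per-link view of what the script asked systemd-resolved to configure."""
    links = {}
    for call, args in re.findall(r"(SetLinkDNS|SetLinkDomains)\(([^)]*)\)", log):
        link = links.setdefault(int(args.split()[0]), {"dns": [], "domains": [], "notes": []})
        if call == "SetLinkDomains":
            link["domains"] = decode_set_link_domains(args)[1]
            continue
        servers = decode_set_link_dns(args)[1]
        link["dns"] = [str(s) for s in dict.fromkeys(servers)]  # de-duplicated, order kept
        if len(link["dns"]) < len(servers):
            link["notes"].append("duplicate DNS server pushed")
        link["notes"] += ["public resolver on link: %s" % s for s in servers if s.is_global]
    return links
```

For the sample, link 4 (tun0 in the systemd-resolve --status output) ends up with 172.17.0.1 and 8.8.8.8, with mycompany.com as a non-routing-only domain.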