Improve DNS handling?

[DimitriPapadopoulos]

Rationale

Setting DNS parameters has been raising different issues:

• race condition between openfortivpn itself and pppd in earlier versions of openfortivpn prior to allow to use resolvconf instead of resolv.conf #486 and version 1.12.0
• race condition between openfortivpn and NetworkManager (see for example Setting DNS parameters on Fedora #590)
• mechanisms for setting DNS might be available at build-time but not run-time, or at run-time but not build-time (for example resolvectl from systemd is often available at run-time on Fedora machines but is not available at build-time by default)
• mechanisms for setting DNS might be available but not working (for example resolvconf from systemd does not work as expected on Fedora as seen in openfortivpn 1.12 / DNS configuration problems #555)

Especially Fedora and CentOS have been challenging so far. Short of interacting with NetworkManager directly when NetworkManager is installed and used, I suspect the official way to modify DNS parameters on CentOS >= 8 and Fedora is running resolvectl which has been part of the systemd package since CentOS >= 8 (not CentOS 7 which is probably why busctl is used in #615).

Proposal for setting DNS parameters

Is it worth trying to further improve the DNS configuration mechanism when --set-dns=1? Perhaps using the following mechanisms and other ones you can think of?

1. If NetworkManager is installed and in use (how to detect that?) interact with NetworkManager directly? Perhaps through nmcli?
2. If resolvectl from systemd is available run it to modify DNS parameters.
3. If resolvconf is available and works properly (either openresolv or resolvconf but not resolvectl), run it to modify DNS parameters.
4. Fall back on modifying /etc/resolv.conf directly.

NetworkManager is a special case: I am not sure about supporting NetworkManager because NetworkManager already supports openfortivpn through NetworkManager-fortisslvpn. It's the other way round.

Documentation

Man pages:

• nmcli(1) from NetworkManager
• resolvectl(1) from systemd
• resolvconf(8) from Debian
• resolvconf(8) from openresolv

Hopefully we can get some info from this bug report:
https://bugzilla.redhat.com/show_bug.cgi?id=1815605

[DimitriPapadopoulos]

Additionally I believe we need to always support all of resolvectl, resolvconf and modifying /etc/resolv.conf directly. openfortivpn should decide at run-time and not build-time. At least this looks like the only way to support snaps because DNS management is distribution-specific on Linux while snaps are distribution-neutral so they have to support all distributions. See #597 (comment).

[DimitriPapadopoulos]

I have tried to create a list of resolvectl and resolvconf executables on different Linux distributions based on my own experience and pkgs.org:

executables (or lack of)	packages
ALT Linux Sisyphus
shell function resolvectl?	systemd
/sbin/resolvconf	openresolv
Arch Linux
/usr/bin/resolvectl	systemd
/usr/bin/resolvconf	resolvconf
/usr/bin/resolvconf	openresolv
CentOS 8
/usr/bin/resolvectl	systemd
/usr/sbin/resolvconf	systemd
CentOS 7
	systemd
CentOS 6
/sbin/resolvconf	openresolv
Debian 10
/usr/bin/resolvectl	systemd
/sbin/resolvconf	resolvconf
/sbin/resolvconf	openresolv
Debian 9
	systemd
/sbin/resolvconf	resolvconf
/sbin/resolvconf	openresolv
Debian 8
	systemd
/sbin/resolvconf	resolvconf
Fedora 32
/usr/bin/resolvectl	systemd
/usr/sbin/resolvconf	systemd
Fedora 31
/usr/bin/resolvectl	systemd
/usr/sbin/resolvconf	systemd
Fedora 30
/usr/bin/resolvectl	systemd
/usr/sbin/resolvconf	systemd
FreeBSD 13
	systemd
/usr/local/sbin/resolvconf	openresolv
OpenMandriva 4.1
/usr/bin/resolvectl	systemd
/sbin/resolvconf	systemd
OpenMandriva 3.0
	systemd
OpenSuSE Ports Leap 15.2
	systemd
/usr/sbin/resolvconf	resolvconf
OpenSuSE Ports Leap 15.1
	systemd
/usr/sbin/resolvconf	resolvconf
Slackware 14.2
/usr/sbin/resolvconf	openresolv
Slackware 14.1
/usr/sbin/resolvconf	openresolv
PCLinuxOS
/sbin/resolvconf	resolvconf
Solus
/usr/bin/resolvectl	systemd
/usr/sbin/resolvconf	systemd
Ubuntu 20.04
/usr/bin/resolvectl	systemd
/sbin/resolvconf	resolvconf
/sbin/resolvconf	openresolv
Ubuntu 18.04
	systemd
/sbin/resolvconf	resolvconf
/sbin/resolvconf	openresolv
Ubuntu 16.04
	systemd
/sbin/resolvconf	resolvconf
/sbin/resolvconf	openresolv

Most notably resolvectl has been gaining momentum on most distributions, especially Debian 10 and Ubuntu 20.04. Hence if --set-dns=1 we should by order of preference:

1. use resolvectl from systemd if available,
2. else use resolvconf if available, the one from resolvconf or openresolv and certainly not the broken resolvectl alias from systemd,
3. else modify /etc/resolv.conf directly.

[mrbaseman]

Supporting resolvectl surely is something which we should integrate somehow in the near future.

I'm a bit hesitating about the movement of the decision from configure time to the runtime. Programs running with elevated privileges should call other programs with an absolute path. If this decision can not be detected at configure time, we may end up with checking several possibilities at runtime and expectations e.g. about how trustworthy directories below /usr or /usr/local are, may also depend on the distribution.

So, shall we check a couple of locations which we think are safe at runtime? Or shall we rely on a mechanism of the OS to locate the right executable (use $PATH and sanitize it somehow), anything else? Whatever we chose, it should also be portable.

One could argue, openfortivpn needs to run as root anyway, so the user who is allowed to use it must be trustworthy in some sense, but I'm sure some admins provide their users with sudo privileges, the privilege to control network manager, or a systemd service that opens the vpn tunnel on request by the otherwise less trusted employee. I feel a bit uncomfortable with the idea of putting too much automatism to runtime.

[DimitriPapadopoulos]

I absolutely agree, we should not let openfortivpn search the PATH or anything else to find a way to modify DNS parameters. Paths need to be hardcoded. That's why I have researched the location of the executables for various distributions. Therefore by default we should attempt to run only the following executables in directories controlled by the system:

1. /usr/bin/resolvectl is the standard location for resolvectl from systemd across distributions.
2. /sbin/resolvconf and /usr/sbin/resolvconf look like standard locations for resolvconf/openresolv across distributions. Perhaps add /usr/bin/resolvconf for Arch Linux and /usr/local/sbin/resolvconf for FreeBSD, but the last one can and should be configured at build-time.

Note that the broken systemd alias /sbin/resolvconf or /usr/sbin/resolvconf seems to be "hidden" by /usr/bin/resolvectl in all cases, provided we attempt to run resolvectl before resolvconf.

We should also allow for additional/alternative paths to these executables at build-time, for obscure distributions that use different paths or end-users who build & install themselves in different locations.

Finally we should examine the exit status of the executables to catch errors. Will have to experiment with exit status values a little bit.

[DimitriPapadopoulos]

A relevant pull request has just appeared: #615

@da-x Can you please help understand the pull request and comment with respect to other solutions above?

• If I understand the pull request correctly, you're calling busctl instead of resolvectl. Can you comment on that? Perhaps because busctl is available on more distributions than resolvectl (Ubuntu 16.04 and 18.04, Debian 8 and 9, CentOS 7)?
• We already link with systemd libraries. I'm wondering whether we could call systemd functions directly from C instead of running the external script.
• I've been struggling to find the "right way" to modify DNS settings from a program such as openfortivpn. Can you confirm that systemd is the way to go on systems with systemd (so all systems listed above except CentOS 6 and SlackWare), whether using resolvectl, busctl or direct systemd function calls from C? Can you point me to some external publication to support that (I'm convinced but I would like to read a little bit about it)?
• All recent distributions that ship some form of resolvconf also ship systemd, see table above. If systemd is the way to go, I suspect the suggestion to support resolvconf (allow to use resolvconf instead of resolv.conf #486) was a bad idea. Your opinion?

[DimitriPapadopoulos]

Here are the services provided by systemd-resolved:
https://www.freedesktop.org/wiki/Software/systemd/resolved/

@da-x You seem to be calling methods SetLinkDNS, SetLinkDomainsand also SetLinkDNSSEC. Is the last one required? I'm not very familiar with DNSSEC

[da-x]

@DimitriPapadopoulos this bash script code is based on code from https://github.com/jonathanio/update-systemd-resolved, which does similar stuff but for OpenVPN. You can check with them. Now, there's also a hidden assumption that systemd-resolved is enabled on the system, and that /etc/nsswitch.conf is configured for it, which I think is not yet true by default for some distribution versions. I, for one, use it, because I have a home DNS server and a work DNS server, and resolving via system-resolved works well when I try to resolve hostnames from either networks.

[DimitriPapadopoulos]

@da-x Right, on Fedora systemd-resolved is not enabled by default as far as I can tell. Is your script able to detect that?

[da-x]

@DimitriPapadopoulos No, there's an assumption that it's enabled and /etc/nsswitch.conf is configured for it.

[DimitriPapadopoulos]

@da-x Then I suspect it might be much better to rewrite the script directly in C (since openfortivpn is already linked with systemd). Then:

1. Hopefully the C systemd function calls will return an error status if systemd-resolved is not enabled. By the way, if the C function calls fail, I suspect running resolvectl is useless since systemd-resolved is the only supported backend, isn't it?
2. If systemd is not linked in, or the C function calls fail, then we can fall back on resolvconf on systems that have the script (the real resolvconf/openresolve resolvconf script and not the systemd resolveclt alias).
3. If all else fail we fall back on directly modifying /etc/resolv.conf (for example on CentOS 6).

[da-x]

If systemd-resolved is not enabled, then /etc/nsswitch.conf configuration can be made to fallback to resolveconf. Order matters in how backends are specified in nsswitch.conf. In other words, it depends on whether you have:

hosts: files dns resolve

Or:

hosts: files resolve dns

Where files mean direct resolve from /etc/hosts, resolve is for systemd-resolved, and dns is for /etc/resolv.conf.

Also, I used the script as a stop-gap. I'm not sure I can dedicate the time now to implement it in C. So feel free to close that PR for now, or go about implementing it in C.

[DimitriPapadopoulos]

On Ubuntu 18.04:

hosts:          files mdns4_minimal [NOTFOUND=return] dns myhostname

On Fedora 31:

hosts:      files mdns4_minimal [NOTFOUND=return] dns myhostname

The order you are referring to is for DNS resolution which is not really relevant here. What we are after is the order of the tools to try to modify the parameters of DNS resolution. I believe these are two different things.

[DimitriPapadopoulos]

Interesting link:
https://systemd-devel.freedesktop.narkive.com/ghlVQMfi/sd-bus-example-code-for-setlinkdns

[da-x]

Important to note is that if resolve does not appear in /etc/hosts, then most programs, which do not resolve directly via systemd-resolved will not benefit from the update, even if the service is installed and enabled.

[DimitriPapadopoulos]

It's getting more and more complicated:

• Different subsystems co-exist and can be used for name resolution. Of interest are the C library and the Name Service Switch (NSS), and systemd.
• Updating one of the subsystems doesn't necessarily update other subsystems. For example on Fedora 31 updating systemd has no effect on nslookup which is using the C library and NSS. Therefore we might have to update one subsystem and the others, not one subsystem or the other.
• Yet it really depends not on the current Linux distribution but also one the local setup of the distribution. For example it is expected that systemd will be the default name resolution subsystem in Fedora 33 - but only the default! Another example is Fedora 31 where systemd-resolved is installed but is not enabled by default.
• It will probably remain quite complicated to infer which name resolution subsystem needs updating and which doesn't for years to come.

Still investigating...

[DimitriPapadopoulos]

Note that resolvconf (either from openresolv or resolvconf) does not seem to be available by default on Ubuntu 20.04.

[DimitriPapadopoulos]

This ArchWiki OpenVPN page is quite interesting:

For Linux, the OpenVPN client can receive DNS host information from the server, but the client expects an external command to act on this information. No such commands are configured by default. They must be specified with the up and down config options. There are a few alternatives for what scripts to use, but none are officially recognised by OpenVPN [...]

[da-x]

This ArchWiki OpenVPN page is quite interesting:

For Linux, the OpenVPN client can receive DNS host information from the server, but the client expects an external command to act on this information. No such commands are configured by default. They must be specified with the up and down config options. There are a few alternatives for what scripts to use, but none are officially recognised by OpenVPN [...]

That's why I implemented that same approach for openfortivpn - running an external user-configured script. Looking at this I got the feel that the variety of DNS configurations and methods may be too wide for openfortivpn to guess what's preferred for the current system, especially if you want to support old systems. There isn't yet a widespread acceptable default across all distributions.

[DimitriPapadopoulos]

A few links of interest:

• How exactly are NetworkManager, networkd, netplan, ifupdown2, and iproute2 interacting?
• Ubuntu Network Manager: Enabling and disabling NetworkManager on Ubuntu
• Netplan
• Netplan Design
• Have a Plan for Netplan

[MauroMombelli]

hi,
without going too deep, seems like systemd-resoved is quite common, so it would make sense to start implement it.
For NetworkManager should be relatively easy to check if the service is running and ask the user to use the proper plugin instead.
Also the interface could show the list of dns setup so if someone has a special need he can easily find the information and apply; this is also why i like the idea of the external script to set it up, it could be very nice if it look in the user default directory ($XDG_CONFIG_HOME)for a script with the name of the conf, so multiple script can coexist.

This would make extremely easy to share script with friend and colleague

[DimitriPapadopoulos]

Also the interface could show the list of dns setup so if someone has a special need he can easily find the information and apply; this is also why i like the idea of the external script to set it up, it could be very nice if it look in the user default directory ($XDG_CONFIG_HOME)for a script with the name of the conf, so multiple script can coexist.

On the other hand such scripts usually need to run with root privileges. It seems wrong to allow that for random scripts.

[MauroMombelli]

yes permission should be dropped to user if run from user folder, is a problem of the admin to give right permission to user (i believe some systemd stuff will ask for password if a GUI is running, at least systemctl does)

[angystardust]

Since Fedora33 went GA, we now have systemd-resolved enabled by default so we need to find a proper way to manage this DNS mess in a sane way. Actually, one needs to manually call resolvconf to inject the search-dns and dns-address parameters so imho it's far from being a nice end-user experience.
Maybe the work done in #615 can be a first step to improve this issue, isn't it?

[peterhoeg]

Actually, one needs to manually call resolvconf to inject the search-dns

I presume you meant to say resolvectl instead. As in case somebody else needs this, the exact invocation is: resolvectl dns ppp0 1.2.3.4 resolvectl domain ppp0 example.com

[angystardust]

@peterhoeg on fedora you can also inject them using resolvconf -a ppp0 < ~/you-own-personal-resolv.confso passing the parameters defined in a custom resolv.conf

[DimitriPapadopoulos]

The problem with systemd-resolve is that it can be available but not functional on the majority of systems older than Fedora 33. I still don't know how to distinguish between systems where systemd-resolve is functional and calling it is sufficient, and systems where systemd-resolve is not functional and we have to modify /etc/resolv.conf or talk to NetworkManager. For this very reason it is difficult to work out a global solution that works on all Linux distributions. Hence the idea of moving routing/DNS changes to a shell script called by the openfortivpn C core that could be modified by each distribution maintainer.

As far as I know resolvectl is an alias or the successor of systemd-resolve.

At the same time we need to modify openfortivpn so that NetworkManager can use it more efficiently as a plugin.

[peterhoeg]

Another option is to simply make it configurable and remove the guess-work.

[DimitriPapadopoulos]

@peterhoeg That's an excellent idea.

While that's of course orthogonal to your suggestion, note that there are additional benefits to moving routing/DNS to a shell script outside of the C core:

• openfortivpn will not have to be run as root anymore - except to spawn pppd but then PPP support should probably be reintegrated into openfortivpn,
• IPv6 support would be straightforward.

Do you have suggestions which DNS configurations are required to support all Linux distributions? I have been struggling for years to find a clear explanation of the different DNS configurations. Here my current understanding:

• systemd-resolve enabled
  I understand calling resolvctl (or systemd-resolve on older versions) should be enough. Should openforitvpn talk to NetworkManager in addition to or instead of systemd-resolve, or should it talk only to systemd-resolve?
• NetworkManager available
  Should openfortivpn call nmcli if run from the command line as a standalone program? Or some D-Bus API?
• modify /etc/resolv.conf
  That would fit older Linux distributions.
• no DNS configuration
  Useful when run as a NetworkManager plugin.

[peterhoeg]

"Just" have an option for DNS handling with one of the following: - systemd-resolve (I will suggest doing a dbus call instead of calling a binary, but I obviously don't know how keen you are on adding dependencies) - network-manager (again, dbus would be preferred or nmcli alternatively) - modify resolv.conf - none - custom (pass a binary/script to run on up/down) As for routing, openvpn recently gained support for setting up routing via netlink: https://github.com/OpenVPN/openvpn/blob/release/2.5/Changes.rst That really is a separate issue though, but an approach similar to DNS might be worth considering. And thank you for openfortivpn. It works brilliantly!

[DimitriPapadopoulos]

@peterhoeg Thanks for the list. I think it's OK to have a D-Bus dependency nowadays, isn't it?

I wasn't really aware of Netlink - just had noticed AF_NETLINK. I understand it's an IPC mechanism. Do you suggest we split openfortivpn into multiple processes, one for the tunnel without root privileges and the other for routing/DNS with root privileges? Or would openfortivpn talk to NetworkManager-fortisslvpn or equivalent software using Netlink?

[skoehler]

It's getting more and more complicated:

• Different subsystems co-exist and can be used for name resolution. Of interest are the C library and the Name Service Switch (NSS), and systemd.
• Updating one of the subsystems doesn't necessarily update other subsystems. For example on Fedora 31 updating systemd has no effect on nslookup which is using the C library and NSS. Therefore we might have to update one subsystem and the others, not one subsystem or the other.

I tend to disagree. It is the distro's (or on Arch the user's) responsibility to have a consistent system configuration. For example, when using systemd-resolved, /etc/nsswitch.conf and /etc/resolv.conf should be changed to use systemd-resolved. So updating one system should be enough in most cases.

Also, you haven't mentioned yet that dnsmasq can be used as a local DNS cache. That's also supported by NetworkManager (dns=dnsmasq in NetworkManager.conf). In that case, NetworkManager dynamically updates dnsmasq's configuration.

Please provide some mechanism to pass the DNS information to NetworkManager so that it can pass the information on to whatever is configured in NetworkManager.conf (/etc/resolv.conf, dnsmasq, systemd-resolved, maybe more?). This should cover most desktop users these days, and IMHO has high priority.

Adding a parameter so that a custom script is called instead of /etc/pppd/ip-up and ip-down seems like a good idea. A custom script also covers the case, where multiple systems must be updated. But isn't that what /etc/pppd/ip-up and ip-down are for?

I vaguely recall writing a script that passed DNS information to NetworkManager via dbus. But I fail to remember the details or why I actually needed it. I assume it was for my Gentoo system, which I deleted. I am using Arch now.

[skoehler]

Can't you copy what networkmanager-pptp is doing? That's another PPP-based VPN. I have setup a PPTP server real quick, and Networkmanager is informed about the DNS servers that my server sends. Also, /etc/ppp/ip-up is not called.

https://gitlab.gnome.org/GNOME/NetworkManager-pptp/-/blob/master/src/nm-pptp-pppd-plugin.c#L209
Does this have something to do with passing the DNS information to NetworkManager?

[DimitriPapadopoulos]

Pull requests are welcome.

[DimitriPapadopoulos]

In the very short term, we need to re-enable resolvctl support on Fedora >= 33, because systemd-resolved is enabled the resolvctl from systemd works well with it:
https://bugzilla.redhat.com/show_bug.cgi?id=1777935

Also read this document:
https://github.com/systemd/systemd/blob/main/docs/RESOLVED-VPNS.md

[mhagnumdw]

Is there any workaround for Fedora 36?

[peterhoeg]

My workaround is a manual_dns script that I run after connecting, which takes one argument which is the configuration to apply. It's not great, but at least it works for now.

[mhagnumdw]

Tks @peterhoeg ! It's like I've been doing.

For those using Fedora 36 and close, this should work:

# start vpn
sudo openfortivpn vpn.mydomain.com:443 --username=MY_USER --set-dns=0 -v

# get VPN network interface name
resolvectl dns
# or
ip -br -c a

# manually add dns in interface
sudo resolvectl dns ppp0 10.41.1.1 10.41.1.2

# manually add search domain
sudo resolvectl domain ppp0 mydomain.com

Now the name resolution should work.

ps: for those who have NetworkManager-fortisslvpn and NetworkManager-fortisslvpn-gnome, you can connect to VPN through the Gnome interface and use the resolvectl steps above.

[Hount]

Fedora 36 and issues with this.
This is somewhat frustrating that updating something, maybe Networkmanager, could have been resolvectl or who know's what. But now my openfortivpn stopped updating the OS's DNS's.
When connected to VPN resolv.conf get's three new lines at the beginning
/etc/resolv.conf

nameserver y.y.y.y #new line added when connected to vpn
search company.tld #new line added when connected to vpn
# This is /run/systemd/resolve/stub-resolv.conf managed by man:systemd-resolved(8).
# Do not edit.
# rest of the jargon
nameserver a.a.a.a #my location's dns server most likely populated dynamically by Networkmanager?
search my-home.tld #my location's domain most likely populated dynamically by Networkmanager?

And the new lines added to resolv.conf are not picked up by OS.

[peterhoeg]

If you’re using resolved, I will strongly recommend running `openfortivpn' with `--set-dns=0' and then manually call `resolvectl' in order to set search domain and dns servers on the given connection.

[Hount]

I believe I'm using resolved? I use whatever ships with the distro and try not to do anything custom. :)
i.e. joined wlan with Networkmanager from Gnome. That populates dns's what it receives from the dhcp of the network. And resolvectl reports them correctly.

But out of the blue openfortivpn stopped working - well stopped giving the correct DNS's to the system.

Without vpn
resolvectl dns

Link 2 (enp2s0f0):
Link 3 (enp5s0):
Link 4 (wlp3s0): 8.8.4.4 8.8.8.8
Link 7 (ip_vti0):

With openfortivpn connected with set-dns = 0

Link 2 (enp2s0f0):
Link 3 (enp5s0):
Link 4 (wlp3s0): 8.8.4.4 8.8.8.8
Link 7 (ip_vti0):
Link 30 (ppp0):

With openfortivpn connected with set-dns = 0 and pppd-use-peerdns = 1

Global:
Link 2 (enp2s0f0):
Link 3 (enp5s0):
Link 4 (wlp3s0): 8.8.4.4 8.8.8.8
Link 7 (ip_vti0):
Link 33 (ppp0):

With ipsec connected

Link 2 (enp2s0f0):
Link 3 (enp5s0):
Link 4 (wlp3s0): 
Link 7 (ip_vti0):
Link 31 (ppp0): 10.77.88.99

[peterhoeg]

With `set-dns = 0', you need to manually assign the search domains and dns servers on the link. So something like this: ┌──── │ sudo resolvectl dns ppp0 1.2.3.4 │ sudo resolvectl domain ppp0 some.domain.tld └──── Obviously only until `openfortivpn' gets native support.

[DimitriPapadopoulos]

Perhaps #1092 (previously #615) can help with systems based on systemd-resolved. I haven't tested yet, but you can start testing the systemd-resolved branch.

[DimitriPapadopoulos]

I tend to disagree. It is the distro's (or on Arch the user's) responsibility to have a consistent system configuration. For example, when using systemd-resolved, /etc/nsswitch.conf and /etc/resolv.conf should be changed to use systemd-resolved. So updating one system should be enough in most cases.

@skoehler I am not claiming we need to take care of all subsystems on a given machine. But we do need to support all kinds of subsystems to support different machines: those based on /etc/resolv.conf, those based on systemd-resolved, etc.

As I said, pull requests are welcome. Maintainers usually do not lack good ideas, but time to implement them. You could start by looking into #1092 (previously #615), testing and improving.

[Hount]

With set-dns = 0', you need to manually assign the search domains and dns servers on the link. So something like this: ┌──── │ sudo resolvectl dns ppp0 1.2.3.4 │ sudo resolvectl domain ppp0 some.domain.tld └──── Obviously only until openfortivpn' gets native support.

I'm not sure what have happened. But everything worked perfectly some time ago. Actually it have worked perfectly for the last 7 months (atleast, that's how long I've had this workstation and OS install)
Now it just stopped automatically setting the DNS records.

So I have to disagree. One does not have to manually set the dns records. Or atleast should not have to. Now I must, but previously I did not have to.

The set-dns=0 was my testing as I felt that setting the resolv.conf -file may not be the wanted behaviour. I also tested all combinations of set-dns & pppd-use-peerdns with no luck.

[DimitriPapadopoulos]

@Hount By modifying /etc/resolv.conf, openfortivpn is not doing the right thing on systems based on systemd-resoved. While modifying /etc/resolv.conf might have worked (more or less) for such systems, the approach is fragile. More robust approaches include:

• setting DNS parameters manually outside openfortivpn,
• trying patch Add support for systemd-resolved #1092 (previously Add support for systemd-resolved #615).

[DimitriPapadopoulos]

We should probably let vpnc-scripts handle routing and DNS, see #678.

[jacobgarbercalian]

I've had success on Ubuntu using a pppd ip-up script to configure the DNS automatically (see man 8 pppd). Copy the following script to /etc/ppp/ip-up.d/vpn-dns and make it executable:

#!/usr/bin/bash -eu

resolvectl default-route "$IFNAME" false
resolvectl domain "$IFNAME" '~your.company.com'
resolvectl dns "$IFNAME" "$DNS1" "$DNS2"

And then when connecting use openfortivpn --set-dns=0 --pppd-use-peerdns=1 etc. (this will disable modifying /etc/resolv.conf but still get pppd to ask for the DNS servers).