
Domain based routing not working

Open HarryVolek opened this issue 1 year ago • 4 comments

My organization switched to domain-based routing, where the VPN is split-tunnel and routes traffic through the VPN only for specific domains.

This appears not to work well with Linux; basically it does not work at all, with traffic going around the VPN, including for the specific domains.

I am on Ubuntu 20.04, using openvpn3 version 20.

HarryVolek avatar Jun 06 '23 16:06 HarryVolek

Can you please provide the output of:

  • $ openvpn3 config-manage --show --config CONFIG_NAME (only works if you used openvpn3 config-import for your VPN profile)
  • # openvpn3-admin version --services
  • # cat /etc/resolv.conf
  • # openvpn3-admin init-config (this does not change anything; it's a dryrun)
  • # openvpn3-admin netcfg-service --config-show

dsommers avatar Jun 07 '23 08:06 dsommers

openvpn3 config-manage --show --config CONFIG_NAME - did not use config import

openvpn3-admin version --services

OpenVPN 3 D-Bus services:

  - Client backend starter service
     openvpn3-service-backendstart: v20

  - Configuration Service
     openvpn3-service-configmgr:    v20

  - Log Service
     openvpn3-service-logger:       v20

  - Network Configuration Service
     openvpn3-service-netcfg:       v20

  - Session Manager Service
     openvpn3-service-sessionmgr:   v20

cat /etc/resolv.conf

# This file is managed by man:systemd-resolved(8). Do not edit.
#
# This is a dynamic resolv.conf file for connecting local clients to the
# internal DNS stub resolver of systemd-resolved. This file lists all
# configured search domains.
#
# Run "resolvectl status" to see details about the uplink DNS servers
# currently in use.
#
# Third party programs must not access this file directly, but only through the
# symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,
# replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.

nameserver 127.0.0.53
options edns0 trust-ad
search hsd1.pa.comcast.net

openvpn3-admin init-config

- Detected settings will be saved to disk? No

* Checking for OpenVPN user and group accounts
    Found:  openvpn user - uid 127
    Found:  openvpn group - gid 134

* Checking OpenVPN 3 Linux state/configuration directory
    Using directory: /var/lib/openvpn3
    Directory found

* Logger Configuration
    Configuration file: /var/lib/openvpn3/log-service.json
    systemd-journald active state: active
    :: Result ::  Will use systemd journald for logging
    !! Configuration UNCHANGED

* Network Configuration
    Configuration file: /var/lib/openvpn3/netcfg.json
    Found systemd-resolved
    Found accessible /etc/resolv.conf
    :: Result :: Will use systemd-resolved
    !! Configuration UNCHANGED

* Ensuring SELinux file labels are correct
    - Could not retrieve SELinux status; skipping

openvpn3-admin netcfg-service --config-show

Loading configuration file: /var/lib/openvpn3/netcfg.json
Configuration file error in /var/lib/openvpn3/netcfg.json: Could not open file

HarryVolek avatar Jun 07 '23 14:06 HarryVolek

Okay, so initially this looks as expected. Good to have that ruled out.

Can you try to manually set the default-route for the interface you want your DNS queries to go through? I believe this is the proper syntax for Ubuntu 20.04:

 # resolvectl default-route INTERFACE yes

You might also need to change the yes to no on those devices you do not want the DNS queries to go via.

The upcoming v21 release will set some of these values explicitly, where the systemd-resolved service supports this. But more testing is needed to see if this is enough. I will try to prepare some side-channel test releases if you're willing to test that.

dsommers avatar Jun 07 '23 17:06 dsommers
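To see why a `DefaultRoute setting: no` link with no routing domains never receives queries, it helps to read `resolvectl status` the way systemd-resolved does: a lookup goes to the link whose DNS domain is the longest suffix match, and only falls back to links marked as default route. The script below is an added example, not part of the openvpn3-linux project or this thread; it parses a constructed `resolvectl status` sample (interface names `tun0`/`wlan0`, the addresses and the `corp.example` domain are all made up) and reports which link would answer a given name, plus any link resolved will never consult.

```shell
#!/bin/sh
# Constructed sample in the shape of `resolvectl status` on systemd 245 (Ubuntu 20.04).
# Interfaces, servers and domains are invented for this example.
SAMPLE_STATUS='Global
       LLMNR setting: no
MulticastDNS setting: no

Link 3 (tun0)
      Current Scopes: DNS
DefaultRoute setting: no
  Current DNS Server: 10.8.0.1
         DNS Servers: 10.8.0.1
          DNS Domain: ~corp.example

Link 2 (wlan0)
      Current Scopes: DNS
DefaultRoute setting: yes
  Current DNS Server: 192.168.1.1
         DNS Servers: 192.168.1.1
          DNS Domain: hsd1.pa.comcast.net'

# Reduce the status text on stdin to one line per link:
#   <iface> <default-route yes|no> <routing/search domains, or "-" if none>
summarize_links() {
  awk '
    function flush() {
      if (iface != "") printf "%s %s %s\n", iface, dr, (domains == "" ? "-" : domains)
    }
    /^Link [0-9]+ \(/ {
      flush()
      match($0, /\(.*\)/)
      iface = substr($0, RSTART + 1, RLENGTH - 2)
      dr = "no"; domains = ""
    }
    /DefaultRoute setting:/ { dr = $NF }
    /DNS Domain:/ {
      sub(/.*DNS Domain: */, "")
      domains = (domains == "" ? $0 : domains " " $0)
    }
    END { flush() }
  '
}

# Given the summary on stdin, print the link resolved would use for name $1:
# longest matching routing domain wins; otherwise the DefaultRoute=yes link(s).
pick_link() {
  awk -v name="$1" '
    {
      iface = $1; dr = $2
      for (i = 3; i <= NF; i++) {
        d = $i
        if (d == "-") continue
        sub(/^~/, "", d)   # "~" marks a routing-only domain (not used for search)
        if (name == d || substr(name, length(name) - length(d)) == "." d) {
          if (length(d) > best_len) { best_len = length(d); best = iface }
        }
      }
      if (dr == "yes") defaults = (defaults == "" ? iface : defaults " " iface)
    }
    END { print (best != "" ? best : (defaults != "" ? defaults : "none")) }
  '
}

# Links that are neither default route nor carry any domain: resolved never
# sends a query there, which is the symptom of a split-DNS VPN not being used.
unreachable_links() {
  awk '$2 == "no" && $3 == "-" { print $1 }'
}

# Demo on the constructed sample. On a live host, pipe `resolvectl status` instead.
printf '%s\n' "$SAMPLE_STATUS" | summarize_links
printf '%s\n' "$SAMPLE_STATUS" | summarize_links | pick_link intranet.corp.example
printf '%s\n' "$SAMPLE_STATUS" | summarize_links | unreachable_links
```

In the sample, `intranet.corp.example` is routed to `tun0` because of the `~corp.example` routing domain even though `tun0` is not the default route, while any other name goes to `wlan0`. If the VPN link showed up with `DefaultRoute setting: no` and no `DNS Domain` line, `unreachable_links` would list it, which is exactly the case where `resolvectl default-route INTERFACE yes` (or pushing a domain for the link) changes behaviour.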

Same situation here, but with Ubuntu 22.02. In the Windows operating system it works correctly with the "allow-pull-fqdn" option in the client configuration file. All the pushed routes with the domain in the server conf are resolved on the client, but in Linux it doesn't work.

cesarmagazord avatar Oct 05 '23 16:10 cesarmagazord