The OpenVPN client in Gnome does not work.  The only way I have found is starting the connection from the CLI; however, although the connection succeeds, the DNS configuration is not updated as it should be.  In this article I will show how I solved it.

In the latest Fedora and Ubuntu releases, configuring OpenVPN through the Gnome Network Manager simply does not work.  I have tried importing the configuration from the .ovpn file and changing every parameter I can think of, without success.  The problem seems to be the TLS negotiation, but I could not make it work.

Running the openvpn command from the command line as root works: it establishes the connection, but unfortunately DNS resolution is broken.  The remote DNS server(s) are not injected into the local configuration.  This is because the latest distros use a local caching DNS server (systemd-resolved) for resolution, so /etc/resolv.conf is not used anymore.

Here is how I solved this issue.

I created a folder called openvpn in my home directory, so all my config files are under /home/user/openvpn.

These are the files inside my folder:

user@host:~/openvpn$ ls -la
total 40
drwxrwxr-x  2 user user  4096 Jul  8 14:52 .
drwxr-x--- 31 user user  4096 Jul  5 13:36 ..
-rw-rw-r--  1 user user 14783 Jul  8 14:52 openvpn.ovpn
-rw-r--r--  1 user user    23 Jul  2 20:03 openvpn-user.txt
-rwxrwxr-x  1 user user   160 Jul  5 13:33 start-vpn.sh
-rwxrwxr-x  1 user user   108 Jul  5 13:40 stop-vpn.sh
-rwxr-xr-x  1 user user  1707 Jul  3 19:28 update-resolv.sh

The first thing to do is add some lines at the end of the .ovpn file telling openvpn to run a script; this script updates Network Manager with the correct DNS entries.  The openvpn.ovpn file should look like this:

dev tun
persist-tun
persist-key
data-ciphers AES-256-OFB:AES-192-CBC:AES-128-CBC:AES-128-CFB:AES-128-CFB8:AES-256-GCM
data-ciphers-fallback AES-256-GCM
auth SHA256
tls-client
client
resolv-retry infinite
remote 190.88.53.98 1194 udp4
verify-x509-name "VPN Certificate" name
auth-user-pass
remote-cert-tls server
passtos
explicit-exit-notify

<ca>
-----BEGIN CERTIFICATE-----
Df5Lwx8jYMtEH.
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
MEvlA82l1zg3CPL..
-----END PRIVATE KEY-----
</key>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
b819c75e9...
-----END OpenVPN Static key V1-----
</tls-auth>

script-security 2
up /home/user/openvpn/update-resolv.sh
down /home/user/openvpn/update-resolv.sh

The new lines are the last three.  Let's look at the content of update-resolv.sh:

#!/usr/bin/env bash
#
# Parses the DHCP options pushed by the OpenVPN server and hands the DNS
# settings to NetworkManager (nmcli) for the tun device.
# To use, set as 'up' and 'down' script in your openvpn *.conf:
# up /home/user/openvpn/update-resolv.sh
# down /home/user/openvpn/update-resolv.sh
#
# Example envs set from openvpn:
# foreign_option_1='dhcp-option DNS 193.43.27.132'
# foreign_option_2='dhcp-option DNS 193.43.27.133'
# foreign_option_3='dhcp-option DOMAIN be.bnc.ch'
# foreign_option_4='dhcp-option DOMAIN-SEARCH bnc.local'
#
# OpenVPN also exports $script_type ('up' or 'down') and $dev (e.g. tun0).

case $script_type in

up)
    # Walk every foreign_option_N variable (indirect expansion of the names).
    for optionname in ${!foreign_option_*} ; do
        option="${!optionname}"
        echo "$option"
        part1=$(echo "$option" | cut -d " " -f 1)
        if [ "$part1" == "dhcp-option" ] ; then
            part2=$(echo "$option" | cut -d " " -f 2)
            part3=$(echo "$option" | cut -d " " -f 3)
            if [ "$part2" == "DNS" ] ; then
                IF_DNS_NAMESERVERS="$IF_DNS_NAMESERVERS $part3"
            fi
            if [[ "$part2" == "DOMAIN" || "$part2" == "DOMAIN-SEARCH" ]] ; then
                IF_DNS_SEARCH="$IF_DNS_SEARCH $part3"
            fi
        fi
    done
    # NetworkManager creates a connection named after the tun device; update it.
    if [ -n "$IF_DNS_SEARCH" ]; then
        nmcli connection modify "${dev}" ipv4.dns-search "$IF_DNS_SEARCH"
    fi
    if [ -n "$IF_DNS_NAMESERVERS" ]; then
        nmcli connection modify "${dev}" ipv4.dns "$IF_DNS_NAMESERVERS"
    fi
    nmcli connection up "${dev}" # Force NM to reevaluate the properties
    ;;
down)
    nmcli connection delete "${dev}"
    ;;
esac

# Workaround: force exit with no errors. Due to an apparent conflict with
# Network Manager, the DNS update sometimes exits with error code 6 even
# though it has performed the action correctly, and OpenVPN would then shut down.
exit 0
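The following dry-run parser is an added example, not the article's script: it reads the same foreign_option_N variables OpenVPN exports to an up script and prints the nmcli commands instead of running them, so the parsed DNS settings can be checked before a live connection is modified. The sample environment is constructed, and the ipv4.dns-priority setting is an addition of this example (it needs NetworkManager 1.4 or later).

```shell
#!/bin/sh
# Added example (not the article's script): a dry-run version of the DNS part of
# update-resolv.sh. It reads the same foreign_option_N variables OpenVPN exports
# to an up script but prints the nmcli commands instead of running them, so the
# parsed result can be checked before a live connection is modified.
# Assumes POSIX sh; ipv4.dns-priority needs NetworkManager >= 1.4.
set -f   # no pathname expansion while word-splitting option values

# Print the third field of every "dhcp-option <KIND> <value>" whose KIND is in
# the space-separated list $1, in the order OpenVPN numbered the variables.
vpn_dhcp_values() {
    kinds="$1"
    i=1
    out=""
    while :; do
        # OpenVPN numbers the variables consecutively from 1; stop at the gap.
        eval "opt=\${foreign_option_$i-}"   # only an integer is interpolated
        [ -n "$opt" ] || break
        i=$((i + 1))
        set -- $opt                          # e.g. dhcp-option DNS 10.8.0.1
        [ "$1" = "dhcp-option" ] || continue
        case " $kinds " in
            *" $2 "*) out="${out:+$out }$3" ;;
        esac
    done
    printf '%s' "$out"
}

# Compose the nmcli commands for device $1 (e.g. tun0). dns-priority -1 makes
# the VPN resolver exclusive under systemd-resolved, so queries outside the
# search domains are not sent to the LAN resolver as well.
vpn_nmcli_plan() {
    servers=$(vpn_dhcp_values "DNS DNS6")
    search=$(vpn_dhcp_values "DOMAIN DOMAIN-SEARCH")
    [ -n "$servers" ] && printf 'nmcli connection modify %s ipv4.dns "%s" ipv4.dns-priority -1\n' "$1" "$servers"
    [ -n "$search" ] && printf 'nmcli connection modify %s ipv4.dns-search "%s"\n' "$1" "$search"
    return 0
}

# Constructed sample environment (RFC 1918 addresses, not real servers).
foreign_option_1='dhcp-option DNS 10.8.0.1'
foreign_option_2='dhcp-option DOMAIN example.internal'
foreign_option_3='dhcp-option DNS 10.8.0.2'
foreign_option_4='dhcp-option DOMAIN-SEARCH corp.example'
foreign_option_5='dhcp-option NTP 10.8.0.3'   # not a DNS option: ignored

vpn_nmcli_plan tun0
```

Run it from a shell where OpenVPN's variables are exported (or with the constructed ones above) and compare the printed commands with what the real up script would apply.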