Bug 1281332

Summary: /etc/resolv.conf does not get the information about VPN gateway nameservers.
Product: [Fedora] Fedora
Reporter: Thomas Antepoth <ta-rhbugs>
Component: strongswan
Assignee: Pavel Šimerda (pavlix) <psimerda>
Status: CLOSED UPSTREAM
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 22
CC: avagarwa, jan.doumont, psimerda, ta-rhbugs
Doc Type: Bug Fix
Last Closed: 2016-07-13 14:21:57 UTC
Type: Bug

Description Thomas Antepoth 2015-11-12 10:28:31 UTC
Description of problem:

After a successful connection the nameservers provided by the VPN gateway are ending up in /etc/strongswan/resolv.conf instead of /etc/resolv.conf. In this way the nameserver information of the VPN gateway gets lost.


Version-Release number of selected component (if applicable):

5.3.2


How reproducible:

Steps to Reproduce:
1. cat /etc/resolv.conf 
2. Create a connection to a VPN gateway which provides some nameserver information for the connection.
3. cat /etc/resolv.conf 
4. cat /etc/strongswan/resolv.conf 


Actual results:

In step 1.) the resolv.conf file contains the initial nameservers for a network connection. The resolv.conf in step 3.) is the same as in step 1.).
The nameservers obtained from the VPN gateway are visible in step 4.)


Expected results:

The nameservers in /etc/strongswan/resolv.conf should prepend the nameservers in step 1.)


Additional info:

This was already reported by Robert Dyck to the upstream.

https://wiki.strongswan.org/issues/1147

There is also a discussion about the bugfix there.


I chose to edit the /etc/strongswan/strongswan.d/charon/resolv.conf file and erased the comment from the "file = ..." option as shown below.

===
resolve {

    # File where to add DNS server entries.
    file = /etc/resolv.conf

    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes

    resolvconf {

        # Prefix used for interface names sent to resolvconf(8).
        # iface_prefix = lo.inet.ipsec.

    }

}
===

Comment 1 Jan Doumont 2016-01-24 03:12:50 UTC
I noted the same in Fedora 23.

Comment 2 Pavel Šimerda (pavlix) 2016-07-13 14:21:57 UTC
1) The recommended way to use VPN on Fedora is via NetworkManager. I'm not currently using it myself but strongswan is supported via the strongswan-charon-nm package.

2) /etc/strongswan/resolv.conf should work well for you. You can always replace /etc/resolv.conf with a symlink to that file just as other tools do.

3) I see you are already discussing it with upstream which is IMO the best place to come up with a solution.

I'm closing for now as this will be best figured out upstream anyway. You are free to remind me to update when an upstream update is released. Please reopen or start a new bug if you find any Fedora-specific issue to be fixed.
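
The check from the Steps to Reproduce in the description, as an added shell example that is not part of the original report or of strongSwan: it compares the nameserver entries of the two files named in the report and prints whether the VPN-supplied servers are missing from the system file, present but not first, or listed first. The function names and status words are made up for this example; the default paths are the ones from the report.

```shell
#!/bin/sh
# Added example (not from the bug report): compare VPN-pushed nameservers
# with the system resolver configuration.

# Print each distinct nameserver address of a resolv.conf-style file, in order.
# Trailing comments on a line are ignored; an unreadable file yields nothing.
nameservers() {
    [ -r "$1" ] || return 0
    awk '$1 == "nameserver" && $2 != "" && !seen[$2]++ { print $2 }' "$1"
}

# check_vpn_dns VPN_FILE SYSTEM_FILE  -> prints one status word:
#   no-vpn-dns  VPN file lists no nameservers (no tunnel up, or none pushed)
#   missing     a VPN nameserver is absent from the system file
#               (the "Actual results" of the report)
#   not-first   all are present, but another nameserver is listed before them
#   ok          the VPN nameservers come first (the "Expected results")
check_vpn_dns() {
    vpn_ns=$(nameservers "$1")
    sys_ns=$(nameservers "$2")
    [ -n "$vpn_ns" ] || { echo no-vpn-dns; return 0; }

    # Every VPN nameserver must appear somewhere in the system file.
    while read -r ns; do
        printf '%s\n' "$sys_ns" | grep -qxF -e "$ns" || { echo missing; return 0; }
    done <<EOF
$vpn_ns
EOF

    # The first N system entries (N = number of VPN servers) must all be VPN servers.
    count=$(($(printf '%s\n' "$vpn_ns" | wc -l)))
    while read -r ns; do
        printf '%s\n' "$vpn_ns" | grep -qxF -e "$ns" || { echo not-first; return 0; }
    done <<EOF
$(printf '%s\n' "$sys_ns" | head -n "$count")
EOF
    echo ok
}

# Default to the two files from the report; pass other paths to override.
check_vpn_dns "${1:-/etc/strongswan/resolv.conf}" "${2:-/etc/resolv.conf}"
```

If /etc/resolv.conf is a symlink to /etc/strongswan/resolv.conf, as suggested in comment 2, both arguments resolve to the same content and the result is `ok` whenever the VPN has supplied nameservers.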