| Has nothing to do with VPN or OpenVPN (almost). “You can’t trust” “Linux” in this case. Its network stack is still not mouse-friendly in general and requires some thought. Quoting key points from TFA: - (DNS leak happens) - The DNS changes are not automatically applied by the OpenVPN client on Linux. - You need to configure up and down scripts for managing the DNS updates. - The recommended script is update-resolv-conf, which modifies DNS settings when the VPN connects and restores them upon disconnection. - That script consists of a bunch of arcane bash commands that I don't understand. Iow, OpenVPN decided to not mess with system scripting. For Linux, the OpenVPN client can receive DNS host information from the server, but the client expects an external command to act on this information. No such commands are configured by default. They must be specified with the up and down options. There are a few alternatives for what scripts to use, but none are officially recognised by OpenVPN, so in order for any of them to work, script-security must be set to 2. The down-root plugin can be used instead of the down option if running as an unprivileged user. Otoh, it could at least signal that somehow in the ui/cli. Does it not? I’m pretty sure there’s no dns leaks on my kubuntu boxes with ovpn profiles, but can’t test right now. If so, it’s probably an even narrower Arch + network manager problem. |
They have two options: a) use the mouse-friendly way in NetworkManager to configure their VPN client (yes, it handles VPN DNS too; if you have systemd-resolved, it can also do split-horizon DNS over specific links) or b) funble around with tools and scripts they have no idea how they work, complain how complicated it is, and either get lucky so it works somehow or break their system entirely.
With a current desktop linux system, they should take the option a). They can use command line if they insist, nmcli is also here.