postergus

DNS errors & making Bluetit and Ubuntu NetworkManager play nice with network lock

Hi there,

Long-time hassle-free AirVPN user with a first troubleshooting request after switching from Eddie-UI to the Bluetit stack (love your work!).

Looks as though the two processes are fighting for `/etc/resolv.conf` and causing issues with DNS. NetworkManager will rewrite the file on a Wi-Fi network change, causing loss of connectivity as local DNS is disallowed by the network lock. Can be worked around by stopping the Bluetit service, toggling Wi-Fi, then re-enabling; but this is tedious to repeat if the network is at marginal signal strength.

Is there a way to configure NetworkManager not to mess with DNS? I think that would largely resolve the issue.
But, in an ideal world I would be able to have NetworkManager still manage the DNS if Bluetit is not active so that I can still operate normally on local networks without routing through AirVPN if I choose to. Seems unlikely to be simple, but worth asking.

Given that I am getting two warnings about DNS, I wonder if `systemd-resolved` could also be interfering and if there are other configuration steps I can take to ensure compatibility with it:

```
bluetit: WARNING: NetworkManager is running on this system and may interfere with DNS management and cause DNS leaks
bluetit: WARNING: systemd-resolved is running on this system and may interfere with DNS management and cause DNS leaks
```

I also wonder whether use of Goldcrest could avoid some of these problems. Personally I have not understood the need for the utility and have been interacting with Bluetit directly via systemctl and `/etc/airvpn/bluetit.rc`. As far as I can tell, Goldcrest just moves configuration stuff out of the `.rc` file into CLI args?

@postergus

Hello!

Thank you for your great feedback!

Goldcrest offers the option to drive Bluetit with a fine-grained access control (typically to any user in the group airvpn), instead of having to gain root privileges. It's a paramount security enhancement which is not underestimated by any serious UNIX administrator.

About the competition for DNS settings between Bluetit, systemd-resolved and Network Manager, there is no easy solution to implement in Bluetit, as each of the hundreds of Linux distributions may work differently. Furthermore, it would probably be dangerous (if possible at all) for Bluetit to try to block DNS operations by root processes or other daemons.

Just to say, systemd-resolved alone has several working modes: modes which bypass resolv.conf file and modes which don't. It's plausible that the best course of action is that each system administrator, according to her or his needs as well as system status, performs a fine-tuning.

Kind regards
 


Hrmm, are there any best practices that folks familiar with these tools can recommend? I'm actually finding Bluetit somewhat unworkable in this mode with the Wi-Fi connection I'm on, have reverted to the old Eddie UI for now.

11 hours ago, postergus said:

> Is there a way to configure NetworkManager not to mess with DNS?


Easiest way without breaking core network manager functionality is to work with its profiles. Create a dedicated profile with the DNS set to the servers in the specs. Switch manually between them before connection and after disconnection from AirVPN. NetworkManager will manage resolv.conf, and you can give Hummingbird/Goldcrest the -i switch.

If you're prepared to deal with divergent behavior, in /etc/NetworkManager/NetworkManager.conf, there in the [main] section, add the line:

```
dns=none
```

Restart NetworkManager.service. Then handle DNS by /etc/resolv.conf exclusively, manually. Unless systemd-resolved is also active, then simply stop and disable its service.

```
# systemctl stop systemd-resolved.service && systemctl disable systemd-resolved.service
```
 

» I am not an AirVPN team member. All opinions are my own and are not official. Refer to Staff postings for the official word.
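
A read-only check related to the replies above, added here as an example and not taken from the thread or from AirVPN's software: it reports NetworkManager's `dns=` setting in `[main]` and which component appears to have written `/etc/resolv.conf`. The function names and the `--report` argument are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not AirVPN code): report what is likely to rewrite resolv.conf.

# Print the dns= value from the [main] section of a NetworkManager.conf,
# or "default" when the key (or the file) is absent.
nm_dns_mode() {
  [ -r "$1" ] || { echo default; return 0; }
  awk '
    /^[ \t]*\[/ { in_main = ($0 ~ /^[ \t]*\[main\][ \t]*$/); next }
    in_main && /^[ \t]*dns[ \t]*=/ {
      sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); mode = $0
    }
    END { print (mode == "" ? "default" : mode) }
  ' "$1"
}

# Classify a resolv.conf by its symlink target and its content.
resolv_owner() {
  local f=$1 target
  if [ -L "$f" ]; then
    target=$(readlink "$f")
    case $target in
      *systemd/resolve*) echo systemd-resolved; return 0 ;;
    esac
  fi
  if grep -Eq '^nameserver[[:space:]]+127\.0\.0\.53([[:space:]]|$)' "$f" 2>/dev/null; then
    echo systemd-resolved        # 127.0.0.53 is the resolved stub listener
  elif grep -q '^# Generated by NetworkManager' "$f" 2>/dev/null; then
    echo NetworkManager
  else
    echo unmanaged               # no known marker: hand-edited or other tool
  fi
}

report() {
  echo "NetworkManager dns mode: $(nm_dns_mode /etc/NetworkManager/NetworkManager.conf)"
  echo "resolv.conf written by:  $(resolv_owner /etc/resolv.conf)"
  if command -v systemctl >/dev/null 2>&1; then
    echo "systemd-resolved:        $(systemctl is-active systemd-resolved.service)"
  fi
}

# Run the report only when asked, so the functions can be sourced and tested.
if [ "${1:-}" = "--report" ]; then report; fi
```

Running it with `--report` before and after a Wi-Fi network change shows whether `resolv.conf` changed hands while the VPN was up.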