
iwd: Using iwd to connect to a wireless network (Part 2 - DNS managers)


Stella Ashburne
Sep 29, 2021, 9:50:05 AM
I refer to the sub-section "Select DNS manager" (https://wiki.archlinux.org/title/Iwd), in which the statement reads as follows:

At the moment, iwd supports two DNS managers - systemd-resolved and resolvconf

Question: Which of the above two manages my DNS queries in a default Debian with lxqt-core and lightdm?

In /etc/network/interfaces, my dns-servers are 8.8.8.8 1.1.1.1

[How do I manage to add only these two IP addresses? During installation of Debian 11, I unplugged the LAN cable from my machine. I installed the OS without any internet connection and thus avoided auto configuration of the network.]

I also installed the package resolvconf because I need to use it with openvpn.

David Wright
Sep 30, 2021, 1:40:04 AM
My usual strategy is to let the Debian installer set the dns server to
IP address of the router, and configure the router to query 8.8.8.8/1.1.1.1.
It's not ideal if you have a router that doesn't "belong" to you,
ie that you can't configure yourself.

Resolvconf squirrels that original address away in
/etc/resolvconf/resolv.conf.d/original so that it can revert to it
after you have left other networks/VPNs etc. So I guess that, at
worst, you can just write in whatever you want into that file.
Check it is still there after the next boot, and also check
/etc/resolv.conf (which is a symlink) to make sure that it used it ok.

Cheers,
David.

Greg Wooledge
Sep 30, 2021, 7:30:05 AM
On Thu, Sep 30, 2021 at 12:38:29AM -0500, David Wright wrote:
> My usual strategy is to let the Debian installer set the dns server to
> IP address of the router, and configure the router to query 8.8.8.8/1.1.1.1.
> It's not ideal if you have a router that doesn't "belong" to you,
> ie that you can't configure yourself.
>
> Resolvconf squirrels that original address away in
> /etc/resolvconf/resolv.conf.d/original so that it can revert to it
> after you have left other networks/VPNs etc. So I guess that, at
> worst, you can just write in whatever you want into that file.
> Check it is still there after the next boot, and also check
> /etc/resolv.conf (which is a symlink) to make sure that it used it ok.

/etc/resolv.conf *can* be a symlink, or not. Depends on what you've
installed.

https://wiki.debian.org/resolv.conf

This page doesn't talk about iwd... partly because I'd never heard of it
at the time I wrote most of the content on that page. I've certainly
never used it, and I don't know how it works, how resolvconf interacts
with it, etc.

It also doesn't talk about systemd-networkd, or network-manager. If
some people out there know how those things work (in *detail*) and
are able to contribute to the wiki page, that would be great.

Anssi Saari
Sep 30, 2021, 8:20:04 AM
Stella Ashburne <rew...@gmx.com> writes:

> I also installed the package resolvconf because I need to use it with openvpn.

If you mean you want to use the old script update-resolv-conf with
openvpn, I never got that to do the right thing with any
reliability. With systemd-resolved you can use update-systemd-resolved
which actually seems to work.

Reco
Sep 30, 2021, 8:30:05 AM
On Thu, Sep 30, 2021 at 03:15:09PM +0300, Anssi Saari wrote:
> Stella Ashburne <rew...@gmx.com> writes:
>
> > I also installed the package resolvconf because I need to use it with openvpn.
>
> If you mean you want to use the old script update-resolv-conf with
> openvpn, I never got that to do the right thing with any
> reliability.

Works for me since Debian squeeze. The script in question does not do
anything more fancy than calling "resolvconf -a" and "resolvconf -d"
anyway.

Of course, if you intend to use openvpn-provided DNS list only, things
will be more complicated.

Reco

Stella Ashburne
Sep 30, 2021, 9:20:05 AM
Hi David

Happy to hear from you again.

> Sent: Thursday, September 30, 2021 at 1:38 PM
> From: "David Wright" <deb...@lionunicorn.co.uk>
> To: debia...@lists.debian.org
> Subject: Re: iwd: Using iwd to connect to a wireless network (Part 2 - DNS managers)
>
>
> My usual strategy is to let the Debian installer set the dns server to
> IP address of the router, and configure the router to query 8.8.8.8/1.1.1.1.
> It's not ideal if you have a router that doesn't "belong" to you,
> ie that you can't configure yourself.
>
In the past I used to let the Debian installer set the DNS resolver for me. But you know what? When I did that, I found out that Debian added 192.163.1.1 as one of the DNS resolvers. This was and is a No!No! for me because of possible DNS leaks when I used a commercial VPN provider.

Nowadays before I launch the Debian installer in commandline (Expert mode), I'll plug the LAN cable out from the RJ45 port and when the installer asks if I wish to have auto networking configuration enabled, I just click No. Thereafter I enter the IP addresses of my preferred DNS resolvers that are hosted by privacy-conscious folks.

> Resolvconf squirrels that original address away in
> /etc/resolvconf/resolv.conf.d/original so that it can revert to it
> after you have left other networks/VPNs etc. So I guess that, at
> worst, you can just write in whatever you want into that file.
> Check it is still there after the next boot, and also check
> /etc/resolv.conf (which is a symlink) to make sure that it used it ok.
>
Thanks for the reminder and last I checked /etc/resolv.conf is still there.

Stella Ashburne
Sep 30, 2021, 9:50:06 AM
Hi Reco

I'm happy to hear from you again.

> Sent: Thursday, September 30, 2021 at 8:20 PM
> From: "Reco" <recov...@enotuniq.net>
> To: debia...@lists.debian.org
> Subject: Re: iwd: Using iwd to connect to a wireless network (Part 2 - DNS managers)
>
>
> Works for me since Debian squeeze. The script in question does not do
> anything more fancy than calling "resolvconf -a" and "resolvconf -d"
> anyway.
>
It worked and still works for me too, since Debian Wheezy.

> Of course, if you intend to use openvpn-provided DNS list only, things
> will be more complicated.
>
What did you mean by "openvpn-provided DNS list only"? I didn't know that OpenVPN provides a list of DNS resolvers?

Stella Ashburne
Sep 30, 2021, 9:50:06 AM
Hi Greg

> Sent: Thursday, September 30, 2021 at 7:21 PM
> From: "Greg Wooledge" <gr...@wooledge.org>
> To: debia...@lists.debian.org
> Subject: Re: iwd: Using iwd to connect to a wireless network (Part 2 - DNS managers)
>
>
> This page doesn't talk about iwd... partly because I'd never heard of it
> at the time I wrote most of the content on that page.
>
Kudos to you for contributing your time and effort for the benefit of the Debian community.

> It also doesn't talk about systemd-networkd, or network-manager. If
> some people out there know how those things work (in *detail*) and
> are able to contribute to the wiki page, that would be great.
>
Well, if I discover/learn how to make iwd work with systemd-networkd, I shall let you know.

Stella Ashburne
Sep 30, 2021, 9:50:06 AM
Hi Anssi

Thanks for sharing your experience with me.

> Sent: Thursday, September 30, 2021 at 8:15 PM
> From: "Anssi Saari" <a...@sci.fi>
> To: debia...@lists.debian.org
> Subject: Re: iwd: Using iwd to connect to a wireless network (Part 2 - DNS managers)
>
> If you mean you want to use the old script update-resolv-conf with
> openvpn,
>
Yes, I was referring to using the old script update-resolv-conf with OpenVPN.

> I never got that to do the right thing with any
> reliability.
>
Please explain what you meant by your statement.

I've been using update-resolv-conf with OpenVPN without problems for the past four to five years. The dozen or two commercial VPN providers insist that I use update-resolv-conf to prevent DNS and data leaks.

> With systemd-resolved you can use update-systemd-resolved
> which actually seems to work.
>
Would you like to share with me how to invoke/launch systemd-resolved and update-systemd-resolved in combination with OpenVPN please? Do I need to install packages in order to have systemd-resolved and update-systemd-resolved?

Reco
Sep 30, 2021, 10:00:05 AM
Hi.

On Thu, Sep 30, 2021 at 03:41:27PM +0200, Stella Ashburne wrote:
> > Of course, if you intend to use openvpn-provided DNS list only, things
> > will be more complicated.
> >
> What did you mean by "openvpn-provided DNS list only"? I didn't know that OpenVPN provides a list of DNS resolvers?

I did not mean the company behind OpenVPN.
What I meant is a list of DNS servers that can be announced by the openvpn
server one is connecting to, i.e. that particular list that can be
processed on a client by /etc/openvpn/update-resolv-conf.

The limitation of update-resolv-conf in its current (as of bullseye)
form is that it does nothing to the list of the resolvers that are
configured already before the openvpn handshake. Which could lead to DNS
leaks, which are considered a bad thing by some.

Back in the day I solved that problem by using a custom dnsmasq config
and a handful of netfilter rules, these days I just use network namespaces.

Reco
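Reco's point above, that update-resolv-conf leaves the resolvers configured before the handshake untouched, can be checked mechanically after the tunnel comes up. The script below is an added example, not code from this thread or from Debian's update-resolv-conf; it assumes the constructed resolv.conf text and foreign_option_* values embedded inline and reports every nameserver the VPN server did not push:

```shell
#!/bin/sh
# Added example (not from the thread, not Debian's update-resolv-conf):
# list resolvers that remain in resolv.conf although the OpenVPN server
# did not push them, i.e. the pre-handshake resolvers that can still be
# queried after the tunnel is up.
#
# OpenVPN hands pushed "dhcp-option DNS <addr>" lines to its up/down
# script as environment variables foreign_option_1, foreign_option_2, ...
# Both samples below are constructed for this example.

SAMPLE_PUSHED="foreign_option_1='dhcp-option DNS 10.8.0.1'
foreign_option_2='dhcp-option DOMAIN vpn.example'"

# resolv.conf after the tunnel is up: the VPN resolver was prepended, but
# the router handed out by DHCP (192.168.1.1) is still listed.
SAMPLE_RESOLV='# Generated by resolvconf
nameserver 10.8.0.1
nameserver 192.168.1.1
search lan'

# Print the DNS addresses found in foreign_option_* lines read from stdin.
pushed_dns() {
    awk -F"'" '/^foreign_option_[0-9]+=/ {
        n = split($2, f, " ")
        if (n == 3 && f[1] == "dhcp-option" && f[2] == "DNS") print f[3]
    }'
}

# Print the nameserver addresses from resolv.conf text read from stdin.
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }'
}

# check_dns_leak RESOLV_TEXT PUSHED_TEXT
# Prints, space separated, every nameserver in RESOLV_TEXT that the VPN
# did not push, and returns 1 when at least one exists (possible leak).
check_dns_leak() {
    leaked=""
    for ns in $(printf '%s\n' "$1" | resolv_nameservers); do
        if ! printf '%s\n' "$2" | pushed_dns | grep -qxF "$ns"; then
            leaked="$leaked $ns"
        fi
    done
    printf '%s\n' "${leaked# }"
    [ -z "$leaked" ]
}

# Stand-alone run on the constructed samples.  Inside a real up script
# you would pass "$(cat /etc/resolv.conf)" and
# "$(env | grep '^foreign_option_')" instead.
if extra=$(check_dns_leak "$SAMPLE_RESOLV" "$SAMPLE_PUSHED"); then
    echo "only VPN-pushed resolvers are configured"
else
    echo "resolvers not pushed by the VPN (possible leak): $extra"
fi
```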

Stella Ashburne
Sep 30, 2021, 10:10:04 AM
Hi Reco

Thanks for sharing your experience with me.

> Sent: Thursday, September 30, 2021 at 9:52 PM
> From: "Reco" <recov...@enotuniq.net>
> To: debia...@lists.debian.org
> Subject: Re: iwd: Using iwd to connect to a wireless network (Part 2 - DNS managers)
>
>
> The limitation of update-resolv-conf in its current (as of bullseye)
> form is that it does nothing to the list of the resolvers that are
> configured already before the openvpn handshake. Which could lead to DNS
> leaks, which are considered a bad thing by some.
>
I see. Thanks for your explanation.

The following describes what I've been doing when I used the installer since Debian Jessie:

1. Plug the LAN cable out from its RJ45 port
2. Click "No" when asked if I wish to have auto networking configuration enabled
3. Input my IP address, netmask, default gateway and the IP addresses of my preferred DNS resolvers (my preferred DNS resolvers are hosted/managed by privacy-conscious folks all over the world; none of them are from my country, which is part of the Five-Eyes Alliance.)

Based on the above description, do you think that update-resolv-conf in Bullseye will leak the IP addresses of my ISP's DNS resolvers?

> Back in the day I solved that problem by using a custom dnsmasq config
> and a handful of netfilter rules, these days I just use network namespaces.
>
Would you like to show me how to use network namespaces to solve the problems when using update-resolv-conf?

Reco
Sep 30, 2021, 1:40:05 PM
On Thu, Sep 30, 2021 at 04:06:09PM +0200, Stella Ashburne wrote:
> Based on the above description, do you think that update-resolv-conf in Bullseye will leak the IP addresses of my ISP's DNS resolvers?

It's impossible to tell.
DNS is a simple L7 protocol, so DNS queries can be easily routed to any
DNS by whoever controls your network. I know because at my home LAN each
and every device uses *my* DNS regardless of what it wants. I don't need
my DNS queries processed by Google and Cloudflare, and every reasonable
person caring about their actual privacy will want the same.


I had a somewhat different concern - how to prevent public/ISP DNS to
see DNS queries that apply to my employer LAN, and direct those to my
employer's DNSes. And, of course, how to direct DNS queries concerning
Internet resources at the proper place - i.e. public/ISP DNS.

I mean, if your concern is to hide your IP from your ISP - consider
using Tor/I2P instead of some random openvpn server operated by $DEITY
knows who. If you do not trust your ISP whom you're paying - there's
no reason to trust a random VPN provider. And both Tor and I2P are much
easier to set up than any kind of VPN client.
Even better yet - do some research on the FreedomBox project. These guys did
it all for you already.


> > Back in the day I solved that problem by using a custom dnsmasq config
> > and a handful of netfilter rules, these days I just use network namespaces.
> >
> Would you like to show me how to use network namespaces to solve the
> problems when using update-resolv-conf?

The short answer is - it's not possible to do it this way.

The long answer is:
You need a "networkless environment" in any form. LXC container with lo
interface only will do.
You write your own wrapper for iproute, that creates a network interface
(I use macvlan, but YMMV) inside the container once openvpn "connection"
is established, and sets an appropriate IP/route to that interface.
You modify update-resolv-conf (or better yet - write your own) which
runs resolvconf inside the container.

That way you keep your host free from the hassle of modifying
/etc/resolv.conf and IP routing table, and keep whatever openvpn
advertises you inside the container.

It may sound a bit involved, but it's the easiest way for me to deal
with the aforementioned problem.
Before you ask - no, I won't share whatever scripts I wrote for this.
Their contents are private.

Reco

David Wright
Sep 30, 2021, 2:30:05 PM
On Thu 30 Sep 2021 at 07:21:04 (-0400), Greg Wooledge wrote:
> On Thu, Sep 30, 2021 at 12:38:29AM -0500, David Wright wrote:
> > My usual strategy is to let the Debian installer set the dns server to
> > IP address of the router, and configure the router to query 8.8.8.8/1.1.1.1.
> > It's not ideal if you have a router that doesn't "belong" to you,
> > ie that you can't configure yourself.
> >
> > Resolvconf squirrels that original address away in
> > /etc/resolvconf/resolv.conf.d/original so that it can revert to it
> > after you have left other networks/VPNs etc. So I guess that, at
> > worst, you can just write in whatever you want into that file.
> > Check it is still there after the next boot, and also check
> > /etc/resolv.conf (which is a symlink) to make sure that it used it ok.
>
> /etc/resolv.conf *can* be a symlink, or not. Depends on what you've
> installed.
>
> https://wiki.debian.org/resolv.conf

You snipped the last line that I quoted, which said
"I also installed the package resolvconf because I need to
use it with openvpn." Resolvconf is the subject of my paragraph.

> This page doesn't talk about iwd... partly because I'd never heard of it
> at the time I wrote most of the content on that page. I've certainly
> never used it, and I don't know how it works, how resolvconf interacts
> with it, etc.

Nor I, but I certainly intend to try it out, and have read through
that Arch wiki page. It (iwd) is in buster, but then, so is wicd,
and I've been using wicd/wpa_supplicant for some years with no need
to change. I'm somewhat surprised that there's been no reply from
an iwd user.

> It [wiki resolv.conf] also doesn't talk about systemd-networkd, or network-manager. If
> some people out there know how those things work (in *detail*) and
> are able to contribute to the wiki page, that would be great.

I haven't used either of those, nor ConnMan, but at the moment,
I was treating resolvconf as a side dish, the main course being
to get to ping something using iwd.

Cheers,
David.

David Wright
Sep 30, 2021, 2:40:05 PM
On Thu 30 Sep 2021 at 15:17:03 (+0200), Stella Ashburne wrote:
> > Sent: Thursday, September 30, 2021 at 1:38 PM
> > From: "David Wright" <deb...@lionunicorn.co.uk>
> >
> > My usual strategy is to let the Debian installer set the dns server to
> > IP address of the router, and configure the router to query 8.8.8.8/1.1.1.1.
> > It's not ideal if you have a router that doesn't "belong" to you,
> > ie that you can't configure yourself.
> >
> In the past I used to let the Debian installer set the DNS resolver for me. But you know what? When I did that, I found out that Debian added 192.163.1.1 as one of the DNS resolvers. This was and is a No!No! for me because of possible DNS leaks when I used a commercial VPN provider.

Is 192.163.1.1 a typo for 192.168.1.1? Or do you really mean that you
were using a resolver at Texas Instruments? Let's assume the former.

192.168.1.1 looks like the d-i ran a DHCP client to get an address
for your PC, and that the DHCP server that responded was probably
your router, address 192.168.1.1, and so the d-i figured that your
router would be able to resolve DNS. If it couldn't, it would pass
the request through to whichever resolvers were set up in the router
(by you). This is all standard practice. As I said, you are free to
override it, and I gave one possible hack. (Hack because I haven't
tried to keep up with the proper commands since it was mingled with
systemd, and sprouted resolvctl.)

The idea behind resolvconf is that when you connect to a different
network (say, in a hotel), or to a VPN, it can update the resolver
addresses in /etc/resolv.conf to suit, and reverse them when you
disconnect. If you only ever want a fixed set of DNS resolvers,
then I don't think you need resolvconf at all. Some people even
make /etc/resolv.conf immutable.

Cheers,
David.

Greg Wooledge
Sep 30, 2021, 2:50:06 PM
On Thu, Sep 30, 2021 at 01:30:20PM -0500, David Wright wrote:
> 192.168.1.1 looks like the d-i ran a DHCP client to get an address
> for your PC, and that the DHCP server that responded was probably
> your router, address 192.168.1.1, and so the d-i figured that your
> router would be able to resolve DNS.

The DHCP server actually sends nameserver addresses to the DHCP client.
In the case of a home router, the nameserver address will typically
be the router's internal IP address, which is often 192.168.1.1.

It's *not* d-i deciding to try using the router as a nameserver on a whim.

David Wright
Sep 30, 2021, 4:10:09 PM
Yes, badly expressed personification, I'm afraid. …
Though it does appear that the syslog also expresses this less than clearly:

netcfg[5552]: WARNING **: Started DHCP client; PID is 5581
udhcpc: Got IP 192.168.1.14 (using enp3s0) and routing through 192.168.1.1
netcfg[5552]: DEBUG: Reading domain name returned via DHCP

netcfg[5552]: DEBUG: Reading nameservers from /etc/resolv.conf
netcfg[5552]: DEBUG: Read nameserver 192.168.1.1

Might one assume that the nameservers are written into
/etc/resolv.conf by the DHCP client at →, so that they
can immediately be read again in order to attempt (and
fail) to ascertain the hostname from the nameserver.

Cheers,
David.

Anssi Saari
Oct 1, 2021, 2:00:06 AM
Stella Ashburne <rew...@gmx.com> writes:

> Yes, I was referring to using the old script update-resolv-conf with OpenVPN.
>
>> I never got that to do the right thing with any
>> reliability.
>>
> Please explain what you meant by your statement.
>
> I've been using update-resolv-conf with OpenVPN without problems for
> the past four to five years. The dozen or two commercial VPN providers
> insist that I use update-resolv-conf to prevent DNS and data leaks.

If it works for you, great. My problem was that I usually ended up with
the VPN's DNS and my router in resolv.conf so DNS leak was
automatic. Also it didn't always remove the VPN DNS from resolv.conf
when the VPN went down, with the end result that nothing could be
resolved and openvpn couldn't reconnect. I think I mangled the script a
little which helped but update-systemd-resolved just works. For me.

>> With systemd-resolved you can use update-systemd-resolved
>> which actually seems to work.
>>
> Would you like to share with me how to invoke/launch systemd-resolved
> and update-systemd-resolved in combination with OpenVPN please? Do I
> need to install packages in order to have systemd-resolved and
> update-systemd-resolved?

Systemd-resolved is part of systemd and it's invoked as usual by
systemctl; the service name is systemd-resolved.service. It also has the
benefit that you can configure interface specific DNS so you can still
use a local DNS for local names. Brilliant feature if you use VPNs but
still want to use your LAN too.

Systemd-resolved's usual config is to use it as stub resolver so you
have nameserver 127.0.0.53 in /etc/resolv.conf and actual resolving
config can be shown by resolvectl status. It definitely doesn't make
life simpler but for me it works.

update-systemd-resolved is in Debian package
openvpn-systemd-resolved. To use it with openvpn and systemd-resolved it
just needs a few options in openvpn's config like this:

script-security 2
up /etc/openvpn/update-systemd-resolved
up-restart
down /etc/openvpn/update-systemd-resolved
down-pre

Andrei POPESCU
Oct 3, 2021, 8:50:05 AM
On Jo, 30 sep 21, 13:24:46, David Wright wrote:
>
> Nor I, but I certainly intend to try it out, and have read through
> that Arch wiki page. It (iwd) is in buster, but then, so is wicd,
> and I've been using wicd/wpa_supplicant for some years with no need
> to change. I'm somewhat surprised that there's been no reply from
> an iwd user.

Following some post on -devel I tried using iwd with Network Manager[1],
purely as a replacement for wpasupplicant.

The connection was less stable for me so I went back to wpasupplicant. I
might try it again if I ever upgrade this laptop to bullseye.

[1] as far as I recall the method is pretty simple and well documented
on the 'net.

Kind regards,
Andrei
--
http://wiki.debian.org/FAQsFromDebianUser