Thank you for your bug report, could you perhaps report it upstream on https://gitlab.freedesktop.org/NetworkManager/NetworkManager/issues/ ?
-- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to network-manager in Ubuntu. https://bugs.launchpad.net/bugs/1880864 Title: networkmanager IKE VPN connection causes DNS leak Status in network-manager package in Ubuntu: New Bug description: Description: Ubuntu 20.04 LTS Release: 20.04 network-manager: Installé : 1.22.10-1ubuntu1 Candidat : 1.22.10-1ubuntu1 Table de version : *** 1.22.10-1ubuntu1 500 500 http://fr.archive.ubuntu.com/ubuntu focal/main amd64 Packages 100 /var/lib/dpkg/status Connecting to a IPSEC IKE VPN does not update correctly update systemd-resolve dns parameters: DNS provided by the VPN tunnel is seen by systemd-resolve but not use to resolve dns queries resulting to a DNS leak. I tried to play with network manager priority which as no effect: default setting seems to be fine as the dns provided by the vpn appears on top of dns list provided by "systemd-resolve --status" result bellow. I found out a way to get it working by restarting systemd-resolve service after the vpn connection is established. I think (pure speculation, I don't know how systemd-resolve works) systemd-resolve evaluate which dns use, the one provided by the vpn is the first one then it decide to use it. This evaluation should be triggered when tunnel is bringed up. Bringing up an IPSEC IKE VPN does not create a new interface, it will use the same used by the default network interface where is configured the gateway. I think a fix would be to find out a way to triggered the dns election of systemd-resolve to update the "Current DNS Server". Maybe it is a bug with systemd-resolve but as I don't know how everything work together, I choose to report this here. You will find my network manager config for this particular ipsec tunnel bellow. Before systemctl restart systemd-resolved.service Global LLMNR setting: no MulticastDNS setting: no DNSOverTLS setting: no DNSSEC setting: no DNSSEC supported: no DNSSEC NTA: 10.in-addr.arpa 16.172.in-addr.arpa 168.192.in-addr.arpa 17.172.in-addr.arpa 18.172.in-addr.arpa 19.172.in-addr.arpa 20.172.in-addr.arpa 21.172.in-addr.arpa 22.172.in-addr.arpa 23.172.in-addr.arpa 24.172.in-addr.arpa 25.172.in-addr.arpa 26.172.in-addr.arpa 27.172.in-addr.arpa 28.172.in-addr.arpa 29.172.in-addr.arpa 30.172.in-addr.arpa 31.172.in-addr.arpa corp d.f.ip6.arpa home internal intranet lan local private test Link 2 (eno1) Current Scopes: DNS DefaultRoute setting: yes LLMNR setting: yes MulticastDNS setting: no DNSOverTLS setting: no DNSSEC setting: no DNSSEC supported: no Current DNS Server: 192.168.10.1 DNS Servers: 192.168.1.1 #DNS from VPN 192.168.10.1 #DNS from DHCP DNS Domain: lan ~. after systemctl restart systemd-resolved.service Global LLMNR setting: no MulticastDNS setting: no DNSOverTLS setting: no DNSSEC setting: no DNSSEC supported: no DNSSEC NTA: 10.in-addr.arpa 16.172.in-addr.arpa 168.192.in-addr.arpa 17.172.in-addr.arpa 18.172.in-addr.arpa 19.172.in-addr.arpa 20.172.in-addr.arpa 21.172.in-addr.arpa 22.172.in-addr.arpa 23.172.in-addr.arpa 24.172.in-addr.arpa 25.172.in-addr.arpa 26.172.in-addr.arpa 27.172.in-addr.arpa 28.172.in-addr.arpa 29.172.in-addr.arpa 30.172.in-addr.arpa 31.172.in-addr.arpa corp d.f.ip6.arpa home internal intranet lan local private test Link 2 (eno1) Current Scopes: DNS DefaultRoute setting: yes LLMNR setting: yes MulticastDNS setting: no DNSOverTLS setting: no DNSSEC setting: no DNSSEC supported: no Current DNS Server: 192.168.1.1 DNS Servers: 192.168.1.1 #DNS from VPN 192.168.10.1 #DNS from DHCP DNS Domain: lan ~. Network Manager config [connection] id=SomeNameForThisConnection uuid=XXXXXXXXXXXX type=vpn autoconnect=false permissions=user:someuser:; timestamp=1590573570 [vpn] address=some.vpn.address.com certificate=/some/cert/for/some.vpn.address.com encap=no esp=aes256gcm16-ecp384 ike=aes256-sha256-prfsha256-ecp384 ipcomp=no method=eap password-flags=2 proposal=yes user=some_login virtual=yes service-type=org.freedesktop.NetworkManager.strongswan [ipv4] dns-search=lan; method=auto [ipv6] addr-gen-mode=stable-privacy dns-search= method=ignore [proxy] To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1880864/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
