Issue #2894

Ubuntu strongswan-nm plugin not using server assigned DNS servers

Added by James Dogopoulos over 3 years ago. Updated over 3 years ago.

Category: networkmanager (charon-nm)
Affected version: 5.6.2
Resolution: No change required


This is another security/privacy issue: DNS resolution still seems to go out of the client's wifi/ethernet instead of using the DNS resolvers pushed by the server.

This is an issue with Windows clients as well, but I may be opening a separate issue for that soon once I look into it more.


#1 Updated by James Dogopoulos over 3 years ago

I tried disabling systemd-resolved per [[]], which solves DNS leak issues for OpenVPN, but now the name servers being written for strongSwan are as follows:

root@jd:~# cat /etc/resolv.conf
# Generated by NetworkManager

No idea where it got these from.

#2 Updated by Tobias Brunner over 3 years ago

  • Status changed from New to Feedback

What version are you actually using? There was a bug in 5.6.2 that was subsequently fixed with 5.6.3 (ee8c25516a), which caused invalid DNS servers to be configured via NM.

Also, fixing that DNS leak issue without disabling systemd-resolved requires very current versions of NM and/or systemd-resolved (just search the systemd issue tracker).
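Both symptoms discussed in this ticket (resolvers from the local uplink still present in /etc/resolv.conf, and the 5.6.2 bug that wrote entries that are not valid addresses) can be spotted with a small check. The following is an added example, not part of this ticket or of strongSwan/NetworkManager; the resolv.conf contents and the list of VPN-assigned resolvers are constructed sample data, and the helper names are hypothetical.

```python
"""Classify the resolvers in a resolv.conf against the DNS servers the IKE
gateway pushed: VPN-assigned, leaked (valid but not from the VPN, typically
the wifi/ethernet router) or invalid (not an IPv4/IPv6 address at all)."""
import ipaddress

# Constructed sample of /etc/resolv.conf as NetworkManager might write it
# (example data, not output captured from any real machine).
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search example.internal
nameserver 10.10.0.53
nameserver 192.168.1.1
nameserver 0.0.0.0.1
options edns0
"""

# Constructed list of resolvers assumed to have been assigned by the VPN
# gateway; on a real client you would take these from the NM connection's
# IP4/IP6 config rather than hard-coding them.
VPN_DNS = ["10.10.0.53", "fd00:10::53"]


def parse_nameservers(resolv_conf_text):
    """Return the 'nameserver' entries of a resolv.conf text, in file order."""
    servers = []
    for line in resolv_conf_text.splitlines():
        line = line.split("#", 1)[0].strip()  # strip comments and whitespace
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def classify_resolvers(resolv_conf_text, vpn_dns):
    """Split configured resolvers into 'vpn', 'leaked' and 'invalid' lists."""
    expected = {ipaddress.ip_address(a) for a in vpn_dns}
    result = {"vpn": [], "leaked": [], "invalid": []}
    for entry in parse_nameservers(resolv_conf_text):
        # glibc accepts a scope suffix on link-local IPv6 (e.g. fe80::1%eth0);
        # drop it before parsing the address itself.
        addr_text = entry.split("%", 1)[0]
        try:
            addr = ipaddress.ip_address(addr_text)
        except ValueError:
            result["invalid"].append(entry)
            continue
        if addr in expected:
            result["vpn"].append(entry)
        else:
            result["leaked"].append(entry)
    return result


def tunnel_dns_ok(resolv_conf_text, vpn_dns):
    """True only when every configured resolver is a valid VPN-assigned one
    and at least one such resolver is present."""
    c = classify_resolvers(resolv_conf_text, vpn_dns)
    return bool(c["vpn"]) and not c["leaked"] and not c["invalid"]


if __name__ == "__main__":
    # Run the check against the constructed sample; on a real host you would
    # pass open("/etc/resolv.conf").read() instead.
    print(classify_resolvers(SAMPLE_RESOLV_CONF, VPN_DNS))
    print("tunnel DNS ok:", tunnel_dns_ok(SAMPLE_RESOLV_CONF, VPN_DNS))
```

Note that with systemd-resolved in use, /etc/resolv.conf usually only points at 127.0.0.53, so the per-link resolver assignment has to be inspected through resolvectl instead; the classification logic above applies unchanged to that per-link list.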

#3 Updated by James Dogopoulos over 3 years ago

Yup, you got it, it's an old strongSwan. I saw a strongSwan update on Ubuntu 18, but it was just some minor revisions and they aren't updating to the latest code. *sobs* And it looks like the DNS leak issue is finally fixed in a proposed systemd update but hasn't made it into mainline code just yet.

So I guess the only thing left is the nm plugin IPv6 issue.

#4 Updated by Tobias Brunner over 3 years ago

  • Category set to networkmanager (charon-nm)
  • Status changed from Feedback to Closed
  • Assignee set to Tobias Brunner
  • Affected version changed from 5.7.2 to 5.6.2
  • Resolution set to No change required
