On 29/09/2020 17:21, Paul Wouters wrote:
>
> For the VPN scenario, it is just a little bit more complicated.
>
> For those with proper standards, such as "Cisco IPsec", "L2TP/IPsec",
> the VPN configuration is dictated by the server to either send all or
> some traffic to the VPN server. If it is not "everything", then these
> VPNs convey 1 domain name and one or more IP's of DNS servers to use
> to resolve that domain.
>
> For IKEv2 IPsec based VPNs, any number of domain names can be specified
> by the server to be used by the client. When doing split-DNS with DNSSEC
> trust anchors, these can be conveyed and there are strict rules on when
> to allow these to override public DNSSEC trust anchors as per RFC 8598.
>
> For VPN protocols with no real standard, things are more complicated.
>
> OpenVPN can do custom things. It all depends on the provisioning.

As an OpenVPN developer, I can't resist giving a few details here :)

OpenVPN 2.x using the openvpn-client@.service unit files depends entirely
on the OpenVPN configuration. So you are right here.

OpenVPN 2.x using NetworkManager will let NetworkManager pick up changes
and apply them according to the abilities of the NetworkManager-openvpn
plugin.

OpenVPN 3 Linux can be enabled with systemd-resolved support [0], but
out-of-the-box it will modify /etc/resolv.conf directly. With
systemd-resolved support enabled, you will get fairly close to a split-DNS
setup, but not completely. This integration is still considered
tech-preview, and we're using the v10_beta release to gain more experience
with systemd-resolved across various distributions. Ubuntu 20.04 has also
enabled systemd-resolved by default, but it seems it has not gone as far
as Fedora 33.

Common to all of these alternatives, the VPN server must push DNS options
or the client configuration file must include the appropriate
--dhcp-options.
[0] <https://www.mail-archive.com/openvpn-devel@xxxxxxxxxxxxxxxxxxxxx/msg20607.html>

--
kind regards,

David Sommerseth
OpenVPN Inc
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
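The message above ends on the point that, whichever client integration is in use, the DNS information has to come from pushed dhcp-option values (or the same lines in the client config). The following script is an added example for the OpenVPN 2.x plus openvpn-client@.service case, where the post says everything depends on the client configuration. It is not part of the original thread and not an OpenVPN project script. What it relies on: OpenVPN 2.x exports each pushed "dhcp-option" line to --up/--down scripts as foreign_option_1, foreign_option_2, ... environment variables, along with "dev" and "script_type"; and resolvectl's per-link "dns", "domain" and "revert" commands. The interface name tun0, the 10.8.0.x resolver addresses, the domain corp.example and the script path are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post, not an OpenVPN project script):
# split DNS for one OpenVPN 2.x tunnel via systemd-resolved, driven only by
# what the server pushed.
#
# Server side (constructed sample, assumed in the server config):
#   push "dhcp-option DNS 10.8.0.1"
#   push "dhcp-option DOMAIN corp.example"
#
# Client side (assumed path; needs script-security 2, and the script runs as
# root, so keep it root-owned and not world-writable):
#   script-security 2
#   up   /etc/openvpn/resolved-split-dns.sh
#   down /etc/openvpn/resolved-split-dns.sh

# Turn the foreign_option_* variables into resolvectl commands for the given
# interface. Prints one command per line and executes nothing, so the result
# can be inspected (or tested) before it is piped to sh. Returns 1 when no
# DNS server was pushed, i.e. there is nothing to configure.
#
# Domain handling: "~name" is a routing-only domain in systemd-resolved, so
# queries under it go to the tunnel resolver and everything else keeps using
# the LAN resolver (that is the split). A plain search domain (DOMAIN-SEARCH)
# is also a routing domain in resolved. If the server pushed no domain at
# all, it expects its resolver to be used for everything, so "~." is set to
# make the tunnel the preferred resolver for all names instead of letting
# lookups fall through to the LAN.
build_resolved_cmds() {
    dev="$1"
    dns=""
    domains=""
    i=1
    while :; do
        eval "opt=\${foreign_option_$i:-}"
        [ -n "$opt" ] || break
        set -- $opt   # "dhcp-option DNS 10.8.0.1" -> $1="dhcp-option" $2="DNS" $3="10.8.0.1"
        if [ "$1" = "dhcp-option" ]; then
            case "$2" in
                DNS)           dns="$dns $3" ;;
                DOMAIN)        domains="$domains ~$3" ;;
                DOMAIN-SEARCH) domains="$domains $3" ;;
            esac
        fi
        i=$((i + 1))
    done
    [ -n "$dns" ] || return 1
    [ -n "$domains" ] || domains=" ~."
    printf 'resolvectl dns %s%s\n' "$dev" "$dns"
    printf 'resolvectl domain %s%s\n' "$dev" "$domains"
}

# Entry point when invoked by OpenVPN: apply on "up", and on "down" drop the
# per-link settings again so the tunnel resolver is not used once it is gone.
case "${script_type:-}" in
    up)   build_resolved_cmds "$dev" | sh ;;
    down) resolvectl revert "$dev" ;;
esac
```

Because the settings are attached to the tunnel link rather than written into /etc/resolv.conf, the LAN resolver configuration is untouched and comes back by itself when the link disappears. The trade-off to be aware of is the same one the thread is about: with routing domains only, every name outside those domains is still resolved by whatever resolver the local network handed out, and with "~." all lookups go through the VPN. Either way the pushed values are fully trusted, so a server you do not control decides your resolver for the pushed scope.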