[root tip] [How To] Make Manjaro compatible with major VPN providers

linux-aarhus · 14 February 2025 06:45

VPN compatibility

Major VPN providers offer a GUI application which handles all aspects of the connection.

Every now and then the topics on troubleshooting a given VPN provider surfaces and a lot of topics boils down to DNS and for good reason.

Whether you are using an app offered by your provider or you are using configuration files it is of utmost importance you ensure correct configuration of DNS.

Manjaro default resolver

Since the dawn of Manjaro, the network has been configured using NetworkManager and resolved provided by openresolv package.

VPN provider expectations

All VPN providers maintains compatibility with Ubuntu, Debian and Fedora and as they all use systemd-resolved as DNS resolver, in fact they expect it to be so.

This makes it a - at times, hairpulling - challenge to get the VPN into an functional state where DNS work both before and after connection.

Provider provisioned apps

There is a helper package systemd-resolvconf which provides a symlink to resolvctl in case you are used to resolvconf on the commandline or an older application expects resolvconf to be a working binary.

However, if the DHCP and VPN clients use the resolvconf program to set name servers and search domains (see openresolv#Users for a list of software that use resolvconf), the additional package systemd-resolvconf is needed to provide the /usr/bin/resolvconf symlink.
– systemd-resolved - ArchWiki

The process is simple

backup your resolv.conf
enable systemd-resolved
create a symlink linking the stub-resolv.conf as resolv.conf
uninstall openresolv
install systemd-resolvconf

Copy and paste these commands and you are done

sudo cp /etc/resolv.conf /etc/resolv.conf.bak
sudo systemctl enable --now systemd-resolved
sudo ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
sudo pacman -Rns openresolv
sudo pacman -Syu systemd-resolvconf

If you want to provide custom DNS entries you can do so in /etc/systemd/resolved.conf

OpenVPN

The arch wiki contains the necessary information to correctly deal with DNS issues when using OpenVPN configuration files.

See → https://wiki.archlinux.org/title/OpenVPN#The_update-systemd-resolved_custom_script

Resources

Source: Make Manjaro compatible with VPN providers | root.nix.dk

linux-aarhus · 14 February 2025 07:00

The topic is a wiki entry - improvements are welcome.

cscs · 14 February 2025 07:01

Ok I have some.

This is incomplete, needs the second path.

It should also happen before starting the service.

This should also happen before the service.
It is not required to use systemd-resolved but its main use is to provide backwards compatibility with resolvconf/openresolv … this may be pertinent for various VPNs and other considerations.
(provides symlink for /usr/bin/resolvconf)

Is sudo necessary here? Shouldnt polkit be allowed to handle the permission?

Frede Hundewadt:

sudo cp /etc/resolv.conf /etc/resolv.conf.bak
sudo systemctl enable --now systemd-resolved
sudo ln -sf /run/systemd/resolve/stub-resolv.conf
sudo pacman -Rns openresolv
sudo pacman -Syu systemd-resolvconf

…

sudo pacman -Syu systemd-resolvconf
sudo cp /etc/resolv.conf /etc/resolv.conf.bak
sudo ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
systemctl enable --now systemd-resolved
sudo pacman -Rns openresolv

Its been a minute since I did a replacement so I dont recall if restarting NetworkManager or similar would be required. Of course a system reboot would be sure.

Some other info (like using FallbackDNS) are illustrated in some other posts but this bigger one comes to mind;

Oh, and I also am reminded that openvpn-update-systemd-resolved AUR package is handy for anyone using an openvpn connection.

(Pretty much does seamless switching of some tech such as DNS servers before/after VPN connection)

linux-aarhus · 14 February 2025 07:07

well - one could use pkexec - but for consistency in the sequence … sudo is used

The link is coming after enabling the service because you cannot force a link to a non existing file - and the stub only exist after systemd-resolved has been started.

Yes - various helpers exist - but they are only required if one uses openresolv and the whole intent of the topic is to mogrifiy the end-user’s system to use systemd as resolver.

cscs · 14 February 2025 07:19

I think you misunderstand.
The helper script is for openvpn … you know the thing that the majority of VPN providers run on until wireguard became more widely adopted?
Nothing to do with openresolv - the backwards compatibility for that is systemd-resolvconf as covered above.
I have a feeling openvpn-update-systemd-resolved is still useful for many many VPN providers.
Its also related directly to issues such as ‘my DNS servers wont update or change back while or after using VPN.’

linux-aarhus · 14 February 2025 07:22

Yes - they are are required if one is using OVPN - I have added a section TODO - perhaps you can assist - I haven’t been using ovpn configs for a long time …

cscs · 14 February 2025 07:26

Invitation received.

I didnt wanna swoop in with edits … commenting felt less presumptive.

(Unless something is dangerous then it becomes a responsibility… but I digress…)