NetworkManager.service resets my resolv.conf configuration

Hi,

I have a fairly standard network configuration:

{ pkgs, ... }:

{
  networking = {
    useDHCP = false;
    hostName = "jaghut";
    interfaces.enp6s0.useDHCP = true;
    interfaces.enp7s0.useDHCP = true;
    networkmanager = {
      enable = true;
      plugins = with pkgs; [
        networkmanager-openvpn
        networkmanager-openconnect
      ];
    };

    defaultGateway = "10.0.0.138";
    nameservers = [ "1.1.1.1" "8.8.8.8" ];
    firewall.allowedTCPPorts = [ 32400 ]; # Plex
  };
}

I am using NetworkManager with the ProtonVPN Linux app to connect to the VPN.
The problem is that after a fresh reboot, I get the following resolv.conf:

$ cat /etc/resolv.conf 
# Generated by resolvconf
domain home
nameserver ::1
options edns0

This is obviously wrong and domain name resolution is not working for lack of a nameserver.
If I go to the network-manager applet in the system tray and do “disable networking” and then “enable networking”, then the resolv.conf file is populated correctly:

$ cat /etc/resolv.conf 
# Generated by resolvconf
domain home
nameserver 10.0.0.138
nameserver 1.1.1.1
nameserver 8.8.8.8
nameserver fe80::1%enp7s0
options edns0

If, after a fresh reboot, I manually stop the NetworkManager service (systemctl stop NetworkManager.service), then resolv.conf also gets reverted to the correct configuration above.

If I do systemctl restart network-setup.service then resolv.conf gets reverted to the wrong configuration above, and there’s no way to fix it except again doing the “disable networking”/“enable networking” in nm-applet.

This is very annoying particularly because in some cases I just want my PC to wake up at a certain hour and run headless while I connect to it remotely. But after each boot, the network configuration is wrong.

For reference I am using a flake-enabled configuration which follows nixpkgs master.
NixOS version 22.11.20220817.3e43b5e.

I have tried many things to address this issue and nothing works. This is very annoying as after each reboot I need to manually fix the network config.

Any ideas how to address this issue?

Thanks!

Have you tried your config with nixos stable to see if the problem remains?

Do you see any related messages in journalctl -b? The journal should contain a fair bit of info about network config changes. That could at least help you see what is happening around the time of the changes.

Do you see any related messages in journalctl -b ?

Nothing really suspicious except

network-local-commands.service: Job network-local-commands.service/start failed with result 'dependency'.

However, looking at the script it tries to run, it’s just empty:

$ bat /nix/store/9f04vxv0a0b69nxgsdn19pc1zykr80mb-unit-script-network-local-commands-start/bin/network-local-commands-start -p
#!/nix/store/3j918i1nbwhby0y38bn2r438rjhh8f4d-bash-5.1-p16/bin/bash
set -e
# Run any user-specified commands.

I’m not sure I can really run stable since my PC components are relatively new (last time I had trouble with AMDGPU).

I don’t know what’s failing here, but you could try using networking.networkmanager.appendNameservers as a workaround?

I can’t point to anything specifically wrong, but you might try twiddling some settings in the hopes of finding the conflict.

First, do you need to specify defaultGateway? Normally this would come from the DHCP address assignment.

For my own network config, which includes multiple interfaces but no VPN, I use

  networking.enableIPv6 = false;
  systemd.network.wait-online.anyInterface = true; # block for no more than one interface
  services.resolved = {
    enable = true;
    extraConfig = ''
      LLMNR=no
      ReadEtcHosts=no
      DNS=10.45.42.1:4253%nebula.aux#aux
      Domains=~aux
      DNSSEC=no
    '';
  };

  networking.networkmanager.enable = true;
  networking.dhcpcd.enable = false; # use NetworkManager's dhcp client

You’ll notice that this uses NetworkManager DHCP instead of dhcpcd and it does not specify interfaces for DHCP. It also configures resolved for DNS caching, which could be better or worse for you with your VPN config.

For now, somehow the issue resolved itself (after a number of updates and rebuilds), although I did not change anything in the configuration. This issue has been plaguing me on and off for months.

Do you need to specify defaultGateway?

The Nix manual seems to think so: NixOS - NixOS 22.05 manual

For my own network config, which includes multiple interfaces but no VPN, I use

I did try resolved but it did not fix my issue, and I was also worried about DNS leaks when turning the VPN on/off.

I am just happy that it works for now. I have no idea what changed.

That bit in the NixOS manual is misleading; it is specifically about configuring static addressing and is not appropriate for dhcp-based addressing (except maybe in some obscure cases).

I would remove defaultGateway; it could break your networking if ever your gateway has a different address (common for a laptop). You have two active interfaces – presumably to different networks (different address ranges) – yet defaultGateway may be applied to both.

If you are concerned about VPN leakage, you might want to look carefully at your overall active network topology for that machine (using ip). When VPN is active, are other interfaces active?

My brief dive into wiki.archlinux.org left me with the impression that properly configuring OpenVPN to not leak is complicated. Other VPNs may be no easier; there are just too many paths to resolve DNS. Maybe you can find good resources online, but be sure you can verify the resulting network.

If you control both ends of the VPN, consider using wireguard; it is more performant and less crufty.

Interestingly, I am about to embark on a similar journey. I want to configure my NixOS laptop to talk to a corporate (Windows) VPN. Probably I’ll know a whole lot more about making this work in a week. :wink:

Thanks, I removed the defaultGateway and everything still works fine.

My brief dive into wiki.archlinux.org left me with the impression that properly configuring OpenVPN to not leak is complicated.

ProtonVPN offers graphical and CLI clients, both based on a Python library, protonvpn-nm-lib, which is in turn based on NetworkManager. Hopefully this library is able to change network settings on the fly without screwing up my configuration. Anyway, that’s basically the only reason I need NetworkManager in the first place.

I recently ran into what is possibly the same problem and thought I’d comment to share a possible solution. I’m new to NixOS and am also using protonvpn, so thought it might be Nix-specific and happened to stumble across this post before seeing other non-Nix related discussions. Hopefully necro-bumping like this isn’t too frowned upon.

In my case I have a bare-bones network config with IPv6 enabled:

networking.useDHCP = lib.mkDefault true;
networking.networkmanager.enable = true;

The problem started after my host was connected to protonvpn and ran out of batteries. After reboot my /etc/resolv.conf was constantly reset with nameserver pointing to localhost.

Eventually, because of seeing an ipv6leakintrf0 interface when running ip addr, I tracked this down to being related to protonvpn trying to prevent IP leaking when not shut down properly.

It seems the way to fix this is to either reconnect to protonvpn and then shut it down correctly afterwards, or manually delete the following network device using nmcli:

nmcli connection delete pvpn-ipv6leak-protection

An older (non-NixOS-related) discussion related to this problem can be found here.

Hopefully helpful to anyone else that might see this thread first.

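As an added example (this is not code from the thread, from ProtonVPN or from NixOS), the following POSIX shell script turns the diagnosis and the fix discussed above into something you can run after a reboot: it checks whether resolv.conf is left with only loopback nameservers (the `nameserver ::1` symptom from the first post) and whether a stale ProtonVPN leak-protection connection is still present, and deletes it with nmcli. The connection name `pvpn-ipv6leak-protection` and the device name `ipv6leakintrf0` are taken from the post above; that the connection shows up as type `dummy` in nmcli's terse output, and the sample resolv.conf and nmcli lines, are constructed assumptions for the offline self-check.

```shell
#!/bin/sh
# Added example, not from the thread, ProtonVPN or NixOS.
# Detects a resolv.conf that only lists loopback nameservers and a leftover
# ProtonVPN leak-protection connection, and (with --fix, as root) removes it.
# Assumptions: connection name "pvpn-ipv6leak-protection", device
# "ipv6leakintrf0" (both from the post), connection type "dummy" (assumed).
set -eu

# Return 0 if the resolv.conf text given as $1 names at least one nameserver
# that is not a loopback address (::1 or 127.x.x.x), 1 otherwise.
has_real_nameserver() {
  printf '%s\n' "$1" | awk '
    $1 == "nameserver" && $2 != "::1" && $2 !~ /^127\./ { found = 1 }
    END { exit (found ? 0 : 1) }'
}

# Print the NAME of every stale leak-protection connection found in the text
# given as $1, which is expected to be the colon-separated output of
# `nmcli -t -f NAME,TYPE,DEVICE connection show`.
stale_pvpn_connections() {
  printf '%s\n' "$1" | awk -F: '
    $1 == "pvpn-ipv6leak-protection" || $3 == "ipv6leakintrf0" { print $1 }'
}

# Constructed samples (not captured from a real machine) for the offline check.
SAMPLE_RESOLV_BROKEN='# Generated by resolvconf
domain home
nameserver ::1
options edns0'

SAMPLE_RESOLV_OK='# Generated by resolvconf
domain home
nameserver 10.0.0.138
nameserver 1.1.1.1
options edns0'

SAMPLE_NMCLI='enp6s0:802-3-ethernet:enp6s0
pvpn-ipv6leak-protection:dummy:ipv6leakintrf0
ProtonVPN NL#12:vpn:'

# Live mode: inspect the real system, delete stale connections, re-check DNS.
# Deleting connections needs root (or polkit rights for NetworkManager).
fix_live() {
  conns=$(stale_pvpn_connections "$(nmcli -t -f NAME,TYPE,DEVICE connection show)")
  if [ -z "$conns" ]; then
    echo "no stale ProtonVPN leak-protection connection found"
  else
    printf '%s\n' "$conns" | while IFS= read -r name; do
      echo "deleting stale connection: $name"
      nmcli connection delete "$name"
    done
  fi
  if has_real_nameserver "$(cat /etc/resolv.conf)"; then
    echo "/etc/resolv.conf has a usable nameserver"
  else
    echo "/etc/resolv.conf still lists only loopback nameservers" >&2
    return 1
  fi
}

case "${1:-}" in
  --fix)
    fix_live
    ;;
  *)
    # Offline self-check on the constructed samples (default mode).
    if has_real_nameserver "$SAMPLE_RESOLV_BROKEN"; then
      echo "sample resolv.conf: ok"
    else
      echo "sample resolv.conf: only loopback nameservers (the reported symptom)"
    fi
    echo "stale connections in sample nmcli output: $(stale_pvpn_connections "$SAMPLE_NMCLI")"
    ;;
esac
```

Run it without arguments to see the checks against the embedded samples; run `sudo ./check-pvpn-dns.sh --fix` on the affected host to delete the stale connection and confirm that /etc/resolv.conf again carries a non-loopback nameserver. The awk filters deliberately match on both the connection name and the device, so a renamed connection that still owns `ipv6leakintrf0` is caught too.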