F5 VPN does not play well with a split DNS configuration using systemd-resolved, because it insists on rewriting /etc/resolv.conf. The workaround is to make /etc/resolv.conf immutable and to configure the DNS settings for the tunnel manually. (If /etc/resolv.conf is the usual symlink into /run/systemd/resolve/, replace it with a regular file containing nameserver 127.0.0.53 first; the immutable attribute cannot be set on a symlink, and the tmpfs under /run does not support it.) systemd-resolved has no mechanism of its own for persistent per-interface configuration: its per-link settings are runtime state, and it relies on NetworkManager (or systemd-networkd) to configure each connection correctly. F5 VPN is not compatible with NetworkManager and does not make it easy to configure it this way.
NetworkManager-dispatcher lets you run scripts in response to network events. In our case we will use it to add the DNS configuration automatically whenever the F5 VPN tunnel interface tun0 comes up, which gives us configuration that survives reconnects.
Here is the script:
#!/bin/bash
INTERFACE=$1
STATUS=$2
case "$STATUS" in
    'up')
        if [ "$INTERFACE" = "tun0" ]; then
            # Routing domains for the tunnel. The leading ~ means queries under
            # these domains are sent to the tunnel's DNS servers, but the domains
            # are not added to the search list; drop the ~ for domains that should
            # also be searched.
            SEARCH_DOMAINS="~example.corp ~example.local"
            # Deliberately unquoted so each domain becomes its own argument
            resolvectl domain "$INTERFACE" $SEARCH_DOMAINS
            # Corporate DNS servers, reachable only through the tunnel
            resolvectl dns "$INTERFACE" 192.168.100.20 192.168.100.22
            # The corporate servers do not speak DNS over TLS
            resolvectl dnsovertls "$INTERFACE" no
        fi
        ;;
esac
The script checks that the interface is tun0 and that the current action is up. If so, it uses resolvectl to configure the routing domains and the corporate DNS servers for that link; because the domains carry a ~ prefix, only queries under those domains are sent to the corporate servers, and everything else keeps using the default resolver. Lastly, DNS over TLS is disabled for the link, as the corporate DNS servers do not support it. These per-link settings are discarded by systemd-resolved when tun0 disappears, which is why the script re-applies them on every up event.
To make this script work, install it in the /etc/NetworkManager/dispatcher.d/ directory under the name f5-vpn. Make sure it is owned by root, executable, and not writable by anyone other than root; NetworkManager-dispatcher refuses to run scripts that fail these checks. NetworkManager-dispatcher will then run the script whenever a network interface comes up, automatically applying the DNS configuration for the F5 VPN tunnel.
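As an added example (not the script from the original post), here is a fuller version of the same dispatcher script that also reverts the per-link settings on the down event and can be dry-run before installation. The interface name tun0, the domains example.corp and example.local, and the server addresses 192.168.100.20 and 192.168.100.22 are assumed values copied from the example above; the RESOLVECTL variable is an assumption of this example, not something NetworkManager or resolvectl provides.

```shell
#!/bin/bash
# Added example: NetworkManager dispatcher script for the F5 VPN tunnel that
# applies the split-DNS settings on "up" and reverts them on "down". Not the
# original script from the page. The interface name, domains and server
# addresses are assumed values taken from the page's example.
#
# Install with (assumed path and name):
#   install -o root -g root -m 0755 f5-vpn /etc/NetworkManager/dispatcher.d/f5-vpn
# Verify after connecting with:
#   resolvectl status tun0
set -u

VPN_IFACE="${VPN_IFACE:-tun0}"
# Leading ~ makes these routing-only domains: queries under them go to the
# tunnel's servers, but the domains are not added to the search list.
VPN_DOMAINS="~example.corp ~example.local"
VPN_DNS="192.168.100.20 192.168.100.22"
# Command used to talk to systemd-resolved (assumed hook for this example);
# run with RESOLVECTL=echo to see the commands without executing them.
RESOLVECTL="${RESOLVECTL:-resolvectl}"

# Point the link at the corporate servers for the routing domains only, and
# turn DNS over TLS off because those servers do not offer it.
apply_vpn_dns() {
    local iface="$1"
    # $VPN_DOMAINS and $VPN_DNS are deliberately unquoted so that each
    # word becomes a separate argument.
    "$RESOLVECTL" domain "$iface" $VPN_DOMAINS &&
    "$RESOLVECTL" dns "$iface" $VPN_DNS &&
    "$RESOLVECTL" dnsovertls "$iface" no
}

# Drop every per-link setting again. resolved discards them itself once the
# tun device disappears, so this only matters while the link still exists.
revert_vpn_dns() {
    "$RESOLVECTL" revert "$1"
}

# NetworkManager-dispatcher invokes the script as: <script> <interface> <action>
handle_event() {
    local iface="$1"
    local action="$2"
    # Ignore every interface except the VPN tunnel.
    [ "$iface" = "$VPN_IFACE" ] || return 0
    case "$action" in
        up)   apply_vpn_dns "$iface" ;;
        down) revert_vpn_dns "$iface" ;;
        *)    ;;
    esac
}

handle_event "${1:-}" "${2:-}"
```

Before copying it into /etc/NetworkManager/dispatcher.d/, a dry run such as RESOLVECTL=echo ./f5-vpn tun0 up prints the three resolvectl invocations the script would make, which is a cheap way to catch a typo in a domain or server address before it ends up in the live resolver configuration.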