ExpressVPN on Raspberry Pi keeps changing DNS settings (does not revert DNS settings)

So I’ve been playing around with some Raspberry Pi 4s, and on one of them I’ve been using the ARM version of the ExpressVPN client.
What I noticed is that while connected to the VPN I could no longer DNS resolve the names of internal network resources via the DNS server on my router or my internal LAN-based DNS resolving server.
Routing was all fine so it wasn’t to do with the VPN tunnel itself.
Stranger still was that disconnecting the client did not resolve the issue; only a reboot seemed to fix things.

Note that I have configured the client to not use their DNS servers in the first place!!

expressvpn preferences set force_vpn_dns off

Detective-mode: enabled

So I dutifully had a look at my /etc/resolv.conf file and guess what I found?

luis@tor1:~ $ cat /etc/resolv.conf
# Generated by expressvpn
search expressvpn
nameserver 10.96.0.1

This makes some sense, since the client, like many others, has a so-called DNS-leak prevention system: what the client is doing here is making sure that your DNS queries can’t get picked up by a third party (except them, of course!). It not honouring the setting to turn that off is another problem…

However, when I disconnect the client then the file stays exactly the same!
It should have reverted to my default/original settings.

Incidentally, my DNS client settings are being managed from:

“/etc/dhcpcd.conf”, with a “static domain_name_servers=” directive.

A bit more digging and I discovered that “/etc/resolv.conf” is a symbolic link to a resolv.conf file in the ExpressVPN directory:

luis@tor1:~ $ ls -l /etc/resolv.conf
lrwxrwxrwx 1 root root 31 Sep 23 20:58 /etc/resolv.conf -> /var/lib/expressvpn/resolv.conf

So I decided to have a look at this directory with the VPN disconnected:

luis@tor1:~ $ ls -l /var/lib/expressvpn/
total 124
drwxr-xr-x 2 root root   4096 Sep 18 23:26 certs
drwx------ 2 root root   4096 Sep 23 21:45 data
drwxr-xr-x 2 root root   4096 Sep 18 23:29 icons
-rw-r--r-- 1 root root    106 Sep 23 21:38 resolv.conf
-rw------- 1 root root 102764 Sep 23 21:35 userdata2.dat

The linked file (resolv.conf) isn’t very interesting at first, because it’s supposed to be in sync with /etc/resolv.conf, but something very interesting happens when the VPN client initiates the connection:

luis@tor1:~ $ ls -l /var/lib/expressvpn/
total 132
drwxr-xr-x 2 root root   4096 Sep 18 23:26 certs
-rw------- 1 root root     32 Sep 23 21:51 config.pass
-rw------- 1 root root     50 Sep 23 21:51 credentials
drwx------ 2 root root   4096 Sep 23 21:51 data
drwxr-xr-x 2 root root   4096 Sep 18 23:29 icons
-rw-r--r-- 1 root root     65 Sep 23 21:51 resolv.conf
lrwxrwxrwx 1 root root     31 Sep 23 20:58 resolv.conf.orig -> /var/lib/expressvpn/resolv.conf
-rw------- 1 root root 102764 Sep 23 21:51 userdata2.dat

Here we can see (the resolv.conf.orig line) that a soft link has been created, where:

“/var/lib/expressvpn/resolv.conf” is the original file and
“/var/lib/expressvpn/resolv.conf.orig” is the soft link.
So the chain of symlinks looks like this:
a. “/var/lib/expressvpn/resolv.conf.orig” is a link to
b. “/var/lib/expressvpn/resolv.conf”, and
c. “/etc/resolv.conf” is a link to
d. “/var/lib/expressvpn/resolv.conf” (the real/original file).

There is an obvious problem with this:

Why would you link a backup file (a) (.orig extension) to the live file (b) in the first place?
…So why do I think that it’s a backup file?
Because if I modify the .orig file while the connection is up, then when the VPN client disconnects it restores the contents of the .orig file to /etc/resolv.conf (and not the other files); the .orig file is then deleted. Since the .orig file is only a link to the live file, the “backup” contains whatever the client wrote on connect rather than my pre-connection settings, so the restore on disconnect changes nothing.
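To make the symlink chain above checkable rather than eyeballed from ls output, here is an added shell script (mine, not from the post or from ExpressVPN) that follows the chain and reports whether the .orig “backup” is a real copy or just a link back to the live file. The paths are arguments, so it can be pointed at the real /etc/resolv.conf and /var/lib/expressvpn/resolv.conf.orig on a Pi; make_fixture only rebuilds the layout from the listing in a scratch directory as constructed sample data.

```shell
#!/bin/sh
# Added example, not the post's or ExpressVPN's code: detect whether the
# .orig "backup" beside the client's resolv.conf is a symlink that resolves
# to the live file (the state seen while connected) instead of a real copy.

# Follow a symlink chain hop by hop and print the final path.
resolve_chain() {
    p="$1"
    n=0
    while [ -L "$p" ] && [ "$n" -lt 16 ]; do
        p=$(readlink "$p")      # link targets in the post are absolute
        n=$((n + 1))
    done
    printf '%s\n' "$p"
}

# Exit status: 0 = backup is a real file with its own contents,
#              1 = backup is a symlink resolving to the same file as the live one,
#              2 = no backup present (the normal state when disconnected).
check_backup() {
    live="$1"; backup="$2"
    [ -e "$backup" ] || [ -L "$backup" ] || return 2
    if [ -L "$backup" ] &&
       [ "$(resolve_chain "$backup")" = "$(resolve_chain "$live")" ]; then
        return 1
    fi
    return 0
}

# Rebuild the layout from the post's listing in a temp dir (constructed data).
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/var/lib/expressvpn"
    printf 'search expressvpn\nnameserver 10.96.0.1\n' \
        > "$d/var/lib/expressvpn/resolv.conf"
    ln -s "$d/var/lib/expressvpn/resolv.conf" "$d/etc/resolv.conf"
    # what appears on connect: resolv.conf.orig -> the live resolv.conf
    ln -s "$d/var/lib/expressvpn/resolv.conf" \
          "$d/var/lib/expressvpn/resolv.conf.orig"
    printf '%s\n' "$d"
}

if [ "${1:-}" = "demo" ]; then   # sh check.sh demo: run against the fixture
    d=$(make_fixture); rc=0
    check_backup "$d/etc/resolv.conf" "$d/var/lib/expressvpn/resolv.conf.orig" || rc=$?
    echo "check_backup returned $rc (1 = backup is only a link to the live file)"
    rm -rf "$d"
fi
```

On a real Pi, run check_backup against /etc/resolv.conf and /var/lib/expressvpn/resolv.conf.orig while connected; a return of 1 reproduces the condition described above.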

So what do you do about it?

Well, I have a ticket open with ExpressVPN support about this and we’ll see how that goes (I’ll update this post with any news), but for now my workaround is quite simple: reload the DNS resolver.
On Raspbian this is handled by openresolv and the command is:

sudo resolvconf -u

It will nag you about “Too few arguments” but it works just fine.
On other distros you will want to restart systemd-resolved via systemd, e.g.

sudo systemctl restart systemd-resolved.service
