Hello, I have some issue with joining an agent to an existing cluster over an existing OpenVPN network. I have a server (10.9.9.3) with a DNS URL kcp.home.mydomain, which can be resolved by the nameserver running on 10.9.9.1. Both the k3s server and k3s agent to join are already connected to the VPN. When I try to connect via the URL i get the following error output from the k3s agent executable: k3s agent -s 'https://kcp.home.mydomain:6443' --token '<omitted here>' --node-ip '10.9.9.4' --disable-apiserver-lb --resolv-conf=/etc/resolv.conf Failed to validate connection to cluster at https://kcp.home.mydomain:6443: failed to get CA certs: Get "https://kcp.home.mydomain:6443/cacerts": dial tcp: lookup kcp.home.mydomain: no such host However I can resolve the hostname on the Linux where the agent runs through the /etc/resolv.conf perfectly to 10.9.9.3. Connecting to the server using the IP https://10.9.9.3:6433 works (--tls-san contains both IP and DNS). I also can see that k3s doesnt connect to the k3s server by using tcpdump on the interface and filtering for any traffic from the agent host interface. Has anyone an idea what could be the reason for this?

Check the k3s logs for a message like this:

Host resolv.conf includes loopback, multicast, or link-local nameservers - kubelet will use autogenerated resolv.conf with nameserver 8.8.8.8

If you see that, then its using google DNS instead of your private nameserver. Make sure /etc/resolv.conf or /run/systemd/resolve/resolv.conf do not contain any invalid upstream resolvers, or create a valid resolv.conf for K3s and specify its path with the --resolv-conf option.

I have simplified my /etc/resolv.conf to only nameserver 10.9.9.1 nameserver 8.8.8.8 and tried again. I just get the output time="2025-11-04T214820+01:00" level=info msg="Starting k3s agent v1.33.5+k3s1 (fab4a5c3)" time="2025-11-04T214820+01:00" level=error msg="Failed to validate connection to cluster at without any other output

try just

nameserver 10.9.9.1

without 8.8.8.8

That did work 🙂 But shouldn't it work with both entries as well?

not if it can’t be resolved by one of the nameservers, no

Ah I didn't know that. Thank you very much for your help!