Block outside dns openvpn linux

OpenVPN Support Forum


block-outside-dns for linux

Post by TommyKL » Sun Nov 04, 2018 5:20 pm

Wasn’t sure how to ask my question in the subject but here I will explain.

In my client-template.txt file, I have
setenv opt block-outside-dns

The clients are only Linux however and I have read the man page which says this option is only for windows clients.
However, it then says
>You may want to use --setenv opt

The clients all get the error when connecting. It doesn’t seem to affect anything but wanted to know what is the correct method of preventing Linux clients from using the vpn servers DNS. I want the clients to use their own local DNS server.

On the client, it is using the local DNS but the vpn server DNS show in the client vpn log.

Sun Nov 4 17:27:38 2018 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS x.x.x.16,dhcp-option DNS x.x.x.15,route-gateway 172.16.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 172.16.0.3 255.255.248.0,peer-id 0,cipher AES-256-GCM'

In the server.conf I have
push "dhcp-option DNS x.x.x.16"
push "dhcp-option DNS x.x.x.15"
#push "redirect-gateway def1 bypass-dhcp"

Re: block-outside-dns for linux

Post by TinCanTech » Sun Nov 04, 2018 5:38 pm

>what is the correct method of preventing Linux clients from using the vpn servers DNS. I want the clients to use their own local DNS server

Re: block-outside-dns for linux

Post by TommyKL » Sun Nov 04, 2018 10:32 pm

As mentioned, they are in fact using the local DNS servers (I tested this) which is why I am asking the question.
I inherited the setup, don’t know much about it and this seemed odd to me when looking at it.

Re: block-outside-dns for linux

Post by TinCanTech » Sun Nov 04, 2018 11:01 pm

Re: block-outside-dns for linux

Post by TommyKL » Tue Nov 06, 2018 4:25 pm

Read the doc is a childish response. I said I’ve been searching and reading. I also said I inherited this and am just learning as I go.
If you don’t want to help, just move on, don’t help.

Re: block-outside-dns for linux

Post by TinCanTech » Tue Nov 06, 2018 8:44 pm

Re: block-outside-dns for linux

Post by TommyKL » Wed Nov 07, 2018 1:57 pm

Again, a childish response. Why even bother?

As I clearly show in one of my responses, I have been reading manuals, docs, posts etc. Don’t bother reading that I’ve done that and instead, keep wasting my post with your childish responses. As this gets indexed, others will find this and wonder why these forums aren’t very friendly or useful to someone new. Only the elite helping the elite it seems.


Re: block-outside-dns for linux

Post by TinCanTech » Wed Nov 07, 2018 10:56 pm

.. I will expand on this later.

Focus on the Howto and the manual for the best results. (In that order)

>Wasn’t sure how to ask my question in the subject but here I will explain.

>In my client-template.txt file, I have
>setenv opt block-outside-dns

>The clients are only Linux however and I have read the man page which says this option is only for windows clients.
>However, it then says
>>You may want to use --setenv opt

>The clients all get the error when connecting. It doesn’t seem to affect anything but

You have .. read the man page about this option and understand how it works,

>what is the correct method of preventing Linux clients from using the vpn servers DNS. I want the clients to use their own local DNS server

I have answered all the questions accurately ..

And, for the record, Openvpn does not have anything to do with DNS.
All Openvpn does is push a string to the client which the client can use or not.
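
As an added illustration of the point in the post above (not part of the thread and not OpenVPN project code): the pushed `dhcp-option DNS` values are only strings inside the `PUSH_REPLY`, and whether they reach the resolver configuration is decided on the client. The sketch parses a log line shaped like the one in the first post and compares it with `resolv.conf` content; the sample addresses, the sample `resolv.conf` text and the function names are constructed for this example.

```python
import re

# Constructed sample shaped like the log line in the first post; the
# addresses are documentation-range placeholders, not the poster's servers.
SAMPLE_LOG = (
    "Sun Nov 4 17:27:38 2018 PUSH: Received control message: "
    "'PUSH_REPLY,dhcp-option DNS 192.0.2.16,dhcp-option DNS 192.0.2.15,"
    "route-gateway 172.16.0.1,topology subnet,ping 10,ping-restart 120,"
    "ifconfig 172.16.0.3 255.255.248.0,peer-id 0,cipher AES-256-GCM'"
)
# Constructed resolv.conf content: only a local resolver is configured.
SAMPLE_RESOLV = "search lan\nnameserver 192.168.1.1  # local router\n"


def pushed_dns(log_text):
    """DNS servers named in dhcp-option entries of PUSH_REPLY messages."""
    servers = []
    for reply in re.finditer(r"PUSH_REPLY,([^'\n]*)", log_text):
        for option in reply.group(1).split(","):
            parts = option.split()
            if len(parts) == 3 and parts[:2] == ["dhcp-option", "DNS"]:
                if parts[2] not in servers:
                    servers.append(parts[2])
    return servers


def active_resolvers(resolv_conf_text):
    """nameserver addresses from resolv.conf content, comments stripped."""
    found = []
    for line in resolv_conf_text.splitlines():
        fields = re.split(r"[#;]", line, maxsplit=1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            found.append(fields[1])
    return found


def dns_state(log_text, resolv_conf_text):
    """Classify whether the client actually applied the pushed resolvers."""
    pushed = pushed_dns(log_text)
    active = active_resolvers(resolv_conf_text)
    if not pushed:
        return "none-pushed"
    if not any(server in active for server in pushed):
        return "ignored"   # the pushed strings were received but never applied
    if all(server in pushed for server in active):
        return "applied"   # every configured resolver came from the push
    return "mixed"         # pushed and non-pushed resolvers side by side


if __name__ == "__main__":
    print(pushed_dns(SAMPLE_LOG), dns_state(SAMPLE_LOG, SAMPLE_RESOLV))
```

On hosts running systemd-resolved, `/etc/resolv.conf` usually lists only the local stub address, so pass in the per-link servers reported by `resolvectl status` instead.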

Re: block-outside-dns for linux

Post by TommyKL » Thu Nov 08, 2018 6:06 pm

Sorry but you are just trying to pick on me for no good reason whatsoever. Sorry that I am not as knowledgeable as you are. Maybe I will become more knowledgeable if you don’t insult me to the point where I never want to post on this site again.

I’m not interested in arguing or breaking down comments so that we can nit pick.

>In the server.conf I have
>push "dhcp-option DNS x.x.x.16"
>push "dhcp-option DNS x.x.x.15"
>#push "redirect-gateway def1 bypass-dhcp"

Your answer was that the config is pushing the DNS to the clients. Yet I also answered that by telling you that no, it’s not working that way.

>As mentioned, they are in fact using the local DNS servers (I tested this) which is why I am asking the question.
>I inherited the setup, don’t know much about it and this seemed odd to me when looking at it.

Pretty simple question. I’m not asking about DNS either, I’m asking very specifically about the configuration contents that I have read about but do not understand enough so thought I would ask here.

Re: block-outside-dns for linux

Post by TinCanTech » Thu Nov 08, 2018 11:25 pm


No, I am not .. but this post is meant to help avoid this sort of confusion.

I do not understand what your question is ..

But . I’ll give this a shot!

>In the server.conf I have
>push "dhcp-option DNS x.x.x.16"
>push "dhcp-option DNS x.x.x.15"
>#push "redirect-gateway def1 bypass-dhcp"

>Your answer was that the config is pushing the DNS to the clients.

>As mentioned, they are in fact using the local DNS servers (I tested this) which is why I am asking the question.

Openvpn looks odd to everybody when they first see it which is why you have to read the docs.

If you really get stuck then you can contact me : tincanteksup gmail

Following your second post, I said this:

Because everybody has to read the docs.

Being advised to read the docs is not childish ..

But calling other people names .. .. ..

Re: block-outside-dns for linux

Post by TinCanTech » Fri Nov 09, 2018 12:45 am

I believe you can request this entire thread be deleted — By Order of: GDPR

It is an option which you can exercise.

Re: block-outside-dns for linux

Post by TommyKL » Fri Nov 09, 2018 3:12 pm

Look, first, I appreciate any help that is offered in forums and fully understand that no one is being forced to respond.
Second, I’ve been around forums long enough to understand that you don’t bother posting unless you’ve already done some research, already tried to understand but need more help. I understand that many people come to forums expecting help without bothering to read docs and information.

However, I’ve said in this thread that I HAVE searched, I have read and that I am now at the point where I cannot help myself since I simply do not yet have that knowledge and so need help. Hence, this is why I posted the question so to immediately get a RTM really really sucks, especially from what appears to be an elder on this site no less.

If I asked the question it is because I have to ask a human being at this point, docs are not helping me, a person that doesn’t fully understand OVPN but certainly am trying to as I continue trying to solve some problems. I didn’t post all of the things that I have no idea about yet, only this which is confusing me.

You finally answered after telling me I’ve not asked a question yet or at least have not clearly defined it yet I’ve posted all that I know at this time and happy to post more if someone that actually cares to help another human being comes along asking me to supply more information.

So no, I’m not here to play games, I’m not here to get into flame wars or any other nonsense, I am here because there are some things I have not been able to solve on my own. You finally said ‘something is not configured right on the client’, great, there’s a lead now, something I can dig into it. Of course, since I don’t yet know openvpn yet, I’m not even sure where to start since that is a very broad statement.


I do have other questions, things I’ve been struggling with for weeks but now am nervous asking anything in these forums because I feel that I am now on your radar and each time I post, you’ll come back in this way, always telling me to read the manual, learn the software and generally wasting any thread I start.

I hope that will not be the case especially since I mentioned it but I have no idea since I am new here and my first experience was this.

You tell me, how the heck am I supposed to learn if you won’t bother helping people like myself who ARE trying to learn?


OpenVPN DNSLeak prevention (fighting DNS leaks)

Even though the OpenVPN server pushes the client a list of DNS servers to use, the OpenVPN client may still try to use the provider's DNS servers (or others configured on the system).

To minimize the risk of using DNS servers other than those set by the OpenVPN server, the following option is added to the client config:

You can check first, before enabling the option: open https://dnsleaktest.com. There is a high probability that you are still using your provider's DNS.

Now enable the option above and restart the client. You should see the difference.

For Windows 8 and 10

this is not quite the case (what did you expect?). In these operating systems Microsoft looks after its unreasonable users, who evidently do not want to use exactly the settings they configured 🙂 Specifically, Windows 8 and 10 send DNS queries over all available interfaces in the system and use the fastest answer, so the probability of unintentionally using your provider's DNS instead of the OpenVPN server's DNS is quite high. This point is described here (by ValdikSS).

Following the instructions, the problem (and possible solutions) can be tracked down like this:

Identify the connected interface of interest (the interface name in this example is in English; there was no Russian version at the time of writing):

> netsh interface show interface

Flush the DNS resolver cache:

Disable the DNS server on this interface:

> netsh interface IPv4 set dnsserver "Local Area Connection" static 0.0.0.0 both

Check the result (for example, at https://dnsleaktest.com).

After disconnecting, restore the DNS settings:

> netsh interface IPv4 set dnsserver "Local Area Connection" dhcp

Flush the resolver cache again:

At the very least, this lets you test where the problem lies and take appropriate measures.

As you can see, similar problems can occur with VPNs from other vendors as well. You can simply pay attention to this. Or you can ignore it 🙂
