How to push my own DNS server to OpenVPN?
I have defined an unbound DNS server on my VPS and it appears to work. I need to use the DNS server instead of public DNS servers because some ISPs have blocked public DNS IPs. My openvpn.conf file is:
```
dev tun
proto tcp
# Notice: here I set the listening port to be 80 to avoid possible port blockage
port 80
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
user nobody
group nogroup
server 10.8.0.0 255.255.255.0
persist-key
persist-tun
#status openvpn-status.log
#verb 3
client-to-client
push "redirect-gateway def1"
#pushing public DNS IPs
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.222.220"
comp-lzo
```
```
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.222.220"
```
```
push "dhcp-option DNS 11.22.33.44"
```
In openvpn.conf above. However, after restarting openvpn, I see that my client can still connect to the OpenVPN server but no pages can be rendered anymore. What can be wrong here? How can I solve this problem?
It’s an old question, but to test `push "dhcp-option DNS 11.22.33.44"` I’d try another Internet DNS server (e.g. Google’s 8.8.8.8) to determine if "dhcp-option DNS" is working. I suspect it will be, and you’ll need to debug (perhaps with tracert) how and why it isn’t working as a DNS server for you. Perhaps firewall?
4 Answers
On Windows 10 clients, you need to add the following directives to client.ovpn:
```
script-security 2
dhcp-option DNS 10.0.8.1
dhcp-option DOMAIN example.lan
```
No more directives are required for windows.
On Ubuntu 16.04 clients, you may need to add the following directives to client.ovpn:
```
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
```
The latest OpenVPN client versions for Windows do not recognize the option DOMAIN-SEARCH correctly, but work with DOMAIN.
I think you should use the VPN gateway IP (10.0.8.1), not the router’s local gateway IP address (192.168.1.1). That’s such a common router IP address that likely the untrusted network router they’re directly connected to will be at the 192.168.1.1 address.
You say that it «appears to work.» How did you verify this? Are you basing it on the fact that the server started without any errors, or did you actually perform some queries against it?
First thing I would do is use nslookup or dig to connect to the unbound server and perform some queries. I know dig is more in fashion these days but I know nslookup better.
```
$ nslookup
> server 11.22.33.44
Default server: 11.22.33.44
Address: 11.22.33.44#53
> set type=A
> www.google.com
Server:         11.22.33.44
Address:        11.22.33.44#53

Non-authoritative answer:
www.google.com  canonical name = www.l.google.com.
Name:   www.l.google.com
Address: 74.125.225.52
Name:   www.l.google.com
Address: 74.125.225.48
Name:   www.l.google.com
Address: 74.125.225.49
Name:   www.l.google.com
Address: 74.125.225.50
Name:   www.l.google.com
Address: 74.125.225.51
```
If this does not work then you have to look back at the DNS configuration again.
Is this a primary DNS server or a caching DNS server? Are you trying to query local resources or internet resources? Does it work as expected if you do not push your DNS server to the client?
If you pass all your traffic through your OpenVPN server, you should not need to worry about your ISP blocking public DNS servers any more, since as far as your ISP is concerned you are only generating traffic to your VPS; unless the VPS is behind the same ISP.
How to define DNS server in openvpn?
I set up an openvpn server with a static key (certificate mode is not usable due to DPI at the national gateway), but I cannot successfully change the DNS automatically after the connection. I searched over the Internet and SE, and everyone suggests using dhcp-option. I tried to add this line to client.ovpn:
```
--dhcp-option type [parm]
```
Set extended TAP-Win32 TCP/IP properties, must be used with --ip-win32 dynamic or --ip-win32 adaptive.
4 Answers
On a Linux system, you need to run an external script.
Scripts are found here, or for newer Linux versions here, and you can call them by adding this to the openvpn client configuration:
```
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
```
I’m no expert, but from reading the man page below your quote:
--dhcp-option type [parm]
[...]
Note that if --dhcp-option is pushed via --push to a non-windows client, the option will be saved in the client’s environment before the up script is called, under the name «foreign_option_».
and under foreign_option_ :
foreign_option_
An option pushed via --push to a client which does not natively support it, such as --dhcp-option on a non-Windows system, will be recorded to this environmental variable sequence prior to --up script execution.
So the command line openvpn client doesn’t automatically modify the DNS setup on your OSX machine after establishing the connection. But since the DNS options are saved to the client’s environment, you can specify a script to append the pushed servers to the system’s current DNS config with the --up option:
--up cmd
Run command cmd after successful TUN/TAP device open (pre --user UID change).
cmd consists of a path to script (or executable program), optionally followed by arguments. The path and arguments may be single- or double-quoted and/or escaped using a backslash, and should be separated by one or more spaces.
E.g. Tunnelblick also does this by utilizing this script.
Another solution might be a script that was posted to the openvpn mailing list at DNS for OS X clients — the Definitive Guide.
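As an added example (not the update-resolv-conf script linked in the answers above, nor OpenVPN's own code), here is a minimal POSIX sh `--up`/`--down` hook that does what the man page excerpt describes: it reads the pushed dhcp-option values that OpenVPN records in foreign_option_1, foreign_option_2, ... and turns them into resolv.conf lines. `script_type` is the variable OpenVPN sets to `up` or `down` when it calls the hook; `RESOLV_TARGET` is an assumed override so the hook can be exercised without touching /etc/resolv.conf.

```shell
#!/bin/sh
# Added example, not the page's update-resolv-conf script: an OpenVPN
# --up/--down hook that converts pushed dhcp-option values (stored by OpenVPN
# in foreign_option_1, foreign_option_2, ...) into resolv.conf directives.
# Assumptions: invoked by OpenVPN with "script-security 2"; script_type is the
# env var OpenVPN sets to "up"/"down"; RESOLV_TARGET is a hypothetical override
# used here so the hook can be tested without writing /etc/resolv.conf.

# Walk foreign_option_N until the first unset one; print resolv.conf lines.
build_resolv_conf() {
    i=1; nameservers=""; domains=""
    while :; do
        eval "opt=\${foreign_option_${i}:-}"
        [ -n "$opt" ] || break
        case "$opt" in
            "dhcp-option DNS "*)    nameservers="$nameservers ${opt#dhcp-option DNS }" ;;
            "dhcp-option DOMAIN "*) domains="$domains ${opt#dhcp-option DOMAIN }" ;;
        esac
        i=$((i + 1))
    done
    if [ -n "$domains" ]; then printf 'search%s\n' "$domains"; fi
    for ns in $nameservers; do printf 'nameserver %s\n' "$ns"; done
}

target="${RESOLV_TARGET:-/etc/resolv.conf}"
case "${script_type:-}" in
    up)
        conf=$(build_resolv_conf)
        # Only replace the resolver when the server actually pushed DNS options;
        # an empty resolv.conf would break name resolution instead of fixing it.
        if [ -n "$conf" ]; then
            cp "$target" "$target.ovpn-bak" 2>/dev/null || true
            printf '%s\n' "$conf" > "$target"
        fi ;;
    down)
        # Restore the pre-VPN resolver so queries do not keep going to the VPN DNS.
        if [ -f "$target.ovpn-bak" ]; then mv "$target.ovpn-bak" "$target"; fi ;;
esac
```

This writes a plain /etc/resolv.conf, so on a host running systemd-resolved (as in the third question below) it would be overwritten; there the update-systemd-resolved hook is the right tool.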
Default DNS Server not switched after connecting to OpenVPN
I’m using an OpenVPN connection between my laptop and my server. The configuration was working until today (I simply ran apt update && apt upgrade), but since then my DNS settings are «wrong» after connecting to the OpenVPN. After connecting to the OpenVPN server, I have two «catch all» DNS Domain entries (DNS Domain: ~.) in my systemd-resolve configuration. Stripped output of systemd-resolve --status:
```
Link 11 (tun0)
      Current Scopes: DNS
       LLMNR setting: yes
MulticastDNS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
         DNS Servers: 192.168.X.Y
          DNS Domain: ~.

Link 2 (enp0s25)
      Current Scopes: DNS
       LLMNR setting: yes
MulticastDNS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
         DNS Servers: 10.16.X.Y
                      10.16.X.Y
          DNS Domain: ~.
```
Therefore DNS queries now aren’t safely tunneled through the VPN but may also be transferred via the normal network. This leads to a DNS leak and, even worse, VPN-internal hostnames aren’t resolved correctly (every now and then). I only know of options to add the DNS Domain: ~. entry to the tun0 interface for resolved. But how do I remove an already existing one from the real interface? I’m already using this config to update systemd-resolved in my OpenVPN client.conf:
```
# Update systemd-resolved
up /etc/openvpn/update-systemd-resolved
down /etc/openvpn/update-systemd-resolved
down-pre
dhcp-option DOMAIN-ROUTE .
```
Anybody got an idea how to solve this? // Update: Looks like this is a long-known problem with NetworkManager starting to attach the root DNS Domain to links at random. There is an interesting discussion about it in a GitHub issue in the repo of the developer of the update-systemd-resolved script. // Probably this commit to NetworkManager broke it, since it introduced the default DNS route for all interfaces behavior.