How to push my own DNS server to OpenVPN?
I have defined an unbound DNS server on my VPS and it appears to work. I need to use the DNS server instead of public DNS servers because some ISPs have blocked public DNS IPs. My openvpn.conf file is:
dev tun
proto tcp
# Notice: here I set the listening port to be 80 to avoid possible port blockage
port 80
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
user nobody
group nogroup
server 10.8.0.0 255.255.255.0
persist-key
persist-tun
#status openvpn-status.log
#verb 3
client-to-client
push "redirect-gateway def1"
#pushing public DNS IPs
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.222.220"
comp-lzo
As it is suggested here, I tried to use my server's IP (say 11.22.33.44). So instead of
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.222.220"
I just put
push "dhcp-option DNS 11.22.33.44"
in openvpn.conf above. However, after restarting OpenVPN, I see that my client can still connect to the OpenVPN server but no pages can be rendered anymore.
What can be wrong here? How can I solve this problem?
On Windows 10 clients, you need to add the following directives to client.ovpn:
script-security 2
dhcp-option DNS 10.0.8.1
dhcp-option DOMAIN example.lan
No more directives are required for Windows.
On Ubuntu 16.04 clients, you may need to add the following directives to client.ovpn:
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
The latest OpenVPN client versions for Windows do not recognize the option DOMAIN-SEARCH correctly, and work with DOMAIN.
You say that "it appears to work." How did you verify this? Are you basing it on the fact that the server started without any errors, or did you actually perform some queries against it?
First thing I would do is use nslookup or dig to connect to the unbound server and perform some queries. I know dig is more in fashion these days but I know nslookup better.
$ nslookup
> server 11.22.33.44
Default server: 11.22.33.44
Address: 11.22.33.44#53
> set type=A
> www.google.com
Server: 11.22.33.44
Address: 11.22.33.44#53
Non-authoritative answer:
www.google.com canonical name = www.l.google.com.
Name: www.l.google.com
Address: 74.125.225.52
Name: www.l.google.com
Address: 74.125.225.48
Name: www.l.google.com
Address: 74.125.225.49
Name: www.l.google.com
Address: 74.125.225.50
Name: www.l.google.com
Address: 74.125.225.51
If this does not work then you have to look back at the DNS configuration again.
Is this a primary DNS server or a caching DNS server? Are you trying to query local resources or internet resources? Does it work as expected if you do not push your DNS server to the client?
If you pass all your traffic through your OpenVPN server you should not need to worry about your ISP blocking public DNS servers anymore since as far as your ISP is concerned you are only generating traffic to your VPS; unless the VPS is behind the same ISP.
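The check this answer recommends (query the unbound server directly, before blaming OpenVPN) can be scripted so it works on a bare client without nslookup or dig installed. The following is an added example, not code from the answer above: it builds a raw DNS A query, sends it over UDP to the resolver address you pass on the command line, and reports the RCODE and the answer records. The sample response bytes used to exercise the parser are constructed here; the server address and the name www.example.com are assumptions. A non-zero RCODE (for example 5, REFUSED) points at the resolver's own access policy or configuration rather than at the VPN.

```python
import socket
import struct

# DNS RCODE names, from RFC 1035; useful when the resolver answers but refuses.
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, qtype=1, txid=0x1234):
    """Build a minimal recursive-desired DNS query (default: A record)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags 0x0100 = RD
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def _read_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            offset += 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), end if end is not None else offset


def parse_response(msg, expected_txid=None):
    """Return (rcode, [(owner, 'A-address' | 'CNAME target'), ...]) from a response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction id mismatch: possible stray or spoofed reply")
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qd):               # skip the echoed question section
        _, offset = _read_name(msg, offset)
        offset += 4                   # qtype + qclass
    answers = []
    for _ in range(an):
        owner, offset = _read_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:
            answers.append((owner, socket.inet_ntoa(msg[offset:offset + 4])))
        elif rtype == 5:
            target, _ = _read_name(msg, offset)
            answers.append((owner, "CNAME " + target))
        offset += rdlen
    return rcode, answers


def query_a(server, name, timeout=3.0):
    """Send one A query to server:53 over UDP and parse the reply (needs network)."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(data, expected_txid=0x1234)


def constructed_response():
    """Constructed sample: a NOERROR reply mapping www.example.com to 192.0.2.10."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set
    question = build_query("www.example.com")[12:]
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton("192.0.2.10")
    return header + question + answer


if __name__ == "__main__":
    import sys
    # usage: python dnscheck.py <resolver-ip> <name>, e.g. 11.22.33.44 www.example.com
    rcode, answers = query_a(sys.argv[1], sys.argv[2])
    print(RCODE_NAMES.get(rcode, rcode), answers)
```

Run it once against the VPS public address and once, with the tunnel up, against the server's tunnel address (10.8.0.1 for the `server 10.8.0.0 255.255.255.0` line in the question); a timeout from one and an answer from the other tells you which interface unbound is actually listening on and which path the firewall allows.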
It turns out that if you are trying to connect from a non-Windows client, you need to do a couple of extra steps:
On Linux, put this line in your client configuration (client.conf or xxxx.ovpn file):
dhcp-option DNS 11.22.33.44
Call the OpenVPN client in this way:
$ openvpn --script-security 2 --config xxxx.ovpn
That worked for me.
Tested on Ubuntu 18.04 at 13 Sep 2018
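Both this answer and the earlier one rely on an `up` hook run with `script-security 2`: on Linux, OpenVPN does not apply a pushed `dhcp-option` itself but exposes each one to the hook as an environment variable `foreign_option_N`, and the hook (Ubuntu ships `/etc/openvpn/update-resolv-conf` for this) turns them into resolver settings. The following is an added example, not the Ubuntu script and not code from either answer: it converts those variables into resolv.conf lines, and it validates each pushed nameserver as an IP address because the hook runs as root on input chosen by the server. The environment dictionary used below is constructed.

```python
import ipaddress
import os
import sys


def resolv_conf_from_env(env):
    """Translate OpenVPN foreign_option_N variables into resolv.conf text.

    Recognised pushes: 'dhcp-option DNS <ip>', 'dhcp-option DOMAIN <name>' and
    'dhcp-option DOMAIN-SEARCH <name>'. Anything else is ignored.
    """
    nameservers, search = [], []
    n = 1
    while f"foreign_option_{n}" in env:
        parts = env[f"foreign_option_{n}"].split()
        n += 1
        if len(parts) != 3 or parts[0] != "dhcp-option":
            continue
        kind, value = parts[1].upper(), parts[2]
        if kind == "DNS":
            try:
                ipaddress.ip_address(value)   # reject anything that is not an address
            except ValueError:
                continue
            if value not in nameservers:
                nameservers.append(value)
        elif kind in ("DOMAIN", "DOMAIN-SEARCH"):
            if value not in search:
                search.append(value)
    lines = [f"nameserver {ns}" for ns in nameservers[:3]]  # glibc honours at most three
    if search:
        lines.append("search " + " ".join(search))
    return "".join(line + "\n" for line in lines)


if __name__ == "__main__":
    # Invoked by OpenVPN as:  up /path/to/this.py  (with script-security 2 in the config).
    # Writes nothing itself; redirect or pipe the output into your resolver tooling.
    sys.stdout.write(resolv_conf_from_env(os.environ))
```

Without a hook like this, the `dhcp-option DNS 11.22.33.44` line from the question is parsed by the client but never applied, which is exactly the "connected but no pages render" symptom.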
There are other useful commands to set up what you need via the command line. But in my case you can control your VPN connection both with the command line and the GUI.
sudo nmcli connection add type vpn vpn-type openvpn con-name la.vpn.contoso.com ifname --
ifname -- is required by default, but does not affect anything.
sudo nmcli connection modify la.vpn.contoso.com ipv4.dns 172.16.27.1
sudo nmcli connection modify la.vpn.contoso.com ipv4.dns-search int.contoso.com
sudo nmcli connection modify la.vpn.contoso.com ipv4.never-default yes
never-default means the remote gateway should not be used as the default route.
And a much more interesting final touch:
nmcli connection modify la.vpn.contoso.com vpn.data 'ca = /tmp/la.vpn.contoso.com/you/ca.crt, key = /tmp/you.key, dev = tun, cert = /tmp/you.crt, cert-pass-flags = 1, comp-lzo = adaptive, remote = la.vpn.contoso.com:1194, connection-type = tls'
Afterwards you can control the VPN with the GUI or use the following commands:
sudo nmcli --ask connection up la.vpn.contoso.com
sudo nmcli connection down la.vpn.contoso.com