How to push my own DNS server to OpenVPN?

openvpn dns-server

I have defined an unbound DNS server on my VPS and it appears to work. I need to use the DNS server instead of public DNS servers because some ISPs have blocked public DNS IPs. My openvpn.conf file is:

    dev tun
    proto tcp

    # Notice: here I set the listening port to be 80 to avoid possible port blockage
    port 80

    ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
    cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
    key /etc/openvpn/easy-rsa/2.0/keys/server.key
    dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem

    user nobody
    group nogroup
    server 10.8.0.0 255.255.255.0

    persist-key
    persist-tun

    #status openvpn-status.log
    #verb 3
    client-to-client

    push "redirect-gateway def1"

    #pushing public DNS IPs

    push "dhcp-option DNS 208.67.222.222"
    push "dhcp-option DNS 208.67.222.220"

    comp-lzo

As it is suggested here, I tried to use my server's IPs (say 11.22.33.44). So instead of 

    push "dhcp-option DNS 208.67.222.222"
    push "dhcp-option DNS 208.67.222.220"

I just put 

push "dhcp-option DNS 11.22.33.44"

In openvpn.conf above. However, after restarting openvpn, I see that my client can still connect to the OpenVPN server but no pages can be rendered anymore.

What can be wrong here? How can I solve this problem?


On Windows 10 clients, you need add the following directives to client.ovpn:

script-security 2                                                                                                       
dhcp-option DNS 10.0.8.1                                                                                           
dhcp-option DOMAIN example.lan

No more directives are required for windows.

On Ubuntu 16.04 clients, you may need add following directives to client.ovpn:

up /etc/openvpn/update-resolv-conf                                                                                      
down /etc/openvpn/update-resolv-conf

The latest OpenVPN client versions for Windows do not recognize option DOMAIN-SEARCH correctly, and work with DOMAIN.


You say that the "it appears to work." How did you verify this? Are you basing it on the fact the server started without any errors or did you actually perform some queries against it?

First thing I would do is use nslookup or dig to connect to the unbound server and perform some queries. I know dig is more in fashion these days but I know nslookup better. 


$ nslookup
> server 11.22.33.44
Default server: 11.22.33.44
Address: 11.22.33.44#53
> set type=A
> www.google.com
Server:     11.22.33.44
Address:    11.22.33.44#53

Non-authoritative answer:
www.google.com  canonical name = www.l.google.com.
Name:   www.l.google.com
Address: 74.125.225.52
Name:   www.l.google.com
Address: 74.125.225.48
Name:   www.l.google.com
Address: 74.125.225.49
Name:   www.l.google.com
Address: 74.125.225.50
Name:   www.l.google.com
Address: 74.125.225.51

If this does not work then you have to look back at the DNS configuration again.

Is this a primary DNS server or a caching DNS server? Are you trying to query local resources or internet resources? Does it work as expected if you do not push your DNS server to the client?

If you pass all your traffic through your OpenVPN server you should not need to worry about your ISP blocking public DNS servers anymore since as far as your ISP is concerned you are only generating traffic to your VPS; unless the VPS is behind the same ISP.


It turns out that if you are trying to connect from a non-Windows client, you need to do a couple of extra steps:

On Linux

Put this line on your client configuration (client.conf or xxxx.ovpnfile)

dhcp-option DNS 11.22.33.44

Call the OpenVPN client in this way:

$ openvpn --script-security 2 --config xxxx.ovpn

That worked for me.


Tested on Ubuntu 18.04 at 13 Sep 2018

There is another useful commands to setup what you need via command line. But in my case you can control your VPN connection both with command line and GUI.

sudo nmcli connection add type vpn vpn-type openvpn con-name la.vpn.contoso.com ifname --

ifname -- is the required by default, but does not affect anything

sudo nmcli connection modify la.vpn.contoso.com ipv4.dns 172.16.27.1 sudo nmcli connection modify la.vpn.contoso.com ipv4.dns-search int.contoso.com sudo nmcli connection modify la.vpn.contoso.com ipv4.never-default yes

never-default should not use remote gateway as default route

And much more interested final touch:

nmcli connection modify la.vpn.contoso.com vpn.data 'ca = /tmp/la.vpn.contoso.com/you/ca.crt, key = /tmp/you.key, dev = tun, cert = /tmp/you.crt, cert-pass-flags = 1, comp-lzo = adaptive, remote = la.vpn.contoso.com:1194, connection-type = tls'

Afterwards you can control vpn with GUI or use following commands:

sudo nmcli --ask connection up la.vpn.contoso.com sudo nmcli connection down la.vpn.contoso.com

Related

Key Things to look for in a Data Center
What does SMART testing do and how does it work?
Difference between 2Rx4 vs 2Rx8 RAM
What is a typical method to scale out a software load balancer?
Can't log in via SSH to any accounts using /bin/bash shell on Synology NAS
What does a DNS request look like?
How can I save the counters’ setup in windows performance monitor
How beneficial are self-healing filesystems for general usage?
Is there a security risk to disclosing your SSH known_hosts file?
Where does Amazon publish the range of IP addresses used for EC2 instances by region?
How to enable TLS 1.1, 1.2 in IIS 7.5
How to fix corrupted opencl.dll in Windows 10, if SFC and DISM are failing?