Allow OpenVPN client to push its own DNS servers, regardless of OpenVPN server's pushed DNS?

Solution 1:

As of 2017 (OpenVPN 2.4) this is now possible. Add this line to your client config file:

pull-filter ignore "dhcp-option DNS"

and it will ignore all pushed config lines that start with the quoted text.

Options are matched top-down, so the first match is used. You can use this to allow some routes and reject others, if it suits your needs.

The three action keywords are accept, ignore, and reject. I have not discovered a use case for reject.
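
The top-down, first-match rule above is easy to get wrong when you combine accept and ignore lines. The following is an added example (my code, not from this answer or from the OpenVPN project) that simulates how OpenVPN 2.4 evaluates pull-filter lines against a constructed list of pushed options, so you can see the effect of ordering before editing a real client config. The pushed options, the 10.8.0.1 resolver and the exception used to model reject are my assumptions.

```python
"""Simulate OpenVPN 2.4 ``pull-filter`` evaluation.

Added example, not code from the answer or from the OpenVPN project.
Semantics follow the manual: each pushed option is compared, top-down,
against the filter texts as string prefixes; the first match decides
(accept / ignore / reject) and an option matching no filter is accepted.
A ``reject`` match is fatal for the whole push (OpenVPN restarts the
connection); it is modelled here as an exception.
"""

from typing import Iterable, List, Tuple

ACTIONS = ("accept", "ignore", "reject")


class PushRejected(Exception):
    """A pushed option matched a ``reject`` filter; OpenVPN would restart."""


def parse_pull_filters(client_config: str) -> List[Tuple[str, str]]:
    """Return (action, prefix) pairs from ``pull-filter`` lines, in file order."""
    filters: List[Tuple[str, str]] = []
    for raw in client_config.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # OpenVPN comment lines
            continue
        parts = line.split(None, 2)          # keyword, action, quoted text
        if parts[0] != "pull-filter":
            continue
        if len(parts) != 3 or parts[1] not in ACTIONS:
            raise ValueError(f"malformed pull-filter line: {raw!r}")
        filters.append((parts[1], parts[2].strip().strip('"')))
    return filters


def apply_pull_filters(filters: Iterable[Tuple[str, str]],
                       pushed: Iterable[str]) -> List[str]:
    """Return the pushed options the client will actually apply."""
    filters = list(filters)
    kept: List[str] = []
    for option in pushed:
        action = "accept"                    # default when nothing matches
        for act, prefix in filters:          # top-down, first match wins
            if option.startswith(prefix):
                action = act
                break
        if action == "reject":
            raise PushRejected(option)
        if action == "accept":
            kept.append(option)
    return kept


# Constructed sample of what a server might push (assumption, not from the page).
PUSHED = [
    "route 10.8.0.0 255.255.255.0",
    "dhcp-option DNS 10.8.0.1",
    "dhcp-option DNS 8.8.8.8",
    "redirect-gateway def1",
]

# The answer's one-liner: drop every pushed DNS server, keep everything else.
IGNORE_ALL_DNS = 'pull-filter ignore "dhcp-option DNS"\n'

# Order matters: accept the VPN's own resolver first, then ignore the rest.
KEEP_VPN_RESOLVER = (
    'pull-filter accept "dhcp-option DNS 10.8.0.1"\n'
    'pull-filter ignore "dhcp-option DNS"\n'
)

# Same two lines reversed: the broad ignore matches first, the accept never fires.
WRONG_ORDER = (
    'pull-filter ignore "dhcp-option DNS"\n'
    'pull-filter accept "dhcp-option DNS 10.8.0.1"\n'
)

if __name__ == "__main__":
    for name, cfg in [("ignore all DNS", IGNORE_ALL_DNS),
                      ("keep VPN resolver", KEEP_VPN_RESOLVER),
                      ("wrong order", WRONG_ORDER)]:
        print(f"{name}: {apply_pull_filters(parse_pull_filters(cfg), PUSHED)}")
```

Running it shows that KEEP_VPN_RESOLVER retains only the 10.8.0.1 resolver while WRONG_ORDER drops both DNS servers, which is the ordering pitfall the answer warns about.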

Solution 2:

In the official OpenVPN documentation you can find:

[...]
--route-nopull
  When used with --client or --pull, accept options pushed by server EXCEPT for routes and 
  dhcp options like DNS servers.
  When used on the client, this option effectively bars the server from adding routes to the 
  client's routing table, however note that this option still allows the server to set the 
  TCP/IP properties of the client's TUN/TAP interface.
[...]

Unfortunately, in addition to what you're asking, this has the side effect of also disabling the redirect-gateway provided by your configuration, and this can represent an issue for your case.

What I suggest is a completely different approach.

As you explicitly mentioned: "My goal is to automatically apply a default DNS server to not-technically-skilled users, while also allow skilled computer users to set their own DNS servers." it looks like you know exactly which users you want to provide a DNS config to and which users you don't.

Hence, instead of pushing your config directly in the main OpenVPN config file (...and, as such, providing such config to ALL of your users), you can implement a per-user config. You can do this with:

--client-config-dir dir
  Specify a directory dir for custom client config files. After a connecting client 
  has been authenticated, OpenVPN will look in this directory for a file having the 
  same name as the client's X509 common name. If a matching file exists, it will be
  opened and parsed for client-specific configuration options. If no matching file is
  found, OpenVPN will instead try to open and parse a default file called "DEFAULT", 
  which may be provided but is not required. Note that the configuration files must 
  be readable by the OpenVPN process after it has dropped its root privileges.
  This file can specify a fixed IP address for a given client using --ifconfig-push, as 
  well as fixed subnets owned by the client using --iroute.
  One of the useful properties of this option is that it allows client configuration 
  files to be conveniently created, edited, or removed while the server is live, without 
  needing to restart the server.
  The following options are legal in a client-specific context: --push, --push-reset, 
  --iroute, --ifconfig-push, and --config.

So, as for the main config, you should remove:

  [**** to be removed from the main config***]
  push "dhcp-option DNS 8.8.8.8"
  push "dhcp-option DNS 8.8.4.4"

and add a reference to the /etc/openvpn/userconf directory (as an example; feel free to choose whatever you like):

  [**** to be ADDED to the main config***]
  client-config-dir /etc/openvpn/userconf

Then, in that userconf directory, create one file for each of the users you want to provide such DNS to, including in that file the two rows deleted above.

Obviously you're free to fine-tune the OpenVPN config for every user, not limiting the customization to the two rows above.

As a final note, you may be interested in the ccd-exclusive parameter as well.
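
The steps above (remove the global push lines, add client-config-dir, create one file per common name, optionally DEFAULT and ccd-exclusive) are mechanical enough to script, and the documentation's note about readability after the privilege drop is the part that is easiest to forget. The following is an added example (my code, not from this answer or from the OpenVPN project) that builds such a directory tree and checks the permission bits. The directory path, user names, the 10.8.0.1 resolver, the CN character set and the assumption that the server runs as an unprivileged account such as nobody are mine; the 8.8.8.8 / 8.8.4.4 values are the ones the answer removes from the main config.

```python
"""Build an OpenVPN ``client-config-dir`` tree that pushes DNS only to chosen users.

Added example, not code from the answer or from the OpenVPN project.
Assumptions (mine, not the page's): the directory path and user names are
placeholders, and the server drops to an unprivileged account after
start-up, so every file here must be readable by that account.
"""

import re
import stat
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Optional

# Conservative character set for common names used as file names (my assumption);
# it rejects '/', '..', spaces and similar before they become a path component.
CN_PATTERN = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._@-]*$")


def render_ccd(dns_servers: Iterable[str], extra: Iterable[str] = ()) -> str:
    """Render one client-specific file: the push lines removed from server.conf."""
    lines = [f'push "dhcp-option DNS {ip}"' for ip in dns_servers]
    lines.extend(extra)                          # e.g. ifconfig-push, iroute
    return "\n".join(lines) + "\n" if lines else ""


def write_ccd_tree(ccd_dir: str, users: Dict[str, Iterable[str]],
                   default: Optional[Iterable[str]] = None) -> Dict[str, Path]:
    """Write <ccd_dir>/<CN> for every user and, if given, <ccd_dir>/DEFAULT."""
    root = Path(ccd_dir)
    root.mkdir(parents=True, exist_ok=True)
    root.chmod(0o755)                            # searchable after privilege drop
    written: Dict[str, Path] = {}
    for cn, dns in users.items():
        if not CN_PATTERN.match(cn):
            raise ValueError(f"refusing CN as file name: {cn!r}")
        path = root / cn
        path.write_text(render_ccd(dns))
        path.chmod(0o644)                        # world-readable, root-writable
        written[cn] = path
    if default is not None:
        path = root / "DEFAULT"                  # used when no CN file matches
        path.write_text(render_ccd(default))
        path.chmod(0o644)
        written["DEFAULT"] = path
    return written


def readable_after_privdrop(path: Path) -> bool:
    """True if an unrelated unprivileged account can open the file:
    o+r on the file and o+x on its directory."""
    file_mode = path.stat().st_mode
    dir_mode = path.parent.stat().st_mode
    return bool(file_mode & stat.S_IROTH) and bool(dir_mode & stat.S_IXOTH)


def server_conf_lines(ccd_dir: str, exclusive: bool = False) -> List[str]:
    """Lines to add to the main server config in place of the global push lines."""
    lines = [f"client-config-dir {ccd_dir}"]
    if exclusive:
        lines.append("ccd-exclusive")           # clients without a CN file are refused
    return lines


if __name__ == "__main__":
    # Stand-in for /etc/openvpn/userconf so the demo runs without root.
    demo_dir = tempfile.mkdtemp(prefix="ccd-")
    files = write_ccd_tree(
        demo_dir,
        {"alice": ["8.8.8.8", "8.8.4.4"],        # gets the default resolvers
         "bob": ["10.8.0.1"]},                   # gets the VPN's own resolver
        default=[],                              # everyone else: no DNS pushed
    )
    for cn, path in files.items():
        print(f"{cn}: readable={readable_after_privdrop(path)}\n{path.read_text()}")
    print("\n".join(server_conf_lines(demo_dir, exclusive=True)))
```

The empty DEFAULT file is what lets skilled users connect and keep their own resolver: they match no CN file, OpenVPN falls back to DEFAULT, and nothing is pushed. With ccd-exclusive added instead, a client whose common name has no file is refused outright, which is the stricter variant the answer's final note points at.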

Solution 3:

My problem wasn't exactly the same, but the symptoms were similar enough for this question to appear in search results, so in case anyone else winds up here for the same reason:

I'm using Tunnelblick, an OpenVPN GUI for Mac OS. My OpenVPN server was not set to push any DHCP or DNS options, but the client was still using the DNS server over VPN, instead of the local, non-VPN DNS server that I wanted it to use.

The solution was to go into Tunnelblick's Configurations → Settings tab and change Set DNS/WINS to Do not set nameserver.