Allow OpenVPN client to push its own DNS servers, regardless of OpenVPN server's pushed DNS?


Solution 1

As of 2017 (OpenVPN 2.4) this is now possible. Add this line to your client config file:

pull-filter ignore "dhcp-option DNS"

and it will ignore all pushed config lines that start with the quoted text.

Options are matched top-down, so the first match is used. You can use this to allow some routes and reject others, if it suits your needs.

The three action keywords are accept, ignore, and reject. I have not discovered a use case for reject.
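To make the top-down matching concrete, here is a small model of the client-side pull-filter logic, added as an example (not code from OpenVPN itself). It assumes OpenVPN's documented behaviour that the first matching filter wins, that an option matching no filter is accepted, and that a `reject` match is fatal for the connection; the sample pushed options are the ones from the server config in the question.

```python
"""Model of OpenVPN 2.4's --pull-filter processing (added example, not OpenVPN code)."""


class PushRejected(Exception):
    """A pushed option hit a 'reject' filter; OpenVPN treats this as a fatal error."""


def parse_pull_filters(client_config):
    """Extract (action, prefix) pairs from 'pull-filter ACTION "TEXT"' lines, in file order."""
    filters = []
    for raw in client_config.splitlines():
        line = raw.strip()
        if not line.startswith("pull-filter"):
            continue
        parts = line.split(None, 2)  # keyword, action, quoted prefix text
        if len(parts) != 3 or parts[1] not in ("accept", "ignore", "reject"):
            raise ValueError(f"malformed pull-filter line: {raw!r}")
        filters.append((parts[1], parts[2].strip('"')))
    return filters


def apply_pull_filters(filters, pushed):
    """Return the pushed options the client keeps.

    Filters are tried top-down and the first whose prefix matches decides;
    an option that matches no filter is accepted (OpenVPN's default).
    """
    kept = []
    for option in pushed:
        action = "accept"
        for act, prefix in filters:
            if option.startswith(prefix):
                action = act
                break
        if action == "reject":
            raise PushRejected(option)
        if action == "accept":
            kept.append(option)
    return kept


# Constructed input: what the server in the question pushes (redirect-gateway plus two DNS lines).
SERVER_PUSH = [
    "redirect-gateway def1 bypass-dhcp",
    "dhcp-option DNS 8.8.8.8",
    "dhcp-option DNS 8.8.4.4",
]


def demo(client_config='client\npull-filter ignore "dhcp-option DNS"\n'):
    """Apply a skilled user's client config to the server's pushes.
    Unlike --route-nopull, the redirect-gateway line survives; only DNS is dropped."""
    return apply_pull_filters(parse_pull_filters(client_config), SERVER_PUSH)
```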

Solution 2

In the official OpenVPN documentation you can find:

[...]
--route-nopull
  When used with --client or --pull, accept options pushed by server EXCEPT for routes and 
  dhcp options like DNS servers.
  When used on the client, this option effectively bars the server from adding routes to the 
  client's routing table, however note that this option still allows the server to set the 
  TCP/IP properties of the client's TUN/TAP interface.
[...]

Unfortunately, in addition to what you're asking, this has the side effect of also disabling the redirect-gateway provided by your configuration, and this can be an issue in your case.

What I suggest is a completely different approach.

As you explicitly mentioned: "My goal is to automatically apply a default DNS server to not-technically-skilled users, while also allowing skilled computer users to set their own DNS servers." it looks like you know exactly which users you want to provide a DNS config to and which users you don't want to provide such config to.

Hence, instead of pushing your config directly in the main OpenVPN config file (...and, as such, providing such config to ALL of your users), you can implement a per-user config. You can do this with:

--client-config-dir dir
  Specify a directory dir for custom client config files. After a connecting client 
  has been authenticated, OpenVPN will look in this directory for a file having the 
  same name as the client's X509 common name. If a matching file exists, it will be
  opened and parsed for client-specific configuration options. If no matching file is
  found, OpenVPN will instead try to open and parse a default file called "DEFAULT", 
  which may be provided but is not required. Note that the configuration files must 
  be readable by the OpenVPN process after it has dropped its root privileges.
  This file can specify a fixed IP address for a given client using --ifconfig-push, as 
  well as fixed subnets owned by the client using --iroute.
  One of the useful properties of this option is that it allows client configuration 
  files to be conveniently created, edited, or removed while the server is live, without 
  needing to restart the server.
  The following options are legal in a client-specific context: --push, --push-reset, 
  --iroute, --ifconfig-push, and --config.

So, as for the main config, you should remove:

  [**** to be removed from the main config***]
  push "dhcp-option DNS 8.8.8.8"
  push "dhcp-option DNS 8.8.4.4"

and add a reference to the /etc/openvpn/userconf directory (as an example; feel free to choose whatever you like):

  [**** to be ADDED to the main config***]
  client-config-dir /etc/openvpn/userconf

Then, in that userconf directory, create one file for each of the users you want to provide such DNS to, including in that file the two rows deleted above.

Obviously you're free to fine-tune the openvpn config for every user, not limiting the customization to the two rows above.

As a final note, you may be interested in the ccd-exclusive parameter as well.
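To show who ends up with the DNS push under this per-user scheme, here is a model of the client-config-dir lookup as the documentation above describes it, added as an example (not OpenVPN's own code). It assumes the server's `username-as-common-name` (so the file name is the login name), that the OpenVPN process runs as uid 65534 / gid 100 after dropping root (the usual Debian ids for `nobody` and `users`, an assumption), and that the ccd directory is constructed in a temporary location rather than /etc/openvpn/userconf.

```python
"""Model of the --client-config-dir lookup (added example, not OpenVPN code)."""
import stat
import tempfile
from pathlib import Path


def readable_after_privdrop(path, uid, gid):
    """Can a process running as uid/gid read this file? Root's access is
    irrelevant: OpenVPN parses ccd files after it has dropped privileges."""
    st = path.stat()
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid == gid:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def resolve_client_config(ccd_dir, common_name, uid, gid):
    """Return the option lines applied to this client: the file named after
    the X509 common name (the login name, given username-as-common-name),
    else DEFAULT if present, else nothing."""
    # The CN becomes a file name, so refuse anything that could escape ccd_dir.
    if not common_name or Path(common_name).name != common_name or common_name in (".", ".."):
        raise ValueError(f"unsafe common name: {common_name!r}")
    for candidate in (ccd_dir / common_name, ccd_dir / "DEFAULT"):
        if candidate.is_file():
            if not readable_after_privdrop(candidate, uid, gid):
                raise PermissionError(f"{candidate} is unreadable after the privilege drop")
            return [ln.strip() for ln in candidate.read_text().splitlines()
                    if ln.strip() and not ln.lstrip().startswith("#")]
    return []


def demo(uid=65534, gid=100):
    """Constructed ccd directory: 'novice' gets the two DNS rows, 'expert' has no file
    and no DEFAULT exists, so the expert keeps whatever DNS they set locally."""
    ccd = Path(tempfile.mkdtemp())
    novice = ccd / "novice"
    novice.write_text('push "dhcp-option DNS 8.8.8.8"\npush "dhcp-option DNS 8.8.4.4"\n')
    novice.chmod(0o644)  # world-readable, so the unprivileged server process can parse it
    return {name: resolve_client_config(ccd, name, uid, gid) for name in ("novice", "expert")}
```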

Solution 3

My problem wasn't exactly the same, but the symptoms were similar enough for this question to appear in search results, so in case anyone else winds up here for the same reason:

I'm using Tunnelblick, an OpenVPN GUI for Mac OS. My OpenVPN server was not set to push any DHCP or DNS options, but the client was still using the DNS server over VPN, instead of the local, non-VPN DNS server that I wanted it to use.

The solution was to go into Tunnelblick's Configurations → Settings tab and change Set DNS/WINS to Do not set nameserver.

Author: Dimi

Updated on September 18, 2022

Comments

  • Dimi almost 2 years

    There is an OpenVPN server running on Debian and it pushes a DNS server in the server config file:

    push "dhcp-option DNS 8.8.8.8"

    Is there an option to allow the users to change that DNS servers on the client side?

    Here is the catch: the OpenVPN server must push a DNS server, because otherwise many OpenVPN clients will not be able to open web pages until they manually set DNS servers in the system's network settings.

    My goal is to automatically apply a default DNS server to not-technically-skilled users, while also allowing skilled computer users to set their own DNS servers.

    Note that simply changing DNS settings on the PC while the 'push "dhcp-option DNS 8.8.8.8"' option is active on the openvpn server, does nothing. The DNS pushed by the server remains regardless of the local DNS settings.

    Any ideas?

    OpenVPN server config:

    # cat /etc/openvpn/openvpn.conf
    server 10.186.35.0 255.255.255.0
    port 1194
    proto udp
    dev tun
    ca ca.crt
    cert server.crt
    key server.key
    dh dh1024.pem
    ifconfig-pool-persist ipp.txt
    #push "route 0.0.0.0 0.0.0.0"
    #push "redirect-gateway"
    push "redirect-gateway def1 bypass-dhcp"
    push "dhcp-option DNS 8.8.8.8"
    push "dhcp-option DNS 8.8.4.4"
    keepalive 10 120
    comp-lzo
    user nobody
    group users
    persist-key
    persist-tun
    status openvpn-status.log
    verb 3
    script-security 3
    auth-user-pass-verify /etc/openvpn/auth-chap via-env
    client-cert-not-required
    duplicate-cn
    management 127.0.0.1 5119
    script-security 3 system
    username-as-common-name
    client-connect /etc/openvpn/scripts/clientconnect.sh
    client-disconnect /etc/openvpn/scripts/clientdisconnect.sh
    log-append /var/log/openvpn.log
    log /var/log/openvpn.log
    

    UPDATE: The clients operating systems are Windows and Mac

    • Andrew B
      Andrew B over 9 years
      You haven't specified the primary operating system of your DHCP clients, so all we can really say is "yes, overriding DHCP supplied DNS servers is usually pretty trivial". What were you experiencing that suggested that this wasn't the case?
  • Dimi
    Dimi over 9 years
    Thanks for the effort Damiano, but I'm afraid the correct answer is that the TAP adapter's DNS server should be changed, as changing the Internet connection's IPv4 properties to custom DNS servers does not help when connected to an OpenVPN server that pushes DNS servers. This way it's not required to remove anything from server configs, but simply to edit the IPv4 properties of the Windows machine's TAP adapters.
  • 0xC0000022L
    0xC0000022L about 7 years
    @Dimi: actually that solution is much more limited than you make it appear. Since different VPN connections use different DNS servers and the order of establishing the links will determine which TAP adapter gets used, I cannot possibly preconfigure the TAP adapters to use a specific set of DNS, as the DNSs I am configuring may not even apply to the connection that is established using that particular TAP adapter. In short, your workaround works only iff there is but a single VPN connection always established through the same TAP adapter.