Setting DNS servers using OpenVPN client config file
Solution 1
You can use a batch script to do this, something like the following. It assumes your home DNS servers are 1.1.1.1 and 2.2.2.2 and your VPN DNS servers are 8.8.8.8 and 9.9.9.9:
vpn-connect.bat:
netsh interface ip set dns "Local Area Connection" static 8.8.8.8
netsh interface ip add dns "Local Area Connection" 9.9.9.9
vpn-disconnect.bat
netsh interface ip set dns "Local Area Connection" static 1.1.1.1
netsh interface ip add dns "Local Area Connection" 2.2.2.2
I was going to include in these scripts methods of connecting and disconnecting, however I do not see an option in OpenVPN to disconnect via command line. If you wish to automate connection, this should work:
"C:\Program Files\bin\openvpn.exe" "C:\Program Files\conf\client.ovpn"
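The batch scripts above hard-code the home resolvers, so they only "revert" correctly on the one machine they were written for. The following PowerShell script is an added example (not code from the original answer): it records the adapter's pre-VPN DNS state before switching to the VPN resolvers and restores exactly that state afterwards, including the DHCP-assigned case, which the registry distinguishes by an empty `NameServer` value. The interface alias, VPN resolver addresses and state-file path are assumed values; the DnsClient and NetAdapter cmdlets it uses require Windows 8 / Server 2012 or later and an elevated prompt.

```powershell
# vpn-dns.ps1 -- added example, not code from the original answer.
# Usage: powershell -ExecutionPolicy Bypass -File vpn-dns.ps1 up
#        powershell -ExecutionPolicy Bypass -File vpn-dns.ps1 down
# Assumes the DnsClient/NetAdapter cmdlets (Windows 8 / Server 2012 or later) and an
# elevated prompt. Interface alias, VPN DNS servers and state-file path are assumed values.
param(
    [Parameter(Mandatory = $true)][ValidateSet('up', 'down')][string]$Action,
    [string]$InterfaceAlias = 'Local Area Connection',      # as in the answer; check Get-NetAdapter
    [string[]]$VpnDns = @('8.8.8.8', '9.9.9.9'),            # VPN resolvers from the answer
    [string]$StateFile = "$env:ProgramData\vpn-dns-state.json"
)

$ErrorActionPreference = 'Stop'

# Statically configured resolvers live in the adapter's NameServer registry value; when that
# value is empty the resolvers came from DHCP, so "revert" must mean "go back to DHCP".
function Get-DnsState {
    param([string]$Alias)
    $guid  = (Get-NetAdapter -Name $Alias).InterfaceGuid
    $ifKey = "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\$guid"
    $static = (Get-ItemProperty -Path $ifKey -Name NameServer -ErrorAction SilentlyContinue).NameServer
    [pscustomobject]@{
        InterfaceAlias = $Alias
        FromDhcp       = [string]::IsNullOrWhiteSpace($static)
        Servers        = @((Get-DnsClientServerAddress -InterfaceAlias $Alias -AddressFamily IPv4).ServerAddresses)
    }
}

switch ($Action) {
    'up' {
        if (Test-Path $StateFile) {
            # An "up" without a matching "down" would overwrite the real pre-VPN settings
            # with the VPN settings; refuse rather than lose them.
            throw "State file $StateFile exists; run 'down' first."
        }
        Get-DnsState -Alias $InterfaceAlias | ConvertTo-Json | Set-Content -Path $StateFile
        Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses $VpnDns
        Clear-DnsClientCache   # drop answers already obtained from the home resolver
        Write-Host "DNS on '$InterfaceAlias' set to $($VpnDns -join ', ')"
    }
    'down' {
        if (-not (Test-Path $StateFile)) { throw "No state file found; nothing to restore." }
        $saved = Get-Content -Path $StateFile -Raw | ConvertFrom-Json
        if ($saved.FromDhcp) {
            # Adapter was on DHCP-provided DNS before: hand it back to DHCP, not to a fixed list
            Set-DnsClientServerAddress -InterfaceAlias $saved.InterfaceAlias -ResetServerAddresses
        } else {
            Set-DnsClientServerAddress -InterfaceAlias $saved.InterfaceAlias -ServerAddresses @($saved.Servers)
        }
        Remove-Item -Path $StateFile
        Clear-DnsClientCache
        Write-Host "DNS on '$($saved.InterfaceAlias)' restored"
    }
}
```

It can be called from the answer's vpn-connect.bat / vpn-disconnect.bat, or hooked into OpenVPN's own `up` and `down` script directives (which require `script-security 2` in the client config); the exact quoting of the `powershell.exe` command line in an `.ovpn` file is left to the reader's OpenVPN version. Clearing the resolver cache on both transitions matters because a cached answer from the home resolver would otherwise keep being served after the VPN is up.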
Solution 2
You can add the following to the client config file.
dhcp-option DNS <dns_server_ip_address>
On the server side it would have been:
push "dhcp-option DNS <dns_server_ip_address>"
It seems it's using dhcp-option on both sides. You can do the same with route.
Solution 3
In addition to either of the two below:
dhcp-option DNS <dns_server_ip_address> (add to client config)
or
push "dhcp-option DNS <dns_server_ip_address>" (add to server config)
Add these to the client config as well, to force Windows to use the configured DNS:
register-dns
block-outside-dns
The first forces Windows to prefer the configured DNS server over any other it may have received from DHCP. The second prevents DNS leakage to any DNS server other than the configured one.
Solution 4
Apparently there is a problem with a faulty binding order in Windows, at least including Windows 2000/XP/7. This will cause Windows OpenVPN clients to use the default network adapter's DNS settings rather than the VPN adapter's settings.
To fix this you need to place your VPN TUN or TAP device above your local network adapter in the bind order:
- Identify your VPN device by looking at the output from ipconfig. For me this was "Local Area Connection 2". Remember your IP address for this adapter.
- Open regedit.exe and find the key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces which matches your VPN adapter's IP address. Remember the GUID for this adapter.
- Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Linkage and double click on Bind. This will contain a list of GUIDs for the adapters. Cut and paste the line corresponding to your VPN device's GUID to the top of the list and save the list.
This will cause the DNS entries for your VPN device to be used (and only while the VPN connection is active). You can set them according to the answer by @brunoqc. While you're at it, you should probably also add the openvpn option block-outside-dns, to ensure that DNS queries are not leaking.
This answer is based upon this very useful blog post.
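The three manual steps of this answer (find the VPN adapter's GUID, read the Bind list, move the VPN entry to the top) can be done in one script. The following is an added example, not code from the answer or the blog post it cites: by default it only prints the current and proposed order; with `-Apply` it saves the original list to a backup file and writes the new order. The VPN interface alias and backup path are assumed values, and the NetAdapter cmdlets need Windows 8 / Server 2012 or later and an elevated prompt. Note that on Windows 10 and later the TCP/IP binding order is no longer what decides which adapter's resolver is used (the interface metric is), so this applies to the Windows versions the answer names.

```powershell
# Set-VpnBindOrder.ps1 -- added example, not code from the original answer or blog post.
# Assumes an elevated prompt and the NetAdapter cmdlets; the interface alias is an assumed
# value. Without -Apply it only shows the reordered list; with -Apply it backs up and writes it.
param(
    [string]$VpnInterfaceAlias = 'Local Area Connection 2',   # the answer's VPN adapter name
    [switch]$Apply,
    [string]$BackupFile = "$env:ProgramData\tcpip-linkage-bind.bak"
)

$ErrorActionPreference = 'Stop'
$LinkageKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Linkage'

# Bind is a REG_MULTI_SZ whose entries look like \Device\{GUID}; the answer says the
# first entry is the one whose DNS settings win, so the VPN adapter must go first.
function New-BindOrder {
    param([string[]]$Bind, [string]$Guid)
    $vpnEntry = @($Bind | Where-Object { $_ -like "*$Guid*" })
    if ($vpnEntry.Count -ne 1) {
        throw "Expected exactly one Bind entry for $Guid, found $($vpnEntry.Count)"
    }
    # VPN entry first, every other entry kept in its existing relative order
    @($vpnEntry[0]) + @($Bind | Where-Object { $_ -ne $vpnEntry[0] })
}

# Same lookup the answer performs by hand with ipconfig and regedit
$guid      = (Get-NetAdapter -Name $VpnInterfaceAlias).InterfaceGuid
$current   = @((Get-ItemProperty -Path $LinkageKey -Name Bind).Bind)
$reordered = New-BindOrder -Bind $current -Guid $guid

Write-Host "Current Bind order:"
$current   | ForEach-Object { Write-Host "  $_" }
Write-Host "Proposed Bind order:"
$reordered | ForEach-Object { Write-Host "  $_" }

if ($Apply) {
    # Keep the original so the change can be undone by writing the file's lines back
    $current | Set-Content -Path $BackupFile
    Set-ItemProperty -Path $LinkageKey -Name Bind -Value $reordered -Type MultiString
    Write-Host "Bind order updated; original list saved to $BackupFile"
} else {
    Write-Host "Dry run only; re-run with -Apply to write the new order."
}
```

Running it without `-Apply` first is the equivalent of reading the list in regedit before editing it; the backup file holds the original `\Device\{GUID}` lines one per line, so restoring is a matter of writing them back with the same `Set-ItemProperty` call.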
Fahad Yousuf
Updated on September 18, 2022
Comments
-
Fahad Yousuf over 1 year
How can I set DNS servers on the client using only the client configuration? My client is a Windows machine and I want to change the DNS servers when the client connects and revert back to the original configuration when I disconnect from the VPN.
All information I have found so far refers to pushing the DNS configuration to the client using the server's config, but in this case I can't change the server configuration and am currently doing it manually every time I connect to the VPN. An OpenVPN config option to set the local machine's DNS servers for the duration of the connection would be great.
-
Shea almost 8 years
This didn't work for me though it seems like it should. The option wasn't in the generated client.ovpn. When I add it, it still doesn't work. Running from an Asus RT-N66U with stock firmware 3.0.0.4.376_3861
-
Michael Kargl about 6 years
I added this to my .ovpn file just before the <ca> tag and it worked splendidly! Thank you! I tested this on my Windows machine with OpenVPN 2.4.4, Windows version 6.2
-
SeriousM about 6 years
That worked pretty well! Thank you sir for writing this guide
-
Antonio Rodríguez over 3 years
You may need to add register-dns to make it work, as said by @Duke Nukem.