14

Our Linux Ubuntu configuration does have a DNS server (Bind 9).
And resolv.conf has its

  nameserver 127.0.0.1

When using openvpn client on that Linux, the nameserver is not changed (by the VPN server) but I would like to set it - only during the VPN session - to another specific DNS server x.y.z.t, by changing the openvpn client config.

Then, when the openvpn session ends, nameserver should be back to 127.0.0.1.

Is there a "clean" way (i.e. a line in the openvpn client config file) to do that?

(Note: The VPN server config cannot be changed)

Déjà vu
  • 5,778

6 Answers

20

After more googling, I could find the answer. It is below in case it can help someone.

  • install resolvconf which can save and restore the resolv.conf config file
  • add a script to be run by openvpn, in /usr/share/openvpn, named update-resolv-conf. The script determines what should be the new resolv.conf, and how to restore it (see link below)
  • add these lines

    script-security 2
    up /usr/share/openvpn/update-resolv-conf
    down /usr/share/openvpn/update-resolv-conf

    in the openvpn client config file.

Read on this wiki for more information.

Déjà vu
  • 5,778
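
How an up/down script of the kind described in the answer above can work out the new resolv.conf, as an added example that is neither part of the original answer nor the packaged update-resolv-conf. OpenVPN passes each dhcp-option to the script in `foreign_option_N` environment variables (with `script_type` and `dev`); the function names here are made up for illustration.

```shell
#!/bin/sh
# Added example, not the distribution's update-resolv-conf.
# OpenVPN exports each dhcp-option (pushed or local) to up/down scripts as
# foreign_option_1, foreign_option_2, ... plus script_type and dev.

# Succeed only for a dotted quad whose four octets are 0..255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print resolv.conf lines for every well-formed DNS/DOMAIN option; values that
# fail validation are skipped, since this runs as root on server-supplied text.
build_resolv_conf() {
    n=1
    while :; do
        eval "opt=\${foreign_option_$n-}"   # n is our own counter, safe to eval
        [ -n "$opt" ] || break
        case "$opt" in
            'dhcp-option DNS '*)
                value=${opt#'dhcp-option DNS '}
                if is_ipv4 "$value"; then echo "nameserver $value"; fi ;;
            'dhcp-option DOMAIN '*)
                value=${opt#'dhcp-option DOMAIN '}
                case "$value" in
                    ''|*[!A-Za-z0-9.-]*) ;;         # reject anything unusual
                    *) echo "search $value" ;;
                esac ;;
        esac
        n=$((n + 1))
    done
}

case "${script_type-}" in
    up)   build_resolv_conf | resolvconf -a "${dev}.openvpn" ;;  # register VPN DNS
    down) resolvconf -d "${dev}.openvpn" ;;   # drop it; earlier settings return
    *)    build_resolv_conf ;;                # dry run outside OpenVPN
esac
```

Run by hand with `foreign_option_1='dhcp-option DNS 10.8.0.1'` in the environment, it only prints the lines it would hand to resolvconf.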
5

2022 update (Arch Linux)

To set a public dns server and update resolvconf, add the following to your ovpn client profile file:

  dhcp-option DNS 1.1.1.1
  script-security 2
  up /usr/share/openvpn/contrib/pull-resolv-conf/client.up
  down /usr/share/openvpn/contrib/pull-resolv-conf/client.down

1

Ubuntu 16.04 LTS and newer

Ubuntu 16.04 and newer versions use systemd-resolved for DNS resolution and caching. To verify this, run systemctl status systemd-resolved; the status should be active.

To force OpenVPN on the client side to use your DNS server, do this:

  1. Install the helper script:

    sudo apt install openvpn-systemd-resolved
    
  2. Add to your client configuration .ovpn or .conf file:

    (typically placed after the remote directive and before redirect-gateway if present.)

    script-security 2
    up /etc/openvpn/update-systemd-resolved
    down /etc/openvpn/update-systemd-resolved
    dhcp-option DOMAIN-ROUTE .
    dhcp-option DNS 8.8.8.8
    dhcp-option DNS <another-dns-server>
    

    Replace 8.8.8.8 with your DNS server IP address. You can add more DNS servers if needed.

Make sure systemd-resolved uses your DNS server now:

  • Verify domain name resolution: If your DNS is supposed to resolve domain names to certain IP addresses, run this and verify the returned IP:

    dig <your-domain-name>
    
  • Check for DNS leaks: If you change your DNS to force the use of DNS servers in the country or region of your VPN server, run a DNS leak test to confirm:

    • Use a service like DNS Leak Test.
    • After running the test, check the location of the returned DNS servers.
f-hollow
  • 126
1

Consider using route-up / route-down scripts on your client to alter your configuration on connection setup as you see fit. See the OpenVPN docs on details for how to set this up and which variables you might use in these scripts.

the-wabbit
  • 41,352
1

This was useful information that helped me fix this issue.

I'm an Arch Linux user, and what I saw is that when a Linux client is used with Access Server, the latter is unable to alter the DNS settings on the client in question, so hosts are not resolved, as it stands in the OpenVPN documentation.

I created a script which fixes the problem and with a couple of extra parameters handles openvpn connections via command line.

https://gist.github.com/android10/ee5c3e93dbcf9b7b31e6ee768cbfd477

Here is the main command being executed for the connection:

  # Quote the path variables so file names with spaces are passed intact
  nohup openvpn --config "$OVPN_FILE_PATH" --askpass "$OVPN_PRIVATE_KEY_FILE_PATH" \
  --script-security 2 \
  --setenv PATH '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' \
  --up /etc/openvpn/scripts/update-systemd-resolved \
  --down /etc/openvpn/scripts/update-systemd-resolved \
  --down-pre \
  &>/dev/null &

Any feedback is more than appreciated.

-3

  # resolv.conf entries take the form "nameserver <address>", with a space
  echo "nameserver w.x.y.z" > /etc/resolv.conf
  echo "nameserver 127.0.0.1" >> /etc/resolv.conf

monk
  • 5