DNS management with OpenVPN

Last modified by Clément Aubin on 2018/01/04 23:41

Sometimes, setting up a proper VPN can be tedious. This article gives two advices related to DNS related VPN configuration that I found while implementing my own VPN using OpenVPN.

Pushing custom DNS server addresses through OpenVPN

When setting up a VPN using OpenVPN, you might need at some point to push DNS information from the VPN server to the client. The recommended way to do so is to use the following client configuration:

# Allow the client to receive pushed DHCP options
script-security 2

# Update the local resolv.conf file in order to apply any pushed DNS address
up <PATH_TO>/update-resolv-conf
down <PATH_TO>/update-resolv-conf

You can then use the directive push "dhcp-option DNS XXX.XXX.XXX.XXX" in the server configuration and send DNS server addresses to a client when it connects to the VPN, at least in theory.

In practice, this process needs a bit more work on the client side :

  • The client needs to have the update-resolv-conf script on its file system. Hopefully, the script is usually packaged on APT systems and available in /etc/openvpn.
  • The client should also have OpenResolv installed. This is used to merge DNS configurations coming from multiple sources (NetworkManager, OpenVPN, …) into /etc/resolv.conf.
  • Finally, the client configuration should not drop privileges when running, which means that you cannot use user nobody nor group nogroup in your configuration : if those options are used, OpenVPN will not be able to properly execute the update script when disconnecting from its server as the process has already dropped privileges.

Regarding this last point, two possible solutions could be done in order to keep the possibility to use update-resolv-conf while dropping privileges:

  • Use setuid in order to run the script as its owner (which might bring even more security issues).
  • Use OpenVPN down-root plugin to allow the execution of privileged commands even in this situation.

Prioritizing the VPN DNSs while renaming the client adapter name

In the client configuration, you can use the two following instructions in order to define a different network adapter name for your VPN:

# Set the type of adapter (tun or tap)
dev-type <DEV_TYPE>
# Set the custom adapter name
dev my-vpn

When doing so, you might note that for some cases, in your resolv.conf file, the DNS servers addresses provided by the VPN are not put before your local DNSs. This can create new problems as your VPN DNS might provide different resolutions from the ones that you get without your VPN or add new resolutions. As DNS addresses are taken in the order in which they are written in your resolv.conf when trying to resolve a host, having your VPN DNS in the end of the file might slow down the resolution and frustrate your users.

In order to fix this problem, you have to update the configuration of OpenResolv in order to change the processing order of the network interfaces when fetching locally available DNSs. You will have to use the dynamic_order configuration option ; here is its definition from resolvconf.conf (5):

dynamic_order
   These interfaces will be processed next, unless they have a metric.  If unset, defaults to the following:
   tap[0-9]* tun[0-9]* vpn vpn[0-9]* ppp[0-9]* ippp[0-9]*