Work
1 post
DNS management with OpenVPN
Sometimes, setting up a proper VPN can be tedious. This article gives two advices related to DNS related VPN configuration that I found while implementing my own VPN using OpenVPN.
Pushing custom DNS server addresses through OpenVPN
When setting up a VPN using OpenVPN, you might need at some point to push DNS information from the VPN server to the client. The recommended way to do so is to use the following client configuration:
script-security 2
# Update the local resolv.conf file in order to apply any pushed DNS address
up <PATH_TO>/update-resolv-conf
down <PATH_TO>/update-resolv-conf
You can then use the directive push "dhcp-option DNS XXX.XXX.XXX.XXX" in the server configuration and send DNS server addresses to a client when it connects to the VPN, at least in theory.
In practice, this process needs a bit more work on the client side :
- The client needs to have the update-resolv-conf script on its file system. Hopefully, the script is usually packaged on APT systems and available in /etc/openvpn.
- The client should also have OpenResolv installed. This is used to merge DNS configurations coming from multiple sources (NetworkManager, OpenVPN, …) into /etc/resolv.conf.
- Finally, the client configuration should not drop privileges when running, which means that you cannot use user nobody nor group nogroup in your configuration : if those options are used, OpenVPN will not be able to properly execute the update script when disconnecting from its server as the process has already dropped privileges.
Prioritizing the VPN DNSs while renaming the client adapter name
In the client configuration, you can use the two following instructions in order to define a different network adapter name for your VPN:
dev-type <DEV_TYPE>
# Set the custom adapter name
dev my-vpn
When doing so, you might note that for some cases, in your resolv.conf file, the DNS servers addresses provided by the VPN are not put before your local DNSs. This can create new problems as your VPN DNS might provide different resolutions from the ones that you get without your VPN or add new resolutions. As DNS addresses are taken in the order in which they are written in your resolv.conf when trying to resolve a host, having your VPN DNS in the end of the file might slow down the resolution and frustrate your users.
In order to fix this problem, you have to update the configuration of OpenResolv in order to change the processing order of the network interfaces when fetching locally available DNSs. You will have to use the dynamic_order configuration option ; here is its definition from resolvconf.conf (5):
These interfaces will be processed next, unless they have a metric. If unset, defaults to the following:
tap[0-9]* tun[0-9]* vpn vpn[0-9]* ppp[0-9]* ippp[0-9]*