35

I have defined an unbound DNS server on my VPS and it appears to work. I need to use the DNS server instead of public DNS servers because some ISPs have blocked public DNS IPs. My openvpn.conf file is:

    dev tun
    proto tcp

    # Notice: here I set the listening port to be 80 to avoid possible port blockage
    port 80

    ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
    cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
    key /etc/openvpn/easy-rsa/2.0/keys/server.key
    dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem

    user nobody
    group nogroup
    server 10.8.0.0 255.255.255.0

    persist-key
    persist-tun

    #status openvpn-status.log
    #verb 3
    client-to-client

    push "redirect-gateway def1"

    #pushing public DNS IPs

    push "dhcp-option DNS 208.67.222.222"
    push "dhcp-option DNS 208.67.222.220"

    comp-lzo

As it is suggested here, I tried to use my server's IPs (say 11.22.33.44). So instead of

    push "dhcp-option DNS 208.67.222.222"
    push "dhcp-option DNS 208.67.222.220"

I just put

push "dhcp-option DNS 11.22.33.44"

In openvpn.conf above. However, after restarting openvpn, I see that my client can still connect to the OpenVPN server but no pages can be rendered anymore.

What can be wrong here? How can I solve this problem?

Dessa Simpson
  • 491
  • 7
  • 25
hbp
  • 361
  • 1
  • 4
  • 5

4 Answers4

37

On Windows 10 clients, you need add the following directives to client.ovpn:

script-security 2                                                                                                       
dhcp-option DNS 10.0.8.1                                                                                           
dhcp-option DOMAIN example.lan                                                                                   

No more directives are required for windows.

On Ubuntu 16.04 clients, you may need add following directives to client.ovpn:

up /etc/openvpn/update-resolv-conf                                                                                      
down /etc/openvpn/update-resolv-conf  

The latest OpenVPN client versions for Windows do not recognize option DOMAIN-SEARCH correctly, and work with DOMAIN.

vskubriev
  • 656
  • 9
  • 15
  • Does this require a particular minimum OpenVPN version? – 0xC0000022L May 31 '17 at 13:44
  • I think you should use the VPN gateway IP (10.0.8.1), not the router's local gateway ip address (192.168.1.1). That's such a common router ip address that likely the untrusted network router they're directly connected to will be at the 192.168.1.1 address. – carlin.scott Feb 28 '19 at 22:13
  • I tried it on my mac - it was ignored because my profile is untrusted, what should I do – zzz777 Dec 16 '19 at 15:33
9

You say that the "it appears to work." How did you verify this? Are you basing it on the fact the server started without any errors or did you actually perform some queries against it?

First thing I would do is use nslookup or dig to connect to the unbound server and perform some queries. I know dig is more in fashion these days but I know nslookup better.


$ nslookup
> server 11.22.33.44
Default server: 11.22.33.44
Address: 11.22.33.44#53
> set type=A
> www.google.com
Server:     11.22.33.44
Address:    11.22.33.44#53

Non-authoritative answer:
www.google.com  canonical name = www.l.google.com.
Name:   www.l.google.com
Address: 74.125.225.52
Name:   www.l.google.com
Address: 74.125.225.48
Name:   www.l.google.com
Address: 74.125.225.49
Name:   www.l.google.com
Address: 74.125.225.50
Name:   www.l.google.com
Address: 74.125.225.51

If this does not work then you have to look back at the DNS configuration again.

Is this a primary DNS server or a caching DNS server? Are you trying to query local resources or internet resources? Does it work as expected if you do not push your DNS server to the client?

If you pass all your traffic through your OpenVPN server you should not need to worry about your ISP blocking public DNS servers anymore since as far as your ISP is concerned you are only generating traffic to your VPS; unless the VPS is behind the same ISP.

digitaladdictions
  • 1,465
  • 1
  • 11
  • 29
  • Well ubound could pass all the tests that you mentioned and some more so I'm pretty sure that it is not the problem. As for why I need to use my own DNS server, I have experienced that when I use public DNS as above, the clients in Iran (where millions of sites are blocked) can not get any page through their openvpn connection, despite the fact that they can connect to the openvpn server. Hence the effort. Thanks – hbp Oct 05 '11 at 18:14
  • 1
    Have you confirmed that they can get a webpage via IP address once they are connected? This would just make sure it really is DNS problem and not a routing issue. Its very common when setting up OpenVPN to be able to connect to the server but not get any traffic back due to a missing return route. – digitaladdictions Oct 05 '11 at 20:14
6

It turns out that if you are trying to connect from a non-Windows client, you need to do a couple of extra steps:

On Linux

Put this line on your client configuration (client.conf or xxxx.ovpnfile)

dhcp-option DNS 11.22.33.44

Call the OpenVPN client in this way:

$ openvpn --script-security 2 --config xxxx.ovpn

That worked for me.

JonDoe297
  • 523
  • 2
  • 8
  • 21
1

Tested on Ubuntu 18.04 at 13 Sep 2018

There is another useful commands to setup what you need via command line. But in my case you can control your VPN connection both with command line and GUI.

sudo nmcli connection add type vpn vpn-type openvpn con-name la.vpn.contoso.com ifname --

ifname -- is the required by default, but does not affect anything

sudo nmcli connection modify la.vpn.contoso.com ipv4.dns 172.16.27.1 sudo nmcli connection modify la.vpn.contoso.com ipv4.dns-search int.contoso.com sudo nmcli connection modify la.vpn.contoso.com ipv4.never-default yes

never-default should not use remote gateway as default route

And much more interested final touch:

nmcli connection modify la.vpn.contoso.com vpn.data 'ca = /tmp/la.vpn.contoso.com/you/ca.crt, key = /tmp/you.key, dev = tun, cert = /tmp/you.crt, cert-pass-flags = 1, comp-lzo = adaptive, remote = la.vpn.contoso.com:1194, connection-type = tls'

Afterwards you can control vpn with GUI or use following commands:

sudo nmcli --ask connection up la.vpn.contoso.com sudo nmcli connection down la.vpn.contoso.com

vskubriev
  • 656
  • 9
  • 15