I have been trying to find a solution to this problem, but have found no answer so far, so I hope you guys can help me out.

I have a server running Ubuntu 10.04, which has a static IP address and a URL pointing to it, say server.foo.com

On this server I got an OpenVPN server running with the following configuration:

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS"
;push "dhcp-option DOMAIN foo.com"
keepalive 10 120
tls-auth ta.key 0
user nobody
group nogroup
status openvpn-status.log
log openvpn.log
verb 1
plugin /usr/lib/openvpn/openvpn-auth-pam.so vpnlogin

Clients are configured as follows:

dev tun
proto udp
remote server.foo.com 1194
resolv-retry infinite
ca ca.crt
cert server.crt
key server.key
ns-cert-type server
tls-auth ta.key 1
verb 1

As you can see in the server configuration, I got a DNS server running on it as well. This server is a dnsmasq server, with the following configuration in /etc/dnsmasq.conf:


In /etc/dnsmasq.d/ there are files that route URLs back to this server, which should be pushed to VPN clients. The most important of those contains:


Note that this URL is exactly the same on as my public URL. I have also created other DNS entries to test, for example address=/server2.foo.com/

Now I've got an HTTP service running on this server, and I only want to allow users from within my LAN as well as OpenVPN clients to reach it. I have blocked all incoming traffic in ufw, with the exceptions being:

To         Action       From
1194       ALLOW        Anywhere
53         ALLOW
80/tcp     ALLOW
80/tcp     ALLOW

Now to finally come to my problem. When an OpenVPN client connects, the DNS entries from dnsmasq should get pushed to the clients, which they do.

However, the entry server.foo.com apparently gets ignored, perhaps in favour of a public DNS. When I type server.foo.com in Firefox or Chrome while being outside my LAN but connected to the VPN, I get a timeout, while other entries such as server2.foo.com all work.

A traceroute in Windows 7 32-bit shows that for example server2.foo.com gets sent in one jump to, but server.foo.com goes through a public DNS server and tries to connect to my public static IP, which is blocked, thus giving a timeout.

I have so far tried a number of things, yet it still doesn't work:

  1. Setting the DNS server authoritative (as seen in the above dnsmasq.conf: dhcp-authoritative).
  2. push "dhcp-option DOMAIN foo.com" in the server.conf for OpenVPN.

Sorry for such a long post for what is perhaps a quite short question. And I hope someone can help me.

Best regards, Mike.


2 Answers


I think your setup is going to break or not work:

Your OpenVPN client configuration uses server.foo.com's public address to connect to the OpenVPN server. This address will be looked up prior to establishing the VPN tunnel, obviously.

You're trying to push a DNS entry for server.foo.com with an OpenVPN IP after the tunnel is established with the dnsmasq config. Either the OpenVPN client ignores it (since it already knows about server.foo.com as it had to look it up to establish the tunnel) or it will respect it, and then drop the tunnel because the OpenVPN client configuration will point to a now nonexistent IP address. The latter may likely happen during your OpenVPN session, depending on the TTL of the DNS server for server.foo.com's public IP.

TL;DR: you are basically trying to tell your client conflicting information about server.foo.com. I can't think of a good way to do what you have in mind. An alternative might be to set up a second DNS entry A record vpnserver.foo.com which points to the same IP as server.foo.com, and then change your OpenVPN config to use that.

  • Thank you for your reply. I have been thinking of the same thing, and have changed in the OpenVPN client config file the server URL to the external IP address of the server. So now it doesn't use server.foo.com and doesn't make a DNS lookup before connecting. However it still doesn't work. Same problem as before. Other URLs get resolved correctly to the VPN network (e.g. server2.foo.com), but not the main URL. Perhaps it remembers the IP and makes a reverse DNS lookup and saves the corresponding URL? – Michael Mar 16 '12 at 20:11
  • That will work too. As said, if you want DNS for the server config, you probably will need to pick a different name like vpn.foo.com. – cjc Mar 16 '12 at 20:17
  • But I'm sure it can be done in some way. I know it would be just easier to use an alternative URL while being within the VPN, but small things like that bug me :) There must be a switch in a config file that can force that redirect to happen in clients. Thanks though for your help! – Michael Mar 16 '12 at 21:29
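The conflict the accepted answer describes (the name used in the client's `remote` directive also being rewritten to a tunnel address by a pushed dnsmasq override) can be checked mechanically before rolling out a config. The following script is an added example, not code from the question or the answers; the client and dnsmasq snippets inside it are constructed, and 10.8.0.1 is an assumed tunnel address.

```python
"""Flag OpenVPN `remote` hostnames that a pushed dnsmasq override would redirect.

A dnsmasq `address=/name/ip` line rewrites `name` and every subdomain of it,
so the check matches on suffix, not only on the exact name.
"""
import re
from ipaddress import ip_address

# Constructed client config: the endpoint is named, not given as an IP.
CLIENT_CONF = """\
dev tun
proto udp
remote server.foo.com 1194
"""

# Constructed dnsmasq overrides served to VPN clients (10.8.0.1 is an assumed tunnel IP).
DNSMASQ_CONF = """\
address=/server.foo.com/10.8.0.1
address=/server2.foo.com/10.8.0.1
"""


def remote_hosts(client_conf):
    """Return the hostnames (literal IPs excluded) named by `remote` directives."""
    hosts = []
    for line in client_conf.splitlines():
        m = re.match(r"\s*remote\s+(\S+)", line)
        if not m:
            continue
        target = m.group(1)
        try:
            ip_address(target)          # a literal IP needs no lookup, so no conflict
        except ValueError:
            hosts.append(target.lower())
    return hosts


def dnsmasq_overrides(dnsmasq_conf):
    """Map each `address=/name/ip` override to its target IP."""
    overrides = {}
    for line in dnsmasq_conf.splitlines():
        m = re.match(r"\s*address=/([^/]+)/(\S+)", line)
        if m:
            overrides[m.group(1).lower().strip(".")] = m.group(2)
    return overrides


def find_conflicts(client_conf, dnsmasq_conf):
    """Return (hostname, override_ip) pairs where the VPN endpoint name would be rewritten."""
    overrides = dnsmasq_overrides(dnsmasq_conf)
    conflicts = []
    for host in remote_hosts(client_conf):
        for name, ip in overrides.items():
            if host == name or host.endswith("." + name):
                conflicts.append((host, ip))
                break
    return conflicts
```

A non-empty result means the client will learn a tunnel address for the very name it must resolve publicly to build the tunnel; pointing `remote` at a separate name (vpnserver.foo.com, as the answer suggests) or at the literal public IP clears it.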

Though very late, one possible workaround might be diverting all client traffic through the tunnel (if the client scenario allows it). You need to add the following directive to your server's config file, e.g. push "redirect-gateway def1". For details refer here. This way the client will not check for the public DNS.