5

I am trying to push DNS to the client with OpenVPN server with config:

 push "dhcp-option DNS 192.168.x.x"

It is working well, but what I really need is that during the VPN connection I do not want to use my primary resolvers; clients should use only the DNS provided by the server. It can be done with push redirect-gateway, but I do not want to tunnel all connections from the client through the VPN, only specific networks.

Is it possible to do it somehow?
Linux clients are OK with a script; on Windows I am not sure.

Gabor Vincze
  • Are the connections you do not want to be tunneled just for external communications, like web browsing? On Windows this is an option under the VPN connection properties. – scape Nov 07 '12 at 18:16
  • scape, are you sure you are talking about OpenVPN? Btw, the problem is not with the tunneling. – Gabor Vincze Nov 10 '12 at 14:00

3 Answers

3

Use redirect-private, but also add a route for every network you want to route through the VPN.

Btw, note that the DNS setting on other interfaces will stop working when that interface no longer has a route to its DNS servers. This is what happens when redirect-gateway drops the default gateway from your (W)LAN interface and adds a host route to the VPN server IP through the original GW. Depending on your setup, maybe there is no working setup and you'll have to change DNS naming to include some subdomain for internal networks.

nudzo
0

// edit: Sorry, I did not see the Windows part when I posted this. The following is about Linux.

I had that problem some time ago with OpenVPN and a Linux client. But resolvconf gave me an extra hard time writing the pushed dhcp-options directly to the local resolv.conf file, and there was no way to restore the old nameserver after disconnecting from the VPN. So I gave up and made two little bash scripts that handle my resolv.conf file on VPN connect/disconnect. (Of course, these scripts have to be installed on every client, so it's no general solution.)

The up-script backs up your regular nameserver definitions to a safe location before overwriting them with the ones in the received dhcp-option. The down-script simply moves your regular file back in place.

Append to your VPN connection conf:

script-security 2
up /etc/openvpn/dns.up.sh
down /etc/openvpn/dns.down.sh

dns.up.sh

#!/bin/bash
# Called by OpenVPN as the "up" script: back up the current resolver config,
# then rebuild /etc/resolv.conf from the pushed dhcp-option DNS/DOMAIN values.

mv /etc/resolv.conf /etc/resolv.conf.novpn

# OpenVPN exports every pushed option it does not handle itself as
# foreign_option_1, foreign_option_2, ... in the script's environment.
for optionname in ${!foreign_option_*} ; do
        option="${!optionname}"
        echo "$option"
        part1=$(echo "$option" | cut -d " " -f 1)
        if [ "$part1" == "dhcp-option" ] ; then
                part2=$(echo "$option" | cut -d " " -f 2)
                part3=$(echo "$option" | cut -d " " -f 3)
                if [ "$part2" == "DNS" ] ; then
                        IF_DNS_NAMESERVERS="$IF_DNS_NAMESERVERS $part3"
                fi
                if [ "$part2" == "DOMAIN" ] ; then
                        IF_DNS_SEARCH="$IF_DNS_SEARCH $part3"
                fi
        fi
done
R=""
# resolv.conf honours only the last "search" line, so put all pushed
# domains on a single line instead of one line per DOMAIN option.
if [ -n "$IF_DNS_SEARCH" ] ; then
        R="search$IF_DNS_SEARCH
"
fi
for NS in $IF_DNS_NAMESERVERS ; do
        R="${R}nameserver $NS
"
done
echo -n "$R" > /etc/resolv.conf

dns.down.sh

#!/bin/sh

mv /etc/resolv.conf.novpn /etc/resolv.conf

Karma Fusebox
  • Unfortunately the OP explicitly mentions that he needs help getting this to work on Windows. Quoting "Linux clients are OK with a script, on Windows I am not sure". – chutz Nov 09 '12 at 06:16
  • I feel a little embarrassed for overlooking that part (and the windows 7 tag as well). I hope this will at least help some also-overlooking Linux user that stumbles in here one day. – Karma Fusebox Nov 09 '12 at 20:23
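Putting the two answers together, here is an added example (not configuration from either answer) of the server-side push lines for split routing with a VPN-only resolver, plus the client-side lines a Linux client needs for the script approach above. The subnets, resolver address and domain are placeholders; block-outside-dns is a Windows-only client option that appeared in OpenVPN 2.3.9, after this thread was written, and it is what stops a Windows client from also sending queries to the LAN resolver.

```conf
# server.conf (added example; all addresses and names are placeholders)
server 10.8.0.0 255.255.255.0

# Split tunnel: push only the internal networks and never "redirect-gateway def1",
# so the client's default route and its ordinary traffic stay untouched.
push "route 192.168.10.0 255.255.255.0"
push "route 192.168.20.0 255.255.255.0"
push "redirect-private"

# The pushed resolver must sit inside one of the routed networks above;
# otherwise the client has no path to it once it is the only nameserver.
push "dhcp-option DNS 192.168.10.53"
push "dhcp-option DOMAIN corp.example"

# Windows clients only (OpenVPN 2.3.9 and later): block DNS traffic on every
# interface except the VPN adapter, so the LAN resolver is not consulted as well.
push "block-outside-dns"

# client.conf on Linux: dhcp-option is only exported to scripts, so the
# up/down scripts from the answer above must apply it.
script-security 2
up /etc/openvpn/dns.up.sh
down /etc/openvpn/dns.down.sh
```

After connecting, a quick check that nothing leaks is to confirm resolv.conf (Linux) or ipconfig /all (Windows) lists only the pushed resolver and that it is reachable through a pushed route.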
-1

Karma Fusebox. This sorted me out seven years and nine months later.

OpenVPN 2.4.7 on Linux raspberrypi 5.4.51-v7l+ #1333

Ta