11

Our Linux Ubuntu configuration does have a DNS server (Bind 9).
And resolv.conf has its

  nameserver 127.0.0.1

When using openvpn client on that Linux, the nameserver is not changed (by the VPN server) but I would like to set it - only during the VPN session - to another specific DNS server x.y.z.t, by changing the openvpn client config.

Then, when the openvpn session ends, nameserver should be back to 127.0.0.1.

Is there a "clean" way (i.e. a line in the openvpn client config file) to do that?

(Note: The VPN server config cannot be changed)

Déjà vu

5 Answers

18

After more googling, I could find the answer - it is below in case it can help someone.

  • install resolvconf which can save and restore the resolv.conf config file
  • add a script to be run by openvpn, in /usr/share/openvpn, named update-resolv-conf. The script determines what should be the new resolv.conf, and how to restore it (see link below)
  • add these lines

  script-security 2
  up /usr/share/openvpn/update-resolv-conf
  down /usr/share/openvpn/update-resolv-conf

in the openvpn client config file.

Read on this wiki for more information.

Déjà vu
  • 7
    Newer installs of OpenVPN include this script with the installation. Instead of manually downloading and installing at `/usr/share/openvpn/update-resolv-conf`, you can find it pre-installed at `/etc/openvpn/update-resolv-conf`. – Nate Lampton Jun 18 '18 at 23:26
  • Which version of OpenVPN started to include this file? – lanoxx Aug 26 '18 at 13:39
  • 1
    A bit late to the party here but I'm using `2.4.6` and it's been installed for me – Roshan Bhumbra Dec 22 '19 at 20:26
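
Added example (not part of the original answers, and not the update-resolv-conf script shipped with OpenVPN): an up/down hook of the kind the answer above describes, handing the VPN's DNS server to resolvconf on connect and withdrawing it on disconnect. It assumes the server arrives as a `dhcp-option DNS` entry, which OpenVPN exposes to the script as `foreign_option_N` environment variables, and it accepts only well-formed IPv4 addresses because with `script-security 2` the hook runs with OpenVPN's privileges. The function names `is_ipv4` and `dns_lines` are made up for this example.

```shell
#!/bin/sh
# Hypothetical up/down hook; reference the same file from both "up" and "down".
# OpenVPN sets $script_type (up|down), $dev (e.g. tun0) and foreign_option_N.

# Succeeds only for a dotted quad with four octets in 0..255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, stray chars, bad dots
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                                  # split on dots (digits only here)
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Prints one "nameserver <addr>" line per valid DNS option, skipping the rest.
dns_lines() {
    n=1
    while :; do
        # n is a counter we control, so this eval only reads a variable.
        eval "opt=\${foreign_option_$n:-}"
        [ -n "$opt" ] || break
        case "$opt" in
            "dhcp-option DNS "*)
                addr=${opt#dhcp-option DNS }
                if is_ipv4 "$addr"; then
                    printf 'nameserver %s\n' "$addr"
                fi ;;
        esac
        n=$((n + 1))
    done
}

case "${script_type:-}" in
    up)
        lines=$(dns_lines)
        # Register the VPN resolver under a per-interface record.
        [ -z "$lines" ] || printf '%s\n' "$lines" | resolvconf -a "${dev}.openvpn" ;;
    down)
        # Dropping the record lets resolvconf restore the previous resolv.conf.
        resolvconf -d "${dev}.openvpn" ;;
esac
```

Outside an OpenVPN session `script_type` is unset, so the file can be sourced to exercise the two functions without touching the resolver configuration.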
5

2022 update (Arch Linux)

To set a public dns server and update resolvconf, add the following to your ovpn client profile file:

  dhcp-option DNS 1.1.1.1
  script-security 2
  up /usr/share/openvpn/contrib/pull-resolv-conf/client.up
  down /usr/share/openvpn/contrib/pull-resolv-conf/client.down

I.Am.A.Guy
1

Consider using route-up / route-down scripts on your client to alter your configuration on connection setup as you see fit. See the OpenVPN docs for details on how to set this up and which variables you might use in these scripts.

the-wabbit
  • +1, interesting and useful. The *resolvconf* solution via *up* and *down* (above or below dep. on rating..) is however more to the point, and, imo, cleaner. – Déjà vu Apr 23 '14 at 06:31
  • @ring0 I would advise using `route-up` instead of `up` to minimize race conditions. When the `up` script is executed, the connection is not yet set up and you have no chance to query the remote resolver you're setting. If you start the OpenVPN client in a situation where the connection setup would not complete, you are putting your resolver into a possibly non-functional state for a prolonged period of time. See the "Script Order of Execution" section in the [OpenVPN man page](https://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html) for details. – the-wabbit Apr 23 '14 at 08:11
  • I did a few tests, and the *up* script is called right when "Initialization Sequence Completed" is reached, not before. Btw cannot find "route-down" in the man. – Déjà vu Apr 23 '14 at 15:19
1

This was useful information that helped me fix this issue.

I'm an Arch Linux user, and what I saw is that when a Linux client is used with Access Server, the latter is unable to alter the DNS settings on the client in question, so hosts are not resolved, as it stands in the OpenVPN documentation.

I created a script which fixes the problem and with a couple of extra parameters handles openvpn connections via command line.

https://gist.github.com/android10/ee5c3e93dbcf9b7b31e6ee768cbfd477

Here is the main command being executed for the connection:

  nohup openvpn --config "$OVPN_FILE_PATH" --askpass "$OVPN_PRIVATE_KEY_FILE_PATH" \
  --script-security 2 \
  --setenv PATH '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' \
  --up /etc/openvpn/scripts/update-systemd-resolved \
  --down /etc/openvpn/scripts/update-systemd-resolved \
  --down-pre \
  &>/dev/null &

Any feedback is more than appreciated.

-3

  echo "nameserver w.x.y.z" > /etc/resolv.conf
  echo "nameserver 127.0.0.1" >> /etc/resolv.conf

monk