How to manage the DNS leak in OpenVPN?

What is the possibility of stopping OpenVPN from leaking DNS outside of IPFire?
Where should I put the “block-outside-dns”? The server.conf is overwritten at each restart from the WUI.

So is this the solution, and if so, where should “block-outside-dns” be written?



OpenVPN has nothing to do with DNS resolution here, as the latter is handled by different software and is usually not transmitted through an OpenVPN tunnel.

In case you are trying to do something like connecting a branch office to a company’s headquarters, and want the internal DNS namespace to be resolved by an internal nameserver, please refer to the documentation on how to do so.

In case you are trying to connect IPFire to a VPN provider, please do not do so for the reasons mentioned here.

Thanks, and best regards,
Peter Müller

Hmm… but what about the “block-outside-dns” option? Where can I set it on the server?

I’m just connecting with the road warrior to the OpenVPN on my IPFire and have the DNS leak with the DNS IP of my mobile provider.

Just to clarify, are you using a phone?

Yes, a so-called “smart” phone :smiley:

First of all, have you established whether the DNS queries are bypassing the VPN tunnel?

You can add additional configuration options in /var/ipfire/ovpn/scripts/server.conf.local.

I don’t have any experience of using OpenVPN on a phone but, generally, the (IPFire) server can “push” a number of configuration options to the client, which might include DNS (e.g. push "dhcp-option DNS"). The client, in this case your phone, should then act on those instructions.

So, you need to find out if the server is pushing a DNS address and, if so, whether the smartphone is doing anything with the instruction.
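An added example, not taken from the post above or from IPFire's generated configuration, of what the extra lines in /var/ipfire/ovpn/scripts/server.conf.local look like when the server pushes an internal resolver, sends all traffic through the tunnel, and (for Windows clients only) blocks other resolvers. The resolver address 10.0.0.1 is an assumption; substitute the address of your own internal nameserver.

```conf
# Added example: lines for /var/ipfire/ovpn/scripts/server.conf.local.
# This file is included by the WUI-generated server.conf, so these
# settings survive a restart from the WUI, unlike edits to server.conf.
# Assumption: the internal resolver reachable through the tunnel is 10.0.0.1.

# Tell every road-warrior client which resolver to use while connected.
push "dhcp-option DNS 10.0.0.1"

# Route all client traffic, including queries to 10.0.0.1, through the tunnel.
# "def1" adds two /1 routes on top of the client's default route instead of
# replacing it, so the original gateway is restored when the tunnel closes.
push "redirect-gateway def1"

# Caveat: block-outside-dns is implemented only by the Windows client (it
# installs a WFP filter that drops DNS to other interfaces). Non-Windows
# clients such as Android ignore it, so for a phone the two lines above
# are what actually decides where the queries go.
push "block-outside-dns"
```

After restarting OpenVPN from the WUI, the client's connection log should show the pushed `dhcp-option DNS` and `redirect-gateway` in the PUSH_REPLY; if the phone still resolves via the mobile provider after that, the client app is not applying the pushed options rather than the server failing to send them.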

I found the setting in the client config on the server; there you can set the DNS. So I can set the internal network DNS there and it works. Very fine!
The push option can be found via the WUI in the further server settings; I think it could be another workaround.

Hi fstarter,
I would suggest then to also use redirect-gateway.
Redirect-Gateway def1 in the server conf?
Why that?

Good evening,
yes --> to redirect all traffic through the tunnel.

Have a nice evening.


There is redirect-gateway in the client configs on the server and in the server configs. Should I activate both of them?

Please also check the documentation, but you can also configure it for specific clients via CCD.
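An added example, not the project's own files, of the per-client variant mentioned here: OpenVPN's client-config-dir directive points at a directory, and a file in it named after the client's certificate Common Name carries push lines that apply only to that client. The directory /var/ipfire/ovpn/ccd, the CN "phone" and the resolver 10.0.0.1 are assumptions.

```conf
# Added example: /var/ipfire/ovpn/ccd/phone
# (the ccd directory and the CN "phone" are assumptions; the file name must
# match the Common Name in that client's certificate exactly)

# Discard the global push lines first so this client gets only what is listed here.
push-reset

# Only this client is forced into full-tunnel mode with the internal resolver;
# other road warriors keep their own default route and DNS.
push "redirect-gateway def1"
push "dhcp-option DNS 10.0.0.1"
```

Without `push-reset`, per-client pushes are added on top of the global ones, which is fine when the CCD file only adds options but matters when you want one client to be exempt from a global `redirect-gateway`.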


ok, thanks!

Hi Erik,

thanks for mentioning this.

It should be a more straightforward solution to @fstarter’s problem, but slipped my mind as I was assuming redirect-gateway def1 to be set already. :slight_smile:

Thanks, and best regards,
Peter Müller
