OpenVPN server add DNS options

I have tried to find a place in the OpenVPN server settings to add the following DNS options, which I can add to the client config file but which are not accepted by all OpenVPN clients.

register-dns
block-outside-dns

I need the OpenVPN client to get the DNS from the OpenVPN server and use it exclusively while the link is active.

Any suggestions, please?

Thank you!

If you really want to “forbid” the clients from using other DNS servers, I would recommend “tunnel all”, so that all traffic has to go through the VPN first before it goes out to the web. Then just add your preferred DNS server to the VPN configuration.

It all depends on your clients. Are they “managed” by you, or do you want to force a configuration on them server-side?

I am not 100% sure, but it seems like the following section on client-specific settings might do what you want.

https://www.ipfire.org/docs/configuration/services/openvpn/config/client_conf#advanced-client-options

Thank you, but even if I do this, the DNS from my device is the one being used. The DNS servers from the OpenVPN server are added as secondary.
Also, I have several users connecting to this server, so it would choke the internet traffic from the OpenVPN server.

I do not need specific DNS servers; I need the device connecting to the OpenVPN server to use only the DNS servers pushed by the OpenVPN server, not the device's default DNS client configuration.

If the clients you are referring to are mobile phones, then this might just be the fact that both Android and iOS, and the app developers for those systems, often ignore DNS requests from the user and use the ones they prefer or want you to use.

Hmm… I don’t know how to configure that. DNS servers are handled through DHCP if they’re not set manually, so unfortunately I don’t have a clue how to handle this… I would need to do some research myself.

Okay, there is another problem: if you do not want to tunnel all, you cannot control whether the users use your DNS server or not. If they have admin rights, they would be able to change it to another one, and they would reach that one too (if there is no firewall rule forbidding this).

What is your main goal? Do you just want a specific DNS for security/privacy, or do you want to resolve some addresses that only your server knows, or that are maybe on the internal network?

Even if you want to tunnel all traffic, or just DNS traffic, the user can block it in their config file by adding lines like:

pull-filter ignore block-outside-dns
pull-filter ignore redirect-gateway
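To make the two sides of this discussion concrete, here is an added example (not configuration from the thread, from IPFire or from the OpenVPN project) of the server-side push lines that implement “tunnel all” plus a pushed resolver, followed by the client-side lines that a user can add to neutralise them. The resolver address 10.10.99.1 and the domain example.lan are assumptions for illustration.

```conf
# --- server.conf (OpenVPN server side, added example) ---
# "Tunnel all": route every client packet through the VPN, so DNS queries
# cannot bypass it by routing.
push "redirect-gateway def1"
# Hand out the resolver on the remote LAN (10.10.99.1 is an assumed address)
# and a search domain (example.lan is an assumed name).
push "dhcp-option DNS 10.10.99.1"
push "dhcp-option DOMAIN example.lan"
# Windows-only: install a Windows Filtering Platform rule that blocks DNS
# traffic to any resolver outside the tunnel. Non-Windows clients do not
# implement this option and ignore it (with a log warning), which is why it
# is not accepted by all OpenVPN clients.
push "block-outside-dns"

# --- client.ovpn (client side) ---
# Windows-only: flush and re-register DNS on connect so the pushed resolver
# is actually picked up; other clients ignore it.
register-dns
# pull-filter is evaluated on the client, so nothing on the server can stop
# a user who controls their config file from dropping the pushed options:
pull-filter ignore "block-outside-dns"
pull-filter ignore "redirect-gateway"
# Everything else the server pushes (dhcp-option, routes) is still applied.
```

The check a practitioner wants here: after connecting, read the client log for the `PUSH_REPLY` line and confirm that `redirect-gateway` and `block-outside-dns` are present in what the server sent; whether the client honours them is decided locally by the client type and by any `pull-filter` lines, so the server log alone cannot prove enforcement.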

The main goal is to use the private DNS on the remote LAN.

I am aware of the possible ignoring of the options you mention, but they would not work on all the different OpenVPN device clients.

Hello,
I am reusing this topic for a related question on OpenVPN: Advanced client options, DNS1 and DNS2 servers.

Foreword: on a Windows client, the order of the DNS servers I have set on the “OpenVPN” page, “Advanced client options” section, is reversed: DNS2 is in the first position on the Windows client (ipconfig /all). This poses a problem for me because DNS1 is the one from IPFire that has RPZ enabled, while DNS2 is a public DNS server with no RPZ. Now the odd thing: after putting the same IP address in both DNS1 and DNS2, the Windows client still shows the older DNS servers in ipconfig /all, even after stopping and restarting the VPN connection.

Question 1: is there a cache somewhere I need to erase to get rid of that DNS server value that I used initially and no longer need?

Late edit: here is the log line copied from the OpenVPN client: the DNS server 193.110.81.9 is no longer on the Advanced options page but is still pushed?

Thu Jan  9 12:15:01 2025 PUSH: Received control message: 'PUSH_REPLY,route 192.a.b.c 255.255.255.0,route 192.x.y.z 255.255.255.0,route 192.j.k.l 255.255.255.0,route 10.100.99.0 255.255.255.0,redirect-gateway def1,dhcp-option DOMAIN ipfire.com,dhcp-option DNS 193.110.81.9,route 10.10.99.1,topology net30,ping 10,ping-restart 60,redirect-gateway,route 192.a.b.c 255.255.255.0,dhcp-option DNS 193.110.81.9,dhcp-option DNS 192.a.b.c,ifconfig 10.10.99.22 10.10.99.21,peer-id 0,cipher AES-256-GCM'
Thu Jan  9 12:15:01 2025 WARNING: You have specified redirect-gateway and redirect-private at the same time (or the same option multiple times). This is not well supported and may lead to unexpected results
Thu Jan  9 12:15:01 2025 OPTIONS IMPORT: timers and/or timeouts modified


Question 2: can the order of the DNS servers (primary and secondary) on the client be controlled by swapping the values between the DNS1 and DNS2 settings on the “OpenVPN” page, “Advanced client options” section? I reversed the order of those, but my Windows client ignored that order (so I put the same IP address in both the DNS1 and DNS2 fields).

IPFire version: CU 189
Windows client: OpenVPN GUI 11.29.0.0

Oh, there is another DNS server definition on the “Main” page, which is “generally” applied to all clients!
I missed that!
I believe this parameter goes “first” in the list of DNS servers on the client side; this is why, no matter what I put on the Client page (DNS1 and DNS2), those were in second and third position as DNS servers on the client side.

I hope I am right…
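The PUSH_REPLY line quoted above already answers both questions if it is read option by option, so here is an added example (not code from the thread, from IPFire or from OpenVPN) that parses that exact log line and reports the pushed DNS servers in push order, the duplicated options, and how many times `redirect-gateway` was sent. The input is the poster's own line, with their 192.a.b.c-style anonymised addresses kept as they are; the only assumption is that the options in a PUSH_REPLY message are comma separated, which is how the line itself is laid out.

```python
"""Parse an OpenVPN client's PUSH_REPLY log line and report what the server pushed.

Added example, not from the forum thread, IPFire or OpenVPN. The sample input is
the PUSH_REPLY line quoted in the thread (poster's placeholder addresses kept).
"""
import re
from collections import Counter

# Log line as posted in the thread (addresses partly anonymised by the poster).
PUSH_REPLY_LINE = (
    "Thu Jan  9 12:15:01 2025 PUSH: Received control message: 'PUSH_REPLY,"
    "route 192.a.b.c 255.255.255.0,route 192.x.y.z 255.255.255.0,"
    "route 192.j.k.l 255.255.255.0,route 10.100.99.0 255.255.255.0,"
    "redirect-gateway def1,dhcp-option DOMAIN ipfire.com,dhcp-option DNS 193.110.81.9,"
    "route 10.10.99.1,topology net30,ping 10,ping-restart 60,redirect-gateway,"
    "route 192.a.b.c 255.255.255.0,dhcp-option DNS 193.110.81.9,dhcp-option DNS 192.a.b.c,"
    "ifconfig 10.10.99.22 10.10.99.21,peer-id 0,cipher AES-256-GCM'"
)

# The pushed options sit between the quotes after "PUSH_REPLY,".
_PUSH_RE = re.compile(r"'PUSH_REPLY,(?P<opts>.*)'\s*$")


def parse_push_reply(line: str) -> list[str]:
    """Return the pushed options in the order the server sent them.

    Options are separated by commas inside the quoted message and an option's
    own arguments are space separated, so splitting on ',' is enough here.
    """
    m = _PUSH_RE.search(line)
    if not m:
        raise ValueError("not a PUSH_REPLY log line")
    return [o.strip() for o in m.group("opts").split(",") if o.strip()]


def pushed_dns_servers(options: list[str]) -> list[str]:
    """DNS servers in push order, duplicates included."""
    return [o.split()[2] for o in options if o.startswith("dhcp-option DNS ")]


def effective_dns_order(options: list[str]) -> list[str]:
    """Unique pushed DNS servers, in first-seen order."""
    seen: list[str] = []
    for server in pushed_dns_servers(options):
        if server not in seen:
            seen.append(server)
    return seen


def duplicate_options(options: list[str]) -> dict[str, int]:
    """Options pushed more than once, exactly as pushed (arguments included)."""
    return {opt: n for opt, n in Counter(options).items() if n > 1}


def redirect_gateway_count(options: list[str]) -> int:
    """How many redirect-gateway directives were pushed. More than one is what
    makes the client warn that the option was given multiple times."""
    return sum(1 for o in options if o.split()[0] == "redirect-gateway")


if __name__ == "__main__":
    opts = parse_push_reply(PUSH_REPLY_LINE)
    print("pushed DNS order:   ", pushed_dns_servers(opts))
    print("effective DNS list: ", effective_dns_order(opts))
    print("redirect-gateway pushed", redirect_gateway_count(opts), "times")
    for opt, n in duplicate_options(opts).items():
        print(f"pushed {n}x: {opt}")
```

Run against the quoted line, the parser shows 193.110.81.9 pushed twice, once before any client-specific option and once again next to 192.a.b.c, and `redirect-gateway` pushed twice, which is the condition behind the warning in the next log line. That is consistent with two separate DNS definitions (one global, one per client) both being pushed to this client, and the push order is the first thing to compare against what `ipconfig /all` shows.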

The version you are using was released in May 2022, I suggest upgrading to the latest version.

Regards