I have tried to find a place in the OpenVPN server settings to add the following DNS options, which I can add in the client config file but which are not accepted by all OpenVPN clients:
register-dns
block-outside-dns
I need the OpenVPN client to get the DNS from the OpenVPN server and use it exclusively while the link is active.
If you really want to “forbid” the clients to use other DNS-Servers, I would recommend “tunnel all”, so that all traffic has to go through the VPN first before it goes out to the web. Then just add your preferred DNS-Server to the VPN-configuration.
It all depends on your clients. Are they “managed” by you or do you want to force a configuration on them server-wise?
Thank you, but even if I do this, the DNS from my device is the one being used. The DNS servers from the OpenVPN server are added as secondary.
Also I have several users connecting to this server, so it would choke the internet traffic from the OpenVPN server.
I do not need specific DNS servers, I need for the device connecting to the OpenVPN server to only use the DNS servers pushed by the OpenVPN server, not the default device DNS client configuration.
If the clients you are referring to are mobile phones, then this might just be the fact that both Android and iOS and the app developers for those systems often ignore DNS requests from the user and use the ones they prefer or want you to use.
Hmm… I don’t know how to configure that, DNS-servers are handled through DHCP if they’re not set manually, so unfortunately I don’t have a clue how to handle this… would need to do some research myself.
Okay, there is another problem: If you do not want to tunnel all, you cannot control if the users use your DNS-server or not. If they have admin rights, they would be able to change it to another one and they would reach that one, too (if there is no firewall rule forbidding this).
What is your main goal? Do you just want a specific DNS for security / privacy or do you want to resolve some addresses that only your server knows or maybe are on the internal network?
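The options discussed in this thread can be pushed from the server side with `push "..."` directives. The following audit script is an added example, not part of any post above: it reads a server config and reports which of those DNS controls are pushed. The sample config, its addresses and the function names are constructed for illustration.

```python
import shlex

# Constructed sample server config; the addresses are placeholders.
SAMPLE_SERVER_CONF = """
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS 10.8.0.1"
push "block-outside-dns"   # Windows-only option
# push "redirect-gateway def1"   (the "tunnel all" setting, disabled here)
"""

def pushed_options(conf_text):
    """Return each pushed option as a list of words, skipping comments."""
    pushed = []
    for line in conf_text.splitlines():
        try:
            tokens = shlex.split(line, comments=True)
        except ValueError:      # unbalanced quote: not a usable directive
            continue
        if len(tokens) == 2 and tokens[0] == "push":
            pushed.append(tokens[1].split())
    return pushed

def audit_dns_push(conf_text):
    """Summarise the DNS-related options the server pushes to clients."""
    opts = [o for o in pushed_options(conf_text) if o]
    names = {o[0] for o in opts}
    return {
        "dns_servers": [o[2] for o in opts
                        if len(o) == 3 and o[:2] == ["dhcp-option", "DNS"]],
        "block_outside_dns": "block-outside-dns" in names,
        "register_dns": "register-dns" in names,
        "tunnel_all": "redirect-gateway" in names,
    }

def findings(report):
    """Turn the summary into the gaps discussed in the thread."""
    gaps = []
    if not report["dns_servers"]:
        gaps.append("no DNS server is pushed")
    if not report["block_outside_dns"]:
        gaps.append("Windows clients may still query their own resolvers")
    if not report["tunnel_all"]:
        gaps.append("split tunnel: other resolvers stay reachable outside the VPN")
    return gaps

if __name__ == "__main__":
    report = audit_dns_push(SAMPLE_SERVER_CONF)
    print(report)
    for gap in findings(report):
        print("gap:", gap)
```

Clients that do not recognise a pushed option, such as `block-outside-dns` on non-Windows platforms, may warn about it or ignore it, so the audit describes what the server offers rather than what each client enforces.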