Ubuntu and OpenVPN: Set pushed DNS servers globally

Attention! This article is more than a year old. The content may no longer be up to date!

I’m using OpenVPN to connect to my home network. The endpoint is on my pfSense firewall I use there. I’m able to export a config file containing all needed connection parameters and needed certificates.

You can import that file into Ubuntu’s Network Manager. However, the parser isn’t that good. You have to tweak the configuration to match the real config file. Pushed DNS servers or custom-set ones are not used. The result is a stable connection without name resolution. Surfing the web isn’t fun without that.

I passed on using the Network Manager because tweaking the settings in three different applications is not very end-user friendly. I decided to go back to the good old CLI.

My OpenVPN server pushes the DNS IP addresses. There are different approaches to use them globally.

Bad approach: Editing /etc/resolv.conf

This isn’t a very good approach, because you have to manually edit the system configuration. Normally all DNS servers are configured in the file /etc/resolv.conf.

Over the past few years, manually editing that file has become obsolete. On modern Linux systems a package named resolvconf is installed. It sets as only nameserver and spins up a forwarder. All requests are then forwarded to the DNS servers received over DHCP.

This is pretty nice for a normal user, because they don’t have to deal with DNS settings whenever they change networks. Manual edits to this file are only temporary and therefore not acceptable.

Good approach: Tell OpenVPN to “make it work”

OpenVPN can talk to the resolvconf application and register the pushed DNS servers. You have to add the following three lines at the bottom of the OpenVPN config file (script-security 2 is what permits OpenVPN to call user-defined scripts such as these up and down hooks):

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
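
As an added illustration (not the author's code and not the stock update-resolv-conf script): OpenVPN passes each pushed dhcp-option to the up script in the environment variables foreign_option_1, foreign_option_2, and so on. Because the hook runs with OpenVPN's privileges on values chosen by the server, this sketch validates each value before turning it into a resolv.conf line; the function names and the 192.0.2.x sample addresses are made up for the example.

```sh
# Added example, not the stock /etc/openvpn/update-resolv-conf.
# Input: foreign_option_N environment variables set by OpenVPN for the hook.

# Accept only dotted-quad IPv4 addresses with octets 0-255.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    ( IFS=.; set -- $1
      [ $# -eq 4 ] || exit 1
      for o in "$@"; do
          [ ${#o} -le 3 ] && [ "$o" -le 255 ] || exit 1
      done )
}

# Accept only plain host-name characters; no spaces, quotes or shell syntax.
is_domain() {
    case $1 in
        ''|*[!A-Za-z0-9.-]*|.*|*.|-*|*-|*..*) return 1 ;;
    esac
}

# Print resolv.conf-style lines for every valid pushed DNS option.
pushed_dns_to_resolvconf() {
    i=1
    while :; do
        # i is a counter we control, so eval only expands a variable name.
        eval "opt=\${foreign_option_$i-}"
        [ -n "$opt" ] || break
        read -r word kind value rest <<EOF
$opt
EOF
        case "$word:$kind" in
            dhcp-option:DNS)
                if is_ipv4 "$value"; then printf 'nameserver %s\n' "$value"; fi ;;
            dhcp-option:DOMAIN)
                if is_domain "$value"; then printf 'search %s\n' "$value"; fi ;;
        esac
        i=$((i + 1))
    done
}

# Constructed sample values, used only when OpenVPN has not set any.
if [ -z "${foreign_option_1-}" ]; then
    foreign_option_1='dhcp-option DOMAIN veloc1ty.lan'
    foreign_option_2='dhcp-option DNS 192.0.2.53'
    foreign_option_3='dhcp-option DNS 192.0.2.300'   # dropped: octet > 255
fi
pushed_dns_to_resolvconf
```

In an actual hook the output would be handed to resolvconf for the tunnel interface instead of being printed.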

pfSense: OpenVPN Client Export Utility

If you use pfSense and the “Client Export Utility”, the three lines can also be added directly on generation. Use the text box in the advanced section.


Bonus: Verbose Output

To see what’s pushed you have to make OpenVPN more chatty. To see every config option but not traffic (scroll friendly) you can call it like this:

$ sudo openvpn --config firewall-udp-1194-laptop-config.ovpn --verb 4

You should find a line like this:

PUSH: Received control message: 'PUSH_REPLY,route,dhcp-option DOMAIN veloc1ty.lan,dhcp-option DNS,dhcp-option DNS [...]

You should be able to see that _update-resolv-conf_ was executed:

[...] /etc/openvpn/update-resolv-conf [...]
dhcp-option DOMAIN veloc1ty.lan
dhcp-option DNS
dhcp-option DNS

