Using DNS provided by OpenVPN

EekNL · 5 November 2021 18:55

Hello everyone,

I’ve started with a fresh install of CoreELEC on my Odroid N2 yesterday. Used the latest image of Matrix 19.3 which went smootly.

The first thing i’ve started configuring is OpenVPN, because this is always the hardest to get right and in the past i took some “shortcuts” to get things working.

Anyway, the thing i had problems with last time is the nameservers; i could not get CoreELEC to use the nameservers provided by my VPN provider. In the end i resorted to handing out the VPN providers nameservers through my routers DHCP options, which means i can’t use DNS until the VPN is up and i have to resort to connecting to IP addresses of my VPN provider instead of hostnames.

Upon connecting the OpenVPN i can see that a nameserver is being provided:

CoreELEC openvpn[4913]: PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.10.0.1

However, when i do a lookup i see the nameserver being used that my router provides through DHCP:

CoreELEC:/etc # nslookup www.google.com
Server:    10.8.0.1
Address 1: 10.8.0.1

Name:      www.google.com
Address 1: 216.58.214.4 ams17s09-in-f4.1e100.net

And my OpenVPN config:

client
dev tun
proto udp4
remote-random
remote 1.2.3.4 1194
remote 5.6.7.8 1194
cipher AES-256-CBC
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
remote-cert-tls server
ping 10
ping-restart 60
sndbuf 524288
rcvbuf 524288
fast-io

route 10.0.10.0 255.255.248.0 net_gateway

pull-filter ignore "route-ipv6"
pull-filter ignore "ifconfig-ipv6"

auth-user-pass /storage/.config/credentials.txt
ca /storage/.config/vpn_ca.crt
remap-usr1 SIGTERM

script-security 2
up /storage/.config/deleteroute.sh

Any suggestions how i can get the VPN providers nameservers working when the VPN is up?

EekNL · 5 November 2021 20:27

I found a solution:

i’ve changed the last line in my openvpn config file to:

up /storage/.config/changeresolv.sh

(didnt need the route deletion anymore that was there before)

This file contains the following:

#!/bin/sh
echo "nameserver 10.10.0.1" > /etc/resolv.conf

This does seem to work. Are there any downsides to this solution?

The only one i can think of that this still doesn’t use the nameserver that gets pushed by the OpenVPN server, but sets it static.

Any better possible solution?

EekNL · 8 November 2021 22:44

Good evening,

I’m still struggling to get an OpenVPN setup that i am satisfied with regarding DNS. I would like to prevent DNS leaking, but i’m running into 2 main problems:

I can’t get CoreELEC to use the nameservers pushed by the OpenVPN server.
Automatically installed host routes to the nameservers provided by the local router’s DHCP.

The first problem has a few workarounds, but they create new problems:

Use up/down scripts to set the nameservers as the VPN status changes: I would have to set it to a pre-defined nameserver, this will break if my VPN provider changes nameservers and I’m not sure the down script will function properly if the VPN fails/stops/gets stopped, with the risk of the VPN not able to come back up because I’ve set a nameserver that’s only reachable with the VPN up.

This last part is fixable by changing the hostname of the VPN service to IP addresses, but these are not static I’ve noticed.

The second problem; the automatic host (/32) routes to the nameservers received by DHCP are a pain in my ass. I want DNS requests to go into the tunnel, not towards my router. I could make a script to delete these specific routes when the tunnel comes up, but that won’t work if the nameservers get changed in the routers DHCP sometime in the future or if I use my CoreELEC box somewhere else with different DHCP servers.

Any help pointing me in the right direction is much appreciated.

Regards,

Eek

system · 8 February 2022 04:45

This topic was automatically closed 91 days after the last reply. New replies are no longer allowed.