Version 11 (modified by 2 years ago) (diff) | ,
---|
Using DNS servers pushed to clients
This page describes how to use pushed DNS servers in the client.
Contents:
- Using DNS servers pushed to a Linux client
- Using DNS servers pushed to a Windows client
- Additional notes
Using DNS servers pushed to a Linux client
Linux must use an external script to update the DNS servers in /etc/resolve.conf
Most Distro OpenVPN packages include /etc/openvpn/update-resolv-conf.sh
script.
Source: https://github.com/alfredopalhares/openvpn-update-resolv-conf
Call the script by adding this to your client config file:
script-security 2 up /etc/openvpn/update-resolv-conf.sh down /etc/openvpn/update-resolv-conf.sh
Note: The script may also be called update-resolv-conf
without a .sh
suffix.
systemd-resolved
If you use systemd-resolved
then use this script:
Using DNS servers pushed to a Windows client
- OpenVPN 2.4
Windows uses the OpenVPN built-in DHCP server to update the TAP adapter's DNS servers and no additional steps are required.
This does require that the client is run using the OpenVPN-GUI and that the OpenVPN
InteractiveService
for Windows is started.
To prevent DNS leaks at the client use
--block-outside-dns
.
- OpenVPN 2.3
Windows uses the OpenVPN built-in DHCP server to update the TAP adapter's DNS servers and no additional steps are required.
This does require that the client is run as an administrator user.
This version does not support
--block-outside-dns
Additional notes
- Linux notes
If the client is run using
--user
and--group
to drop the process privileges then the--down
script will fail and leave the client DNS in an undefined state.
The recommended way to resolve this is to use the openvpn-down-root.so plugin module.