One of the most common pitfalls when setting up a VPN connection on Linux is when the OpenVPN server pushes out new DNS settings. In the previous recipe, we saw that the NetworkManager-openvpn plugin also updated the system configuration file that contained the DNS setting, /etc/resolv.conf. If the command line is used, this is not done automatically. By default, OpenVPN comes with two scripts to add and remove DNS servers from the /etc/resolv.conf file. This recipe will show how to use these scripts.
We will use the following network layout:
Set up the client and server certificates using the first recipe from Chapter 2, Client-server IP-only Networks. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.11. The client was running Fedora 22 Linux and OpenVPN 2.3.11. Keep the basic-udp-server.conf configuration file from the Server-side routing recipe from Chapter 2, Client-server IP-only Networks, as well as the basic-udp-client.conf client configuration file at hand.
Add the following line to the basic-udp-server.conf file:
push "dhcp-option DNS 10.198.0.1"
Here, 10.198.0.1 is the address of a DNS server on the VPN server LAN. Save it as example9-2-server.conf.
[root@server]# openvpn --config example9-2-server.conf
Add the following lines to the basic-udp-client.conf file:
script-security 2
up "/etc/openvpn/cookbook/client.up"
down "/etc/openvpn/cookbook/client.down"
Save it as example9-2-client.conf. Copy over the client.up and client.down files from the OpenVPN contrib directory and make them executable. On CentOS 6 and Fedora 22, these files are located in the /usr/share/doc/openvpn-2.3.11/contrib/pull-resolv-conf directory:
[root@client]# cd /etc/openvpn/cookbook
[root@client]# cp /usr/share/doc/openvpn-2.3.11/contrib/pull-resolv-conf/client.* .
[root@client]# chmod 755 client.*
[root@client]# openvpn --config example9-2-client.conf
After the VPN connection comes up, check the contents of the /etc/resolv.conf file. The first line should contain the DNS server as specified by the OpenVPN server:
nameserver 10.198.0.1
When the VPN connection is terminated, the entry is removed again.
The scripts supplied with OpenVPN parse the foreign_option_* environment variables and look for DOMAIN and DNS settings. These settings are then written out to the beginning of the /etc/resolv.conf file. This causes the DNS server and the DOMAIN pushed by the OpenVPN server to take precedence over the system's DNS and DOMAIN settings.
When the VPN connection is dropped, the same settings are removed from the /etc/resolv.conf file.
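To make the mechanism just described concrete, here is an added example of my own (it is not the contrib/pull-resolv-conf client.up and client.down scripts that ship with OpenVPN, and it is not taken from the book). It is a single POSIX shell script that can be installed as both the up and the down script: it walks the foreign_option_N variables that OpenVPN exports, keeps only well-formed "dhcp-option DNS" and "dhcp-option DOMAIN" values, writes them to the top of resolv.conf tagged with a marker, and on "down" removes exactly those marked lines. The RESOLV_CONF override and the MARKER string are names I chose for this example so it can be exercised on a scratch file; script_type is the variable OpenVPN itself sets to "up" or "down" before running a script.

```shell
#!/bin/sh
# Added example, not the contrib/pull-resolv-conf scripts shipped with OpenVPN.
# One script usable as both the "up" and the "down" script: it reads the
# foreign_option_N variables OpenVPN exports, keeps only well-formed
# "dhcp-option DNS" / "dhcp-option DOMAIN" values, and prepends them to
# resolv.conf tagged with a marker so "down" can remove exactly those lines.
# RESOLV_CONF (assumed: lets the script be run against a scratch file) and
# MARKER are this example's own names, not OpenVPN settings.
set -f                           # no pathname expansion while splitting pushed strings
MARKER="# pushed-by-openvpn"

# Accept only a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    echo "$1" | awk -F. '
        NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }
        { exit 1 }'
}

# Print one resolver line per accepted pushed option, in the order pushed.
# Malformed values are dropped: the server controls these strings, and they
# are about to be written into a system file.
collect_options() {
    i=1
    while :; do
        eval "opt=\${foreign_option_$i:-}"
        [ -n "$opt" ] || break
        set -- $opt              # split into: dhcp-option TYPE VALUE
        if [ "$1" = "dhcp-option" ]; then
            case "$2" in
                DNS)
                    is_ipv4 "$3" && echo "nameserver $3 $MARKER" ;;
                DOMAIN)
                    case "$3" in
                        ''|*[!A-Za-z0-9.-]*) ;;          # empty or odd characters: drop
                        *) echo "search $3 $MARKER" ;;
                    esac ;;
            esac
        fi
        i=$((i + 1))
    done
}

# "up": strip any lines left over from an earlier run, then put the pushed
# entries first so they take precedence over the system's own settings.
vpn_up() {
    conf="${RESOLV_CONF:-/etc/resolv.conf}"
    tmp="$conf.openvpn.$$"
    {
        collect_options
        grep -v "$MARKER" "$conf" 2>/dev/null || true
    } > "$tmp" && mv "$tmp" "$conf"
}

# "down": remove only the lines this script added.
vpn_down() {
    conf="${RESOLV_CONF:-/etc/resolv.conf}"
    tmp="$conf.openvpn.$$"
    grep -v "$MARKER" "$conf" > "$tmp" || true
    mv "$tmp" "$conf"
}

# OpenVPN sets script_type to "up" or "down" before running a script, so the
# same file serves as both; with it unset (e.g. when sourced) nothing runs.
case "${script_type:-}" in
    up)   vpn_up ;;
    down) vpn_down ;;
esac
```

Point both the up and the down directive in the client configuration at this one file (script-security 2 is still required). The marker is placed after the address on the same line, which the glibc resolver ignores, so the first line of the file is still the pushed nameserver. Two caveats worth keeping in mind: the file is replaced with mv, so on a system where /etc/resolv.conf is a symlink maintained by another resolver service the link itself would be overwritten, and the validation step is the part that matters from a security standpoint, because everything in foreign_option_* arrives from the VPN server and is written into a file the whole system trusts.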