Linux - using pull-resolv-conf

One of the most common pitfalls when setting up a VPN connection on Linux is when the OpenVPN server pushes out new DNS settings. In the previous recipe, we saw that the NetworkManager-openvpn plugin also updated the system configuration file that contains the DNS settings, /etc/resolv.conf. If OpenVPN is started from the command line, this is not done automatically. By default, OpenVPN comes with two scripts to add and remove DNS servers from the /etc/resolv.conf file. This recipe will show how to use these scripts.

Getting ready

We will use the following network layout:

Set up the client and server certificates using the first recipe from Chapter 2, Client-server IP-only Networks. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.11. The client was running Fedora 22 Linux and OpenVPN 2.3.11. Keep the basic-udp-server.conf configuration file from the Server-side routing recipe from Chapter 2, Client-server IP-only Networks, as well as the basic-udp-client.conf client configuration file at hand.

How to do it...

  1. Append the following line to the basic-udp-server.conf file:
    push "dhcp-option DNS 10.198.0.1"
    

    Here, 10.198.0.1 is the address of a DNS server on the VPN server LAN. Save it as example9-2-server.conf.

  2. Start the server:
    [root@server]# openvpn --config example9-2-server.conf
    
  3. Similarly, for the client, add the following lines to the basic-udp-client.conf file:
    script-security 2
    up   "/etc/openvpn/cookbook/client.up"
    down "/etc/openvpn/cookbook/client.down"
    
  4. Save it as example9-2-client.conf. Copy over the client.up and client.down files from the OpenVPN contrib directory and make them executable. On CentOS 6 and Fedora 22, these files are located in the /usr/share/doc/openvpn-2.3.11/contrib/pull-resolv-conf directory:
    [root@client]# cd /etc/openvpn/cookbook
    [root@client]# cp /usr/share/doc/openvpn-2.3.11/contrib/pull-resolv-conf/client.* .
    [root@client]# chmod 755 client.*
    
  5. And finally, start the client:
    [root@client]# openvpn --config example9-2-client.conf
    

After the VPN connection comes up, check the contents of the /etc/resolv.conf file. The first line should contain the DNS server as specified by the OpenVPN server:

nameserver 10.198.0.1

When the VPN connection is terminated, the entry is removed again.

How it works...

The scripts supplied with OpenVPN parse the foreign_option_* environment variables, which OpenVPN fills with the dhcp-option directives pushed by the server, and look for DNS and DOMAIN settings. These settings are then written out to the beginning of the /etc/resolv.conf file. Because the resolver reads the file top to bottom, the DNS server and DOMAIN pushed by the OpenVPN server take precedence over the system's own DNS and DOMAIN settings.

When the VPN connection is dropped, the same settings are removed from the /etc/resolv.conf file.
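To make the mechanism concrete, here is an added example script that is not the contrib client.up/client.down pair from the page, but reimplements their behaviour in POSIX sh: it walks the foreign_option_1, foreign_option_2, ... environment variables, turns "dhcp-option DNS" and "dhcp-option DOMAIN" values into resolv.conf lines, and prepends them to (or removes them from) a resolv.conf file. Two things are assumptions of this example rather than something the page states: the DOMAIN value is emitted as a "search" line (the contrib script's exact output format is not reproduced here), and a hypothetical RESOLV_FILE variable selects the file so the script can be tried on a copy before it is pointed at /etc/resolv.conf. Since an up script runs as root and writes server-supplied strings into a system file, the example only accepts DNS values that look like a dotted-quad IPv4 address and DOMAIN values made of hostname characters, and skips anything else. The script_type variable it keys on is the real one OpenVPN sets to "up" or "down" before running a script.

```shell
#!/bin/sh
# Added example, not the OpenVPN contrib pull-resolv-conf scripts.
# Reads the foreign_option_N environment variables that OpenVPN populates
# from pushed "dhcp-option" directives and edits a resolv.conf file.

# Print the resolv.conf lines derived from foreign_option_1..N, in order.
# Values are validated before being written, because they come from the
# server and end up in a root-owned system file.
collect_dhcp_options() {
    i=1
    while true; do
        eval "opt=\${foreign_option_$i:-}"   # i is numeric, so eval is safe
        [ -n "$opt" ] || break
        case "$opt" in
            "dhcp-option DNS "*)
                ip=${opt#dhcp-option DNS }
                if echo "$ip" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$'; then
                    echo "nameserver $ip"
                else
                    echo "skipping invalid DNS value: $ip" >&2
                fi
                ;;
            "dhcp-option DOMAIN "*)
                dom=${opt#dhcp-option DOMAIN }
                if echo "$dom" | grep -Eq '^[A-Za-z0-9.-]+$'; then
                    echo "search $dom"      # assumption: "search" line for DOMAIN
                else
                    echo "skipping invalid DOMAIN value: $dom" >&2
                fi
                ;;
        esac
        i=$((i + 1))
    done
}

# Prepend the collected lines to the resolv.conf given as argument 1,
# so the pushed settings are read before the system's own entries.
prepend_to_resolv_conf() {
    file=$1
    new=$(collect_dhcp_options)
    [ -n "$new" ] || return 0
    tmp=$(mktemp)
    printf '%s\n' "$new" > "$tmp"
    cat "$file" >> "$tmp"
    cat "$tmp" > "$file"      # write in place, keeping the file's owner and mode
    rm -f "$tmp"
}

# Remove exactly those lines again (what the down script does).
remove_from_resolv_conf() {
    file=$1
    new=$(collect_dhcp_options)
    [ -n "$new" ] || return 0
    tmp=$(mktemp)
    # -x -F: drop only lines that match one of the pushed lines exactly
    printf '%s\n' "$new" | grep -vxFf - "$file" > "$tmp" || true
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# When run by OpenVPN, script_type is "up" or "down"; otherwise (sourced
# for testing) do nothing. RESOLV_FILE is a hypothetical override.
case "${script_type:-}" in
    up)   prepend_to_resolv_conf "${RESOLV_FILE:-/etc/resolv.conf}" ;;
    down) remove_from_resolv_conf "${RESOLV_FILE:-/etc/resolv.conf}" ;;
esac
```

To try it against a copy, run something like `script_type=up RESOLV_FILE=/tmp/resolv.copy foreign_option_1="dhcp-option DNS 10.198.0.1" sh ./resolv-demo.sh` and inspect /tmp/resolv.copy; the same invocation with `script_type=down` puts the file back. Used as the real up and down script, it would be referenced from the client configuration exactly like client.up and client.down in step 3.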

There's more...

Note that when the NetworkManager-openvpn plugin is used, these scripts are not necessary, as the NetworkManager itself updates the /etc/resolv.conf file.
