I have defined an unbound DNS server on my VPS and it appears to work. I need to use the DNS server instead of public DNS servers because some ISPs have blocked public DNS IPs. My openvpn.conf file is:
dev tun
proto tcp
# Notice: here I set the listening port to be 80 to avoid possible port blockage
port 80
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
user nobody
group nogroup
server 10.8.0.0 255.255.255.0
persist-key
persist-tun
#status openvpn-status.log
#verb 3
client-to-client
push "redirect-gateway def1"
#pushing public DNS IPs
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.222.220"
comp-lzo
As it is suggested here, I tried to use my server's IPs (say 11.22.33.44). So instead of
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.222.220"
I just put
push "dhcp-option DNS 11.22.33.44"
in openvpn.conf above. However, after restarting openvpn, I see that my client can still connect to the OpenVPN server, but no pages can be rendered anymore.
What can be wrong here? How can I solve this problem?
On Windows 10 clients, you need to add the following directives to client.ovpn:
On Ubuntu 16.04 clients, you may need to add the following directives to client.ovpn:
The latest OpenVPN client versions for Windows do not recognize the option DOMAIN-SEARCH correctly, and work with DOMAIN.
.You say that the "it appears to work." How did you verify this? Are you basing it on the fact the server started without any errors or did you actually perform some queries against it?
First thing I would do is use nslookup or dig to connect to the unbound server and perform some queries. I know dig is more in fashion these days but I know nslookup better.
If this does not work then you have to look back at the DNS configuration again.
Is this a primary DNS server or a caching DNS server? Are you trying to query local resources or internet resources? Does it work as expected if you do not push your DNS server to the client?
If you pass all your traffic through your OpenVPN server you should not need to worry about your ISP blocking public DNS servers anymore since as far as your ISP is concerned you are only generating traffic to your VPS; unless the VPS is behind the same ISP.
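To turn the "actually perform some queries against it" advice into a repeatable check from the client side, here is an added example; it is not part of the answer above and not code from the OpenVPN or unbound projects. It sends a plain DNS A query over UDP to the address that the server pushes, parses the reply, and reports what the response code implies: REFUSED is what unbound sends when the query's source address is not permitted by its access-control, SERVFAIL means unbound accepted the query but could not resolve it upstream, and no reply at all usually means it is not listening on that interface or port 53 is filtered. The server address 10.8.0.1 and the name example.com are assumptions, and the embedded sample reply is constructed so the parser can be exercised offline.

```python
import random
import socket
import struct
import sys

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, qtype=1, txid=None):
    """Build a single-question DNS query (RD set) for `name`; returns (packet, txid)."""
    if txid is None:
        txid = random.randint(0, 0xFFFF)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1; QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1), txid  # class IN


def _read_name(data, offset):
    """Decode a possibly compressed name; returns (name, offset just past it)."""
    labels, end, jumped = [], offset, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer: 14-bit offset into the packet
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def parse_response(data, expected_txid):
    """Parse the header, skip the question section and collect A-record answers."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("packet is not a response (QR bit clear)")
    offset = 12
    for _ in range(qd):
        _, offset = _read_name(data, offset)
        offset += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, offset = _read_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, "A", socket.inet_ntoa(rdata)))
        else:
            answers.append((name, rtype, rdata))
    return {"rcode": flags & 0x000F,
            "recursion_available": bool(flags & 0x0080),
            "answers": answers}


def query(server, name, timeout=3.0):
    """Send one query to `server`:53 over UDP; a timeout is reported, not raised."""
    pkt, txid = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return {"error": "timeout"}
    return parse_response(data, txid)


def diagnose(result):
    """Map the reply to the most likely misconfiguration on the VPS side."""
    if "error" in result:
        return "no reply: the server is not listening on this address or port 53 is filtered"
    code = RCODES.get(result["rcode"], str(result["rcode"]))
    if code == "REFUSED":
        return "REFUSED: the client's source address is not permitted by unbound's access-control"
    if code == "SERVFAIL":
        return "SERVFAIL: unbound accepted the query but could not resolve it upstream"
    if code == "NOERROR" and not result["answers"]:
        return "NOERROR with no answers"
    if code == "NOERROR" and not result["recursion_available"]:
        return "answered without RA: this server does not offer recursion to this client"
    return "ok" if code == "NOERROR" else code


SAMPLE_TXID = 0x1234
# Constructed sample reply (not captured from a real server): example.com A 203.0.113.10,
# TTL 60, with the answer's owner name compressed as a pointer to offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", SAMPLE_TXID, 0x8180, 1, 1, 0, 0)  # QR, RD, RA, NOERROR
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([203, 0, 113, 10])
)

if __name__ == "__main__":
    server = sys.argv[1] if len(sys.argv) > 1 else "10.8.0.1"  # assumed tun-side address
    result = query(server, "example.com")
    print(result)
    print(diagnose(result))
```

Run it on the connected client with whichever address the server actually pushes. One caveat worth checking when the pushed address is the VPS's public IP (11.22.33.44 in the question): with redirect-gateway, OpenVPN keeps a host route to the VPN endpoint via the original gateway, so queries to that address leave the client outside the tunnel and arrive on the VPS's public interface from the client's real source address, which unbound will only serve if it listens there and that address is allowed. Pushing the tunnel-side address instead (10.8.0.1 for the `server 10.8.0.0 255.255.255.0` line above, assumed here) and allowing 10.8.0.0/24 in unbound's access-control keeps the DNS traffic inside the tunnel.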
It turns out that if you are trying to connect from a non-Windows client, you need to do a couple of extra steps:
On Linux
Put this line in your client configuration (client.conf or xxxx.ovpn file):
Call the OpenVPN client in this way:
That worked for me.
There are other useful commands to set up what you need via the command line. In my case you can control the VPN connection both from the command line and from the GUI.
sudo nmcli connection add type vpn vpn-type openvpn con-name la.vpn.contoso.com ifname --
sudo nmcli connection modify la.vpn.contoso.com ipv4.dns 172.16.27.1
sudo nmcli connection modify la.vpn.contoso.com ipv4.dns-search int.contoso.com
sudo nmcli connection modify la.vpn.contoso.com ipv4.never-default yes
And a more interesting final touch:
nmcli connection modify la.vpn.contoso.com vpn.data 'ca = /tmp/la.vpn.contoso.com/you/ca.crt, key = /tmp/you.key, dev = tun, cert = /tmp/you.crt, cert-pass-flags = 1, comp-lzo = adaptive, remote = la.vpn.contoso.com:1194, connection-type = tls'
Afterwards you can control the VPN with the GUI or use the following commands:
sudo nmcli --ask connection up la.vpn.contoso.com
sudo nmcli connection down la.vpn.contoso.com