OpenVPN and DNS on a linux client

I ran into a weird issue with Linux clients, while Windows machines worked fine: for some reason /etc/resolv.conf did not get updated. I found a workaround thanks to this page. Of course, your server configuration file must contain (if 192.168.1.1 is your DNS server):

push "dhcp-option DNS 192.168.1.1"

First, you need the resolvconf program. On Debian:

$ apt-get install resolvconf

Then add these lines to the configuration file of your Linux client (let's say /etc/openvpn/client.conf):

up /etc/openvpn/domain.up
plugin /usr/lib/openvpn/openvpn-down-root.so /etc/openvpn/domain.down

The plugin shipped with OpenVPN runs the down script with root privileges: OpenVPN needs root when it starts but drops it soon afterwards, so a plain down script would no longer be allowed to change the resolver configuration.
Now let's create the scripts:

/etc/openvpn/domain.up:

#!/bin/sh
# Really naff script to add nameserver entries on up.
# OpenVPN passes the tunnel device as the first argument and exports the
# pushed options as foreign_option_N='dhcp-option DNS 192.168.1.1' (or
# '... DOMAIN example.org'); the sed script turns them into resolv.conf
# lines. It relies on GNU sed because of the T (branch-if-not-substituted)
# command.
DEV=$1
set | sed -n "s/^foreign_option_.* DNS \(.*\)'/nameserver \1/; T next; p;
:next; s/^foreign_option_.* DOMAIN \(.*\)'/domain \1/; T; p;
" | resolvconf -a "$DEV"
resolvconf -u

/etc/openvpn/domain.down:

#!/bin/sh
# Really naff script to delete the nameserver entries on down.
# Removes the record resolvconf holds for the tunnel device and regenerates
# /etc/resolv.conf from the remaining interfaces.
DEV=$1
resolvconf -d "$DEV"
resolvconf -u

Now make them executable (from /etc/openvpn):

$ chmod +x domain*

Finally, restart OpenVPN and DNS resolution should work.

UPDATE 2008/07/11: The two scripts above are more or less obsolete because, at least in Debian Etch, a similar script ships with the OpenVPN package.

Here it is:

#!/bin/bash
#
# Parses DHCP options from openvpn to update resolv.conf
# To use set as 'up' and 'down' script in your openvpn *.conf:
# up /etc/openvpn/update-resolv-conf
# down /etc/openvpn/update-resolv-conf
#
# Used snippets of resolvconf script by Thomas Hood <jdthood@yahoo.co.uk>
# and Chris Hanson
# Licensed under the GNU GPL.  See /usr/share/common-licenses/GPL.
#
# 05/2006 chlauber@bnc.ch
#
# Example envs set from openvpn:
# foreign_option_1='dhcp-option DNS 193.43.27.132'
# foreign_option_2='dhcp-option DNS 193.43.27.133'
# foreign_option_3='dhcp-option DOMAIN be.bnc.ch'

# Do nothing on systems without resolvconf.
[ -x /sbin/resolvconf ] || exit 0

# OpenVPN says whether it is running the script as 'up' or 'down' through
# $script_type and names the tunnel device in $dev.
case $script_type in

up)
	# Walk every foreign_option_N variable (bash indirect expansion).
	for optionname in ${!foreign_option_*} ; do
		option="${!optionname}"
		echo $option
		part1=$(echo "$option" | cut -d " " -f 1)
		if [ "$part1" == "dhcp-option" ] ; then
			part2=$(echo "$option" | cut -d " " -f 2)
			part3=$(echo "$option" | cut -d " " -f 3)
			if [ "$part2" == "DNS" ] ; then
				IF_DNS_NAMESERVERS="$IF_DNS_NAMESERVERS $part3"
			fi
			if [ "$part2" == "DOMAIN" ] ; then
				IF_DNS_SEARCH="$part3"
			fi
		fi
	done
	# Build the resolv.conf fragment. Every entry must end with a newline,
	# otherwise the search and nameserver lines run into each other.
	R=""
	if [ "$IF_DNS_SEARCH" ] ; then
		R="${R}search $IF_DNS_SEARCH"$'\n'
	fi
	for NS in $IF_DNS_NAMESERVERS ; do
		R="${R}nameserver $NS"$'\n'
	done
	echo -n "$R" | /sbin/resolvconf -a "${dev}.inet"
	;;
down)
	/sbin/resolvconf -d "${dev}.inet"
	;;
esac
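The scripts on this page copy whatever the server pushes in foreign_option_N straight into resolv.conf. Those values come from the remote side, so a practitioner would want them checked before they reach the resolver. The following is an added example, not the blog's scripts nor the Debian package's: a POSIX sh up/down script that reads the pushed options, accepts only dotted-quad IPv4 nameservers and plain domain labels, and refuses to touch resolv.conf at all if any value fails. It assumes resolvconf at /sbin/resolvconf and the "${dev}.inet" record name used above, and that env, grep, sort and sed are available; the function names is_ipv4, is_domain and build_resolv_conf are mine. Only IPv4 nameservers are recognised. Note that OpenVPN 2.1 and later also require "script-security 2" in the client configuration before they will execute up/down scripts.

```shell
#!/bin/sh
# Added example (not the blog's nor Debian's script): a validating up/down
# script for OpenVPN. foreign_option_N values are pushed by the server, so
# each one is checked before it is handed to resolvconf.
# Only IPv4 nameservers are accepted; anything else is rejected.

# is_ipv4 ADDR: succeed if ADDR is a dotted quad with octets 0-255 and no
# leading zeros (some parsers read a leading zero as octal).
is_ipv4() {
    case $1 in
        '' | *[!0-9.]* | .* | *. | *..*) return 1 ;;
    esac
    local IFS=.
    set -- $1
    [ $# -eq 4 ] || return 1
    for octet; do
        case $octet in 0[0-9]*) return 1 ;; esac
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# is_domain NAME: succeed if NAME is dot-separated labels of letters, digits
# and hyphens, so it cannot carry other resolv.conf directives or whitespace.
is_domain() {
    [ -n "$1" ] && [ ${#1} -le 253 ] || return 1
    case $1 in
        *[!A-Za-z0-9.-]* | .* | *. | *..* | -* | *-.* | *.-* | *-) return 1 ;;
    esac
    return 0
}

# build_resolv_conf: read one pushed option per line on stdin, in the form
# OpenVPN uses ("dhcp-option DNS 10.8.0.1"), and print the resolv.conf
# fragment. Accepted entries are printed; rejected ones go to stderr and the
# exit status becomes 1 so the caller can refuse the whole set.
build_resolv_conf() {
    local opt search servers bad
    search="" servers="" bad=0
    while IFS= read -r opt; do
        # Split into words with globbing disabled; exactly three are expected.
        set -f
        set -- $opt
        set +f
        if [ $# -ne 3 ] || [ "$1" != dhcp-option ]; then
            printf 'rejecting malformed option: %s\n' "$opt" >&2
            bad=1
            continue
        fi
        case $2 in
            DNS)
                if is_ipv4 "$3"; then
                    servers="$servers $3"
                else
                    printf 'rejecting DNS value: %s\n' "$3" >&2
                    bad=1
                fi ;;
            DOMAIN)
                if is_domain "$3"; then
                    # several DOMAIN pushes become one search list
                    search="${search:+$search }$3"
                else
                    printf 'rejecting DOMAIN value: %s\n' "$3" >&2
                    bad=1
                fi ;;
            *) ;;   # WINS, NBT and similar are not resolver settings
        esac
    done
    [ -n "$search" ] && printf 'search %s\n' "$search"
    for opt in $servers; do
        printf 'nameserver %s\n' "$opt"
    done
    return $bad
}

# When OpenVPN runs this file as its up/down script it exports script_type,
# dev and the foreign_option_N variables. Nothing below runs when the
# functions are merely sourced or the file is executed without them.
RESOLVCONF=/sbin/resolvconf     # path assumed, as in the Debian script
case ${script_type:-} in
    up)
        if fragment=$(env | grep '^foreign_option_' | sort -t_ -k3n \
                      | sed 's/^[^=]*=//' | build_resolv_conf); then
            if [ -n "$fragment" ]; then
                printf '%s\n' "$fragment" | "$RESOLVCONF" -a "${dev}.inet"
            fi
        else
            echo "not touching resolv.conf: the server pushed invalid DNS options" >&2
            exit 1
        fi ;;
    down)
        "$RESOLVCONF" -d "${dev}.inet" ;;
esac
```

Install it like the Debian script (both "up" and "down" pointing at the file, plus "script-security 2" on OpenVPN 2.1 or newer). Because the up branch exits non-zero when a value is rejected, OpenVPN will abort the connection instead of silently leaving the system with its previous, unprotected DNS settings; that is the safer failure mode given the leak the commenters below describe.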

13 thoughts on “OpenVPN and DNS on a linux client”

  1. JC Post author

    It is fixed now. It got broken due to my recent theme update.
    Also check the update I just posted, it is worth using it now.

  2. bubba

    On the ASUS EEEPC 901, the Problem STILL exists and the so called Tech support at WITOPIA are Totally Freakin CLUELESS.

    They have run me around the block on this problem, which is a MAJOR Security hole, and the folks at witopia just don’t seem to care.

    The problem is that your BROWSER session gets encrypted
    BUT
    your DNS queries DO NOT !!!

    So if you did this in CHINA and set up your Supposedly Secure Witopia session, where you Thought all was secure and then went to
    say “www.freetibet.org” your DNS lookup is IN THE CLEAR !!! Your session once you Got To the site is encrypted
    BUT
    Now it's too late – You DIE
    witopia sucks SO MASSIVELY that they have ZERO mention on their WEB site and their tech support has ZERO Clue about the problem.

    worse – witopia tech support cops such a huge attitude with you – like YOU are the problem – NOT their product – NOT their lack of documentation

    THX SO MUCH for the HELP !!!!

  3. billybux

    Bubba,

    I don’t think that is correct about Witopia, or any decent VPN service provider worth its salt, but you are correct about DNS being a potential security hole that you need to keep an eye on. Witopia does provide secure DNS and says you should use their DNS servers for best security in the e-mail you receive after ordering.

    Please comment back, but it’s my understanding that if you’re set up to automatically detect settings from your ISP, Witopia should function as your “virtual ISP” while VPN is connected and provides the Witopia IP address as well as DNS information from Witopia DNS servers over the encrypted tunnel.

    Witopia supplies DNS as part of their service and will also let you manually enter the server addresses (I have done this and it seems to improve performance and, as you mention, security). The DNS server info is on their FAQ, http://www.wiki.witopia.net/wiki/FAQ …#6).

    So, as I understand it, DNS queries while using Witopia are secure if you use their DNS servers, which you should automatically, if your machine is set up to auto-detect settings or you can manually set them as they suggest.

    Then, all DNS queries are encrypted over witopia VPN (outside of China..or any country) to and from Witopia servers unless you purposely enter your local ISP’s DNS servers (in China that wouldn’t be too good) or someone else’s. Which, as you mention, isn’t the optimal security setup and should be avoided.

  4. PCoE

    Many howtos and docs before I left any hope about VPN&DNS… But this article helped me. I was only about trying to edit correctly /etc/resolv.conf (as I remember, even with correct DNS coming with push command from server), thought it was enough, but no luck.

    Thnx a lot. =)

  5. Tom Parker

    Here is the Ubuntu script modified to work with OpenSuSE’s netconfig instead of resolvconf.

    #!/bin/bash
    #
    # Parses DHCP options from openvpn to update resolv.conf
    # To use set as 'up' and 'down' script in your openvpn *.conf:
    # up /etc/openvpn/update-resolv-conf
    # down /etc/openvpn/update-resolv-conf
    #
    # Used snippets of resolvconf script by Thomas Hood
    # and Chris Hanson
    # Licensed under the GNU GPL. See /usr/share/common-licenses/GPL.
    #
    # 05/2006 chlauber@bnc.ch
    #
    # Example envs set from openvpn:
    # foreign_option_1='dhcp-option DNS 193.43.27.132'
    # foreign_option_2='dhcp-option DNS 193.43.27.133'
    # foreign_option_3='dhcp-option DOMAIN be.bnc.ch'

    NETCONFIG="/sbin/netconfig"
    #OPTIONS="--verbose --force-replace"

    # Do nothing on systems without netconfig.
    [ -x "$NETCONFIG" ] || exit 0

    # $script_type ('up' or 'down') and $dev are exported by OpenVPN.
    case $script_type in

    up)
        # Walk every foreign_option_N variable (bash indirect expansion).
        for optionname in ${!foreign_option_*} ; do
            option="${!optionname}"
            #echo $option
            part1=$(echo "$option" | cut -d " " -f 1)
            if [ "$part1" == "dhcp-option" ] ; then
                part2=$(echo "$option" | cut -d " " -f 2)
                part3=$(echo "$option" | cut -d " " -f 3)
                if [ "$part2" == "DNS" ] ; then
                    if [ "$IF_DNS_NAMESERVERS" ] ; then
                        IF_DNS_NAMESERVERS="$IF_DNS_NAMESERVERS $part3"
                    else
                        IF_DNS_NAMESERVERS="$part3"
                    fi
                fi
                if [ "$part2" == "DOMAIN" ] ; then
                    IF_DNS_SEARCH="$part3"
                fi
            fi
        done
        # netconfig reads one KEY='value' setting per line on stdin.
        R=""
        if [ "$IF_DNS_SEARCH" ] ; then
            R="${R}DNSSEARCH='$IF_DNS_SEARCH'"$'\n'
        fi
        if [ "$IF_DNS_NAMESERVERS" ] ; then
            R="${R}DNSSERVERS='$IF_DNS_NAMESERVERS'"$'\n'
        fi
        echo -n "$R" | "$NETCONFIG" modify $OPTIONS -i "${dev}" -s openvpn
        ;;
    down)
        "$NETCONFIG" remove $OPTIONS -i "${dev}" -s openvpn
        ;;
    esac

  6. MrFrame

    Thanks JC !
    Finding this and implementing accordingly saved me quite a bit of hassle mucking around with /etc/hosts and/or bind slaves.
    Thanks a lot!

  7. Damion Blessinger

    The easiest way (which is a little expensive) is to buy 2 VPN-capable routers with static public IP addresses on both ends…. With those set up it will be like both computers are networked at the same location.

Comments are closed.