OpenVPN with DNSMasq -- solution and question

hankofthehell
OpenVpn Newbie
Posts: 5
Joined: Wed Aug 06, 2014 1:24 pm

OpenVPN with DNSMasq -- solution and question

Postby hankofthehell » Wed Aug 06, 2014 2:02 pm

Hey everyone,

In addition to still being pretty new to networking technology, this is also my very first time using OpenVPN server (Debian 7 Stable). Recently, I had an issue where my OpenVPN client (Android) wouldn't read the DNS addresses file; this file functions as an Ad/Tracker blacklist (i.e., "address=/pr0n.edu/127.0.0.1").

I solved it by having dnsmasq listen on the P-t-P address:

Code:

/etc/dnsmasq.conf
[...]
# the dnsmasq option is listen-address; a bare "listen=" is not a recognised option
listen-address=10.8.0.2

But, the problem is that I don't really know why this works; I'm posting this in hopes that someone can better explain what's happening, or offer another solution. Despite a couple weeks' worth of research (on my downtime between two jobs), I've actually found close to nothing regarding the integration of dnsmasq and openvpn (that which I did find did not work); and, indeed, my shot-in-the-dark solution was not one I found anywhere online. Using what knowledge I could find, I had assumed that OpenVPN would automatically use the DNSMasq values without further configuration. In addition, I don't know why listening on eth0's IP (192.168.0.3) wouldn't have solved it since, I would assume, OpenVPN's traffic would pass through that in order to reach the internet. But, again, this dilemma is merely a testament to what little knowledge I have about these networking technologies, so any clarification would be appreciated.

My second question is, will listening on the P-t-P address, in and of itself, introduce any security risks of which I should be aware? I ask only because, again, I haven't found any information regarding my solution, so I don't want to miss anything that would be obvious to more seasoned network administrators.

Thanks a bunch.
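As an added example (it is not code from this thread, nor from OpenVPN or dnsmasq), the POSIX shell script below emits the two server-side fragments this kind of setup needs and refuses to bind dnsmasq to an address outside the tunnel range, which is the part of the second question that matters: a resolver that only listens on loopback and the tun address cannot be reached from eth0 as an open resolver. All values are hypothetical: 10.8.0.0/24 as the VPN subnet, 10.8.0.1 as the server's tun0 address used as the resolver, example.com as a blacklist entry, and 192.0.2.53 as a placeholder upstream.

```shell
#!/bin/sh
# Added example, not code from the thread, OpenVPN or dnsmasq. It emits the two
# server-side fragments a dnsmasq-backed blacklist resolver for VPN clients
# needs, and refuses to bind dnsmasq to an address outside the tunnel range.
# Hypothetical values: VPN subnet 10.8.0.0/24, server tun0 address 10.8.0.1,
# blacklist entry example.com, upstream resolver placeholder 192.0.2.53.

VPN_DNS_IP="10.8.0.1"
VPN_IFACE="tun0"
UPSTREAM_DNS="192.0.2.53"   # placeholder (TEST-NET-2); put a real upstream here

# Exit 0 when $1 is a dotted quad inside 10.8.0.0/24, i.e. an address that
# belongs to the tunnel rather than to eth0's LAN.
in_vpn_subnet() {
    case "$1" in
        10.8.0.[0-9]|10.8.0.[1-9][0-9]|10.8.0.1[0-9][0-9]|10.8.0.2[0-4][0-9]|10.8.0.25[0-5])
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# Exit 0 when the kernel actually holds $1 on $VPN_IFACE (a socket can only be
# bound to a local address, not to the peer side of a point-to-point link).
# Exit 2 when the ip tool is unavailable, so callers can skip the check.
is_local_on_vpn_iface() {
    command -v ip >/dev/null 2>&1 || return 2
    ip -o -4 addr show dev "$VPN_IFACE" 2>/dev/null | grep -q "inet $1[ /]"
}

# dnsmasq.conf fragment. The option is listen-address (there is no "listen");
# bind-interfaces makes dnsmasq bind only those addresses, so it never answers
# queries arriving on eth0 and cannot be abused as an open resolver from the LAN
# or the internet. Blacklisted names resolve to 127.0.0.1 as in the thread.
dnsmasq_fragment() {
    addr="$1"
    if ! in_vpn_subnet "$addr"; then
        echo "refusing to listen on non-VPN address $addr" >&2
        return 1
    fi
    printf 'listen-address=127.0.0.1,%s\n' "$addr"
    printf 'bind-interfaces\n'
    printf 'no-resolv\n'
    printf 'server=%s\n' "$UPSTREAM_DNS"
    printf 'address=/example.com/127.0.0.1\n'
}

# server.conf fragment: tell clients to use the tunnel-side resolver. Linux
# clients still need an up/down hook (update-resolv-conf, or a dhclient
# prepend line) to apply it; Android and Windows clients apply a pushed DNS
# option without a script.
openvpn_push_fragment() {
    printf 'push "dhcp-option DNS %s"\n' "$VPN_DNS_IP"
}

# Usage: print both fragments for the assumed addresses.
dnsmasq_fragment "$VPN_DNS_IP"
openvpn_push_fragment
```

Run it on the server and paste the first fragment into /etc/dnsmasq.conf and the second into the OpenVPN server config; `is_local_on_vpn_iface 10.8.0.1` can then confirm the chosen address really sits on tun0 before dnsmasq is restarted, since binding to the peer side of a point-to-point pair will not work.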


Re: OpenVPN with DNSMasq -- solution and question

Postby hankofthehell » Sat Sep 06, 2014 12:11 am

I am so sorry it has taken so long to reply. Not long (days) after making that post, I was hired out of the blue for a full-time job, and I've been consumed by that ever since. Now that I have a moment to breathe, I just want to follow up.

debbie10t wrote: For Linux-based systems, if you push DNS servers to the client you also need to run /etc/openvpn/update-resolv-conf like so:

Client.conf:
Code:
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

This may negate the need for your solution (I do not personally know for Android, perhaps you can test)

Android doesn't have an /etc/openvpn or /system/etc/openvpn folder :\ so I'm not sure if this would be beneficial at all. In addition, the OpenVPN app doesn't seem to include this as an option.

IE: Do not use "listen={tun.IP.Add}" :: Try the script above.

Out of curiosity, why not? So far, I've found a few tutorials about using dnsmasq with openvpn which recommend setting "listen=127.0.0.1,10.8.0.1" in dnsmasq.conf; why would this not be a valid solution (or would it be more appropriate for me to ask this in a dnsmasq forum)?

I do appreciate the help and advice, however. I want to believe that I'll have a little more free time in the future.


Re: OpenVPN with DNSMasq -- solution and question

Postby hankofthehell » Sat Sep 06, 2014 7:17 pm

Code:

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

Alright, so I don't know why this hadn't dawned on me earlier. In Linux, your three parameters would simply pass custom commands through resolvconf, which I neither use nor have installed. But, since I use dhclient, I needed only to add the following parameter to /etc/dhcp/dhclient.conf (on the client pc):

Code:

prepend domain-name-servers 10.8.0.1

Because Android has its own way of doing this (ie, it doesn't have an /etc/resolv.conf file), it makes sense that your client.conf parameters would be unusable on my phone. I speculate that the OpenVPN app has some native way of solving this issue, but I cannot say for sure.

I suppose we were discussing two sides of a similar coin XD

Also, thanks for the diagram. I admit that I didn't get it at first, but it actually helped clear things up quite a bit.


Re: OpenVPN with DNSMasq -- solution and question

Postby hankofthehell » Sat Sep 06, 2014 8:59 pm

debbie10t wrote:
hankofthehell wrote: In Linux, your three parameters would simply pass custom commands through resolvconf, which I neither use nor have installed. But, since I use dhclient, I needed only to add the following parameter to /etc/dhcp/dhclient.conf (on the client pc):
Code:
prepend domain-name-servers 10.8.0.1
Does this work properly .. Would you say this feels like a more "elegant" solution ?

I would not be the person to judge whether this is more 'elegant' than resolvconf, but it does work fine for me on Debian (stable). In other readings, I've found instances where resolvconf can interfere with functionality, so I really haven't had much reason to use it. I'm open to new ideas, though.


Re: OpenVPN with DNSMasq -- solution and question

Postby hankofthehell » Sat Sep 13, 2014 5:32 pm

One final note. If any Linux users are running NetworkManager/nm-applet (default in Gnome/*buntu and other popular distros), it has a GUI plugin that will automatically set up the VPN and solve DNS issues. However, NetworkManager also has a tendency to override a lot of settings, so keep that in mind as well. But it is an easy, straightforward solution.
