How to ignore server pushing DNS to iOS OpenVPN

How to customize and extend your OpenVPN installation.

Moderators: TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech

Post Reply
nathanernest
OpenVpn Newbie
Posts: 2
Joined: Sat Apr 13, 2019 10:52 am

How to ignore server pushing DNS to iOS OpenVPN

Post by nathanernest » Sat Apr 13, 2019 11:15 am

Hi all. Long time lurker, first time poster.

I can't seem to stop my commercial VPN provider (https://vpn.ac) from pushing down a DNS server to the connection on iOS. They provide an ovpn configuration file which I have shown below (the X's in the certs I have change for readability). Everything below the commented line I have added.

What is working is that my client is adding the prefered DNS servers, but I can't stop the VPN server from pushing down another DNS server.

Below is the config file used for the import.

Code: Select all

remote-random
remote sg1.vpn.ac 8000
remote sg1.vpn.ac 50000
dev tun
tls-client
persist-tun
persist-key
nobind
pull
redirect-gateway def1
route-delay 3
auth-user-pass
verb 3
explicit-exit-notify 2
remote-cert-tls server
key-direction 1
cipher AES-256-CBC
auth SHA512
persist-remote-ip
[b]###MODIFICATIONS ARE BELOW THIS LINE###
#ignore server DNS
pull-filter ignore "dhcp-option DNS"
pull-filter ignore "dhcp-option DNS6"
# use preferred dns
dhcp-option DNS 176.103.130.130
dhcp-option DNS 176.103.130.131[/b]

<ca>
-----BEGIN CERTIFICATE-----
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END CERTIFICATE-----
</ca>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END OpenVPN Static key V1-----
</tls-auth>
Below is the connection logs from the OpenVPN client for iOS, you can see that the pull filter lines are listed in the UNSUED OPTIONS section so I'm not sure what I've done wrong, but some good news is that I can see that the preferred DNS servers are being added correctly.

Code: Select all

2019-30-13 18:30:28 ----- OpenVPN Start -----
OpenVPN core 3.2 ios arm64 64-bit PT_PROXY built on Oct 3 2018 06:35:04

2019-30-13 18:30:28 Frame=512/2048/512 mssfix-ctrl=1250

2019-30-13 18:30:28 UNUSED OPTIONS
4 [tls-client] 
5 [persist-tun] 
6 [persist-key] 
7 [nobind] 
8 [pull] 
10 [route-delay] [3] 
12 [verb] [3] 
13 [explicit-exit-notify] [2] 
18 [persist-remote-ip] 
19 [pull-filter] [ignore] [dhcp-option DNS] 
20 [pull-filter] [ignore] [dhcp-option DNS6] 

2019-30-13 18:30:28 EVENT: RESOLVE

2019-30-13 18:30:28 Contacting [209.58.160.189]:50000/UDP via UDP

2019-30-13 18:30:28 EVENT: WAIT

2019-30-13 18:30:28 Connecting to [sg1.vpn.ac]:50000 (209.58.160.189) via UDPv4

2019-30-13 18:30:28 EVENT: CONNECTING

2019-30-13 18:30:28 Tunnel Options:V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client

2019-30-13 18:30:28 Creds: Username/Password

2019-30-13 18:30:28 Peer Info:
IV_GUI_VER=net.openvpn.connect.ios 3.0.2-894
IV_VER=3.2
IV_PLAT=ios
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2


2019-30-13 18:30:28 VERIFY OK : depth=1
cert. version : 3
serial number : C7:EB:A7:3D:C3:43:82:B0
issuer name : C=RO, ST=BUC, O=VPN.AC, OU=VPN.AC CA, CN=VPN.AC, emailAddress=info@vpn.ac
subject name : C=RO, ST=BUC, O=VPN.AC, OU=VPN.AC CA, CN=VPN.AC, emailAddress=info@vpn.ac
issued on : 2014-01-05 14:34:59
expires on : 2024-01-03 14:34:59
signed using : RSA with SHA-512
RSA key size : 4096 bits
basic constraints : CA=true


2019-30-13 18:30:28 VERIFY OK : depth=0
cert. version : 3
serial number : 82
issuer name : C=RO, ST=BUC, O=VPN.AC, OU=VPN.AC CA, CN=VPN.AC, emailAddress=info@vpn.ac
subject name : CN=sg1-4096
issued on : 2014-05-20 06:34:09
expires on : 2024-05-17 06:34:09
signed using : RSA with SHA-512
RSA key size : 4096 bits
basic constraints : CA=false
key usage : Digital Signature, Key Encipherment
ext key usage : TLS Web Server Authentication


2019-30-13 18:30:28 SSL Handshake: TLSv1.2/TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384

2019-30-13 18:30:28 Session is ACTIVE

2019-30-13 18:30:28 EVENT: GET_CONFIG

2019-30-13 18:30:28 Sending PUSH_REQUEST to server...

2019-30-13 18:30:28 OPTIONS:
0 [redirect-gateway] [def1] 
[b]1 [dhcp-option] [DNS] [176.103.130.130] 
2 [dhcp-option] [DNS] [176.103.130.131] [/b]
3 [redirect-gateway] [def1] 
[b]4 [dhcp-option] [DNS] [10.10.100.1] [/b]
5 [sndbuf] [524288] 
6 [rcvbuf] [524288] 
7 [route] [10.10.100.1] 
8 [topology] [net30] 
9 [ping] [60] 
10 [ping-restart] [120] 
11 [ifconfig] [10.10.100.6] [10.10.100.5] 
12 [peer-id] [0] 
13 [cipher] [AES-256-GCM] 


2019-30-13 18:30:28 PROTOCOL OPTIONS:
cipher: AES-256-GCM
digest: SHA512
compress: NONE
peer ID: 0

2019-30-13 18:30:28 EVENT: ASSIGN_IP

2019-30-13 18:30:28 NIP: preparing TUN network settings

2019-30-13 18:30:28 NIP: init TUN network settings with endpoint: 209.58.160.189

2019-30-13 18:30:28 NIP: adding IPv4 address to network settings 10.10.100.6/255.255.255.252

2019-30-13 18:30:28 NIP: adding (included) IPv4 route 10.10.100.4/30

2019-30-13 18:30:28 NIP: adding (included) IPv4 route 10.10.100.1/32

2019-30-13 18:30:28 NIP: redirecting all IPv4 traffic to TUN interface

[b]2019-30-13 18:30:28 NIP: adding DNS 176.103.130.130

2019-30-13 18:30:28 NIP: adding DNS 176.103.130.131

2019-30-13 18:30:28 NIP: adding DNS 10.10.100.1[/b]

2019-30-13 18:30:28 Connected via NetworkExtensionTUN

2019-30-13 18:30:28 EVENT: CONNECTED vpnXXXXXX@sg1.vpn.ac:50000 (209.58.160.189) via /UDPv4 on NetworkExtensionTUN/10.10.100.6/ gw=[/]
If there is any help anybody could provide on what I'm doing wrong I'd be forever grateful!

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: How to ignore server pushing DNS to iOS OpenVPN

Post by TinCanTech » Sat Apr 13, 2019 12:03 pm

nathanernest wrote:
Sat Apr 13, 2019 11:15 am
you can see that the pull filter lines are listed in the UNSUED OPTIONS section so I'm not sure what I've done wrong
Unused option means not supported.

nathanernest
OpenVpn Newbie
Posts: 2
Joined: Sat Apr 13, 2019 10:52 am

Re: How to ignore server pushing DNS to iOS OpenVPN

Post by nathanernest » Sat Apr 13, 2019 3:30 pm

TinCanTech wrote:
Sat Apr 13, 2019 12:03 pm
nathanernest wrote:
Sat Apr 13, 2019 11:15 am
you can see that the pull filter lines are listed in the UNSUED OPTIONS section so I'm not sure what I've done wrong
Unused option means not supported.
Oh damn that's brutal! Is there another openVPN client that would support this feature?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: How to ignore server pushing DNS to iOS OpenVPN

Post by TinCanTech » Sat Apr 13, 2019 4:21 pm

I do not know enough about iOS but maybe you could try a custom --up script.

Post Reply