How to ignore server pushing DNS to iOS OpenVPN
Posted: Sat Apr 13, 2019 11:15 am
Hi all. Long time lurker, first time poster.
I can't seem to stop my commercial VPN provider (https://vpn.ac) from pushing down a DNS server to the connection on iOS. They provide an ovpn configuration file which I have shown below (the X's in the certs I have changed for readability). Everything below the commented line I have added.
What is working is that my client is adding the preferred DNS servers, but I can't stop the VPN server from pushing down another DNS server.
Below is the config file used for the import.
Below are the connection logs from the OpenVPN client for iOS. You can see that the pull-filter lines are listed in the UNUSED OPTIONS section, so I'm not sure what I've done wrong, but some good news is that I can see that the preferred DNS servers are being added correctly.
If there is any help anybody could provide on what I'm doing wrong I'd be forever grateful!
Code:
remote-random
remote sg1.vpn.ac 8000
remote sg1.vpn.ac 50000
dev tun
tls-client
persist-tun
persist-key
nobind
pull
redirect-gateway def1
route-delay 3
auth-user-pass
verb 3
explicit-exit-notify 2
remote-cert-tls server
key-direction 1
cipher AES-256-CBC
auth SHA512
persist-remote-ip
###MODIFICATIONS ARE BELOW THIS LINE###
#ignore server DNS
pull-filter ignore "dhcp-option DNS"
pull-filter ignore "dhcp-option DNS6"
# use preferred dns
dhcp-option DNS 176.103.130.130
dhcp-option DNS 176.103.130.131
<ca>
-----BEGIN CERTIFICATE-----
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END CERTIFICATE-----
</ca>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END OpenVPN Static key V1-----
</tls-auth>
Code:
2019-30-13 18:30:28 ----- OpenVPN Start -----
OpenVPN core 3.2 ios arm64 64-bit PT_PROXY built on Oct 3 2018 06:35:04
2019-30-13 18:30:28 Frame=512/2048/512 mssfix-ctrl=1250
2019-30-13 18:30:28 UNUSED OPTIONS
4 [tls-client]
5 [persist-tun]
6 [persist-key]
7 [nobind]
8 [pull]
10 [route-delay] [3]
12 [verb] [3]
13 [explicit-exit-notify] [2]
18 [persist-remote-ip]
19 [pull-filter] [ignore] [dhcp-option DNS]
20 [pull-filter] [ignore] [dhcp-option DNS6]
2019-30-13 18:30:28 EVENT: RESOLVE
2019-30-13 18:30:28 Contacting [209.58.160.189]:50000/UDP via UDP
2019-30-13 18:30:28 EVENT: WAIT
2019-30-13 18:30:28 Connecting to [sg1.vpn.ac]:50000 (209.58.160.189) via UDPv4
2019-30-13 18:30:28 EVENT: CONNECTING
2019-30-13 18:30:28 Tunnel Options:V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client
2019-30-13 18:30:28 Creds: Username/Password
2019-30-13 18:30:28 Peer Info:
IV_GUI_VER=net.openvpn.connect.ios 3.0.2-894
IV_VER=3.2
IV_PLAT=ios
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
2019-30-13 18:30:28 VERIFY OK : depth=1
cert. version : 3
serial number : C7:EB:A7:3D:C3:43:82:B0
issuer name : C=RO, ST=BUC, O=VPN.AC, OU=VPN.AC CA, CN=VPN.AC, emailAddress=info@vpn.ac
subject name : C=RO, ST=BUC, O=VPN.AC, OU=VPN.AC CA, CN=VPN.AC, emailAddress=info@vpn.ac
issued on : 2014-01-05 14:34:59
expires on : 2024-01-03 14:34:59
signed using : RSA with SHA-512
RSA key size : 4096 bits
basic constraints : CA=true
2019-30-13 18:30:28 VERIFY OK : depth=0
cert. version : 3
serial number : 82
issuer name : C=RO, ST=BUC, O=VPN.AC, OU=VPN.AC CA, CN=VPN.AC, emailAddress=info@vpn.ac
subject name : CN=sg1-4096
issued on : 2014-05-20 06:34:09
expires on : 2024-05-17 06:34:09
signed using : RSA with SHA-512
RSA key size : 4096 bits
basic constraints : CA=false
key usage : Digital Signature, Key Encipherment
ext key usage : TLS Web Server Authentication
2019-30-13 18:30:28 SSL Handshake: TLSv1.2/TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
2019-30-13 18:30:28 Session is ACTIVE
2019-30-13 18:30:28 EVENT: GET_CONFIG
2019-30-13 18:30:28 Sending PUSH_REQUEST to server...
2019-30-13 18:30:28 OPTIONS:
0 [redirect-gateway] [def1]
1 [dhcp-option] [DNS] [176.103.130.130]
2 [dhcp-option] [DNS] [176.103.130.131]
3 [redirect-gateway] [def1]
4 [dhcp-option] [DNS] [10.10.100.1]
5 [sndbuf] [524288]
6 [rcvbuf] [524288]
7 [route] [10.10.100.1]
8 [topology] [net30]
9 [ping] [60]
10 [ping-restart] [120]
11 [ifconfig] [10.10.100.6] [10.10.100.5]
12 [peer-id] [0]
13 [cipher] [AES-256-GCM]
2019-30-13 18:30:28 PROTOCOL OPTIONS:
cipher: AES-256-GCM
digest: SHA512
compress: NONE
peer ID: 0
2019-30-13 18:30:28 EVENT: ASSIGN_IP
2019-30-13 18:30:28 NIP: preparing TUN network settings
2019-30-13 18:30:28 NIP: init TUN network settings with endpoint: 209.58.160.189
2019-30-13 18:30:28 NIP: adding IPv4 address to network settings 10.10.100.6/255.255.255.252
2019-30-13 18:30:28 NIP: adding (included) IPv4 route 10.10.100.4/30
2019-30-13 18:30:28 NIP: adding (included) IPv4 route 10.10.100.1/32
2019-30-13 18:30:28 NIP: redirecting all IPv4 traffic to TUN interface
2019-30-13 18:30:28 NIP: adding DNS 176.103.130.130
2019-30-13 18:30:28 NIP: adding DNS 176.103.130.131
2019-30-13 18:30:28 NIP: adding DNS 10.10.100.1
2019-30-13 18:30:28 Connected via NetworkExtensionTUN
2019-30-13 18:30:28 EVENT: CONNECTED vpnXXXXXX@sg1.vpn.ac:50000 (209.58.160.189) via /UDPv4 on NetworkExtensionTUN/10.10.100.6/ gw=[/]
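The check done by eye in the log above can be scripted. This is an added example, not part of the original post: it reads a client log in the format shown, reports any `pull-filter` lines the client listed under UNUSED OPTIONS, and flags DNS servers that were applied to the tunnel but are not in the local config. The function names and the trimmed sample inputs are assumptions made for illustration.

```python
import re

# Constructed sample: lines copied from the log in the post, trimmed.
SAMPLE_LOG = """\
2019-30-13 18:30:28 UNUSED OPTIONS
8 [pull]
19 [pull-filter] [ignore] [dhcp-option DNS]
20 [pull-filter] [ignore] [dhcp-option DNS6]
2019-30-13 18:30:28 EVENT: RESOLVE
2019-30-13 18:30:28 NIP: adding DNS 176.103.130.130
2019-30-13 18:30:28 NIP: adding DNS 176.103.130.131
2019-30-13 18:30:28 NIP: adding DNS 10.10.100.1
"""
# Constructed sample: the lines the poster added to the profile.
SAMPLE_CONFIG = """\
pull-filter ignore "dhcp-option DNS"
dhcp-option DNS 176.103.130.130
dhcp-option DNS 176.103.130.131
"""

TIMESTAMPED = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (.*)$")
OPTION_LINE = re.compile(r"^\d+ ((?:\[[^\]]*\]\s*)+)$")

def unused_options(log):
    """Directives listed under UNUSED OPTIONS, each as a list of tokens."""
    found, in_section = [], False
    for line in log.splitlines():
        line = line.strip()
        stamped = TIMESTAMPED.match(line)
        if stamped:  # any timestamped line starts or ends the section
            in_section = stamped.group(1).strip() == "UNUSED OPTIONS"
            continue
        opt = OPTION_LINE.match(line)
        if in_section and opt:
            found.append(re.findall(r"\[([^\]]*)\]", opt.group(1)))
    return found

def applied_dns(log):
    """DNS servers the client actually installed on the tunnel."""
    return re.findall(r"NIP: adding DNS (\S+)", log)

def configured_dns(config):
    """DNS servers set locally with 'dhcp-option DNS' in the profile."""
    return re.findall(r"^dhcp-option[ \t]+DNS[ \t]+(\S+)", config, re.M)

def audit(log, config):
    """Report ignored pull-filters and DNS servers not set by the profile."""
    wanted = set(configured_dns(config))
    return {"ignored_pull_filters":
                [o for o in unused_options(log) if o[0] == "pull-filter"],
            "unexpected_dns": [d for d in applied_dns(log) if d not in wanted]}
```

On the sample, `audit(SAMPLE_LOG, SAMPLE_CONFIG)` reports both `pull-filter` lines as unused and `10.10.100.1` as a resolver the profile did not ask for.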