Use both server AND client DNS servers

This forum is for admins who are looking to build or expand their OpenVPN setup.

Moderators: TinCanTech

Scentle5S
OpenVpn Newbie
Posts: 6
Joined: Sat Oct 14, 2017 1:18 am

Use both server AND client DNS servers

Post by Scentle5S » Sat Oct 14, 2017 2:06 am

Hello everyone,

I have a remote OpenVPN server on a DD-WRT to which I'm connecting from a macOS based laptop with Tunnelblick. The server network is 192.168.0.0/24 and the client one is 192.168.1.0/24. On both the server and client routers I have set some aliases in the hosts file, in order to access nodes more quickly. These aliases work fine on both sides, and I have put the following options in the server conf file so the clients will use it as their DNS server when they are connected to the VPN:

push "dhcp-option DNS 192.168.0.2"
push "dhcp-option DOMAIN lan"

The problem is that with this conf, the clients can use the server's aliases, but this overrides the client's DNS settings and it cannot use the other aliases anymore. I have tried setting a secondary DNS both manually in the client's network settings and with the following option in the client's conf file:

dhcp-option DNS 192.168.1.1

But from what I have understood, the way macOS handles DNS entries means that only the first one will be used, until it doesn't respond. In my case, the primary one (the VPN server) always answers, but when asked for an alias that belongs to the client's network, it greets me with:

ping: cannot resolve my_alias: Unknown host

This behavior seems correct because if I change the order of the DNS entries by putting the local one first and the VPN one after, the result is reversed: I can use local aliases but I can't use the remote ones anymore.

This seems to be more due to the way the DNS entries are used than the way my setup is configured, but I don't face this problem with a Windows client, since the tun interface seems to get its own DNS entry (the VPN server's IP that's been pushed). Then the client seems to use both the real and tun interface and therefore manages to reach both DNS servers and use all the aliases. That doesn't seem to be the case under macOS.

I've spent hours looking for a way to fix this, without success. I didn't even manage to find any similar case, even though this seems to me like a pretty important use case.

Is there a way to configure OpenVPN so that this works? Or maybe I'm completely missing something here.

Below are the server and client confs:

Server conf
port 1194
proto udp
dev tun

ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
dh /tmp/openvpn/dh.pem
tls-auth /tmp/openvpn/ta.key 0

server 10.8.1.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
log-append /var/log/openvpn
verb 3
management localhost 5001

push "route 192.168.0.0 255.255.255.0"
push "dhcp-option DNS 192.168.0.2"
push "dhcp-option DOMAIN lan"

Client conf
client
proto udp
dev tun

remote my_remote_domain 1194
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings

ca ca.crt
cert Me.crt
key Me.key
tls-auth ta.key 1

cipher AES-256-CBC
comp-lzo
verb 3

Thanks

Scentle5S

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Use both server AND client DNS servers

Post by TinCanTech » Sat Oct 14, 2017 5:08 pm

The entire point of pushing DNS servers to clients is to override the client's default DNS.

This is in order to stop DNS leaks ..

With regard to Windows, because Windows was so difficult to control,
OpenVPN developed --block-outside-dns

What you are trying to do is more or less the opposite of what openvpn is designed to do
and so you will most likely have to find another way to achieve your goal.
Last edited by TinCanTech on Sat Oct 14, 2017 9:36 pm, edited 1 time in total.

Scentle5S
OpenVpn Newbie
Posts: 6
Joined: Sat Oct 14, 2017 1:18 am

Re: Use both server AND client DNS servers

Post by Scentle5S » Sat Oct 14, 2017 7:28 pm

Thanks for the answer.

This confirms what I thought in a way: I'll have to find a way to fix the way DNS works in macOS, and it's not OpenVPN's fault.

Do you happen to have an idea of how I could achieve that / where I should look? Or is it completely irrelevant to this forum and I should ask my question elsewhere (which I understand)?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Use both server AND client DNS servers

Post by TinCanTech » Sat Oct 14, 2017 10:10 pm

DNS is a Massive "can-o-worms" ..

Google:
  • DNS Authoritative Answer
  • DNS encrypted
Lots of people read this Forum so maybe somebody will share a good idea ..

Scentle5S
OpenVpn Newbie
Posts: 6
Joined: Sat Oct 14, 2017 1:18 am

Re: Use both server AND client DNS servers

Post by Scentle5S » Sat Oct 14, 2017 10:15 pm

Okay, thanks. I'll keep on searching and will update the post when/if I find an answer.

Scentle5S
OpenVpn Newbie
Posts: 6
Joined: Sat Oct 14, 2017 1:18 am

Re: Use both server AND client DNS servers

Post by Scentle5S » Sat Dec 23, 2017 5:06 am

I just found a solution completely randomly! I figured I would share it.

I was looking for other OpenVPN clients on macOS (I was using Tunnelblick), just out of curiosity, and came across Viscosity. It turns out that this client has a setting called "Split DNS", which allows using both the server's AND the client's DNS, depending on the network's domain.

In my case, the domain used to be the same on both of my networks ("lan"), so this didn't work at first. I just changed it on one of the networks in the router's settings, rebooted it to trigger new DHCP leases, and voilà! I can now directly ping DNS aliases for stations located on both sides of the VPN and they all respond!

Just to be sure, I switched back to Tunnelblick to see if the fact that this didn't work may be due to the domain being the same on both sides. But no: even after the change, the "problem" is still here with Tunnelblick. I don't know what they are doing under the hood to make this work, but Viscosity's split DNS functionality is just awesome!
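A small model of the two resolver behaviours discussed in this thread (the first-resolver-only lookup from the opening post and the per-domain "Split DNS" from this one), added here as an illustration; it is not code from the thread, from Viscosity or from OpenVPN. The subnets, resolver addresses and the shared "lan" domain come from the thread; the alias names, host IPs and the "home" domain used for the renamed client network are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Resolver:
    """A hosts-file-backed DNS server, like the ones on the poster's two routers."""
    address: str
    domain: str
    hosts: dict  # alias -> IP; constructed sample entries

    def lookup(self, fqdn: str) -> Optional[str]:
        # Only knows aliases in its own domain; None stands for "Unknown host".
        alias, _, dom = fqdn.rpartition(".")
        return self.hosts.get(alias) if dom == self.domain else None

def make_resolvers(server_domain: str, client_domain: str):
    """Resolver addresses are from the thread (192.168.0.2 and 192.168.1.1);
    the aliases 'nas' and 'printer' and their IPs are constructed."""
    server = Resolver("192.168.0.2", server_domain, {"nas": "192.168.0.10"})
    client = Resolver("192.168.1.1", client_domain, {"printer": "192.168.1.20"})
    return server, client

def resolve_first_only(fqdn: str, resolvers) -> Optional[str]:
    """What the poster observed on macOS: the first listed resolver answers every
    query and its negative answer is final; the second is only a reachability fallback."""
    return resolvers[0].lookup(fqdn)

def split_table(resolvers):
    """Split DNS: one resolver per search domain. Returns the routing table and the
    domains claimed by more than one resolver, which is the 'lan' clash in the thread."""
    table, clashes = {}, []
    for r in resolvers:
        if r.domain in table:
            clashes.append(r.domain)
        table.setdefault(r.domain, r)  # first claim keeps the domain; the other is shadowed
    return table, clashes

def resolve_split(fqdn: str, table, fallback: Resolver) -> Optional[str]:
    """Route the query by its domain suffix; unknown suffixes go to the fallback."""
    return table.get(fqdn.rpartition(".")[2], fallback).lookup(fqdn)

if __name__ == "__main__":
    server, client = make_resolvers("lan", "lan")  # both networks still on 'lan'
    print(resolve_first_only("printer.lan", [server, client]))  # None: client alias lost
    print(split_table([server, client])[1])  # ['lan']: split DNS cannot tell the sides apart
    server, client = make_resolvers("lan", "home")  # client side renamed, as the poster did
    table, _ = split_table([server, client])
    print(resolve_split("nas.lan", table, client), resolve_split("printer.home", table, client))
```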
