anudeep wrote: The reason I want to route only DNS queries is I'm on a limited data plan on home (where OpenVPN is located) so default routing option can use more data?
For average use of the Internet, tunnelling all traffic through the VPN with a remote client will use more network data than just tunnelling DNS requests.
If it's not, I will not change any settings. Can you please explain what will be the data usage by VPN and how it will be calculated?
Relying on having all traffic run over the VPN decreases risk of DNS leakage, or use of other DNS. It creates a foundation for the server that contains the OpenVPN service to have the option of intercepting all DNS traffic because all traffic is passing through it.
Not relying on this, and only using the OpenVPN server for DNS lookups, does not make your task impossible, it just pushes more testing to the client side: you will need to verify that your OpenVPN client is not using other DNS servers when it is pushed a DNS server to use when the link is up. (Even if there is a DNS server available over the VPN link, if the OS that is using your client is also using other DNS servers for lookups, then the ad-lookup feature you want will not be reliably used by the OS, which may use your DNS along with whatever DNS it is configured to use.)
Routing all of your traffic through the VPN will consume throughput wherever your OpenVPN server is located. The cost in traffic to/from your home would be more than double what the client runs through your home. (Everything you request from the Internet through the tunnel would be downloaded by your home OpenVPN, and then uploaded by your home OpenVPN through the tunnel to the remote client.)
How much network traffic will be consumed by the tunnel depends on the configuration of the VPN client, the VPN server, their OS, and use of the network.
At a minimum, for data meant to go to/from the Internet passing through the tunnel, you can estimate a nearly symmetric consumption of traffic outside the tunnel. If you download a 1MB DNS zone transfer through the tunnel, then your home OpenVPN Server will be downloading 1MB and then uploading 1MB (at a minimum) when computing bits used outside the tunnel.
On top of that, there's the overhead of maintaining the tunnel, which varies in cost depending on the size of the packet data vs. the packet. (Larger data vs. header, such as a large file download, is more efficient, while smaller data vs. header, such as with interactive shell sessions, is less efficient.) Then issues like the period of "reneg-sec" can have an on-going periodic, time-based cost that remains a fairly constant rate while connected, and a pretty small percentage compared to average Internet traffic.
An estimate based on average Internet use of a human browsing the web and using the VPN? The amount of data the client sends/receives *through* the tunnel should probably be multiplied by around 1.2 to estimate the data used outside the tunnel for maintenance of the tunnel and overhead of encapsulation.
For the OpenVPN server, you can estimate that it will need to download from the Internet, and then upload to the client, the data the client requests from the Internet through the tunnel, so if you get charged for bits going to/from your home whether they are received or transmitted, then there is a double-cost minimum for this data, but only the upload to the client would get the additional ~1.2x multiplier for traffic because of tunnel encapsulation and maintenance.
If your home network is only charged for downloads, then the data that will matter for that calculation will be what data your OpenVPN client sends to it through the tunnel, and what is downloaded from the Internet.
The above are generalizations and estimates based on common use. How much data the VPN will actually cost you will depend on many things, including things not explicitly mentioned above.
DNS is usually a small percent of network traffic when requesting a web page. It should not include anything like a DNS zone transfer by the OpenVPN client. The DNS request and response is probably smaller than the total amount of "text" (html) content in the average web page. The size of the DNS response can increase quite a bit if DNSSEC extensions are supported and included, but even with DNSSEC data in the request/response, the amount of data used by DNS is still probably less than the average amount of text (html) on a web page requested.
If you plan to run just DNS lookups over the VPN tunnel, then do it, but then verify there is no DNS leakage by the client.
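One way to do the client-side leak check the reply recommends, as an added example that is not part of the original thread: it reads the resolver list from resolv.conf-style text and confirms each nameserver is routed out of the VPN interface. It assumes a Linux client where `ip route get` is available and the tunnel interface is named `tun0`; the resolv.conf text and route table below are constructed sample data.

```python
"""Check that every configured DNS resolver is reached through the VPN tunnel."""
import re
import subprocess
from typing import Callable, List


def parse_nameservers(resolv_conf: str) -> List[str]:
    """Return the nameserver addresses in resolv.conf text, ignoring comments."""
    servers = []
    for line in resolv_conf.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def outgoing_interface(address: str) -> str:
    """Ask the Linux kernel which interface a packet to `address` would leave on."""
    out = subprocess.run(["ip", "route", "get", address],
                         capture_output=True, text=True, check=True).stdout
    match = re.search(r"\bdev\s+(\S+)", out)
    return match.group(1) if match else ""


def find_leaking_resolvers(resolv_conf: str, vpn_iface: str,
                           lookup: Callable[[str], str] = outgoing_interface) -> List[str]:
    """Return the nameservers whose traffic would NOT leave via vpn_iface.

    `lookup` maps an address to its egress interface; the default queries the
    live routing table, a dict's .get can be passed in for offline checks.
    """
    return [ns for ns in parse_nameservers(resolv_conf) if lookup(ns) != vpn_iface]


# Constructed sample: the resolver pushed by the OpenVPN server plus a leftover
# LAN resolver that the OS would still query outside the tunnel.
SAMPLE_RESOLV_CONF = """# Generated by NetworkManager
nameserver 10.8.0.1   # pushed by the OpenVPN server (assumed address)
nameserver 192.168.1.1
"""
SAMPLE_ROUTES = {"10.8.0.1": "tun0", "192.168.1.1": "wlan0"}  # constructed route table

if __name__ == "__main__":
    leaks = find_leaking_resolvers(SAMPLE_RESOLV_CONF, "tun0", lookup=SAMPLE_ROUTES.get)
    print("DNS leak via:", leaks if leaks else "none")
```

To run it against a real client, pass the contents of `/etc/resolv.conf` and leave `lookup` at its default so the kernel's routing decision is used.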