Use OpenVPN only for DNS, no other traffic

pikzigmar
OpenVpn Newbie
Posts: 8
Joined: Fri Sep 23, 2022 12:04 pm

Use OpenVPN only for DNS, no other traffic

Post by pikzigmar » Fri Sep 23, 2022 12:31 pm

Hello, I have been trying to set up OpenVPN in a particular way:
  • I have a server with PiHole and an OpenVPN server (to access PiHole from outside the network)
  • I want to use OpenVPN on my devices, let's say an Android 12 phone, for DNS queries only

Right now it does anything but that: it uses the VPN for traffic, but not for DNS. What it does:
  • All HTTP/SpeedTest traffic goes through the VPN (checked with the nmon network traffic monitor on the server and SpeedTest)
  • Sometimes the PiHole DNS is used, but not all the time (looking at the PiHole logs)
Also:
  • The DNS server can be pinged from the VPN client (after the VPN is established)
  • Port 53 is accessible with telnet from the VPN client
The config:
Server Config

port 1194
dev tun
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
topology subnet
server XXX.YYY.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
#push "dhcp-option DNS XXX.XXX.XXX.XXX"
#push "dhcp-option DNS XXX.XXX.XXX.XXX"
#push "redirect-gateway def1 bypass-dhcp"
#push "def1 bypass-dhcp"
dh none
ecdh-curve prime256v1
tls-crypt tls-crypt.key
crl-verify crl.pem
ca ca.crt
cert server_gBLlImXIby1mXydi.crt
key server_gBLlImXIby1mXydi.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/status.log
verb 3


Client: (added route to local network, ignore redirect-gateway, added local DNS of PiHole, block-outside-dns)
Client Config

client
dev tun
proto udp
remote vpn.$MYDOMAIN.$SOMETHING 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
ignore-unknown-option block-outside-dns
verb 3
route $LOCALNETWORK 255.255.255.0
pull-filter ignore "redirect-gateway"
dhcp-option DNS $LOCAL_DNS_IP
register-dns
block-outside-dns
<ca>
-----BEGIN CERTIFICATE-----
...


Phone settings: (This is all copied from PingTools app. provider is my mobile "ISP")
Phone Config after VPN connection

IPv4: $providerIP
VPN IPv4: $correctVpnIp
Gateway: $providerGateway
DNS1: $PiHoleDNS
# I THINK I CANNOT REMOVE DNS2 AND DNS3. THESE ARE DNS1 AND DNS2 WHEN VPN IS NOT CONNECTED
DNS2: 1.1.1.1
DNS3: 1.0.0.1
Network address: $providerNetwork

Phone settings look OK, but the gateway is ignored, as all traffic goes through the VPN.
DNS1-3 seem to be used at random, or in some pattern I do not see.


So:
  • Is my config OK, or did I miss something? I'm starting to suspect I have an Android problem
  • Does anyone know if DNS2-3 can be disabled on Android or with OpenVPN settings?
  • Can I limit the VPN by ports? Like: only allow port 53 on this VPN and solve the traffic problem like that?
Any help/recommendation would be greatly appreciated, so thank you in advance
Pikzigmar

TinCanTech
OpenVPN Protagonist
Posts: 11142
Joined: Fri Jun 03, 2016 1:17 pm

Re: Use OpenVPN only for DNS, no other traffic

Post by TinCanTech » Fri Sep 23, 2022 6:52 pm

The problem here is not that of server administration but that of how the client manages DNS.

300000
OpenVPN Expert
Posts: 677
Joined: Tue May 01, 2012 9:30 pm

Re: Use OpenVPN only for DNS, no other traffic

Post by 300000 » Fri Sep 23, 2022 8:18 pm

You should edit the openvpn server config so it will send to the client what you want: only use DNS from the openvpn network.

push "route 0.0.0.0 192.0.0.0 net_gateway "
push "route 64.0.0.0 192.0.0.0 net_gateway "
push "route 128.0.0.0 192.0.0.0 net_gateway "
push "route 192.0.0.0 192.0.0.0 net_gateway "

push "dhcp-option DNS xxx.xxx.xxx.xxx "



The push routes force the client to use its own network for the internet, and the last push forces the client to use the DNS from the VPN server. You only need to edit the server and let that work for you.

If you are running on a Raspberry, open a terminal and type

sudo nano /etc/openvpn/openvpn.conf

copy all the push lines, save the file with Ctrl+X, then stop and restart openvpn again

systemctl stop openvpn
systemctl start openvpn
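The four `push "route ... net_gateway"` lines above work by longest-prefix matching: each /2 is more specific than the /1 routes that `redirect-gateway def1` installs, so ordinary traffic falls back to the client's own gateway while the VPN subnet (a /24) still wins for the DNS server. The simulation below is an added example written for this thread, not code from the original post or from OpenVPN. It parses the exact push lines quoted above, builds a constructed client routing table for 10.8.0.0/24 (the subnet the OP later uses), and resolves where a DNS query and an ordinary web flow would go with and without `redirect-gateway def1` and the bypass routes. The gateway labels `vpn_gateway` and `net_gateway` mirror OpenVPN's own keywords; the table itself and the destination addresses are assumptions for illustration.

```python
import ipaddress
from typing import List, Optional, Tuple

# A route is (destination network, gateway label). "vpn_gateway" is the tunnel,
# "net_gateway" is the client's normal default gateway (OpenVPN's own keywords).
Route = Tuple[ipaddress.IPv4Network, str]


def parse_push_route(line: str) -> Route:
    """Parse a server-side `push "route <net> <mask> [<gw>]"` line into a Route."""
    body = line.strip()
    if not (body.startswith('push "') and body.endswith('"')):
        raise ValueError(f"not a push line: {line!r}")
    parts = body[len('push "'):-1].split()   # split() tolerates the trailing space inside the quotes
    if len(parts) < 3 or parts[0] != "route":
        raise ValueError(f"not a route push: {line!r}")
    net = ipaddress.IPv4Network(f"{parts[1]}/{parts[2]}")        # accepts dotted netmasks
    gateway = parts[3] if len(parts) > 3 else "vpn_gateway"      # OpenVPN's default for pushed routes
    return (net, gateway)


def lookup(dest: str, routes: List[Route]) -> Optional[str]:
    """Longest-prefix match: the most specific matching route wins, as in a kernel routing table."""
    addr = ipaddress.IPv4Address(dest)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: r[0].prefixlen)[1]


# Constructed client table: ISP default route plus the on-link route for the tun interface.
BASE_TABLE: List[Route] = [
    (ipaddress.IPv4Network("0.0.0.0/0"), "net_gateway"),
    (ipaddress.IPv4Network("10.8.0.0/24"), "vpn_gateway"),
]

# What `redirect-gateway def1` installs: two /1 routes that out-prefix the /0 default.
DEF1_ROUTES: List[Route] = [
    (ipaddress.IPv4Network("0.0.0.0/1"), "vpn_gateway"),
    (ipaddress.IPv4Network("128.0.0.0/1"), "vpn_gateway"),
]

# The four pushes from the post above, verbatim (trailing space inside the quotes included).
BYPASS_PUSHES = [
    'push "route 0.0.0.0 192.0.0.0 net_gateway "',
    'push "route 64.0.0.0 192.0.0.0 net_gateway "',
    'push "route 128.0.0.0 192.0.0.0 net_gateway "',
    'push "route 192.0.0.0 192.0.0.0 net_gateway "',
]


def client_table(redirect_gateway: bool, bypass_routes: bool) -> List[Route]:
    """Build the client's effective routing table for a combination of server pushes."""
    table = list(BASE_TABLE)
    if redirect_gateway:
        table += DEF1_ROUTES
    if bypass_routes:
        table += [parse_push_route(p) for p in BYPASS_PUSHES]
    return table


def covers_all_ipv4(routes: List[Route]) -> bool:
    """True if the networks cover the whole IPv4 space without overlapping each other."""
    nets = sorted((r[0] for r in routes), key=lambda n: int(n.network_address))
    total = sum(n.num_addresses for n in nets)
    return total == 2 ** 32 and all(not a.overlaps(b) for a, b in zip(nets, nets[1:]))


if __name__ == "__main__":
    # 10.8.0.1 stands in for the VPN-side resolver, 203.0.113.10 (TEST-NET-3) for any web server.
    for rg, bp in [(False, False), (True, False), (True, True)]:
        t = client_table(rg, bp)
        print(f"redirect-gateway={rg!s:5} bypass={bp!s:5}  "
              f"DNS 10.8.0.1 -> {lookup('10.8.0.1', t)}  web 203.0.113.10 -> {lookup('203.0.113.10', t)}")
```

Running it shows the three cases side by side: without `redirect-gateway` the web flow already uses `net_gateway`, so the bypass routes change nothing, which is the point ordex and TinCanTech make later in the thread; with `redirect-gateway def1` and no bypass routes everything goes into the tunnel; with both, the /2 routes win for the web flow while the /24 still sends DNS through the tunnel.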

ordex
OpenVPN Inc.
Posts: 423
Joined: Wed Dec 28, 2016 2:32 am
Location: IRC #openvpn-devel @ libera.chat

Re: Use OpenVPN only for DNS, no other traffic

Post by ordex » Sat Sep 24, 2022 6:26 pm

300000 wrote:
Fri Sep 23, 2022 8:18 pm
You should edit openvpn server config so it will send to client what you want,Only use dns from openvpn network .

push "route 0.0.0.0 192.0.0.0 net_gateway "
push "route 64.0.0.0 192.0.0.0 net_gateway "
push "route 128.0.0.0 192.0.0.0 net_gateway "
push "route 192.0.0.0 192.0.0.0 net_gateway "
He is not redirecting all traffic to the VPN (although Android is doing something weird), so would the above be needed?

300000
OpenVPN Expert
Posts: 677
Joined: Tue May 01, 2012 9:30 pm

Re: Use OpenVPN only for DNS, no other traffic

Post by 300000 » Sat Sep 24, 2022 7:20 pm

Yes, that is what it is needed for.

pikzigmar
OpenVpn Newbie
Posts: 8
Joined: Fri Sep 23, 2022 12:04 pm

Re: Use OpenVPN only for DNS, no other traffic

Post by pikzigmar » Mon Sep 26, 2022 12:50 pm

Thanks everyone for the help. I tried adding those push commands to my server conf (Ubuntu 20 - /etc/openvpn/server.conf). After that I created a new client, just for the sake of a clean conf.

Now the DNS settings get ignored completely. Before the VPN connection I see 2 DNS servers, from the ISP. After I connect the VPN there are 2 other DNS servers - 1.1.1.1 and 1.0.0.1. I did not set these anywhere (1.1.1.1 is the Ubuntu server's main DNS, if that helps).

This behavior is the same on a Windows client - ipconfig below. Either I did something wrong or this is not the solution.


Server Config

port 1194
dev tun
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "route 0.0.0.0 192.0.0.0 net_gateway "
push "route 64.0.0.0 192.0.0.0 net_gateway "
push "route 128.0.0.0 192.0.0.0 net_gateway "
push "route 192.0.0.0 192.0.0.0 net_gateway "
push "dhcp-option DNS 192.168.XXX.YYY "
dh none
ecdh-curve prime256v1
tls-crypt tls-crypt.key
crl-verify crl.pem
ca ca.crt
cert server_gBLlImXIby1mXydi.crt
key server_gBLlImXIby1mXydi.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/status.log
verb 3


Client Config

client
dev tun
proto udp
remote $MYDOMAIN 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
ignore-unknown-option block-outside-dns
block-outside-dns
verb 3
<ca>
-----BEGIN CERTIFICATE-----
...



Windows ipconfig --all

Unknown adapter OpenVPN TAP-Windows6:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : TAP-Windows Adapter V9
Physical Address. . . . . . . . . : xxxxxxxxxxxxxxx
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : xxxxxxxxxxxxxxxxx
IPv4 Address. . . . . . . . . . . : 10.8.0.3(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : xxxxxxxxxxxxx
Lease Expires . . . . . . . . . . : xxxxxxxxx
Default Gateway . . . . . . . . . :
DHCP Server . . . . . . . . . . . : 10.8.0.0
DHCPv6 IAID . . . . . . . . . . . : xxxxxxxxxxxx
DHCPv6 Client DUID. . . . . . . . : xxxxxxxxxxxx
DNS Servers . . . . . . . . . . . : 1.1.1.1
1.0.0.1
NetBIOS over Tcpip. . . . . . . . : Enabled

300000
OpenVPN Expert
Posts: 677
Joined: Tue May 01, 2012 9:30 pm

Re: Use OpenVPN only for DNS, no other traffic

Post by 300000 » Mon Sep 26, 2022 1:30 pm

Before the VPN connection, the client side will use the local DNS server to go out to the internet. After the VPN connection it will use the DNS pushed down from the openvpn server. So everything is correct.

1.1.1.1 is the Ubuntu server's main DNS, and you want to use the VPN for the DNS server only. That is what you want: DNS, but not all traffic over the VPN. What do you mean something is wrong? Your VPN client will get whatever DNS you push down from the server, as it works correctly.

push "dhcp-option DNS xxx.xxx.xxx.xxx ". Whatever address you push is the DNS server for the client to use.

pikzigmar
OpenVpn Newbie
Posts: 8
Joined: Fri Sep 23, 2022 12:04 pm

Re: Use OpenVPN only for DNS, no other traffic

Post by pikzigmar » Mon Sep 26, 2022 1:37 pm

300000 wrote:
Mon Sep 26, 2022 1:30 pm
push "dhcp-option DNS xxx.xxx.xxx.xxx ". Whatever address you push is the DNS server for the client to use.
Yeah, I get that, but I pushed my DNS and the client does not show it.

This is what I push: push "dhcp-option DNS 192.168.XXX.YYY "
This is what I get: 1.1.1.1 and 1.0.0.1

300000
OpenVPN Expert
Posts: 677
Joined: Tue May 01, 2012 9:30 pm

Re: Use OpenVPN only for DNS, no other traffic

Post by 300000 » Mon Sep 26, 2022 1:40 pm

Try to push "dhcp-option DNS 10.8.0.1 " to the client and do it again

pikzigmar
OpenVpn Newbie
Posts: 8
Joined: Fri Sep 23, 2022 12:04 pm

Re: Use OpenVPN only for DNS, no other traffic

Post by pikzigmar » Mon Sep 26, 2022 1:49 pm

OK, I tried that. The end result is still the same :( with the Android or Windows client (same config file)
DNS in client: 1.1.1.1 and 1.0.0.1

Edit: I did restart the openvpn server; just to be sure I even restarted the whole Ubuntu server

300000
OpenVPN Expert
Posts: 677
Joined: Tue May 01, 2012 9:30 pm

Re: Use OpenVPN only for DNS, no other traffic

Post by 300000 » Mon Sep 26, 2022 1:59 pm

Remove push "redirect-gateway def1 bypass-dhcp"

Remove client-config-dir /etc/openvpn/ccd

Try it again. All that will push a different DNS to the client.

TinCanTech
OpenVPN Protagonist
Posts: 11142
Joined: Fri Jun 03, 2016 1:17 pm

Re: Use OpenVPN only for DNS, no other traffic

Post by TinCanTech » Mon Sep 26, 2022 2:12 pm

@pikzigmar Because you do not want to use the VPN for all traffic, remove all this:


push "redirect-gateway def1 bypass-dhcp"
push "route 0.0.0.0 192.0.0.0 net_gateway "
push "route 64.0.0.0 192.0.0.0 net_gateway "
push "route 128.0.0.0 192.0.0.0 net_gateway "
push "route 192.0.0.0 192.0.0.0 net_gateway "
To push DNS to Windows use:


push "dhcp-option DNS 192.168.XXX.YYY"
push "block-outside-dns"
Or use it in the client config:


dhcp-option DNS 192.168.XXX.YYY
block-outside-dns
That is all that is required.
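The advice above reduces to three checks on the server config: no pushed `redirect-gateway`, a pushed `dhcp-option DNS`, and `block-outside-dns` either pushed or set on the client (it is a Windows-only option, which is why the OP's client carries `ignore-unknown-option block-outside-dns`). The lint below is an added example written for this thread, not code from the original posts or from the OpenVPN project. It parses OpenVPN config text (skipping `#`/`;` comments and inline `<ca>`-style blocks, so the OP's commented-out pushes from the first post are correctly treated as absent), collects the `push` directives, and reports findings against the DNS-only goal. The sample configs are constructed, modelled on the ones in the thread, with 192.0.2.53 (TEST-NET-1) standing in for the PiHole address.

```python
import shlex
from typing import List


def parse_openvpn_config(text: str) -> List[List[str]]:
    """Split OpenVPN config text into directive token lists.
    Lines starting with '#' or ';' are comments; inline <tag>...</tag> blocks are skipped."""
    directives: List[List[str]] = []
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if in_block:
            if line.startswith("</"):
                in_block = False
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and line.endswith(">"):
            in_block = True
            continue
        directives.append(shlex.split(line))   # honours the quotes around push arguments
    return directives


def pushed_options(directives: List[List[str]]) -> List[List[str]]:
    """Return the option inside each `push "..."` as its own token list."""
    return [d[1].split() for d in directives if d[0] == "push" and len(d) > 1]


def lint_dns_only(server_conf: str, client_conf: str = "") -> List[str]:
    """Findings for a setup that is meant to send only DNS through the tunnel."""
    pushed = pushed_options(parse_openvpn_config(server_conf))
    client = parse_openvpn_config(client_conf)
    findings: List[str] = []

    redirects = any(p and p[0] == "redirect-gateway" for p in pushed)
    if redirects:
        findings.append("server pushes redirect-gateway: every client flow is routed into the tunnel, not just DNS")

    dns_pushed = any(p[:2] == ["dhcp-option", "DNS"] for p in pushed)
    dns_client = any(d[:2] == ["dhcp-option", "DNS"] for d in client)
    if not (dns_pushed or dns_client):
        findings.append("no 'dhcp-option DNS' pushed or set on the client: the client keeps its ISP resolvers")

    block_pushed = any(p and p[0] == "block-outside-dns" for p in pushed)
    block_client = any(d[0] == "block-outside-dns" for d in client)
    if not (block_pushed or block_client):
        findings.append("block-outside-dns absent: a Windows client may still query resolvers outside the tunnel")

    bypass = [p for p in pushed if p and p[0] == "route" and p[-1] == "net_gateway"]
    if bypass and not redirects:
        findings.append(f"{len(bypass)} net_gateway bypass route(s) pushed without redirect-gateway: redundant")
    return findings


# Constructed sample: the shape of the OP's second server config (redirect + bypass routes + DNS).
SERVER_REDIRECT = """
port 1194
dev tun
topology subnet
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "route 0.0.0.0 192.0.0.0 net_gateway "
push "route 128.0.0.0 192.0.0.0 net_gateway "
push "dhcp-option DNS 192.0.2.53 "
"""

# Constructed sample: the pushes recommended in the post above.
SERVER_DNS_ONLY = """
port 1194
dev tun
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS 192.0.2.53"
push "block-outside-dns"
"""

# Constructed sample: the OP's first config, where every push was commented out.
SERVER_COMMENTED = """
server 10.8.0.0 255.255.255.0
#push "dhcp-option DNS 192.0.2.53"
#push "redirect-gateway def1 bypass-dhcp"
"""

# Constructed client config carrying block-outside-dns itself, plus an inline CA block.
CLIENT_BLOCK = """
client
dev tun
remote vpn.example.invalid 1194
ignore-unknown-option block-outside-dns
block-outside-dns
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</ca>
"""

if __name__ == "__main__":
    for name, conf in [("redirect", SERVER_REDIRECT), ("dns-only", SERVER_DNS_ONLY), ("commented", SERVER_COMMENTED)]:
        print(name, lint_dns_only(conf) or ["ok"])
```

Run against the live server file (the one the daemon actually loads, which is the OP's later discovery) before restarting the service; a clean result means the client should end up with the pushed resolver and its original default route.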

ordex
OpenVPN Inc.
Posts: 423
Joined: Wed Dec 28, 2016 2:32 am
Location: IRC #openvpn-devel @ libera.chat

Re: Use OpenVPN only for DNS, no other traffic

Post by ordex » Mon Sep 26, 2022 2:19 pm

@pikzigmar if it still does not work, please add "verb 4" to your client config and share the client log, so we can better understand what is happening.

pikzigmar
OpenVpn Newbie
Posts: 8
Joined: Fri Sep 23, 2022 12:04 pm

Re: Use OpenVPN only for DNS, no other traffic

Post by pikzigmar » Mon Sep 26, 2022 2:23 pm

@300000 I fixed it. The problem was that I never edited the right server config file. It seems like the openvpn install script made another instance or something like that. I have 2 conf files:
  • /etc/openvpn/server.conf <- Wrong conf file
  • /etc/openvpn/server/server.conf <- Right conf file
This was empty: /etc/openvpn/ccd
If you hadn't directed me here I probably wouldn't have noticed the server folder in /etc/openvpn/...

After editing the "right" conf file with push route options it does seem to have correct DNS and not use VPN for all traffic (VPN server has 20Mbits upload and Android client SpeedTest shows well above that).



@TinCanTech It works now, but I will try removing push routes today/tomorrow and "report" what happens with traffic.

300000
OpenVPN Expert
Posts: 677
Joined: Tue May 01, 2012 9:30 pm

Re: Use OpenVPN only for DNS, no other traffic

Post by 300000 » Mon Sep 26, 2022 2:49 pm

TinCanTech wrote:
Fri Sep 23, 2022 6:52 pm
The problem here is not that of server administration but that of how the client manages DNS.

If it works now, why do you want to remove something you don't know yet? The correct server edit has been done and works for you. The client needs to do nothing, and that is how it works. If you change something you don't know, it will break and you won't like that.

TinCanTech
OpenVPN Protagonist
Posts: 11142
Joined: Fri Jun 03, 2016 1:17 pm

Re: Use OpenVPN only for DNS, no other traffic

Post by TinCanTech » Mon Sep 26, 2022 4:40 pm

@300000 - Your changes break the OP's DNS requirement.

pikzigmar
OpenVpn Newbie
Posts: 8
Joined: Fri Sep 23, 2022 12:04 pm

Re: Use OpenVPN only for DNS, no other traffic

Post by pikzigmar » Tue Sep 27, 2022 11:48 am

Removing the push route options works the same: using my PiHole DNS and not using the VPN for traffic.

Either way the VPN now behaves as I wanted, so thank you all again for the help :)
