Push DNS to a linux client.

oakdene
OpenVpn Newbie
Posts: 2
Joined: Sun Sep 19, 2010 9:43 am

Push DNS to a linux client.

Post by oakdene » Sun Sep 19, 2010 11:08 am

I would like to use OpenVPN to allow users of my server secure access. I'm using the BIND 9 feature "views" so that I can present differing IP addresses to the open internet and those on the VPN. This works fine when using OpenVPN GUI but not when using openvpn on a linux client.

So before connecting to the server with OpenVPN GUI, nslookup of mydomain.com returns the public IP address of the /dev/eth0 device. Once I connect the VPN, nslookup of mydomain.com returns the private address of the /dev/tun0 device.

The linux client doesn't exhibit this behaviour.

My server config is as follows:-

Code: Select all

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh1024.pem
server 192.168.86.0 255.255.255.0
push "route 192.168.86.0 255.255.255.0"
push "dhcp-option DNS 192.168.86.1"
keepalive 10 120
tls-auth ta.key 0 # This file is secret
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3

The line push "dhcp-option DNS 192.168.86.1" is the one that gives the client a new DNS server.
I also notice that the comment kinda intimates that it is a Windows-only feature.

On the linux client system I am starting openvpn with the command:-

Code: Select all

#  openvpn --client --config client.ovpn

client.ovpn contains:-

Code: Select all


client
dev tun
proto udp
remote myserver.com 1194

pkcs12 client.p12

comp-lzo
ns-cert-type server

I am using the same client.ovpn and client.p12 on both the windows and the linux systems. (But only connecting one or the other, not both at the same time.)

If I read the man page correctly --client implies --pull but even if I add --pull it makes no difference.

Is there a way to make linux systems follow the same behaviour as I can get on a windows box?

Of course I could script a change to /etc/resolv.conf but that would mean if I needed to change the address of the name server the end user would need to change the script.

I also read some references to the --pull features being dependent on how openvpn is built. If at all possible I would like to run a package rather than compile my own version of openvpn.

Is it possible to push a new dns server to the linux clients?

t.

oakdene
OpenVpn Newbie
Posts: 2
Joined: Sun Sep 19, 2010 9:43 am

Re: Push DNS to a linux client. Solved!!!

Post by oakdene » Sun Sep 19, 2010 1:38 pm

I found a google hit in the Openvpn-users mailing list. <Sigh>

http://openvpn.net/archive/openvpn-user ... 00125.html

However that is for OSX so this is how I'm doing it.

I now use the command :-

Code: Select all

# openvpn  --client --up ./clientup.sh --down "./clientdown.sh"  --config client.ovpn

The script clientup.sh

Code: Select all

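#! /bin/bash
# OpenVPN --up script: point /etc/resolv.conf at the DNS server pushed by the server.
# Pushed options arrive in the environment as foreign_option_1, foreign_option_2, ...

for opt in ${!foreign_option_*}
do
   value=${!opt}
   # Only act on "dhcp-option DNS <address>"; skip any other pushed option.
   case "$value" in
      "dhcp-option DNS "*) dns=${value#dhcp-option DNS } ;;
      *) continue ;;
   esac
   # Build the new file in a private temporary file, not a fixed name in /tmp.
   tmp=$(mktemp) || exit 1
   echo ";; created by openvpn --up ${0} " >"$tmp"
   grep search /etc/resolv.conf >>"$tmp"
   echo "nameserver $dns" >>"$tmp"
   # Keep the original resolv.conf in the working directory for the down script.
   if [[ ! -e resolv.conf ]]
   then
         mv /etc/resolv.conf ./resolv.conf
   fi
   chmod 644 "$tmp"   # mktemp creates the file readable by its owner only
   mv -f "$tmp" /etc/resolv.conf
   exit 0
done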

the script clientdown.sh

Code: Select all

#! /bin/bash

mv -f resolv.conf /etc


samuli
OpenVPN Inc.
Posts: 49
Joined: Fri Aug 13, 2010 9:05 pm

Re: Push DNS to a linux client. Solved!!!

Post by samuli » Thu Dec 01, 2011 7:46 am

oakdene wrote: the script clientdown.sh

Code: Select all

#! /bin/bash

mv -f resolv.conf /etc

This "down" script will only work if the openvpn daemon has not dropped privileges (e.g. to nobody:nogroup) and is running as "root".
--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock
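
Added example (not part of any post above, and not OpenVPN project code): the up-script idea from this thread, generalised to several pushed DNS servers and DOMAIN options, with each pushed value validated before it goes into a root-owned file. `render_resolv_conf` is a hypothetical helper name and the pushed values at the end are constructed.

```bash
#!/bin/bash
# Added example, not code from the thread. render_resolv_conf is a hypothetical
# helper: it prints resolv.conf text built from the foreign_option_N variables
# that OpenVPN exports to an --up script, and touches no files itself.

# Body runs in a subshell "( ... )" so its variables stay local to the function.
render_resolv_conf() (
    nl='
'
    i=1 servers='' domains=''
    while :; do
        # The variable name is built only from our own counter, so eval is safe.
        eval "value=\${foreign_option_$i:-}"
        [ -n "$value" ] || break
        case "$value" in
            "dhcp-option DNS "*)
                arg=${value#dhcp-option DNS }
                # Accept only characters of an IPv4/IPv6 literal, so a pushed
                # value cannot carry spaces or extra directives into the file.
                case "$arg" in
                    ''|*[!0-9A-Fa-f:.]*) ;;
                    *) servers="${servers}nameserver ${arg}${nl}" ;;
                esac ;;
            "dhcp-option DOMAIN "*)
                arg=${value#dhcp-option DOMAIN }
                case "$arg" in
                    ''|*[!A-Za-z0-9.-]*) ;;
                    *) domains="${domains} ${arg}" ;;
                esac ;;
        esac
        i=$((i + 1))
    done
    # No valid DNS server pushed: fail so the caller leaves resolv.conf alone.
    [ -n "$servers" ] || exit 1
    echo ";; created by openvpn --up"
    if [ -n "$domains" ]; then echo "search${domains}"; fi
    printf '%s' "$servers"
)

# Constructed sample of what a server might push (values are made up).
foreign_option_1='dhcp-option DNS 192.168.86.1'
foreign_option_2='dhcp-option DOMAIN mydomain.com'
foreign_option_3='dhcp-option DNS 192.168.86.2 options rotate'  # rejected
render_resolv_conf
```

An up script would write this output to a `mktemp` file and move it over /etc/resolv.conf only when the function succeeds.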
