Openvpn client dns

DJones

Very Senior Member
So I don’t typically use a client VPN from the router, so it’s not something I’ve really encountered, but I’m trying something new. I’m trying to enforce DNS to be used from Cloudflare instead of the VPN provider. I’ve tried enforcing it from the Windows DNS setting, browser settings, even enabling DoH in the browser.

I’ve even pushed Cloudflare’s DNS in the VPN client’s configuration. But the DNS leak test shows it’s still using the VPN provider’s DNS.

Is it that the DNS provider is being blocked by the VPN provider?
 
You might find the following helpful.


It's NOT clear exactly what you did to specify CF as your preferred DNS server(s). For one thing, the client can not *push* anything to itself. Only the server can push. If the client wants to add something, it just adds it.

IOW, the client does NOT do the following.

Code:
push "dhcp-option DNS 1.1.1.1"

.. but rather ...

Code:
dhcp-option DNS 1.1.1.1

Normally the VPN provider pushes their own DNS server(s). But if you set "Accept DNS configuration" to Disabled on the OpenVPN client, it will ignore those push'd directives. But it will also ignore any such directives you simply added to the OpenVPN client yourself!

What you might try is using Exclusive for "Accept DNS configuration", but filtering out any DNS servers push'd from the OpenVPN server. Then add your own DNS server(s) and route them through the VPN.

Code:
pull-filter ignore "dhcp-option DNS"
dhcp-option DNS 1.1.1.1
dhcp-option DNS 1.0.0.1
route 1.1.1.1
route 1.0.0.1

This is where DNS monitoring could come in handy, so you can confirm if indeed the above changes produce the desired results, rather than relying on external checkers. The latter is sometimes misleading since the public DNS server(s) could simply be proxies to other DNS servers.
 
I will give these a try.

pull-filter ignore "dhcp-option DNS"
route 1.1.1.1
route 1.0.0.1

Here’s my current configuration:

resolv-retry infinite
remote-random
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ping 15
ping-restart 0
remote-cert-tls server
comp-noadapt
cipher AES-128-CBC
dhcp-option DNS 1.1.1.1
dhcp-option DNS 1.0.0.1
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 1.0.0.1"


I was also thinking of using an OPNsense VM to utilize DNSSEC, which I thought might enforce the DNS provider I want to use, which is Cloudflare, as opposed to the VPN provider’s DNS.

The router itself has DNSSEC, but I don’t think it’s working in this situation.
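
An added example, not part of any post in this thread: a small Python check that applies the three points from the reply above to an OpenVPN client config (no `push` on the client, a `pull-filter` for pushed DNS servers, a `route` for each DNS server you add). The function name `lint_client_dns` and the abridged sample config are assumptions made for this example.

```python
import ipaddress
import shlex

# Constructed sample: DNS-relevant lines of the client config quoted in the thread.
SAMPLE = """\
remote-cert-tls server
cipher AES-128-CBC
dhcp-option DNS 1.1.1.1
dhcp-option DNS 1.0.0.1
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 1.0.0.1"
"""

def lint_client_dns(config_text):
    """Return (line_number, message) findings; line 0 means the whole file."""
    findings, dns, routes, filtered = [], [], [], False
    for n, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        try:
            args = shlex.split(line)
        except ValueError:  # a quote that is opened but never closed
            findings.append((n, "unbalanced quotes: " + line))
            continue
        try:
            if args[0] == "push":
                findings.append((n, "push is server-side; a client cannot push to itself"))
            elif args[:2] == ["dhcp-option", "DNS"] and len(args) == 3:
                dns.append((n, ipaddress.ip_address(args[2])))
            elif args[0] == "route" and len(args) >= 2:
                # Netmask defaults to a host route when omitted or "default".
                mask = args[2] if len(args) > 2 and args[2] != "default" else "255.255.255.255"
                routes.append(ipaddress.ip_network(f"{args[1]}/{mask}", strict=False))
            elif args[:2] == ["pull-filter", "ignore"] and len(args) == 3:
                # pull-filter matches pushed options by prefix.
                text = args[2].strip()
                filtered = filtered or bool(text) and "dhcp-option DNS".startswith(text)
        except ValueError:
            findings.append((n, "address not parsed (hostname or keyword): " + line))
    if dns and not filtered:
        findings.append((0, 'no pull-filter ignore "dhcp-option DNS": pushed DNS servers are not filtered'))
    for n, addr in dns:
        if not any(addr in net for net in routes):
            findings.append((n, f"{addr} has no route directive sending it through the tunnel"))
    return findings

if __name__ == "__main__":
    for n, msg in lint_client_dns(SAMPLE):
        print(f"line {n}: {msg}")
```

A clean result only says the config text is consistent with the advice; whether the resolver is actually used still has to be confirmed by watching DNS traffic on the router.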
 