OpenVPN DNS


fotingo

Regular Contributor
I've been using OpenVPN to connect to my network from outside my LAN. It works great and no issues.
I have Pihole set as my main dns server on my router for all clients..and it works great..also no issues.

I've noticed that when I connect to OpenVPN from outside the LAN, it doesn't use my Pihole as the DNS server.
I found this setting
but it doesn't appear to do what I thought it would do.
Is there a way to set OpenVPN to use my router's DNS server when connecting to it?
 
Most likely it will only push its own DNS server (i.e., DNSMasq) to the OpenVPN clients. But nothing stops you from disabling "Advertise DNS to clients" and manually adding the underlying directive to the OpenVPN server for the pihole (e.g., 192.168.1.100) in the custom config field.

Code:
push "dhcp-option DNS 192.168.1.100"

I don't use pihole, but if it's anything like DNSMasq, it might NOT accept clients from anything other than the LAN, at least by default. So you might also have to configure the pihole to accept clients from the OpenVPN server's network interface and/or private IP network.
 
I had "Advertise DNS to clients" set to NO all this time, so I thought by setting to Yes it would allow the Router's DNS server to be used, in this case Pihole since it's the default DNS server.
I will contact the Pihole folks to see if what you're suggesting is possible.

Thank you eibgrad.
 
I found a setting in Pihole to "Permit all origins". The default setting is "Allow only local requests".
If I select Permit all origins, then the Router's DNS, in this case the Pihole DNS, is used when connecting to OpenVPN... but according to Pihole's documentation, the option to Permit all origins is NOT recommended.

So, is there a way to achieve this by maybe changing the OpenVPN config file to accept a custom DNS server?

I tried push "dhcp-option DNS 192.168.1.88", but I get no internet. Also tried 192.168.1.1, but no internet either.
 
The alternative would be to NAT the traffic from the OpenVPN tunnel w/ the LAN IP of the router as it's dropped on the LAN, so it appears to be sourced from the router rather than the OpenVPN client.

Code:
iptables -t nat -I POSTROUTING -s $(nvram get vpn_server1_sn)/$(nvram get vpn_server1_nm) -o br0 -d 192.168.1.88 -p tcp --dport 53 -j SNAT --to $(nvram get lan_ipaddr)
iptables -t nat -I POSTROUTING -s $(nvram get vpn_server1_sn)/$(nvram get vpn_server1_nm) -o br0 -d 192.168.1.88 -p udp --dport 53 -j SNAT --to $(nvram get lan_ipaddr)

The above assumes server #1. For server #2, adjust accordingly.

Since these types of personal firewalls on the LAN are rather common, you might prefer to NAT *all* the inbound traffic rather than being so specific about the target (which is what I do).

Code:
iptables -t nat -I POSTROUTING -s $(nvram get vpn_server1_sn)/$(nvram get vpn_server1_nm) -o br0 -j SNAT --to $(nvram get lan_ipaddr)

Of course, either of these would have to be added as a nat-start script.
 
P.S. In case you don't know how to add a nat-start script ...
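Putting the DNS-only variant into a nat-start script, as an added example (not eibgrad's code from the post above): it reads the same nvram variables, adds both the UDP and TCP rule, and checks with `iptables -C` before inserting so that repeated runs don't pile up duplicate SNAT rules. The Pi-hole address is the 192.168.1.88 used in this thread; the script path and the SERVER_ID variable are assumptions.

```shell
#!/bin/sh
# nat-start (assumed location: /jffs/scripts/nat-start on Asuswrt-Merlin)
# SNAT the OpenVPN server clients' DNS queries to the Pi-hole so they arrive
# from the router's LAN address and Pi-hole can stay on "Allow only local requests".

PIHOLE_IP="192.168.1.88"    # Pi-hole address used in the thread
SERVER_ID="${SERVER_ID:-1}" # OpenVPN server instance (1 or 2) whose nvram vars are read

# Build the nat-table rule for one protocol as a string, so the rule logic can be
# checked without touching iptables. Args: tunnel-subnet netmask lan-ip proto
dns_snat_rule() {
    subnet="$1"; netmask="$2"; lan_ip="$3"; proto="$4"
    printf 'POSTROUTING -s %s/%s -o br0 -d %s -p %s --dport 53 -j SNAT --to %s' \
        "$subnet" "$netmask" "$PIHOLE_IP" "$proto" "$lan_ip"
}

# Insert a rule only when it is not already present; nat-start can fire more than
# once (e.g. on firewall restarts) and duplicate SNAT rules would accumulate otherwise.
ensure_rule() {
    # word splitting of the rule string into iptables arguments is intended here
    iptables -t nat -C $1 2>/dev/null || iptables -t nat -I $1
}

apply_vpn_dns_snat() {
    subnet=$(nvram get "vpn_server${SERVER_ID}_sn")
    netmask=$(nvram get "vpn_server${SERVER_ID}_nm")
    lan_ip=$(nvram get lan_ipaddr)
    for proto in udp tcp; do
        ensure_rule "$(dns_snat_rule "$subnet" "$netmask" "$lan_ip" "$proto")"
    done
}

# Only touch the firewall when actually running on the router
if command -v nvram >/dev/null 2>&1 && command -v iptables >/dev/null 2>&1; then
    apply_vpn_dns_snat
fi
```

Set SERVER_ID=2 in the environment (or edit the default) to apply the rules for OpenVPN server #2 instead.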

 
Saw your post at the other forum and replied there. You should be fine choosing "Respond only on interface eth0", at least that's what I had to do. The warnings are scary but there should be no worries in this case. You can even go to an open resolver test site to ensure you haven't enabled one.
 
@eibgrad thank you sir.. Pihole folks responded and said I should be good to go enabling Respond only on interface eth0 which is a much simpler way for a simpleton like me lol.
If that fails, I will def give yours a go.. thanks for this!
 
