Enable DNS Hostname resolution with OpenVPN and DNSMasq
I have configured OpenVPN as a server to host my own VPN and I want to use DNSMasq to resolve hostnames on the VPN.
Say I have the OpenVPN server, two computers on the internal network, and one outside, all clients for the VPN (192.168.254.0/24):
- Internal Network: 192.168.1.0/24
    server: IP: 192.168.1.1
    A: IP: 192.168.1.2, VPN: 192.168.254.2
    B: IP: 192.168.1.3, VPN: 192.168.254.3
- External Network: 192.168.2.0/24
    C: IP: 192.168.2.1, VPN: 192.168.254.4
With my current setup, both A and B can resolve their hostnames via DNSMasq on the internal network. And, all of A, B, and C can access each other by direct IP. But, I want to allow C to access A and B by hostname (DNS resolution, not NetBIOS) without directing all network traffic through the VPN.
OpenVPN configuration:
proto tcp
dev tap
server 192.168.254.0 255.255.255.0
client-to-client
persist-key
persist-tun
Do I need to also configure the VPN server as a client? Do I need to push the domain from the Internal Network across the VPN? What do I need to do?
networking vpn dns openvpn dnsmasq
edited Dec 11 at 22:26
asked May 26 at 6:48
palswim
1 Answer
With great complexity, I have something approximating DNS over the VPN.
First, I had to run a script upon the addition of an address to OpenVPN. In the server configuration:
ifconfig-pool-persist ip-pool # Store mappings of CN,IP, 1 per line
script-security 2 # Allow OpenVPN to run user scripts
learn-address /path/to/learn-address.sh
I started with the learn-address.sh script from an old OpenVPN thread, but since I was running a TAP interface, I had to add a script to parse the ip-pool file as well:
#!/bin/sh
# openvpn learn-address script to manage a hosts-like file
# - intended to allow dnsmasq to resolve openvpn clients
#   addn-hosts=/etc/hosts.openvpn-clients
#
# Changelog
# 2006-10-13 BDL original
# 2018-12-10 Palswim change to query OpenVPN Persistent pool for TAP interfaces

# replace with a sub-domain of your domain, use a sub-domain to
# prevent VPN clients from stealing existing names
DOMAIN=example
HOSTS=/etc/openvpn/hosts

h="hosts-openvpn-$DOMAIN"
LOCKFILE="/var/run/$h.lock"
IP="$2"
CN="$3"

if [ -z "$IP" ]; then
    echo "$0: IP not provided" >&2
    exit 1
else
    # In TAP mode, OpenVPN passes the client's MAC instead of an IP, since with
    # TAP clients can use protocols other than IP. Translate it through the
    # ifconfig-pool-persist file (one "CN,IP" line per client; the path is
    # relative to OpenVPN's working directory, like the directive itself).
    # Note: OpenVPN passes the CN only for add/update, so on delete this lookup
    # finds nothing and the script exits before the entry is commented out.
    MAC="$IP"
    IP=$(grep "^$CN[[:space:]]*," ip-pool | head -n 1 | cut -d, -f 2)
    if [ -z "$IP" ]; then
        echo "$0: Failed to find IP in ifconfig-pool" >&2
        exit 0
    else
        echo "$0: Translated MAC ($MAC) to IP ($IP)"
    fi
fi

case "$1" in
    add|update)
        if [ -z "$CN" ]; then
            echo "$0: Common Name not provided" >&2
            exit 0
        fi
        ;;
    delete)
        ;;
    *)
        echo "$0: unknown operation [$1]" >&2
        exit 1
        ;;
esac

# serialise concurrent accesses
[ -x /bin/lock ] && /bin/lock "$LOCKFILE"

# clean up IP if we can
[ -x /bin/ipcalc ] && eval $(ipcalc "$IP")

FQDN="$CN"

# busybox mktemp must have exactly six X's
t=$(/bin/mktemp "/run/shm/$h.XXXXXX")
if [ $? -ne 0 ]; then
    echo "$0: mktemp failed" >&2
    exit 1
fi

case "$1" in
    add|update)
        # The pattern and its action must stay on one line: awk treats a
        # newline after a pattern as the end of that rule.
        /usr/bin/awk '
            # update/uncomment address|FQDN with new record, drop any duplicates:
            $1 == "'"$IP"'" || $1 == "#'"$IP"'" || $2 == "'"$FQDN"'" { if (!m) print "'"$IP"'\t'"$FQDN"'"; m=1; next }
            { print }
            END { if (!m) print "'"$IP"'\t'"$FQDN"'" }   # add new address to end
        ' "$HOSTS" > "$t" && cat "$t" > "$HOSTS"
        ;;
    delete)
        /usr/bin/awk '
            # no FQDN, comment out all matching addresses (should only be one)
            $1 == "'"$IP"'" { print "#" $0; next }
            { print }
        ' "$HOSTS" > "$t" && cat "$t" > "$HOSTS"
        ;;
esac

# signal dnsmasq to reread hosts file
kill -HUP $(cat /var/run/dnsmasq/dnsmasq.pid)

rm "$t"
[ -x /bin/lock ] && /bin/lock -u "$LOCKFILE"
exit 0
I ended up running one DNSMasq server for my own LAN and a different server for the VPN. I had to update my configuration (/etc/dnsmasq.conf):
no-resolv                       # Didn't want to serve anything but VPN requests
interface=tap0
bind-interfaces                 # Required if the LAN dnsmasq instance runs on this same host
no-hosts                        # Don't use /etc/hosts
addn-hosts=/etc/openvpn/hosts   # Target the output of the learn-address.sh script (the option is addn-hosts)
expand-hosts
domain=example
Once I had this, I then had to push a few options via OpenVPN's DHCP server. Again, in the OpenVPN server configuration:
server 192.168.254.0 255.255.255.0 # Assuming this VPN network
push "dhcp-option DNS 192.168.254.1"
push "dhcp-option DOMAIN example" # Push domain to clients
Unfortunately, only the Windows version of OpenVPN supports setting these options automatically. Linux clients will need to configure scripts to run on connection up/down. If your Linux system uses /etc/resolv.conf, ultimately you need your VPN domain to appear in your search list, and your server IP to appear as a nameserver:
search example        # you may have other strings here too, separated by a space
# ... other nameservers, then:
nameserver 192.168.254.1
edited Dec 14 at 19:40
answered Dec 11 at 22:20
palswim
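As an added example (not the answer's script), the two pieces the learn-address approach above depends on, written as standalone shell functions and exercised against constructed files: an exact-match CN lookup in the ifconfig-pool-persist file (so a CN containing regex metacharacters cannot match the wrong line, unlike an unescaped grep pattern), a hostname check before a certificate CN is written into a file that dnsmasq serves, and the add/update/delete hosts-file logic. Function names, file layout and the A/B/C pool contents are assumptions for the demo; it requires only POSIX sh, awk and mktemp.

```shell
#!/bin/sh
# Look up a client's pool IP by certificate Common Name in an
# ifconfig-pool-persist file (one "CN,IP" line per client).
# Exact field comparison: the CN is data, never part of a pattern.
pool_ip_for_cn() {
    # $1 = pool file, $2 = CN
    awk -F, -v cn="$2" '$1 == cn { print $2; exit }' "$1"
}

# Accept only a plain DNS label before the CN reaches the hosts file:
# the CN comes from the client certificate and dnsmasq serves it verbatim.
valid_hostname() {
    case "$1" in
        ''|*[!A-Za-z0-9-]*|-*|*-) return 1 ;;
    esac
    [ "${#1}" -le 63 ]
}

# Add or refresh "IP<TAB>NAME", dropping any earlier line for the same IP
# (live or commented out) or the same name, so a reconnecting client that
# receives a new address leaves no stale record behind.
hosts_add() {
    # $1 = hosts file, $2 = IP, $3 = name
    tmp=$(mktemp) || return 1
    awk -v ip="$2" -v name="$3" '
        $1 == ip || $1 == "#" ip || $2 == name { if (!m) print ip "\t" name; m = 1; next }
        { print }
        END { if (!m) print ip "\t" name }
    ' "$1" > "$tmp" && cat "$tmp" > "$1"
    rm -f "$tmp"
}

# Comment out every line for an IP when the client disconnects.
hosts_delete() {
    # $1 = hosts file, $2 = IP
    tmp=$(mktemp) || return 1
    awk -v ip="$2" '$1 == ip { print "#" $0; next } { print }' "$1" > "$tmp" \
        && cat "$tmp" > "$1"
    rm -f "$tmp"
}

# Walk an add / update / delete sequence over constructed files and print the
# resulting hosts file (the demo's return value; checked by the tests).
demo_learn_address() {
    dir=$(mktemp -d) || return 1
    pool="$dir/ip-pool"
    hosts="$dir/hosts"
    # Constructed ifconfig-pool-persist contents mirroring the question's A, B and C.
    printf '%s\n' 'A,192.168.254.2' 'B,192.168.254.3' 'C,192.168.254.4' > "$pool"
    : > "$hosts"
    for cn in A B C; do
        ip=$(pool_ip_for_cn "$pool" "$cn")
        valid_hostname "$cn" && [ -n "$ip" ] && hosts_add "$hosts" "$ip" "$cn"
    done
    # C reconnects and is handed a new pool address: the old C line is replaced.
    hosts_add "$hosts" 192.168.254.5 C
    # B disconnects: its line is commented out, not removed.
    hosts_delete "$hosts" 192.168.254.3
    cat "$hosts"
    rm -rf "$dir"
}

[ "${0##*/}" = "learn_address_demo.sh" ] && demo_learn_address
```

In a real deployment the same HUP to dnsmasq that the answer's script sends would follow each hosts-file change.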