@rkenmi - OpenVPN / DNS / resolv.conf

Updated on September 16, 2017

If you use an OpenVPN client on a Unix-like system, you may notice that after connecting to a VPN server your DNS servers aren't working properly. This can result in DNS leaks (name lookups still going to your ISP's resolver outside the tunnel) or in name resolution that doesn't work at all (e.g., google.com fails to resolve, but the IP address of google.com is reachable).

This guide covers configuring OpenVPN so that different DNS servers are used while connected to the VPN, and the original DNS servers are restored once the VPN disconnects.

1. Check your /etc/resolv.conf

Your resolv.conf file determines which DNS servers are used. By default, OpenVPN does not modify this file. This means that even when you are connected to a VPN server with OpenVPN, you may still be sending DNS queries to your original ISP's DNS servers.

The first thing to do is check whether this file changes before and after connecting to your VPN server. If it does change, chances are OpenVPN is already handling your DNS servers properly.

2. openresolv

openresolv makes it possible for more than one program to modify resolv.conf without stepping on each other's toes. You will need to install it so that OpenVPN can modify resolv.conf.

Depending on your Linux distribution, there are various ways to install it. Refer to your package manager for more details.

Ubuntu: sudo apt-get install openresolv

Arch: sudo pacman -S openresolv

3. Script: update-resolv-conf

Next, we'll need the update-resolv-conf script to be placed in /etc/openvpn/. This is the script that OpenVPN will execute. As long as openresolv is installed and working correctly, this script should execute without any problems.

You can grab the file below:

update-resolv-conf (RAW)

Note: You may need to change the RESOLVCONF variable in the script to something like /usr/bin/resolvconf, depending on your distribution. Run which resolvconf to find the full path to your resolvconf binary.

4. Configure your OpenVPN Client

Lastly, in your OpenVPN client config file, add the following lines:

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

script-security 2 means that OpenVPN is allowed to call built-in executables and user-defined scripts. The number 2 is the permission level; it is the lowest level that permits user-defined scripts such as update-resolv-conf to run.

The up line runs the update-resolv-conf script when the tunnel comes up and adjusts the DNS configuration accordingly. Likewise, the down line runs it again when the tunnel goes down and reverts the DNS configuration to the original.
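To make the up/down mechanism concrete, here is a minimal stand-in for the update-resolv-conf script, added as an example here and not the script linked above. It assumes what OpenVPN provides to up/down scripts (each pushed dhcp-option arrives as a foreign_option_N environment variable, with $dev and $script_type also set) and the openresolv interface (resolvconf -a to add and -d to delete an interface's records); the RESOLVCONF path is the one the note above says you may have to adjust.

```shell
#!/bin/sh
# Minimal stand-in for update-resolv-conf (constructed example, not the
# original script). OpenVPN exports each pushed "dhcp-option" as
# foreign_option_1, foreign_option_2, ... and also sets $dev and $script_type.
RESOLVCONF=${RESOLVCONF:-/sbin/resolvconf}   # adjust to the output of: which resolvconf

# Turn the foreign_option_N variables into resolv.conf syntax on stdout.
# Only "dhcp-option DNS <ip>" and "dhcp-option DOMAIN <name>" are honoured;
# any other option pushed by the server is ignored rather than copied blindly.
build_resolv_conf() {
    search=""
    i=1
    while eval "opt=\${foreign_option_$i}"; [ -n "$opt" ]; do
        set -- $opt
        if [ "$1" = "dhcp-option" ]; then
            case "$2" in
                DNS)    echo "nameserver $3" ;;
                DOMAIN) search="$search $3" ;;
            esac
        fi
        i=$((i + 1))
    done
    [ -n "$search" ] && echo "search${search}"
    return 0
}

# Entry point used by OpenVPN's "up" and "down" directives:
# register the VPN resolvers under "<dev>.openvpn" on up, drop them on down.
case "$script_type" in
    up)   build_resolv_conf | "$RESOLVCONF" -a "$dev.openvpn" ;;
    down) "$RESOLVCONF" -d "$dev.openvpn" ;;
esac
```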
