OpenVPN and systemd-resolved

openvpnresolv.confsystemd

How does one use the dns pushed via an openvpn server with systemd-resolved ?

Before I decide to 'upgrade' to systemd-networkd. I could use some variant of openvpn-resolv-conf script to call resolvconf to manage entries in /etc/resolv.conf on successfully establishing a vpn tunnel.

This would allow me to resolve names on the remote end of the vpn tunnel.

Now that systemd-resolved manages /run/systemd/resolved/resolv.conf is it possible to automatically add DNS pushed via a openvpn connection to the list of nameservers used for resolution?

Best Answer

Use up/down scripts from https://github.com/jonathanio/update-systemd-resolved in your OpenVPN's config file. These use systemd-resolved's DBus interface to update DNS information.

Related Solutions

Ubuntu – Routing setup for OpenVPN server on Amazon EC2

You need to enable forwarding on the OpenVPN server in the kernel (/proc/sys/net/ipv4/ip_forward) and you have to globally or selectively allow forwarding in the firewall (iptables), e.g.:

# there is probably already a rule allowing all established connections
# iptables -A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
# the next rules for every OpenVPN interface (or once for the respective address block)
iptables -A FORWARD -i tun0 -d 10.0.0.0/8  -j ACCEPT
iptables -A FORWARD -i tun0 -d 172.16.0.23 -j ACCEPT
# if the local network shall be accessible
# iptables -A FORWARD -i tun0 -d 172.16.20.0/24 -j ACCEPT

You need not set routes on the server if just simple clients connect. If 172.16.20.1 connects as a gateway for the local network then you need a route for 172.16.20.0/24 but that is probably (and best) set in the OpenVPN config for 172.16.20.1.

Edit 1

If you cannot configure the routing on certain systems and their routing would not send the traffic back the right way then you need NAT (more precise: SNAT):

iptables -t nat -A POSTROUTING -d $PROBLEM_HOST_IP \! -s $LOCAL_IP \
  -j SNAT --to-source $LOCAL_IP

with the variables set accordingly. Assuming you can set the correct routing for targets in 172.16.20.0/24 only then you can do this easier this way:

iptables -t nat -I POSTROUTING 1 -s $LOCAL_IP -j ACCEPT
iptables -t nat -I POSTROUTING 2 -d 172.16.20.0/24 -j ACCEPT
iptables -t nat -I POSTROUTING 3 -j SNAT --to-source $LOCAL_IP

Centos 7 with SElinux: openvpn and DNS

Try this commands:

$ mkdir /etc/openvpn/scripts
$ mv /etc/openvpn/update-resolv-conf /etc/openvpn/scripts/
$ restorecon -v /etc/openvpn/scripts/
$ restorecon -v /etc/openvpn/scripts/update-resolv-conf
$ setsebool openvpn_run_unconfined on
$ nano -w /etc/openvpn/config.conf
up /etc/openvpn/update-resolv-conf                                                                                                            
down /etc/openvpn/update-resolv-conf
script-security 2
$ systemctl start openvpn@config.service
$ systemctl status openvpn@config.service

Best Answer

Related Solutions

Ubuntu – Routing setup for OpenVPN server on Amazon EC2

Centos 7 with SElinux: openvpn and DNS

Related Topic