Using DNS servers pushed to clients

This page describes how to use pushed DNS servers in the client.

Using DNS servers pushed to a Linux client

On Linux, an external script must be used to update the DNS servers in /etc/resolv.conf.

Blue-pill or Red-pill?

You are getting Blue-pill'd, regardless...

Using DNS servers pushed to a Windows client

OpenVPN 2.5+:

  • Windows uses the OpenVPN built-in DHCP server to update the TAP adapter's DNS servers and no additional steps are required.
  • This does require that the client is run using the OpenVPN-GUI and that the OpenVPN InteractiveService for Windows is started.
  • To prevent DNS leaks at the client use --block-outside-dns.

OpenVPN 2.4:

  • See: 2.5+
  • Upgrade Now!

OpenVPN 2.3:

  • Windows uses the OpenVPN built-in DHCP server to update the TAP adapter's DNS servers and no additional steps are required.
  • This does require that the client is run as an administrator user.
  • This version does not support --block-outside-dns.
  • Upgrade Now!

Additional notes

Linux notes:

  • If the client is run using --user and --group to drop the process privileges then the --down script will fail and leave the client DNS in an undefined state.
  • The recommended way to resolve this is to use the openvpn-down-root.so plugin module.
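
The external script the Linux section refers to, and the --down step the Linux notes warn about, shown as an added example (not OpenVPN's own script or code from this page). OpenVPN hands each pushed dhcp-option to the --up script in the foreign_option_N environment variables; the example validates those values before they reach resolv.conf. The RESOLV_CONF override and the backup file name are assumptions of the example.

```sh
#!/bin/sh
# Added example of an --up/--down helper (not OpenVPN's own script).
# OpenVPN exports each pushed "dhcp-option" as foreign_option_1, _2, ...
# RESOLV_CONF override and BACKUP path are assumptions of this example.
RESOLV_CONF="${RESOLV_CONF:-/etc/resolv.conf}"
BACKUP="${RESOLV_CONF}.openvpn-backup"

# Print resolv.conf lines built from the foreign_option_N variables.
render_resolv_conf() {
    i=1 search="" servers=""
    set -f                      # no glob expansion of pushed values
    while :; do
        eval "opt=\${foreign_option_$i:-}"
        [ -n "$opt" ] || break
        set -- $opt             # split "dhcp-option DNS 10.8.0.1"
        if [ $# -eq 3 ] && [ "$1" = "dhcp-option" ]; then
            case "$2" in
                DNS)    # address characters only, anything else is dropped
                    case "$3" in
                        *[!0-9A-Fa-f.:]*) ;;
                        *) servers="${servers}nameserver $3
" ;;
                    esac ;;
                DOMAIN) # hostname characters only
                    case "$3" in
                        *[!A-Za-z0-9.-]*) ;;
                        *) search="${search} $3" ;;
                    esac ;;
            esac
        fi
        i=$((i + 1))
    done
    set +f
    [ -z "$search" ] || printf 'search%s\n' "$search"
    printf '%s' "$servers"
}

# OpenVPN sets script_type to "up" or "down" when it runs the script.
case "${script_type:-}" in
    up)
        new=$(render_resolv_conf)
        if [ -n "$new" ]; then
            cp -p "$RESOLV_CONF" "$BACKUP"
            printf '%s\n' "$new" > "$RESOLV_CONF"
        fi ;;
    down)
        # Needs root, so it fails once --user/--group have dropped privileges.
        if [ -f "$BACKUP" ]; then mv "$BACKUP" "$RESOLV_CONF"; fi ;;
esac
```

OpenVPN only runs user-defined scripts when script-security is set to 2 or higher, with the script named in the up and down directives.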