How to fix DNS issues when using OpenVPN.

Sometimes you connect to the VPN server successfully but nothing seems to work. One of the reasons could be DNS.
First, check your VPN logs. For example,
on macOS:
/Library/Application Support/Tunnelblick/Logs
or on Linux:
journalctl -u NetworkManager.service

2019-06-11 23:30:25.110048 MANAGEMENT: >STATE:1560292225,GET_CONFIG,,,,,,
2019-06-11 23:30:25.110251 SENT CONTROL [openvpn.example.com]: 'PUSH_REQUEST' (status=1)
2019-06-11 23:30:25.252005 PUSH: Received control message: 'PUSH_REPLY,route ....
dhcp-option DOMAIN dev.example.com,dhcp-option DOMAIN prod.example.com,dhcp-option DOMAIN int.example.com'
...
....
2019-06-11 23:30:25.252374 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:13: dhcp-option (2.4.7)

In the example above, the OpenVPN client complains that it does not recognise the dhcp-option entries, because the server pushes multiple ‘dhcp-option DOMAIN value’ config params whereas
the client expects a single command with multiple values: ‘dhcp-option DOMAIN value1 value2’.

This normally happens when your client version doesn’t match your server version, so your client doesn’t know what to do with them.

As a result, you may not get the correct settings in your ‘/etc/resolv.conf’, for example a missing or incomplete ‘nameserver’ or ‘search’ entry.
In this example ‘search’ won’t be set up correctly, meaning that if there was a DNS record like something.int.example.com, we wouldn’t be able
to refer to it without the FQDN, as just ‘something’. That is what the ‘search’ parameter does in ‘/etc/resolv.conf’.

If ‘nameserver’ is not configured, DNS won’t work at all.

But there is a solution.

In this example, we can configure the client to ignore specific options pushed by the server and set them on the client side instead, as below:

pull-filter ignore "dhcp-option DOMAIN"
dhcp-option DOMAIN "dev.example.com prod.example.com int.example.com"

If that doesn’t work for some reason, or your client doesn’t support these options at all, you can always run a custom script that adds those parameters to your resolv.conf, or whatever your system
uses. The important thing is to know what the server is trying to set up, and then set it yourself:

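# $vpn_connection must be set by whatever runs this snippet (e.g. a connect hook).
# Note: this overwrites /etc/resolv.conf completely.
[[ "$vpn_connection" == "mywork_vpn" ]] && \
 echo "setting-up-dns manually..." && \
 sudo bash -c 'echo -e "search dev.example.com prod.example.com int.example.com\nnameserver 172.16.0.03" > /etc/resolv.conf'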

This is probably not the best idea, but in the worst case it may still help. The file will be overwritten by other tools, such as a Wi-Fi connection or another VPN connection, or you
can store the old version and write it back after disconnecting from your mywork_vpn.
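
The manual approach above, as an added example that is not part of the original post: it reads the pushed options from the client log, builds the resolv.conf lines from them, and keeps a backup to restore on disconnect. The function names, the ".pre-vpn" suffix and the sample log values (route, DNS address) are assumptions made for illustration.

```shell
# Added example, not from the original post; function names and the
# ".pre-vpn" backup suffix are hypothetical.

# Constructed sample log: the route and DNS address are made up.
sample_log() {
  cat <<'EOF'
2019-06-11 23:30:25.110251 SENT CONTROL [openvpn.example.com]: 'PUSH_REQUEST' (status=1)
2019-06-11 23:30:25.252005 PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.0 255.255.255.0,dhcp-option DNS 192.0.2.53,dhcp-option DOMAIN dev.example.com,dhcp-option DOMAIN prod.example.com,dhcp-option DOMAIN int.example.com'
EOF
}

# Read a client log on stdin; print resolv.conf lines built from the
# dhcp-option DOMAIN / DNS entries of the last PUSH_REPLY. Values with
# characters outside hostname / IP syntax are dropped, since they end up
# in a root-owned file.
resolv_from_push_reply() {
  grep 'PUSH_REPLY' | tail -n 1 | tr ',' '\n' | tr -d "'" | awk '
    $1 == "dhcp-option" && $2 == "DOMAIN" && $3 ~ /^[A-Za-z0-9.-]+$/ { search = search " " $3 }
    $1 == "dhcp-option" && $2 == "DNS" && $3 ~ /^[0-9A-Fa-f.:]+$/ { ns[++n] = $3 }
    END {
      if (search != "") print "search" search
      for (i = 1; i <= n; i++) print "nameserver " ns[i]
    }'
}

# Install stdin as resolver file $1, keeping one backup of the original.
# Refuses content without a nameserver, which would break DNS entirely.
dns_up() {
  target=$1
  content=$(cat)
  printf '%s\n' "$content" | grep -q '^nameserver ' || {
    echo "no nameserver found, leaving $target untouched" >&2
    return 1
  }
  [ -e "$target.pre-vpn" ] || cp -p "$target" "$target.pre-vpn"
  printf '%s\n' "$content" > "$target"
}

# Restore the saved resolver file after disconnecting.
dns_down() {
  target=$1
  if [ -e "$target.pre-vpn" ]; then
    cat "$target.pre-vpn" > "$target" && rm -f "$target.pre-vpn"
  fi
}

# Show what would be written for the sample log.
sample_log | resolv_from_push_reply
```

Run as root against /etc/resolv.conf: pipe the client log through resolv_from_push_reply into dns_up on connect, and call dns_down on disconnect.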

https://community.openvpn.net/openvpn/ticket/809
http://man7.org/linux/man-pages/man5/resolv.conf.5.html