I've recently installed an authoritative DNS server (Unbound) and an OpenVPN server on my VPS and wanted to use them with OpenWrt. After exporting my .ovpn to the router, the VPN tunnel is working fine... my IP changed, but I'm still using my ISP's DNS.
I've done some research, but I have trouble determining whether the problem comes from the server or the router's configuration, and how to solve it (the DNS server is working fine).
Here are the different configuration files:
Server.conf (OpenVPN)
local xxx.xxx.xxx
port xxx
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
topology subnet
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 127.0.0.1"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 0
crl-verify crl.pem
explicit-exit-notify
OpenVPN client (.ovpn)
client
dev tun
proto udp
remote xxx.xxx.xxx.xxx xxx
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
ignore-unknown-option block-outside-dns
block-outside-dns
verb 0
I haven't found it yet, but since DNS requests made directly on the VPS are working fine, I believe there are probably options in OpenWrt to forward the DNS requests through the VPN tunnel...
I'm following this thread, having the same problem. Small question:
How do you define $addr? I'm getting an error that $addr is not defined.
(I'm using a script to change the outgoing DNS when the VPN is up. But with a DNS leak check, the one I use for the VPN is on top while the other is still in the list, so something is leaking.)
If Unbound is performing all of your exit recursion, then you can add a forward-zone:, either in conf or by UCI. Require that your intranet domain is forwarded to the VPN servers and that UCI fallback is disabled, or in conf forward-first: no (won't try the universe on fail). Rare case, but if your VPN servers are actually authoritative servers (NSD, BIND, Active Directory), then it is a stub-zone:.
ProtonVPN advise adding this config to avoid DNS leaks:
Log in to your router via an SSH client as the root user. Type the following in the terminal:
cat << "EOF" > /etc/openvpn/client.sh
#!/bin/sh
# OpenVPN exports every pushed dhcp-option as foreign_option_N; turn the DNS
# and DOMAIN entries into resolv.conf lines that dnsmasq can read.
env | sed -n -e "
/^foreign_option_.*=dhcp-option.*DNS/s//nameserver/p
/^foreign_option_.*=dhcp-option.*DOMAIN/s//search/p
" | sort -u > /tmp/resolv.conf.vpn
# $script_type is set to "up" or "down" by OpenVPN when it runs this script.
case ${script_type} in
(up) uci set dhcp.@dnsmasq[0].resolvfile="/tmp/resolv.conf.vpn" ;;
(down) uci revert dhcp ;;  # the change is never committed, so revert restores the ISP file
esac
/etc/init.d/dnsmasq restart &
EOF
chmod +x /etc/openvpn/client.sh
# OpenVPN only runs this script if the client config also contains:
#   script-security 2
#   up /etc/openvpn/client.sh
#   down /etc/openvpn/client.sh
Exit your shell.
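The handler below is an added example; it is not the ProtonVPN recipe above and not code from any poster in this thread. It does the same job as the posted client.sh (turn OpenVPN's foreign_option_N variables into a resolver file for dnsmasq) but also refuses resolver addresses a client can never reach over the tunnel. The server.conf in the first post is the case in point: push "dhcp-option DNS 127.0.0.1" is consumed on the client, so it tells every client to query its own loopback, and the router is left with whatever resolver it had before. The script assumes (hypothetically) that OpenVPN invokes it with script-security 2 plus up and down directives, that dnsmasq is the router's resolver (UCI section dhcp.@dnsmasq[0]), and that the VPS's Unbound would be reached at a tunnel address such as 10.8.0.1 from the 10.8.0.0/24 in server.conf once the server pushes that instead of 127.0.0.1.

```shell
#!/bin/sh
# Added example, not the forum posters' or ProtonVPN's code: an OpenVPN
# up/down handler for OpenWrt that builds dnsmasq's resolver file from the
# pushed dhcp-options and refuses addresses a client can never reach.
# Assumptions (hypothetical): OpenVPN invokes it via "script-security 2",
# "up" and "down"; dnsmasq is the router's resolver (UCI dhcp.@dnsmasq[0]).

RESOLV_VPN="${RESOLV_VPN:-/tmp/resolv.conf.vpn}"

# usable_dns ADDR: returns 0 if ADDR is a dotted-quad IPv4 address a VPN
# client could plausibly query over the tunnel, 1 otherwise. Loopback
# (127/8) is rejected because a pushed "dhcp-option DNS 127.0.0.1", as in
# the server.conf earlier in the thread, names the CLIENT's own loopback,
# not the resolver running on the VPS.
usable_dns() {
    addr=$1
    case "$addr" in
        127.*|0.0.0.0|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $addr
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# resolv_from_foreign_options: prints resolv.conf lines for every
# "dhcp-option DNS/DOMAIN" that OpenVPN exported as foreign_option_N.
# Unusable DNS addresses are reported on stderr and dropped.
resolv_from_foreign_options() {
    env | sed -n 's/^foreign_option_[0-9]*=dhcp-option //p' |
    while read -r kind value; do
        case "$kind" in
            DNS)
                if usable_dns "$value"; then
                    echo "nameserver $value"
                else
                    echo "ignoring unusable pushed DNS server: $value" >&2
                fi ;;
            DOMAIN|DOMAIN-SEARCH) echo "search $value" ;;
        esac
    done | sort -u
}

# apply_vpn_resolver up|down: point dnsmasq at the tunnel resolvers while
# the VPN is up and revert to the ISP file when it goes down. If the server
# pushed nothing usable, dnsmasq is left alone and the problem is logged;
# a non-zero exit here would make OpenVPN treat the up script as failed.
apply_vpn_resolver() {
    if ! command -v uci >/dev/null 2>&1; then
        echo "uci not found: not running on OpenWrt, nothing applied" >&2
        return 0
    fi
    case "$1" in
        up)
            resolv_from_foreign_options > "$RESOLV_VPN"
            if ! grep -q '^nameserver ' "$RESOLV_VPN"; then
                echo "no usable DNS pushed by the VPN server; resolver left unchanged" >&2
                return 0
            fi
            uci set dhcp.@dnsmasq[0].resolvfile="$RESOLV_VPN"
            ;;
        down)
            uci revert dhcp
            ;;
    esac
    /etc/init.d/dnsmasq restart &
}

# OpenVPN tells the script which event fired via $script_type.
case "${script_type:-}" in
    up|down) apply_vpn_resolver "$script_type" ;;
esac
```

With the first post's server.conf unchanged, this handler would log "ignoring unusable pushed DNS server: 127.0.0.1" and leave the ISP resolver in place, which makes the misconfiguration visible on the router instead of silently leaking. Once the server pushes a tunnel-side address that Unbound actually listens on, the same run writes "nameserver 10.8.0.1" and dnsmasq forwards through the VPN.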