Failing to resolve DNS while using PIA openvpn configuration

mrmobes · February 27, 2024, 8:12pm

Hello,

So I have successfully set up OpenWRT to tunnel traffic through a PIA vpn. All my devices can connect to the openwrt Lan I set up, and I am able to ping 8.8.8.8 perfectly fine. When I ping google.com or any other traffic fails to resolve the host. I edited the ovpn configuration to add both dhcp-option DNS 10.0.0.241 and 10.0.0.243 as specified by PIA.

I'm at a complete loss on how to resolve this. I should add that when I turn off the VPN, all traffic resolves quickly and immediately. However, my need for this router is to permanently enable the vpn and always use DNS 10.0.0.241 if possible.

egc · February 27, 2024, 8:24pm

The OpenWrt OpenVPN client does not deal with pushed or set DNS servers.

You have to take care of that yourself.

The easiest is if the DNS server are publicly available you then just set those as upstream resolvers, but in your case the DNS servers are only available when the tunnel is up.

There are several scripts which sets the pushed or set DNS servers as exclusive upstream DNS resolvers as the tunnel is up, this is the one I am using:
Readme:

Script:

github.com

egc112/OpenWRT-egc-add-on/blob/main/stop-dns-leak/use-openvpn-dns/ovpn-update-resolv-7

#!/bin/sh
# File name: ovpn-update-resolv-7
# Description: Script to grab DNS servers from the tunnel for exclusive use by DNSMasq and routes those via the tunnel to prevent DNS leaks
# Version: 22-jan-2024
# Before you start make a backup of your settings just in case
# Install:
#  Copy this cript to /etc/openvpn
#  Make executable: chmod +x /etc/openvpn/ovpn-update-resolv-7
#  Add in the OpenVPN config file these two lines:
#   up /etc/openvpn/ovpn-update-resolv-7
#   down /etc/openvpn/ovpn-update-resolv-7
##   script-security 2 #not necessary is already taken care of
# Fundamentals:
#  Gets the pushed DNS servers and DNS servers manually set in conf file with: dhcp-option DNS <ip-address-of-DNS-server>
#  DNS servers are set in a new resolv file which is used exclusively by DNSMasq to prevent DNS leaks.
#  Sets route for the DNS servers via the tunnel, necessary when using PBR
#  To stop getting the pushed DNS servers by the OpenVPN server add to conf file: pull-filter ignore "dhcp-option DNS"
#     but if you add this setting then you must add your own DNS servers otherwise you will not have DNS!
#  To set your own DNS servers to use when the tunnel is up, add in the openvpn conf file: dhcp-option DNS ip-address-DNS-server
#  To set your own search domain to use when the tunnel is up, add in the openvpn conf file: dhcp-option DOMAIN my-search-domain

This file has been truncated. show original

See also my notes about DNS-leak:

mrmobes · February 27, 2024, 8:37pm

I could kiss you. Thank you so much! I am relatively new to routing network traffic so thank you for your time. Just to confirm, from reading the script it looks like you check the config file and update the resolv config based on what DNS options it finds in the ovpn config?

And this is based on the tunnel being up or down so when I (which will be rare if ever) turn off the vpn it will still provide a functioning DNS provider?

mrmobes · February 27, 2024, 8:39pm

Just another note, I noticed that after the script executes during the vpn enabling, /tmp/resolv_config.vpn contains the following:

nameserver 10.0.0.241
nameserver 10.0.0.243
nameserver 10.0.0.243

Is it ok that .243 appears twice?

egc · February 27, 2024, 9:10pm

It is ok.
Probably PIA is pushing DNS servers and you also have set those yourself.
No problem it wont hurt

egc · February 27, 2024, 9:11pm

Yes exactly

system · March 8, 2024, 9:14pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.