Manage Linux client DNS settings in OpenVPN and Wireguard

March 31, 2020 

OpenVPN and Wireguard are both used to provide secure, remote access to an organization's internal services such as network shares (NFS and Samba), desktops and servers (SSH and RDP) or web services. Linux is generally a first-class citizen as far as clients are concerned, with one exception: accessing DNS through the VPN tunnel.

OpenVPN servers have the concept of pushing settings such as DNS servers to clients. This happens by emulating a DHCP server. Windows OpenVPN clients, for example, are able to process this information and update the (per-link) DNS server settings automatically. But Linux traditionally has not had this capability without support from "up" and "down" scripts. When one is using systemd-resolved, the traditional ways, such as using resolvconf or modifying /etc/resolv.conf directly, no longer work or cause issues. Fortunately there is a good script, update-systemd-resolved, for automating the DNS server setup for systemd-resolved. Basically it takes the list of DNS settings OpenVPN provides and converts them into D-Bus calls that modify the running systemd-resolved's configuration.

Wireguard has no such script as far as I know. It has the "DNS" option, but that just replaces /etc/resolv.conf and as such is useless on systems such as Ubuntu 18.04 or Fedora 30+. Fortunately there is a very simple alternative - just add this:

PostUp = systemd-resolve -i wg0 --set-dns=192.168.0.1 --set-domain=example.org

This forwards all requests for *.example.org to DNS server 192.168.0.1.

The above example would work as an OpenVPN "up" script as well and would be significantly simpler than the update-systemd-resolved script. The only caveat is that the DNS servers OpenVPN pushes are then ignored. This may be perfectly fine if the DNS servers can be expected to be static or to change very rarely.
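To avoid that caveat without pulling in the whole update-systemd-resolved script, an OpenVPN "up"/"down" script can read the pushed dhcp-option values and hand them to systemd-resolved per link. The script below is an added example, not code from this post, from OpenVPN or from update-systemd-resolved; it assumes the environment OpenVPN gives scripts ($dev, $script_type, $foreign_option_1..N) and uses resolvectl, the current name for the systemd-resolve calls shown above. The /etc/openvpn/resolved.sh path is a placeholder.

```shell
#!/bin/sh
# Added example: apply whatever DNS servers and domains the OpenVPN server
# pushed, instead of hard-coding one resolver in the up script.
# Assumed inputs (set by OpenVPN for scripts): $dev, $script_type and
# $foreign_option_1..N such as "dhcp-option DNS 10.8.0.1".
# Client config (placeholder path):
#   script-security 2
#   up   /etc/openvpn/resolved.sh
#   down /etc/openvpn/resolved.sh
set -f   # pushed values are word-split below; never let them glob

# Fill DNS_SERVERS and DNS_DOMAINS from foreign_option_1, _2, ... until a gap.
collect_dns_options() {
    DNS_SERVERS=""
    DNS_DOMAINS=""
    i=1
    while true; do
        eval "opt=\${foreign_option_$i:-}"   # $i is a plain integer, safe to eval
        [ -n "$opt" ] || break
        set -- $opt                          # e.g. dhcp-option DNS 10.8.0.1
        if [ "$1" = "dhcp-option" ]; then
            case "$2" in
                DNS)                  DNS_SERVERS="$DNS_SERVERS $3" ;;
                DOMAIN|DOMAIN-SEARCH) DNS_DOMAINS="$DNS_DOMAINS $3" ;;
            esac
        fi
        i=$((i + 1))
    done
    DNS_SERVERS=${DNS_SERVERS# }   # strip the leading separator
    DNS_DOMAINS=${DNS_DOMAINS# }
}

# Per-link settings only: other interfaces keep their own resolvers.
apply_dns() {
    collect_dns_options
    [ -n "$DNS_SERVERS" ] || return 0       # nothing pushed, leave resolved alone
    resolvectl dns "$dev" $DNS_SERVERS
    [ -z "$DNS_DOMAINS" ] || resolvectl domain "$dev" $DNS_DOMAINS
}

case "${script_type:-}" in
    up)   apply_dns ;;
    down) resolvectl revert "$dev" ;;       # drop the link's DNS settings on disconnect
esac
```

The "down" branch reverts the link so stale VPN resolvers do not linger after the tunnel closes.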

Samuli Seppänen