OpenVPN Dhcp-options Handlers For Mac
There is an OpenVPN server running on a Debian and it pushes a DNS in the server config file:

    push 'dhcp-option DNS 8.8.8.8'

Is there an option to allow the users to change those DNS servers on the client side? Here is the catch: the OpenVPN server must push a DNS because otherwise many OpenVPN clients will not be able to open web pages until they manually set DNS servers in the system's network settings. My goal is to automatically apply a default DNS server to not-technically-skilled users, while also allowing skilled computer users to set their own DNS servers. Note that simply changing DNS settings on the PC while the push 'dhcp-option DNS 8.8.8.8' option is active on the OpenVPN server does nothing. The DNS pushed by the server remains regardless of the local DNS settings.

In the official you can find:

--route-nopull When used with --client or --pull, accept options pushed by server EXCEPT for routes and dhcp options like DNS servers. When used on the client, this option effectively bars the server from adding routes to the client's routing table, however note that this option still allows the server to set the TCP/IP properties of the client's TUN/TAP interface.

Unfortunately, in addition to what you're asking, this has the side effect of disabling also the redirect-gateway provided by your configuration and this can represent an issue, for your case. What I suggest is a completely different approach. As you explicitly mentioned: 'My goal is to automatically apply a default DNS server to not-technically-skilled users, while also allow skilled computer users to set their own DNS servers.'
It looks like you know exactly which users you want to provide a DNS config and which users you don't want to provide such config. Hence, instead of pushing your config directly in the main OpenVPN config file (and, as such, provide such config to ALL of your users), you can implement a per-user config. You can do this with:

--client-config-dir dir Specify a directory dir for custom client config files. After a connecting client has been authenticated, OpenVPN will look in this directory for a file having the same name as the client's X509 common name. If a matching file exists, it will be opened and parsed for client-specific configuration options. If no matching file is found, OpenVPN will instead try to open and parse a default file called 'DEFAULT', which may be provided but is not required. Note that the configuration files must be readable by the OpenVPN process after it has dropped its root privileges. This file can specify a fixed IP address for a given client using --ifconfig-push, as well as fixed subnets owned by the client using --iroute. One of the useful properties of this option is that it allows client configuration files to be conveniently created, edited, or removed while the server is live, without needing to restart the server. The following options are legal in a client-specific context: --push, --push-reset, --iroute, --ifconfig-push, and --config.

So, as for the main config, you should remove:

    # to be removed from the main config
    push 'dhcp-option DNS 8.8.8.8'
    push 'dhcp-option DNS 8.8.4.4'

and add a reference to the /etc/openvpn/userconf directory (as an example; feel free to choose whatever you like):

    # to be ADDED to the main config
    client-config-dir /etc/openvpn/userconf

Then, in such userconf directory, create one file for each of the users you want to provide such DNS, including in such file the two rows deleted above. Obviously you're free to fine-tune the OpenVPN config for every user, not limiting the customization to the two rows above. As a final note, you may be interested in the ccd-exclusive parameter as well.

@Dimi: actually that solution is much more limited than you make it appear.
Since different VPN connections use different DNS servers and the order of establishing the links will determine which TAP adapter gets used, I cannot possibly preconfigure the TAP adapters to use a specific set of DNS, as the DNSs I am configuring may not even apply to the connection that is established using that particular TAP adapter. In short, your workaround works only iff there is but a single VPN connection always established through the same TAP adapter.
– May 31 '17 at 13:31

My problem wasn't exactly the same, but the symptoms were similar enough for this question to appear in search results, so in case anyone else winds up here for the same reason: I'm using Tunnelblick, an OpenVPN GUI for Mac OS. My OpenVPN server was not set to push any DHCP or DNS options, but the client was still using the DNS server over VPN, instead of the local, non-VPN DNS server that I wanted it to use. The solution was to go into Tunnelblick's Configurations → Settings tab and change Set DNS/WINS to Do not set nameserver.
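
The client-config-dir approach from the answer above, as an added example that is not code from the original thread. It goes one step beyond the answer by using the DEFAULT file described in the quoted manual text, so that only the users who manage their own DNS need a file. The function names and the common names in the usage comment are constructed for illustration, and the push lines are assumed to be already removed from the main config.

```shell
#!/bin/sh
# Added example: build a client-config-dir in which DEFAULT pushes DNS and
# the listed common names (CNs) get a file of their own with no DNS push.
# usage: build_ccd /etc/openvpn/userconf "8.8.8.8 8.8.4.4" alice bob

build_ccd() {
    ccd_dir=$1; dns_list=$2; shift 2
    mkdir -p "$ccd_dir" || return 1
    chmod 755 "$ccd_dir"

    # DEFAULT is parsed for every client that has no file named after its CN.
    : > "$ccd_dir/DEFAULT"
    for dns in $dns_list; do
        printf "push 'dhcp-option DNS %s'\n" "$dns" >> "$ccd_dir/DEFAULT"
    done

    # A file named after the CN, even one holding only a comment, is a
    # "matching file", so DEFAULT is not applied to that client.
    for cn in "$@"; do
        case $cn in
            # Reject names that would overwrite DEFAULT or leave the directory.
            ''|DEFAULT|.*|*/*) echo "refusing CN: $cn" >&2; return 1 ;;
        esac
        printf '# no DNS pushed; this client sets its own resolvers\n' \
            > "$ccd_dir/$cn"
    done

    # The files must stay readable after OpenVPN drops root privileges.
    chmod 644 "$ccd_dir"/*
}

# Audit helper: list the files in a ccd directory that push a DNS option.
pushes_dns() {
    grep -l "^push .*dhcp-option DNS" "$1"/* 2>/dev/null
}
```

Because OpenVPN reads these files at connect time, rerunning the function takes effect for new connections without a server restart.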