Differences

This shows you the differences between two versions of the page.

--- wiki:openvpn_installation [2024/05/21 14:14] – add info how to redirect all or some traffice over VPN antisa
+++ wiki:openvpn_installation [2025/03/03 16:15] (current) – [See also] add Revoke openvpn certificates antisa
@@ Line 135: / Line 135: @@
   push "redirect-gateway def1 bypass-dhcp"
 In client.conf add:
@@ Line 148: / Line 149: @@
 Remove the redirect-gateway lines from conf.
+<WRAP center round important 60%>
+[[https://web.archive.org/web/20240521145319/https://i.sstatic.net/KNr6M.png|Ubuntu Network Manager]] doesn't seem to need above settings, so you can just uncheck the "Use this connection only for resources on its network" to redirect all traffic over VPN.
+</WRAP>
+===== Redirect DNS through VPN =====
+First uninstall any other DNS server/resolver like ''systemd-resolved''. Now install dnsmasq
+  apt install dnsmasq
+Now make the ///etc/resolv.conf// look like this
+  nameserver ::1
+  nameserver 127.0.0.1
+  options trust-ad
+You might need to [[https://wiki.archlinux.org/title/Domain_name_resolution#Overwriting_of_/etc/resolv.conf|write protect]] this file because some other programs might overwrite this.
+In ///etc/dnsmasq.conf// add one or more upstream servers that dnsmasq will use for name resolution i.e.
+  listen-address=::1,127.0.0.1,10.8.0.1
+  interface=tun0
+  # Google's nameservers, for example
+  server=8.8.8.8
+  server=8.8.4.4
+Adapt the listen-address IP to your VPN interface IP and interface as well and uncomment ''no-resolv''.
+In ///etc/openvpn/server/server.conf// make sure you push DNS and redirect gateway:
+  ...
+  push "redirect-gateway def1 bypass-dhcp"
+  push "dhcp-option DNS 10.13.13.1"
+  ...
+<WRAP center round info 60%>
+If you run into problems with DNS not going through VPN in Windows installed as a VM in Virtualbox for example, you will need to disable automatic metric on VPN interface and set it to lower then the default Ethernet or wifi. To check open the powershell and type ''nslookup example.org'' and you should get a response from VPN IP e.g. 10.8.0.1.
+{{ :wiki:screenshots:windows:windows_metric-2024-05-22_14-17.png?400 |}}
+</WRAP>
+==== Resolve specific domains names to hard-coded IP ====
+Say you need to always resolve example.org to 1.2.3.4 address, you have two options.
+. Add the resolution to ///etc/hosts// i.e.
+  ...
+.2.3.4 www.example.org example.org
+. Remove the above from ///etc/hosts// and in ///etc/dnsmasq.conf// add following
+  address=/example.org/1.2.3.4
+Also [[https://wiki.archlinux.org/title/dnsmasq#Tips_and_tricks|there are other]] stuff you can do.
 ===== Firewall setup =====
@@ Line 159: / Line 211: @@
 #ZONE   INTERFACE       BROADCAST       OPTIONS
 net     eth0      detect          tcpflags,logmartians,nosmurfs,dhcp
-vpn     tun0
+vpn     tun0      detect
 </code>
@@ Line 221: / Line 273: @@
 ====== See also ======
   * [[wiki:ovpn_file_example]]
+  * [[wiki:vpn_troubleshooting|VPN troubleshooting]]
+  * [[wiki:revoke_openvpn_certificates|Revoke openvpn certificates]]
 ====== References ======
   * https://openvpn.net/community-resources/static-key-mini-howto/
@@ Line 229: / Line 283: @@
   * https://shorewall.org/OPENVPN.html
   * https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/
+  * [[https://superuser.com/a/966833|windows metric issue]]