How to Configure OpenVPN to Use Your Own DNS Server (Unbound DNS Integration)


When setting up OpenVPN with custom DNS, I encountered a situation where web pages wouldn't load despite successful VPN connections. The core issue lies in proper DNS resolution through the VPN tunnel, especially when ISPs block public DNS services.

Here's the original OpenVPN server configuration with public DNS:

dev tun
proto tcp
port 80

ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem

user nobody
group nogroup
server 10.8.0.0 255.255.255.0

persist-key
persist-tun
client-to-client
push "redirect-gateway def1"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.222.220"
comp-lzo

The correct approach to integrate your Unbound DNS server involves several crucial steps:

# Replace public DNS with your Unbound server IP
push "dhcp-option DNS 11.22.33.44"

# Additional recommended settings (both are Windows-client options)
push "block-outside-dns"
push "register-dns"

After implementing these changes, verify the configuration:

  1. Restart OpenVPN service: sudo systemctl restart openvpn
  2. On client side, check DNS resolution with: nslookup example.com
  3. Verify network routes: ipconfig /all (Windows) or ifconfig (Linux)

For more robust setups, consider these additional parameters:

# Server side: force all DNS queries through the VPN
push "dhcp-option DNS 11.22.33.44"
push "dhcp-option DOMAIN example.com"

# Client side (Linux): apply the pushed DNS options to resolv.conf
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

When ISPs aggressively block public DNS servers like Cloudflare (1.1.1.1) or Google DNS (8.8.8.8), VPN users often find themselves unable to resolve domains even when connected. This occurs because:

  • ISP-level DNS filtering still applies to any query that leaves the tunnel
  • Default DNS pushes might conflict with local network policies
  • DNS leaks can expose your browsing activity

For proper DNS routing through your Unbound server via OpenVPN, three critical components must align:

1. OpenVPN server configuration (push DNS settings)
2. Unbound DNS server accessibility
3. Client-side network namespace handling

Here's a production-tested configuration that properly integrates Unbound DNS:

dev tun
proto tcp
port 80

# Certificate configuration
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem

server 10.8.0.0 255.255.255.0
user nobody
group nogroup
persist-key
persist-tun

# Critical DNS settings
push "redirect-gateway def1 bypass-dhcp"
# VPN server's internal IP
push "dhcp-option DNS 10.8.0.1"
# Windows-specific DNS leak protection
push "block-outside-dns"

Your /etc/unbound/unbound.conf should include:

# Unbound must start after the tun interface exists, otherwise binding 10.8.0.1 fails
server:
    interface: 10.8.0.1    # VPN subnet
    interface: 127.0.0.1   # Localhost
    access-control: 10.8.0.0/24 allow
    do-ip6: no
    prefetch: yes
    hide-identity: yes
    hide-version: yes

If DNS resolution fails after configuration:

  1. Test Unbound locally: dig @10.8.0.1 example.com
  2. Check firewall rules (add -i tun0 to both if the host has other reachable interfaces, so port 53 is only opened toward VPN clients):
    iptables -I INPUT -p udp --dport 53 -j ACCEPT
    iptables -I INPUT -p tcp --dport 53 -j ACCEPT
  3. Verify client DNS settings:
    Windows: ipconfig /all | findstr DNS
    Linux: nmcli dev show | grep DNS

For enhanced privacy, configure Unbound to forward queries via DoT:

forward-zone:
    name: "."
    forward-tls-upstream: yes
    # The #hostname suffix is only verified when tls-cert-bundle is set in the server: section
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 8.8.8.8@853#dns.google
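To make the "three components must align" rule from earlier checkable rather than a matter of eyeballing, here is a small linter, added as an example and not part of the original post or of the OpenVPN/Unbound projects. It parses the server config and unbound.conf shown above (reproduced as constructed strings), reports when the pushed DNS address is not the tunnel-side Unbound, when Unbound does not listen on or allow the VPN subnet, when block-outside-dns is missing, and, for the DoT forward-zone, when forward-tls-upstream is set without a tls-cert-bundle (the assumed bundle path is the Debian default). Running it against the article's original public-DNS config versus the fixed one shows the difference directly.

```python
"""Added example, not from the original post: lint an OpenVPN server config
against an unbound.conf so the three components line up, and flag a DoT
forward-zone that cannot authenticate its upstream. All configs below are
constructed from the article's snippets; the tls-cert-bundle path is assumed."""
import ipaddress
import shlex

def parse_openvpn(text):
    """Return the VPN subnet, pushed DNS servers and the names of pushed options."""
    cfg = {"server": None, "dns": [], "pushes": set()}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        parts = shlex.split(line)
        if parts[0] == "server" and len(parts) >= 3:
            cfg["server"] = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
        elif parts[0] == "push" and len(parts) >= 2:
            opt = parts[1].split()  # e.g. ["dhcp-option", "DNS", "10.8.0.1"]
            cfg["pushes"].add(opt[0])
            if opt[:2] == ["dhcp-option", "DNS"] and len(opt) == 3:
                cfg["dns"].append(ipaddress.ip_address(opt[2]))
    return cfg

def parse_unbound(text):
    """Return listen addresses, allowed client networks and DoT settings."""
    cfg = {"interfaces": [], "allow": [], "cert_bundle": False,
           "tls_upstream": False, "forward_addrs": []}
    for raw in text.splitlines():
        key, _, value = raw.strip().partition(":")
        key = key.strip()
        # forward-addr uses '#' for the TLS auth name; elsewhere '#' starts a comment
        value = value.strip() if key == "forward-addr" else value.split("#", 1)[0].strip()
        if key == "interface":
            cfg["interfaces"].append(ipaddress.ip_address(value.split("@")[0]))
        elif key == "access-control":
            net, action = value.split()[:2]
            if action in ("allow", "allow_snoop", "allow_setrd"):
                cfg["allow"].append(ipaddress.ip_network(net, strict=False))
        elif key == "tls-cert-bundle":
            cfg["cert_bundle"] = bool(value)
        elif key == "forward-tls-upstream":
            cfg["tls_upstream"] = value.lower() == "yes"
        elif key == "forward-addr":
            cfg["forward_addrs"].append(value)
    return cfg

def check_alignment(ovpn, unb):
    """Return findings; an empty list means the two configs line up."""
    net = ovpn["server"]
    if net is None:
        return ["openvpn: no 'server' directive, VPN subnet unknown"]
    findings = []
    if "redirect-gateway" not in ovpn["pushes"]:
        findings.append("openvpn: redirect-gateway not pushed; client traffic is not forced into the tunnel")
    in_tunnel = [ip for ip in ovpn["dns"] if ip in net]
    for ip in ovpn["dns"]:
        if ip not in net:
            findings.append(f"openvpn: pushed DNS {ip} is outside {net}, so clients bypass the tunnel-side Unbound")
    for ip in in_tunnel:
        if ip not in unb["interfaces"]:
            findings.append(f"unbound: not listening on pushed DNS address {ip}")
    if in_tunnel and not any(a.version == net.version and net.subnet_of(a) for a in unb["allow"]):
        findings.append(f"unbound: no access-control allow rule covers {net}")
    if "block-outside-dns" not in ovpn["pushes"]:
        findings.append("openvpn: block-outside-dns not pushed; Windows clients may leak DNS to the ISP")
    if unb["tls_upstream"]:
        if not unb["cert_bundle"]:
            findings.append("unbound: forward-tls-upstream without tls-cert-bundle; upstream certificates are not validated")
        findings += [f"unbound: forward-addr {a} has no #authname; the TLS name is not checked"
                     for a in unb["forward_addrs"] if "#" not in a]
    return findings

# Constructed from the article's original (public DNS) and fixed server configs
OVPN_ORIGINAL = """\
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.222.220"
"""
OVPN_FIXED = """\
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.8.0.1"
push "block-outside-dns"
"""
UNBOUND_CONF = """\
server:
    interface: 10.8.0.1    # VPN subnet
    access-control: 10.8.0.0/24 allow
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 8.8.8.8@853#dns.google
"""
# Same config with the CA bundle removed, to show the finding that triggers
UNBOUND_NO_BUNDLE = "\n".join(l for l in UNBOUND_CONF.splitlines() if "tls-cert-bundle" not in l)

if __name__ == "__main__":
    for name, ovpn, unb in [("original", OVPN_ORIGINAL, UNBOUND_CONF),
                            ("fixed", OVPN_FIXED, UNBOUND_CONF),
                            ("fixed, no CA bundle", OVPN_FIXED, UNBOUND_NO_BUNDLE)]:
        print(name, check_alignment(parse_openvpn(ovpn), parse_unbound(unb)) or "OK")
```

The parsers deliberately cover only the directives the checks need; point them at your real files with `open(...).read()` in place of the constructed strings. The original config yields three findings (two public resolvers outside 10.8.0.0/24 and no block-outside-dns), the fixed pair yields none, and dropping tls-cert-bundle from the Unbound side yields exactly the unauthenticated-DoT finding.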