When working with OpenVPN, you may encounter situations where you need to override DNS resolution for specific domains. This is particularly useful when:
- Testing services before DNS propagation
- Accessing internal resources with public domain names
- Bypassing DNS-based filtering or geo-restrictions
While OpenVPN doesn't have a built-in DNS override feature in its configuration, we can achieve this through system-level solutions that work alongside OpenVPN:
Method 1: Using the hosts file
The simplest approach is to modify the system's hosts file:
# Linux/macOS: /etc/hosts
# Windows: C:\Windows\System32\drivers\etc\hosts
10.11.12.13 domain.tld
Method 2: DNSMasq Integration
For more advanced control, use DNSMasq with OpenVPN:
# Install DNSMasq
sudo apt install dnsmasq
# Configure DNSMasq
echo "address=/domain.tld/10.11.12.13" | sudo tee -a /etc/dnsmasq.conf
# Restart DNSMasq
sudo systemctl restart dnsmasq
Method 3: Using resolvectl (systemd-resolved)
On systemd-based systems:
resolvectl dns tun0 10.11.12.13
resolvectl domain tun0 '~domain.tld'
For a solution that only affects the VPN connection:
# In your client.conf
script-security 2
up /etc/openvpn/custom-dns.sh
down /etc/openvpn/custom-dns.sh
# Create the custom script referenced above; it only rewrites the resolver on "up"
echo '#!/bin/sh
[ "$script_type" = "up" ] || exit 0
echo "nameserver 10.11.12.13" > /etc/resolv.conf
echo "search domain.tld" >> /etc/resolv.conf
' | sudo tee /etc/openvpn/custom-dns.sh
sudo chmod +x /etc/openvpn/custom-dns.sh
After connecting to your VPN, verify the resolution:
nslookup domain.tld
ping domain.tld
- Ensure scripts have correct permissions (755)
- Check OpenVPN logs for errors
- Verify no competing DNS settings exist
- Test with different DNS tools (dig, host, nslookup)
When working with OpenVPN configurations, you might need to override DNS resolution for specific domains. This is particularly useful when you want to route traffic for public domains through your VPN tunnel to private IP addresses.
Normally, when your OpenVPN client resolves a domain like example.com, it follows the standard DNS resolution chain:
nslookup example.com
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
Name: example.com
Address: 93.184.216.34
OpenVPN provides two effective methods to override this behavior:
Method 1: Using --resolve Directive
Add this to your client configuration file (client.ovpn):
# Force domain.tld to resolve to 10.11.12.13
resolve domain.tld 10.11.12.13
Multiple domains can be specified with additional resolve lines. This works similarly to adding entries to /etc/hosts but is VPN-specific.
Method 2: Using --dhcp-option DNS
Alternatively, you can push DNS settings from server to client:
# Server-side configuration
push "dhcp-option DNS 10.11.12.13"
Here's a complete client configuration example with multiple host overrides:
client
dev tun
proto udp
remote vpn.example.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
verb 3
# Host overrides
resolve internal-api.example.com 10.0.1.100
resolve db-replica.example.com 10.0.2.15
resolve files.example.com 10.0.3.77
After applying these changes, verify the resolution:
# Linux/macOS
dig +short internal-api.example.com
# Windows
nslookup internal-api.example.com
The command should return the IP address you specified in the configuration.
- These settings only affect DNS resolution during the VPN session
- For persistent changes, consider modifying the system's hosts file
- Some OpenVPN versions require the --pull option for DNS settings to work
- May not work with all DNS resolver implementations