
[Question] How to allow local DNS resolvers using Windows openvpn.exe version?

Open oblomingo opened this issue 10 months ago • 10 comments

Hey, I would like to use a local DNS server for the OpenVPN network adapter. I've tried to connect to a VPN server using a command line: openvpn.exe --config al.ovpn Then I change DNS servers using a PowerShell command: Set-DnsClientServerAddress -InterfaceAlias "Open VPN adapter name" -ServerAddresses ("1.1.1.1", "8.8.8.8") and DNS resolution works perfectly fine:

nslookup google.com
Server:  one.one.one.one
Address:  1.1.1.1

Non-authoritative answer:
Name:    google.com
Addresses:  2a00:1450:4001:827::200e
          142.250.186.46

However, if I set a local DNS server using a PowerShell command: Set-DnsClientServerAddress -InterfaceAlias "Open VPN adapter name" -ServerAddresses ("127.0.0.2", "127.0.0.2") DNS resolution doesn't work:

nslookup google.com
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  127.0.0.2

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.

It seems there is some kind of additional protection (maybe a leak protection) that blocks UDP requests to the localhost. I wonder how to configure the OpenVPN connection to allow DNS requests to the localhost?

P.S. I have tried OpenVPN Connect app (Windows version) and found special settings for this case:

When the checkbox is checked, I can change the DNS server to the local one and it works. When the checkbox is unchecked and DNS resolution doesn't work, the app logs have additional rows on connection start:

...
block IPv4 DNS requests to loopback from other apps
block IPv6 DNS requests to loopback from other apps
...

Does the openvpn daemon version have this feature? If yes, how could I disable it?

oblomingo avatar Mar 18 '25 15:03 oblomingo
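The following PowerShell script is an added example, not code from the issue author or from the OpenVPN project. It reproduces the experiment described above in a repeatable way: it points the OpenVPN adapter at a loopback resolver, sends a query directly to that resolver, reports whether an answer came back, and then restores the adapter's previous DNS servers. The interface alias, the loopback address and the test hostname are placeholders (assumptions) that you adjust for your own machine; the script must run in an elevated PowerShell session because Set-DnsClientServerAddress requires administrator rights.

```powershell
# Added example (not from the issue thread or the OpenVPN project).
# Assumptions: $InterfaceAlias is a placeholder for the OpenVPN adapter's alias,
# $LoopbackServer is the local resolver from the issue (127.0.0.2), and
# $PublicServer is a reachable public resolver used as a control case.
param(
    [string]$InterfaceAlias = "OpenVPN TAP-Windows6",   # placeholder, adjust
    [string]$LoopbackServer = "127.0.0.2",
    [string]$PublicServer   = "1.1.1.1",
    [string]$TestName       = "google.com"
)

function Test-DnsServerOnAdapter {
    <#
      Sets the adapter's DNS server to $Server, queries $Name against that
      exact server (Resolve-DnsName -Server bypasses the multi-interface
      server selection, so the result reflects only this resolver), and
      restores the previous server list in a finally block so the adapter is
      never left pointing at a resolver that turned out to be unreachable.
      Returns an object with Resolved = $true/$false plus the answer or error.
    #>
    param([string]$Alias, [string]$Server, [string]$Name)

    # Remember what was configured before, so it can be put back afterwards.
    $previous = (Get-DnsClientServerAddress -InterfaceAlias $Alias -AddressFamily IPv4).ServerAddresses
    try {
        Set-DnsClientServerAddress -InterfaceAlias $Alias -ServerAddresses @($Server)
        Clear-DnsClientCache   # make sure a cached answer does not mask a blocked query
        try {
            $answer = Resolve-DnsName -Name $Name -Server $Server -Type A -DnsOnly -ErrorAction Stop
            $addresses = ($answer | Where-Object { $_.Type -eq "A" }).IPAddress -join ","
            return [pscustomobject]@{ Server = $Server; Resolved = $true;  Detail = $addresses }
        } catch {
            # A timeout here is what the issue describes: the query never reaches
            # the loopback resolver (for example when WFP rules block port 53).
            return [pscustomobject]@{ Server = $Server; Resolved = $false; Detail = $_.Exception.Message }
        }
    } finally {
        if ($previous) {
            Set-DnsClientServerAddress -InterfaceAlias $Alias -ServerAddresses $previous
        } else {
            Set-DnsClientServerAddress -InterfaceAlias $Alias -ResetServerAddresses
        }
    }
}

# Control case first (public resolver), then the loopback resolver from the issue.
$results = @(
    Test-DnsServerOnAdapter -Alias $InterfaceAlias -Server $PublicServer   -Name $TestName
    Test-DnsServerOnAdapter -Alias $InterfaceAlias -Server $LoopbackServer -Name $TestName
)
$results | Format-Table -AutoSize

# Interpret the pair of results for the reader.
$public   = $results[0]
$loopback = $results[1]
if ($public.Resolved -and -not $loopback.Resolved) {
    Write-Host "Queries to $PublicServer succeed but queries to $LoopbackServer time out:"
    Write-Host "something on this host is blocking DNS traffic to loopback."
} elseif (-not $public.Resolved) {
    Write-Host "Even the public resolver failed; check tunnel connectivity before blaming loopback blocking."
} else {
    Write-Host "Both resolvers answered; loopback DNS is not being blocked on this adapter."
}
```

Run the script once with the tunnel brought up by plain openvpn.exe --config and once with the same config plus --block-outside-dns; the loopback case failing only in the second run is the signature of the WFP-based blocking the thread goes on to discuss.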

I think we are just missing this (small part of) functionality @d12fk

lstipakov avatar Mar 18 '25 15:03 lstipakov

@lstipakov any updates? Are you planning to implement this missing functionality?

oblomingo avatar Mar 25 '25 08:03 oblomingo

@lstipakov I lost track... is this something you addressed in the NRPT patches?

cron2 avatar Jul 31 '25 20:07 cron2

@cron2 We do block DNS requests to loopback via WFP if config has "block-outside-dns" or we decide that block-local is needed. In OpenVPN3 there is setting to nevertheless permit DNS requests to loopback (an additional WFP rule) because we have a customer with Cisco Umbrella, which provides some traffic filtering via DNS server on 127.0.0.1. This is about adding such functionality to OpenVPN2.

I am not against this feature, just wasn't on top of my priority list.

lstipakov avatar Aug 01 '25 07:08 lstipakov

Thanks. So I understand we do not allow "DNS to loopback IPs" yet, if block-local is active - wasn't sure without reading up on it.

(I know that 2.x has no explicit switch to turn this on/off, but with one of the many DNS related patches, our defaults might have changed).

@oblomingo with the much improved --dns functionality in 2.7, it's well possible that --block-outside-dns is no longer needed in many cases. You might want to test with 2.7_alpha3.

cron2 avatar Aug 01 '25 07:08 cron2

Hey, @lstipakov @cron2 Sorry for the late response. I've tried the case one more time using the latest OpenVPN release version (2.6.14). It seems openvpn.exe --config al.ovpn (without --block-outside-dns) does not block loopback DNS addresses anymore. When the command is executed with the --block-outside-dns parameter I can see that WFP rules appear and block DNS requests on IPv4 and IPv6 networks. Since our product uses openvpn.exe with self-made, more configurable leak protection, we could disable block-outside-dns, but it is not clear what unexpected side effects can happen. Could you provide more information on how --block-outside-dns works? Is it only a WFP rule that blocks all DNS requests that do not go through the VPN tunnel, or is there something else we should know about if we would like to disable the protection?

oblomingo avatar Sep 08 '25 09:09 oblomingo

--block-outside-dns installs WFP rules that block DNS queries (UDP+TCP port 53) made by non-openvpn processes on non-openvpn interfaces. Nothing else.

So if your product has its own leak protection, feel free to just not use --block-outside-dns.

Also, have a look at 2.7_beta2 which does more things with DNS on windows (and most users should no longer need --block-outside-dns anymore).

That said, @d12fk still might want to look into "permit loopback"...?

cron2 avatar Oct 11 '25 17:10 cron2

In openvpn3 this is not a config option, but one that is passed into the lib via ClientOption struct. So, if we decide to introduce this here we should do so in a way that doesn't introduce another incompatibility between v2 and v3. Since we cannot go down the path of using a struct or any other means of circumventing a config option for v2, I would suggest to add a parameter to --block-outside-dns, something like allow-loopback. Any opinions?

Edit: forgot to add my two ¢. IMHO allowing loopback punches a big enough hole into the blocking that the option could just as well be left off the config in the first place. That is mainly because the only use case I have seen so far is for Umbrella / OpenDNS, which practically allows queries to escape from the tunnel, so I don't see the need for blocking in the first place.

d12fk avatar Oct 26 '25 09:10 d12fk

allow-loopback works for me :-)

(One of the reasons we use --block-outside-dns is actually a split-dns setup, and ensuring that windows really stops asking anything that is not the tun DNS server of the corp VPN - with NRPT that should just work in 2.7.0, but I still keep the block-outside-dns, for good measure. For our use case, 127.0.0.1 yes/no would not have made much of a difference)

cron2 avatar Oct 26 '25 09:10 cron2