I can't get DNS on an OpenVPN client configured so that the client works only through the DNS server (unbound) handed out by OpenVPN. Some of the queries go through the DNS server issued by the client's ISP.

Here is a sample of tcpdump output on the server's external interface

10.142.0.2 is the address of the server running OpenVPN
The first query/response goes to the client's ISP DNS server (94.140.14.14)
The second goes to 1.1.1.1, which is configured as the forwarder in unbound

Queries to the ISP's DNS mostly go out after OpenVPN restarts, then less often.

tcpdump -n -i ens4 port 53

14:18:02.020305 IP 10.142.0.2.48799 > 94.140.14.14.53: 16563+ [1au] AAAA? connectivity-check.ubuntu.com. (58)
14:18:02.082427 IP 94.140.14.14.53 > 10.142.0.2.48799: 16563 0/1/1 (119)
14:18:13.520614 IP 10.142.0.2.44218 > 1.1.1.1.53: 41509+ [1au] A? WwW.TunE-IT.ru. (43)
14:18:13.592899 IP 10.142.0.2.41787 > 1.1.1.1.53: 7978+ [1au] A? wWW.TUNe-it.ru. (43)

unbound server config

server:

    include: "/etc/unbound/unbound.conf.d/*.conf"

    port: 53
    username: unbound

    interface: 127.0.0.1
    interface: 10.8.0.1
    outgoing-interface: 10.142.0.2
    access-control: 127.0.0.0/8 allow_snoop
    access-control: 10.8.0.0/8 allow_snoop # Service VPN

    do-ip4: yes
    do-ip6: no
    do-udp: yes
    do-tcp: yes

    num-threads: 1

    cache-min-ttl: 3600
    cache-max-ttl: 86400

    prefetch: yes
    qname-minimisation: yes
    rrset-roundrobin: yes
    use-caps-for-id: yes

    use-syslog: no

    do-not-query-localhost: no

forward-zone:
    name: "."
    forward-addr: 1.1.1.1 # Cloudflare

remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    control-port: 8953
    server-key-file: "unbound_server.key"
    server-cert-file: "unbound_server.pem"
    control-key-file: "unbound_control.key"
    control-cert-file: "unbound_control.pem"

OpenVPN server config

port 443
port-share 127.0.0.1 4443
proto tcp-server
dev tun

ca ca.crt
cert san-vps.crt
dh dh.pem
tls-auth ta.key 0
cipher AES-256-CBC

server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt

push "redirect-gateway def1 bypass-dhcp"
push "block-outside-dns"
push "dhcp-option DNS 10.8.0.1"

keepalive 10 120

persist-key
persist-tun

status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log

OpenVPN client config

client
dev tun
proto tcp-client
remote 11.22.33.44 443
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
verb 3

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

Output of systemd-resolve --status on the client

Global
       LLMNR setting: no
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
  Current DNS Server: 10.8.0.1
         DNS Servers: 10.8.0.1

Link 2 (wlp2s0)
      Current Scopes: DNS
DefaultRoute setting: yes
       LLMNR setting: yes
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
  Current DNS Server: 94.140.14.14
         DNS Servers: 94.140.14.14
          DNS Domain: ~.

Link 9 (tun0)
      Current Scopes: none
DefaultRoute setting: no
       LLMNR setting: yes
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no

resolv.conf on the client

nameserver 10.8.0.1
nameserver 127.0.0.53
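The systemd-resolve output above shows why the tunnel resolver is not the only one in use: Link 2 (wlp2s0) still carries the provider's server 94.140.14.14 with the routing domain ~. and DefaultRoute yes, while Link 9 (tun0) has no DNS scope at all. The resolv.conf shown has 10.8.0.1 in front of resolved's stub 127.0.0.53, but resolved itself was never told about the tunnel's server, so anything that reaches the stub (directly or as a fallback after a timeout) is sent to the provider. The script below is an added example for this thread, not code from the post or from the OpenVPN project: an up/down script that uses resolvectl to give the pushed server to tun0 and to take the uplink out of DNS routing while the tunnel is up. Assumptions that are not in the post: resolvectl is available (systemd 239 or later), the script is installed as both `up` and `down` with script-security 2, /run/openvpn-resolved is writable by the OpenVPN client process, and `resolvectl domain LINK` prints one line of the form "Link N (IF): domains". Also note that block-outside-dns, which the server config pushes, is implemented only by the Windows client and does nothing on Linux.

```shell
#!/bin/sh
# Added example for this thread, not code from the post or from OpenVPN.
# OpenVPN up/down script for a Linux client running systemd-resolved: it hands
# the pushed DNS server to the tunnel interface and takes the uplink out of
# DNS routing while the tunnel is up, so resolved has nowhere to send lookups
# except the tunnel's resolver.
#
# Assumptions (not in the original post): resolvectl exists (systemd >= 239),
# OpenVPN runs this as "up" and "down" with script-security 2 and exports
# $script_type, $dev, $trusted_ip and the pushed options as foreign_option_N,
# and $STATE_DIR is writable by the OpenVPN client process.

STATE_DIR=/run/openvpn-resolved

# Print the addresses from "dhcp-option DNS <addr>" lines read on stdin,
# one per line; every other pushed option is ignored.
vpn_dns_from_options() {
    while IFS= read -r opt; do
        case "$opt" in
            "dhcp-option DNS "*) printf '%s\n' "${opt#dhcp-option DNS }" ;;
        esac
    done
}

# Every foreign_option_N value OpenVPN exported, one per line.
foreign_options() {
    env | sed -n 's/^foreign_option_[0-9]*=//p'
}

# Constructed sample: the three options the server config in the post pushes,
# as the client would see them in foreign_option_1..3.
sample_pushed_options() {
    printf '%s\n' 'redirect-gateway def1 bypass-dhcp' \
                  'block-outside-dns' \
                  'dhcp-option DNS 10.8.0.1'
}

# Interface that carries traffic to the VPN server: the physical uplink whose
# DNS configuration must not stay active while the tunnel is up.
uplink_for() {
    ip -o route get "$1" | sed -n 's/.* dev \([^ ]*\).*/\1/p'
}

vpn_up() {
    dev=$1 uplink=$2 dns=$3
    [ -n "$dns" ] || { echo "server pushed no DNS option" >&2; return 1; }
    # Put the pushed resolver on the tunnel. "~." is a routing-only domain that
    # matches every name, and default-route makes tun0 the fallback as well.
    # $dns is a space-separated list on purpose, so it is left unquoted.
    resolvectl dns "$dev" $dns
    resolvectl domain "$dev" '~.'
    resolvectl default-route "$dev" true
    # Remember the uplink's domains (assumed output "Link N (IF): domains"),
    # then clear them: with "~." on two links resolved also asks the provider.
    mkdir -p "$STATE_DIR"
    resolvectl domain "$uplink" | sed 's/^[^:]*: *//' > "$STATE_DIR/$uplink.domains"
    resolvectl domain "$uplink" ''
    resolvectl default-route "$uplink" false
}

vpn_down() {
    dev=$1 uplink=$2
    resolvectl revert "$dev" 2>/dev/null || true   # tun may already be gone
    if [ -r "$STATE_DIR/$uplink.domains" ]; then
        domains=$(cat "$STATE_DIR/$uplink.domains")
        rm -f "$STATE_DIR/$uplink.domains"
        if [ -n "$domains" ]; then
            resolvectl domain "$uplink" $domains
        fi
    fi
    resolvectl default-route "$uplink" true
}

# OpenVPN sets script_type to "up" or "down"; when the file is sourced by hand
# (or by a test) nothing below runs.
case ${script_type:-} in
    up)   vpn_up "$dev" "$(uplink_for "$trusted_ip")" \
                 "$(foreign_options | vpn_dns_from_options | tr '\n' ' ')" ;;
    down) vpn_down "$dev" "$(uplink_for "$trusted_ip")" ;;
esac
```

To use it, point both the `up` and `down` lines of the client config at this file instead of /etc/openvpn/update-resolv-conf and keep script-security 2. After connecting, `resolvectl status` should list 10.8.0.1 with ~. under tun0 and no DNS domain under the wireless link; `resolvectl query connectivity-check.ubuntu.com` then reports the tunnel interface as the source of the answer.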