One way to do this is to assign an IP address to the server from the subnet that you use for the virtual IPs of your clients. Then you assign that IP address as DNS server to your clients and exclude the IP from the IP address pool. Optionally, filter access to that IP address via Netfilter's policy matching module (see iptables-extensions man page) so that it's only accessible via VPN.
For instance, if your IP address pool is 192.168.8.0/24 (e.g. configured in rightsourceip in ipsec.conf or a "pool" section in swanctl.conf), you assign 192.168.8.1 to your server (on any interface, e.g. lo) and then change the pool to 192.168.8.2/24 (so the first address assigned to a client will be 192.168.8.2). To assign 192.168.8.1 as DNS server, configure it in rightdns in ipsec.conf or the pool section in swanctl.conf.
While you could also use the server's public IP address, and only allow access to UDP port 53 via VPN using the mentioned policy matching, this won't work with Apple clients as they don't send packets to the server's public IP via VPN (so you'd have to make the DNS server publicly available, or dynamically add firewall rules that allow access to it from the client's public/natted IP address).
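The steps above (address on lo, pool starting at .2, DNS set to .1, policy-match filter) as one script; this is an added example, not part of the original answer, and the pool name vpn-pool and the path /etc/swanctl/conf.d/pool.conf are assumptions.

```shell
#!/bin/sh
# Added example: in-pool DNS address for strongSwan clients, restricted to
# traffic that arrived through IPsec. Pool name and conf.d path are assumed.
set -eu

DNS_IP="192.168.8.1"      # server's address inside the client subnet
POOL="192.168.8.2/24"     # pool starts at .2, so .1 is never handed out
POOL_NAME="vpn-pool"      # assumed name; reference it with pools = vpn-pool

# Emit the swanctl.conf pool section (addrs + dns) for the assumed pool name.
render_pool_conf() {
    printf 'pools {\n    %s {\n        addrs = %s\n        dns = %s\n    }\n}\n' \
        "$POOL_NAME" "$POOL" "$DNS_IP"
}

# Sanity check: the pool's first host must not be the DNS address itself,
# otherwise the first client would receive the server's own IP.
pool_excludes_dns() {
    [ "${POOL%/*}" != "$DNS_IP" ]
}

# Privileged steps: bind the address locally, then accept DNS to it only when
# the packet matched an inbound IPsec policy, and drop everything else to it.
apply() {
    ip addr add "$DNS_IP/32" dev lo
    iptables -A INPUT -d "$DNS_IP" -m policy --dir in --pol ipsec \
        -p udp --dport 53 -j ACCEPT
    iptables -A INPUT -d "$DNS_IP" -m policy --dir in --pol ipsec \
        -p tcp --dport 53 -j ACCEPT
    iptables -A INPUT -d "$DNS_IP" -j DROP
    render_pool_conf > /etc/swanctl/conf.d/pool.conf
    swanctl --load-pools
}

# Only touch the system when explicitly asked; otherwise just define helpers.
if [ "${1:-}" = "--apply" ]; then
    pool_excludes_dns || { echo "pool would hand out $DNS_IP" >&2; exit 1; }
    apply
fi
```

Run with --apply as root after verifying the rendered pool section; the connection block in swanctl.conf still needs pools = vpn-pool to use it.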