
I have set up an OpenVPN server, as well as a DNS server on the private network to resolve private DNS addresses.

On the OpenVPN server, I have set the private DNS address in the client DNS config. I have three clients, running Android, Ubuntu and Raspbian, respectively.

The Android and Ubuntu clients seem to use the private server; at least I can resolve private names. This does not work on the Raspbian client, though: private addresses cannot be resolved, and nslookup returns a response coming from a DNS server on the client LAN, not the remote end of the VPN.

When I run nslookup in interactive mode and set the server explicitly, queries are resolved, which tells me DNS queries can pass through the VPN without being blocked. The issue seems to be that the client is querying the wrong DNS server.

Here is the config of the Raspbian client:

client
remote 'vpn.example.org'
ca 'ca.pem'
cert 'cert.pem'
key 'key.pem'
cipher AES-128-CBC
dev tun
proto udp
verify-x509-name 'vpn.example.org'
tls-auth 'hmackey.pem' 1
auth SHA256
nobind
auth-nocache
script-security 2
persist-key
persist-tun

The other two clients were configured using GUI tools, thus I cannot provide reliable config files (they offer exp

Do I need to set anything on the client side to get the client to use the DNS servers on the VPN?

  • I don't see a dhcp-option DNS <dns_server_ip_address> entry in the client config. This can also be pushed from the server (push "dhcp-option DNS <dns_server_ip_address>").
    Commented Mar 12, 2022 at 22:39
  • Afaik the client-side option works only on Windows, not on Linux.
    – user149408
    Commented Mar 12, 2022 at 22:42

1 Answer

According to this answer on serverfault, some Linux versions require two extra lines in the client config to update the resolver configuration when the VPN comes up or goes down:

up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

Additionally, the internal DNS server needs to be configured to accept recursive queries from the VPN. By default, some servers (e.g. BIND9) allow this only for queries from the DNS server’s own subnet.

With these two changes, I can now resolve private names.
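As an added illustration (not the Debian/Raspbian update-resolv-conf script itself, and not code from the question or the answer), the POSIX sh functions below show what an up/down script actually receives when the server pushes dhcp-option DNS, and how that is turned into resolver lines while discarding pushed values that are not a plain IPv4 address or hostname. The foreign_option_N and script_type names are the environment variables OpenVPN exports to --up/--down scripts; the values used in the comments are constructed, and such scripts only run because the client config contains script-security 2.

```shell
#!/bin/sh
# Added example, not the stock update-resolv-conf script.
# When the server pushes "dhcp-option DNS 10.8.0.1" (constructed value),
# OpenVPN exports foreign_option_1="dhcp-option DNS 10.8.0.1" to the
# up/down script; further pushed options arrive as foreign_option_2, ...
# script_type is "up" or "down".

# Accept only a dotted-quad IPv4 address (each octet 0-255).
is_ipv4() {
    addr=$1
    case "$addr" in
        ""|.*|*.|*..*|*[!0-9.]*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for oct in "$@"; do [ "$oct" -le 255 ] || return 1; done
}

# Accept only plain hostname characters in a pushed search domain.
is_domain() {
    case "$1" in
        ""|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
}

# Print resolver lines built from the foreign_option_N variables.
# $1 is script_type; on "down" nothing is printed because the VPN's
# resolver entry is withdrawn rather than rewritten.
build_resolv_conf() {
    [ "$1" = "up" ] || return 0
    i=1
    while :; do
        eval "opt=\${foreign_option_$i:-}"
        [ -n "$opt" ] || break
        case "$opt" in
            "dhcp-option DNS "*)
                v=${opt#dhcp-option DNS }
                if is_ipv4 "$v"; then printf 'nameserver %s\n' "$v"; fi ;;
            "dhcp-option DOMAIN "*)
                v=${opt#dhcp-option DOMAIN }
                if is_domain "$v"; then printf 'search %s\n' "$v"; fi ;;
        esac
        i=$((i + 1))
    done
}
```

The Debian script hands equivalent lines to resolvconf on up and removes them on down; on a system without resolvconf the same output would be written to /etc/resolv.conf instead.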
