Closed dawansv closed 7 years ago
@dawansv,
Thanks. I'll get that added in.
Hate raising this from the dead but this should probably be in the How to Enable block since it's not clear that `dhcp-option DOMAIN-ROUTE .` is needed but actually it is quite needed or else the entire setup serves little purpose if not to prevent DNS leaks.
@ncoder-1 The entire setup is to have a working split DNS system not necessarily to route all DNS requests through the VPN (for instance when connecting to some site (like workplace) using VPN you want only requests for resources on site to be routed through VPN). Having said that some visible warning linking to https://github.com/jonathanio/update-systemd-resolved#dns-leakage section would make sure people do not overlook it when they need this.
Great script!
Just a documentation request:
By default, systemd-resolved queries all interfaces. If you want to avoid DNS leaks, it seems you need to force it to only use the link created by openvpn. It seems it is as simple as using `dhcp-option DOMAIN-ROUTE .` in your config file -- that is a dot/period instead of a specific domain name. The dot/period matches all domain names.
I think it would be nice to add that as an example in the documentation since this is the behavior a lot of people want.
I would also put a note to remind people that on the client side, it is only `dhcp-option xxx` that you put, not `push "dhcp-option xxx"`.
To summarize, this is what I added to my client config (added the first line to your instructions):

```
dhcp-option DOMAIN-ROUTE .
script-security 2
setenv PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
up /etc/openvpn/update-systemd-resolved
down /etc/openvpn/update-systemd-resolved
down-pre
```
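The two points raised in this issue (the catch-all `DOMAIN-ROUTE .` is easy to miss, and `push "dhcp-option ..."` is a server-side form that does nothing in a client config) can be checked mechanically. The script below is an added example written for this thread, not code from update-systemd-resolved or from anyone in the issue. It lints a client config for both points and then reads `resolvectl status`-style output to see whether the VPN link ended up with the `~.` routing domain that the option produces. The config text and the status dump are constructed samples; the link name `tun0` and the output layout are assumptions, so adjust them for a real system.

```python
"""Lint an OpenVPN client config for the split-DNS / DNS-leak settings discussed
in this issue, and inspect resolvectl output for the result.

Added example, not part of update-systemd-resolved. All sample data below is
constructed for illustration.
"""
import re
import shlex

# Constructed client config; the first line is the one the thread says is
# easy to overlook.
SAMPLE_CLIENT_CONFIG = """\
client
dev tun
dhcp-option DOMAIN-ROUTE .
script-security 2
setenv PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
up /etc/openvpn/update-systemd-resolved
down /etc/openvpn/update-systemd-resolved
down-pre
"""

# Constructed, simplified `resolvectl status` output (assumed layout).
SAMPLE_RESOLVECTL_STATUS = """\
Global
resolv.conf mode: stub

Link 2 (eth0)
    Current Scopes: DNS
Current DNS Server: 192.168.1.1
       DNS Servers: 192.168.1.1

Link 5 (tun0)
    Current Scopes: DNS
Current DNS Server: 10.8.0.1
       DNS Servers: 10.8.0.1
        DNS Domain: ~.
"""


def parse_dhcp_options(config_text):
    """Return (options, pushed).

    options: list of (NAME, args) from client-side `dhcp-option` lines.
    pushed:  the quoted bodies of `push "dhcp-option ..."` lines, which only
             make sense in a server config and are silently useless here.
    """
    options, pushed = [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # OpenVPN comment styles
            continue
        tokens = shlex.split(line)
        if tokens[0] == "push" and len(tokens) > 1:
            if tokens[1].startswith("dhcp-option"):
                pushed.append(tokens[1])
        elif tokens[0] == "dhcp-option" and len(tokens) > 1:
            options.append((tokens[1].upper(), tokens[2:]))
    return options, pushed


def routes_all_dns_through_vpn(options):
    """True when DOMAIN-ROUTE '.' is present; update-systemd-resolved turns it
    into the '~.' routing domain so every name is routed to the VPN link."""
    return any(name == "DOMAIN-ROUTE" and args == ["."] for name, args in options)


def links_with_dns(status_text):
    """Map link name -> {'servers': [...], 'domains': [...]} from resolvectl output."""
    links, current = {}, None
    for line in status_text.splitlines():
        m = re.match(r"Link \d+ \((\S+)\)", line)
        if m:
            current = m.group(1)
            links[current] = {"servers": [], "domains": []}
            continue
        if current is None or ":" not in line:
            continue
        key, val = (part.strip() for part in line.split(":", 1))
        if key == "DNS Servers":
            links[current]["servers"].extend(val.split())
        elif key == "DNS Domain":
            links[current]["domains"].extend(val.split())
    return links


def dns_leak_risk(links, vpn_link="tun0"):
    """Names of non-VPN links that still carry DNS servers while the VPN link
    lacks the '~.' catch-all routing domain. With '~.' present, resolved sends
    every name that matches no more specific routing domain to the VPN link,
    which is the intended split-DNS behaviour."""
    vpn = links.get(vpn_link, {"servers": [], "domains": []})
    if "~." in vpn["domains"]:
        return []
    return [name for name, info in links.items()
            if name != vpn_link and info["servers"]]


if __name__ == "__main__":
    opts, pushed = parse_dhcp_options(SAMPLE_CLIENT_CONFIG)
    print("catch-all DOMAIN-ROUTE present:", routes_all_dns_through_vpn(opts))
    print("client-side push lines (ignored by OpenVPN client):", pushed)
    print("links still able to leak:", dns_leak_risk(links_with_dns(SAMPLE_RESOLVECTL_STATUS)))
```

Run it against a real config by reading the file into `parse_dhcp_options`, and against a live system by feeding it the output of `resolvectl status`; an empty list from `dns_leak_risk` means the VPN link holds the catch-all routing domain, while a non-empty list names the interfaces that systemd-resolved would still consult.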