How to use OpenVPN with DNSCrypt?

edited November 2016 in Help

How do I set it up? How can I use DNSCrypt servers as DNS resolver in OpenVPN?

Comments

  • Up.

    20.11.2016

  • Well. I am not familiar with the dnscrypt software. But as far as I know, and just guessing, you should have a dnscrypt resolver available, or install some software somewhere to act as a proxy for the dnscrypt protocol. Probably the normal choice for the second option would be the same openvpn server, listening on the vpn address.

    After getting this part working, you should configure your clients to use that resolver instead of your normal ones.

  • mik997 Member
    edited November 2016

    roll your own dnsdist resolvers with dnscrypt enabled and use dnscrypt client on the endpoint

    https://github.com/PowerDNS/pdns/blob/master/pdns/README-dnsdist.md#dnscrypt

    or use one of the existing public dnscrypt resolvers

    https://github.com/jedisct1/dnscrypt-proxy/blob/master/dnscrypt-resolvers.csv

  • edited November 2016

    Hello again,

    I have installed DNSCrypt on the server (https://github.com/simonclausen/dnscrypt-autoinstall). Then I installed OpenVPN. But when I do DNS resolution, it seems to be using Google's DNS resolvers. IP addresses that are not related to the DNSCrypt servers are coming out. @yomero, @mik997

  • I'm not yet clear on whether this is on the OpenVPN client side or the server side.

    But (at the expense of appearing foolish) here goes:

    1. Install dnscrypt-proxy, which will then contact one of the public dnscrypt resolvers (you pick). See: https://dnscrypt.org/#dnscrypt-proxy

    2. As documented there you're better off with a local caching DNS proxy (either unbound or dnsmasq - unbound seems to be better/more reliable with DNSSEC, but recent versions of dnsmasq are also supposed to work fine - I have not used/enabled/forced DNSSEC as yet so don't have any thoughts). Ensure that the local resolver (either unbound or dnsmasq) uses the local instance of dnscrypt-proxy (127.0.0.1#PORT, where PORT is the port you picked in step 1). Once this is working fine, you've got DNS working with caching using dnscrypt. There are plenty of good websites that should help with the basics here. See: https://wiki.debian.org/HowTo/dnsmasq#dnsmasq_with_dnscrypt-proxy or https://wiki.archlinux.org/index.php/DNSCrypt

    3. Now add OpenVPN to the mix and do what is needed. On the server as long as resolv.conf uses (2) you should be all set. On a client, assuming you are forcing a default route via the OpenVPN server you should be all set - but again perhaps the OpenVPN experts (or other config suggestions from other threads) can pitch in on the specifics of pushing a DNS server on the server to the client.

    I hope this will at least get you off the ground in a step by step way after which you can refine and lockdown/secure things.

    HTH.

    Thanked by 1: mik997
  • Anna_Parker Member
    edited November 2016

    @Arttu_Rantanen Tested by myself as I'm also using OpenVPN + dnscrypt.

    # -O saves the script under the name the next two lines use (the raw file has no .sh suffix);
    # --no-check-certificate disables TLS verification of the download, so drop it unless the chain genuinely fails
    wget https://raw.githubusercontent.com/simonclausen/dnscrypt-autoinstall/master/dnscrypt-autoinstall -O dnscrypt-autoinstall.sh --no-check-certificate
    chmod +x dnscrypt-autoinstall.sh
    ./dnscrypt-autoinstall.sh


    Then edit /etc/openvpn/server.conf and add these lines:

    push "dhcp-option DNS 127.0.0.1"
    push "dhcp-option DNS 127.0.0.2"


    RC5 cracker since 1998!

  • edited November 2016

    @Anna_Parker, @nullnothere

    Though I tried many times, it never happened. When I run the DNS resolver test, the Google DNS resolvers come out with Dutch and Belgian IP addresses.

    I do this:

    1. DNSCrypt is installed.
    2. OpenVPN is installed. During installation, the system DNS resolver (/etc/resolv.conf) is selected as the DNS resolver.
    3. The OpenVPN connection is performed.
    4. The DNS resolver test is done.

    DNS resolvers reported by the test:

    ...Google DNS - Netherlands
    Google DNS - Belgium...


    It is not. :(

  • Anna_Parker Member
    edited November 2016

    @Arttu_Rantanen Check the /etc/resolv.conf - it should be 127.0.0.1.

    BTW, I've found a tutorial which might help: https://mydarkerego.blogspot.nl/2015/03/dnscrypt-proxy-unbound-openvpn.html

    RC5 cracker since 1998!

  • @Arttu_Rantanen said:

    Just to clarify... what OpenVPN client OS are you using? Linux or Windows?

  • @mik997 Linux and Android.

  • I tried eight times in one day. But it still does not work. It does not give any errors anywhere. But when I run the DNS resolver test, Google DNS shows up. What is Google DNS? Am I configuring Google DNS? No. Damn OpenVPN and DNSCrypt. :( @mik997, @Anna_Parker

  • A few more suggestions:

    1. On the VPN Server, can you confirm that DNS is working as you expect (via DNSCrypt etc.)?

    2. On the VPN Client, I assume that DNS works (normally, without DNSCrypt etc.) when you are NOT on VPN.

    3. Once the VPN Client connects to the VPN server, the VPN server should be pushing down default routes as well as DNS servers to the client. If the VPN server pushes 127.0.0.1 to the VPN Client, then the client will use whatever local DNS server (assuming one is setup) to resolve. OTOH, if the VPN server pushes the VPN Server's private VPN server IP to the client, then the client should use that IP which will result in traffic over VPN for DNS. Can you confirm if this is happening?

    4. Independent of everything, please run dig @SERVER-OR-IP some-public-host-somewhere to get confirmation of how DNS is resolving with the appropriate SERVER-OR-IP, and then fine tune via routes, push etc.

    HTH.
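
The two numbered lists above (dnscrypt-proxy behind a local caching resolver, and what the VPN server pushes to its clients) are easy to get subtly wrong, and the symptom reported in this thread (queries still answered by Google's resolvers) is what a wrong push produces. The Python script below is an added example, not code from the thread or from the OpenVPN, unbound or dnscrypt-proxy projects. It parses a constructed unbound.conf and two constructed OpenVPN server.conf fragments and reports, for each pushed DNS address, whether clients would query their own loopback (the case nullnothere's point 3 describes), the server's tunnel address, or something outside the tunnel. The dnscrypt-proxy listening address 127.0.0.1:5353, the 10.8.0.0/24 VPN subnet and the config contents are all assumptions.

```python
"""Check the OpenVPN -> unbound -> dnscrypt-proxy chain from config files alone.

Added example; file contents below are constructed, not taken from the thread.
"""
import ipaddress
import shlex

# Assumption: dnscrypt-proxy listens here (the PORT from step 1 in the thread).
DNSCRYPT_LOCAL = "127.0.0.1:5353"

# Constructed unbound.conf: forward everything to the local dnscrypt-proxy.
UNBOUND_CONF = """\
server:
    interface: 127.0.0.1
    do-not-query-localhost: no
forward-zone:
    name: "."
    forward-addr: 127.0.0.1@5353
"""

# Constructed server.conf that pushes loopback addresses to clients.
SERVER_CONF_BAD = """\
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS 127.0.0.1"
push "dhcp-option DNS 127.0.0.2"
"""

# Constructed server.conf that pushes a default route and the server's tunnel IP.
SERVER_CONF_GOOD = """\
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"
"""


def unbound_forwarders(conf):
    """Return unbound forward-addr targets as (ip, port) tuples; port defaults to 53."""
    targets = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("forward-addr:"):
            addr = line.split(":", 1)[1].strip()
            ip, _, port = addr.partition("@")
            targets.append((ip, int(port) if port else 53))
    return targets


def openvpn_push_report(conf):
    """Classify every pushed DNS server relative to the VPN subnet."""
    vpn_net, server_ip, redirect, dns = None, None, False, []
    for raw in conf.splitlines():
        raw = raw.split("#", 1)[0].strip()
        if not raw:
            continue
        parts = shlex.split(raw)  # push "dhcp-option DNS x" -> ['push', 'dhcp-option DNS x']
        if parts[0] == "server" and len(parts) == 3:
            vpn_net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
            server_ip = vpn_net[1]  # OpenVPN's "server" directive gives the server the first host address
        elif parts[0] == "push" and len(parts) == 2:
            opt = parts[1].split()
            if opt[:1] == ["redirect-gateway"]:
                redirect = True
            elif opt[:2] == ["dhcp-option", "DNS"] and len(opt) == 3:
                dns.append(ipaddress.ip_address(opt[2]))
    findings = {}
    for ip in dns:
        if ip.is_loopback:
            findings[str(ip)] = "loopback: client queries its own host, not the VPN server"
        elif vpn_net is not None and ip in vpn_net:
            findings[str(ip)] = "tunnel: queries travel over the VPN to the server's resolver"
        else:
            findings[str(ip)] = "outside tunnel: queries bypass the VPN resolver"
    return {"server_ip": str(server_ip) if server_ip else None,
            "redirect_gateway": redirect, "dns": findings}


def chain_ok(unbound_conf, server_conf, dnscrypt_local=DNSCRYPT_LOCAL):
    """True only if unbound forwards to dnscrypt-proxy and clients are sent to the tunnel IP."""
    host, port = dnscrypt_local.rsplit(":", 1)
    forward_ok = (host, int(port)) in unbound_forwarders(unbound_conf)
    rep = openvpn_push_report(server_conf)
    push_ok = (rep["redirect_gateway"] and rep["server_ip"] is not None
               and rep["server_ip"] in rep["dns"]
               and all(v.startswith("tunnel") for v in rep["dns"].values()))
    return forward_ok and push_ok


if __name__ == "__main__":
    for label, conf in (("bad", SERVER_CONF_BAD), ("good", SERVER_CONF_GOOD)):
        print(label, openvpn_push_report(conf), "chain_ok:", chain_ok(UNBOUND_CONF, conf))
```

To use it on a real host, swap the constructed strings for the contents of your own unbound.conf and server.conf. A chain_ok() of True means unbound forwards to the dnscrypt-proxy port and the server pushes a default route plus its own tunnel IP as the only DNS server, so client queries cross the tunnel and end at the DNSCrypt-backed resolver; a loopback finding means clients are told to ask themselves, which on a client without its own dnscrypt-proxy falls back to whatever resolver the client already had.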

  • I just could not do it. Maybe I have tried fifty times so far, but the result is in vain. @nullnothere
