Change DNS when connected to VPN

Hi guys, bit of a conundrum this one. Back in the Raspbmc days, I used to be able to dynamically change my DNS settings whenever OpenVPN was active, using my VPN’s private DNS. This was achieved by the use of ‘update-resolv-conf’, as detailed here: [https://forum.vpn.ac/discussion/13/running-openvpn-in-linux-terminal-with-no-dns-leaks][1]

Note though that I’m using the update-resolv-conf that is automatically installed when doing ‘sudo apt-get install openvpn’, rather than the version on that web page.

Since moving to OSMC, it doesn’t seem to do anything. I connect to a VPN server (by use of Brian Hornsby’s excellent Kodi UI plugin), but when I go to check /etc/resolv.conf, it’s always still at my DNS default nameserver settings.

As a workaround I’ve set a static IP and am using OpenNIC DNS, but I’d like to use my VPN’s private DNS if I can, and dynamically as and when I turn my VPN on. I suspect the issue is something to do with ConnMan not playing ball.

Any idea how to resolve my resolv.conf woes?
[1]: https://forum.vpn.ac/discussion/13/running-openvpn-in-linux-terminal-with-no-dns-leaks

For now, edit /usr/bin/start-network

Change:

exec /usr/sbin/connmand -n --nodnsproxy --config=/etc/connman.conf

to

exec /usr/sbin/connmand -n --nodnsproxy --noresolvmodify --config=/etc/connman.conf

In the next update, @DBMandrake will allow noresolvmodify=yes to be set via /etc/connman.prefs.

Hi Sam! Ah so I wasn’t going mad…spent ages trying to work this out! So if I do as you suggest, then the default update-resolv-conf script that comes with openvpn will dynamically change the DNS settings via the ‘up /etc/openvpn/update-resolv-conf’ and ‘down /etc/openvpn/update-resolv-conf’ contained within my VPN config files, is that correct?

Hasn’t worked…changing that line prevents me from getting connected to the internet at device startup.

What are you trying to achieve? I assumed you did not want /etc/resolv.conf to be written to, as you want OpenVPN to be doing it. Is that correct?

Sam

Well I’m trying to change my DNS settings ‘on the fly’ to my VPN provider’s, whenever I activate one of their servers. And then drop back to my default DNS setting once I deactivate VPN. The commands in my OpenVPN files are supposed to launch ‘update-resolv-conf’ which is supposed to then update the /etc/resolv.conf file, changing it to use that which is automatically provided by my VPN provider.

But changing that line you mentioned, on boot it stopped me getting any kind of internet connection at all.

There’s not an easy way to do that at this time. You may have more luck configuring OpenVPN via ConnMan.

Hmm, the thing is though I use loads of different VPN servers round the world, all provided by Private Internet Access. I’m assuming configuring OpenVPN via ConnMan will limit me to one server at a time and I’d have to edit it manually every time I wanted to change server?

The beauty of doing it by .ovpn settings is for example, I can dial into PIA’s Sydney server and then watch Australian online news, for example. And then go Dutch and watch TV in the Netherlands, all via an easy to use ui plugin.

Did something fundamental change between Raspbmc and OSMC which has stopped the previous solution from working? I’m just freaked by DNS leaks, and such. Paranoid perhaps but I’d like to use the full services my VPN provider has, if I can.

Yes, the Connection Manager that is used. Raspbmc uses Network Manager and OSMC uses ConnMan.

Sam

So, I’m guessing that solution you gave me, will work but OpenVPN has to be active. If it isn’t, I won’t have any internet connection at all.

Never mind, I’ll see how I fare with OpenNIC DNS servers. Thanks for trying anyhow.

It’s kind of a shame though that ConnMan always takes priority, that there’s no way to perhaps set resolv.conf on boot and then ‘back off’ and let another application override it.

I’m not sure if this is helpful or not, but there were users using this with Raspbmc.

http://brianhornsby.com/blog/how-to-setup-your-vpn-client

The script in step 10 is what I’m referring to here.

No it’s not that, it’s a way of preventing DNS leaks when OpenVPN is active, by automatically setting your pi’s DNS to that provided by your VPN provider. You can do it easily in the Windows client but on a pi it’s a fair bit trickier…

…at least it is in OSMC, the script doesn’t work as ConnMan always takes control.

Poor man’s solution, may crash ConnMan

When your script updates /etc/resolv.conf, run

sudo chattr +i /etc/resolv.conf

when you are happy to use your DNS again,

sudo chattr -i /etc/resolv.conf && sudo systemctl restart connman

Hi Sam, thanks for the effort, but I don’t want it persistent on boot though, because the DNS is a private DNS and only works when the VPN is active, and I only turn it on as and when I need it. I’m trying to get DNS to change only during active VPN sessions. When VPN is not active, DNS should default to either DHCP-provided or static.

DNS leaks these days are a big problem (Sky broadband who I’m with are definitely leaking and their router’s DNS settings are locked down, you can’t change them) so it would be good in this ‘post-Snowden’ era if you could look into a way of changing something in ConnMan to let any active VPN sessions take priority over net settings, would be good for security. Perhaps my needs are quite niche but you’d be surprised how many people are using VPNs these days after Tempora and Prism.

Yes, and you seemed to suggest you were using a script to do this. By setting the immutable flag on /etc/resolv.conf accordingly, you’ll be able to control when ConnMan writes ‘normal’ (ISP) DNS to it or not. The idea is: get OpenVPN to write the new resolv.conf values, set +i, set -i when you want them to be updated again.

VPN traffic is monitored as well by these programs, especially ‘big name’ VPN providers. I personally would not recommend the use of VPN for anonymity, but they are good for users that want to watch geoblocked content.

Sam
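
The idea in the post above (OpenVPN writes the new values, set +i, set -i on disconnect) as a single up/down hook; this is an added example, not code from the thread or from OSMC. It reads the `foreign_option_N` and `script_type` variables that OpenVPN exports to hook scripts; the overridable `RESOLV` path and the function names are assumptions.

```shell
#!/bin/sh
# Added example: OpenVPN up/down hook that writes the pushed DNS servers to
# resolv.conf and holds them with the immutable flag until the tunnel closes.
RESOLV="${RESOLV:-/etc/resolv.conf}"   # overridable for testing (assumption)

# Turn the foreign_option_N variables into resolv.conf lines. Values come from
# the VPN server, so only IP literals and plain hostnames are accepted.
build_resolv() {
    i=1; search=""; servers=""
    while eval "opt=\${foreign_option_$i:-}"; [ -n "$opt" ]; do
        i=$((i + 1))
        read -r kind key val rest <<EOF
$opt
EOF
        [ "$kind" = "dhcp-option" ] || continue
        case "$key:$val" in
            DNS:|DNS:*[!0-9A-Fa-f:.]*) ;;          # not an IP literal: skip
            DNS:*) servers="${servers}nameserver $val
" ;;
            DOMAIN:|DOMAIN:*[!0-9A-Za-z.-]*) ;;    # not a hostname: skip
            DOMAIN:*) search="$val" ;;
        esac
    done
    if [ -n "$search" ]; then printf 'search %s\n' "$search"; fi
    printf '%s' "$servers"
}

vpn_up() {
    new=$(build_resolv)
    case "$new" in
        *nameserver*) ;;
        *) echo "no usable DNS pushed; $RESOLV left alone" >&2; return 0 ;;
    esac
    chattr -i "$RESOLV" 2>/dev/null || true   # reconnect: may still be locked
    printf '%s\n' "$new" > "$RESOLV"
    chattr +i "$RESOLV"                       # stop ConnMan overwriting it
}

vpn_down() {
    chattr -i "$RESOLV"
    systemctl restart connman                 # ConnMan rewrites its own DNS
}

# OpenVPN sets script_type to "up" or "down" when it calls the hook.
case "${script_type:-}" in
    up)   vpn_up ;;
    down) vpn_down ;;
esac
```

The hook is referenced from the .ovpn file with the same `up` and `down` directives quoted earlier in the thread, and OpenVPN only runs such hooks when `script-security` is 2 or higher.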

But the issue is I can’t get the script to write to /etc/resolv.conf at all, because ConnMan won’t allow it…whenever I try, and then ‘sudo nano /etc/resolv.conf’, I see that the default values are still there…

Also those are shell commands, and the idea is that I shouldn’t need to use the shell as I’m using the .ovpn config files directly from the ui via the OpenVPN plugin. (Using my TV remote control).

Sorry if I haven’t explained myself very well, I want it to work just like this:

https://wiki.archlinux.org/index.php/OpenVPN#DNS

Now, when you launch your OpenVPN connection, you should find that your
resolv.conf file is updated accordingly, and also returns to normal
when you close the connection.

Hmm, that page says to install ‘openresolv’, I wonder if that would do the trick?

I don’t completely follow. Are you not having to change between VPN providers / connection status manually anyway?

Sam