openvpn and resolv.conf

OpenVPN is an amazingly easy to use, free VPN that uses SSL to secure communications. There are clients for Linux and Windows, and the source is available. I've been using it to connect to a few different places, and DNS is the one thing that keeps messing me around.

Especially if you are using a "split" DNS system, you'll need to modify your resolv.conf to add the internal DNS servers of the net you are connecting to. You can do this manually, and it works, or you can opt for the useful and tastefully named "update-resolv-conf". Just copy it to /etc/openvpn and add the following to your openvpn client conf:

up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

Here's the script from Thomas Hood and Chris Hanson. I needed to add an extra newline on the nameservers for multiple nameservers sent from the server.

#!/bin/bash
#
# Parses DHCP options from openvpn to update resolv.conf
# To use set as 'up' and 'down' script in your openvpn *.conf:
# up /etc/openvpn/update-resolv-conf
# down /etc/openvpn/update-resolv-conf
#
# Used snippets of resolvconf script by Thomas Hood <[email protected]>
# and Chris Hanson
# Licensed under the GNU GPL.  See /usr/share/common-licenses/GPL.
#
# 05/2006 [email protected]
#
# Example envs set from openvpn:
# foreign_option_1='dhcp-option DNS 193.43.27.132'
# foreign_option_2='dhcp-option DNS 193.43.27.133'
# foreign_option_3='dhcp-option DOMAIN be.bnc.ch'

# Nothing to do if resolvconf is not installed
[ -x /sbin/resolvconf ] || exit 0

case $script_type in
up)
    # Collect the DNS servers and search domain pushed by the server
    for optionname in ${!foreign_option_*} ; do
        option="${!optionname}"
        echo "$option"
        part1=$(echo "$option" | cut -d " " -f 1)
        if [ "$part1" == "dhcp-option" ] ; then
            part2=$(echo "$option" | cut -d " " -f 2)
            part3=$(echo "$option" | cut -d " " -f 3)
            if [ "$part2" == "DNS" ] ; then
                IF_DNS_NAMESERVERS="$IF_DNS_NAMESERVERS $part3"
            fi
            if [ "$part2" == "DOMAIN" ] ; then
                IF_DNS_SEARCH="$part3"
            fi
        fi
    done
    # Build the resolv.conf fragment, one entry per line.
    # $'\n' is a real newline; bash's echo does not expand "\n" without -e.
    R=""
    if [ "$IF_DNS_SEARCH" ] ; then
        R="${R}search $IF_DNS_SEARCH"$'\n'
    fi
    for NS in $IF_DNS_NAMESERVERS ; do
        R="${R}nameserver $NS"$'\n'
    done
    # Register the entries for the tunnel device
    echo -n "$R" | /sbin/resolvconf -a "${dev}.inet"
    ;;
down)
    # Remove the entries when the tunnel goes down
    /sbin/resolvconf -d "${dev}.inet"
    ;;
esac

Gotchas

You'll need to run openvpn with --script-security 2 since you are calling an external script; it will complain and stop otherwise. If you are using --user to drop to a non-privileged user, then you won't be able to automatically reconnect after a disconnection.
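
The up script above passes whatever the server sends in foreign_option_* straight to resolvconf. The following added example (not part of the original script or of OpenVPN) validates each pushed value before emitting a resolv.conf line; the function names are hypothetical, and it assumes IPv4 nameservers and an available printenv.

```shell
#!/bin/sh
# Added example, hypothetical function names; POSIX sh, so it also runs under bash.

is_ipv4() {
    # Dotted quad only, each octet 0-255.
    case $1 in ''|*[!0-9.]*) return 1 ;; esac
    rest=$1. count=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}; rest=${rest#*.}; count=$((count + 1))
        [ -n "$octet" ] && [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    [ "$count" -eq 4 ]
}

is_domain() {
    # Hostname characters only; no empty labels, no label starting or ending in "-".
    case $1 in
        ''|*[!A-Za-z0-9.-]*|.*|*..*|-*|*.-*|*-.*|*-) return 1 ;;
    esac
    [ ${#1} -le 253 ]
}

build_resolv_entries() {
    # Walk foreign_option_1..N as exported by OpenVPN; print only validated lines.
    i=1 search="" servers=""
    while option=$(printenv "foreign_option_$i"); do
        case $option in
            "dhcp-option DNS "*)
                value=${option#dhcp-option DNS }
                if is_ipv4 "$value"; then servers="$servers $value"
                else echo "rejected DNS value in foreign_option_$i" >&2; fi ;;
            "dhcp-option DOMAIN "*)
                value=${option#dhcp-option DOMAIN }
                if is_domain "$value"; then search=$value
                else echo "rejected DOMAIN value in foreign_option_$i" >&2; fi ;;
        esac
        i=$((i + 1))
    done
    if [ -n "$search" ]; then printf 'search %s\n' "$search"; fi
    for ns in $servers; do printf 'nameserver %s\n' "$ns"; done
}

# Sample environment: options 1 and 3 are the values from the script's header
# comment; options 2 and 4 are constructed to show rejection.
export foreign_option_1='dhcp-option DNS 193.43.27.132'
export foreign_option_2='dhcp-option DNS 10.8.0.999'
export foreign_option_3='dhcp-option DOMAIN be.bnc.ch'
export foreign_option_4='dhcp-option DOMAIN bad_domain;x'
build_resolv_entries
```

In the up branch, the output of build_resolv_entries would be piped to /sbin/resolvconf -a "${dev}.inet" in place of the hand-built $R string.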
