OpenVPN client specific override DNS is not applied
-
I have set a CSO for some clients to change the DNS server that gets pushed to them. In the OpenVPN log I can see that the conf gets read.
Jul 9 11:02:25 openvpn 35966 MULTI: primary virtual IP for xoliswa/41.161.86.201:26125: 192.168.x.x
Jul 9 11:02:25 openvpn 35966 MULTI: Learn: 192.168.x.x -> xoliswa/41.161.86.201:26125
Jul 9 11:02:24 openvpn 77508 openvpn server 'ovpns2' user 'xoliswa' address '41.161.86.201:26125' - connected
Jul 9 11:02:24 openvpn 35966 xoliswa/41.161.86.201:26125 PUSH: Received control message: 'PUSH_REQUEST'
Jul 9 11:02:24 openvpn 72845 openvpn server 'ovpns2' user 'xoliswa' address '41.161.86.201:26125' - connecting
Jul 9 11:02:24 openvpn 35966 xoliswa/41.161.86.201:26125 OPTIONS IMPORT: reading client specific options from: /var/etc/openvpn/server2/csc/xoliswa
Jul 9 11:02:24 openvpn 35966 xoliswa/41.161.86.201:26125 MULTI_sva: pool returned IPv4=192.168.132.4, IPv6=(Not enabled)
Jul 9 11:02:23 openvpn 35966 41.161.86.201:26125 [xoliswa] Peer Connection Initiated with [AF_INET]41.161.86.201:26125
Jul 9 11:02:23 openvpn 33368 user 'xoliswa' authenticated
The contents of xoliswa's config override file are:
cat /var/etc/openvpn/server2/csc/xoliswa
push "dhcp-option DNS 192.168.131.191"
push "redirect-gateway def1"
I have the machine's DNS manually set to 192.168.131.191. If I do a lookup without the VPN connected I get
nslookup -type=srv _ldap._tcp.dc._msdcs.imbfs.local
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  192.168.131.191

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out
That is because 192.168.131.191 is not reachable without the VPN being connected.
Once I connect the VPN, I get this:
nslookup -type=srv _ldap._tcp.dc._msdcs.imbfs.local
Server:  fw.fast.za.net
Address:  192.168.131.254

*** fw.fast.za.net can't find _ldap._tcp.dc._msdcs.imbfs.local: Non-existent domain
Now the first DNS server was pushed to the client as 192.168.131.254, which is the DNS for the server configuration of that VPN connection. That indicates that the CSO DNS is not successfully pushed to the client.
I have not been able to figure out why. Who can help please?
-
Just to add a few more details, here is the problematic connection.
Connection-specific DNS Suffix . : imb.co
Description . . . . . . . . . . . : TAP-Windows Adapter V9
Physical Address. . . . . . . . . : 00-FF-45-74-E2-DD
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::d886:c8fe:6fae:15cd%8(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.132.5(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Tuesday, July 9, 2024 2:24:52 AM
Lease Expires . . . . . . . . . . : Wednesday, July 9, 2025 2:24:52 AM
Default Gateway . . . . . . . . . :
DHCP Server . . . . . . . . . . . : 192.168.132.0
DHCPv6 IAID . . . . . . . . . . . : 687931205
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-2E-1D-B1-3A-28-F1-0E-28-F5-C8
DNS Servers . . . . . . . . . . . : 192.168.131.254
                                    192.168.131.191
NetBIOS over Tcpip. . . . . . . . : Enabled
I need to get rid of the 192.168.131.254 DNS or at least have that as the secondary.
-
I have found a workaround. In Windows PowerShell I can do this:
netsh dnsclient delete dnsserver "OpenVPN TAP-Windows6" all
netsh dnsclient add dnsserver "OpenVPN TAP-Windows6" 192.168.131.191
This sets the correct DNS server so that I can join the AD domain, which is the goal I was trying to achieve.
It seems that the CSO adds the DNS records to the existing one, and doesn't replace it. Is that by design or can it be fixed/changed?
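As an added illustration of the workaround above (example code, not from the original post), a PowerShell version that puts the CSO-pushed server first and keeps the server-pushed one as secondary instead of deleting it. It assumes the adapter description and DNS address shown earlier in the thread, and that it runs in an elevated session.

```powershell
# Added example, not part of the original post.
# Assumptions: adapter description and preferred DNS as shown in the thread.
$TapDescription = 'TAP-Windows Adapter V9'
$PreferredDns   = '192.168.131.191'

$adapter = Get-NetAdapter -InterfaceDescription $TapDescription -ErrorAction SilentlyContinue
if (-not $adapter) {
    Write-Error "No adapter with description '$TapDescription' found; is the VPN connected?"
    return
}
if ($adapter.Status -ne 'Up') {
    Write-Error "Adapter '$($adapter.Name)' is $($adapter.Status); connect the VPN first."
    return
}

# IPv4 DNS list as currently applied by the server push plus the CSO
# (in the thread: 192.168.131.254 then 192.168.131.191)
$current = (Get-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -AddressFamily IPv4).ServerAddresses
Write-Host "Current DNS order on '$($adapter.Name)': $($current -join ', ')"

# Desired order: preferred server first, remaining servers in their original order, no duplicates
$desired = @($PreferredDns) + @($current | Where-Object { $_ -ne $PreferredDns })

if (($current -join ',') -eq ($desired -join ',')) {
    Write-Host 'DNS order already correct; nothing to do.'
    return
}

Set-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -ServerAddresses $desired
$after = (Get-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -AddressFamily IPv4).ServerAddresses
Write-Host "New DNS order on '$($adapter.Name)': $($after -join ', ')"

# Check that the AD domain controller SRV record now resolves via the preferred server
Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.imbfs.local' -Type SRV -Server $PreferredDns -ErrorAction Stop |
    Select-Object Name, NameTarget, Port, Priority
```

Because the pushed dhcp-option values are re-applied to the adapter on every connect, this has to be re-run after each reconnect, for example from a scheduled task or an OpenVPN client "up" hook.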