DNSMASQ, when you just need a quick name resolution
Jan 2, 2015

Hello journal, let’s talk a bit about DNSMASQ

I have a server with an OpenVPN instance running on it. This server also serves web pages/applications with Apache2. I wanted to restrict access to some virtual hosts to the people connected to the VPN and nobody else.

My first attempt

The first thing I tried was to make the virtual hosts in question listen only on the tunnel interface, but then nobody could reach them, not even the people inside the VPN. It took me a little time to understand what was going wrong: the clients resolved the name to the public IP of the server, so their requests arrived on the server's eth interface, the public one, where those virtual hosts were not listening at all.

Change OpenVPN Configuration

I read a bit about OpenVPN (not much; it is fairly obvious that OpenVPN has this capability) and found out that the server can push the DNS server the clients should use. So I added a single line to my /etc/openvpn/server.conf file to push the DNS server address:

push "dhcp-option DNS 10.8.0.1"

You may need more than that if you are in some complex setup but mine is rather simple.

Put a DNS server here

Now that your VPN server tells your clients which DNS server to use, you need that DNS server to actually exist. I chose to go with DNSMASQ as it is a really simple one. If you want a fully featured DNS server, use Bind9; in my case I just wanted to override one or two entries. So, to install DNSMASQ:

$ sudo apt-get update
$ sudo apt-get install dnsmasq

That’s all you need. Now edit /etc/dnsmasq.conf

# uncomment interface and set it to only listen to your VPN tunnel
interface=tun0
# make dnsmasq really bind 10.8.0.1:53 (plus loopback); without this it
# binds 0.0.0.0:53 and merely discards queries arriving on other interfaces
bind-interfaces

# uncomment address and set the name you want to override; this matches
# the name itself and every subdomain of it
address=/the.address.to.override/10.8.0.1

You're done! Run service dnsmasq restart and your server is fully set up. Two things to keep in mind: with bind-interfaces, tun0 must already exist when dnsmasq starts, so make sure OpenVPN comes up first (or use bind-dynamic instead, on a dnsmasq recent enough to have it); and the DNS override only makes the name resolve to the tunnel address. What actually keeps outsiders away is the virtual host listening only on 10.8.0.1, so double-check that nothing listening on the public address serves the same site.

Fix client config for Ubuntu

If you're using Ubuntu like me, you'll see that it is still not working: if you go to the.address.to.override it is still reached via the public IP and not the VPN one. The reason is that on Linux the OpenVPN client does not apply a pushed dhcp-option by itself; it only hands it to an up script as an environment variable, so nothing touches resolv.conf unless you ask for it. This is easily fixed; simply add this to your client configuration (your config.ovpn file). Note that script-security 2 lets the profile execute external programs, so only enable it for profiles you trust:

# needed so that openVPN is allowed to run the scripts below
script-security 2
# the scripts shipped with Ubuntu's openvpn package that write the pushed
# DNS server into resolv.conf (through resolvconf) when the tunnel comes up,
# and remove it again when the tunnel goes down
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
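Once all three pieces are in place (the push line, dnsmasq, and the client scripts) it is worth checking from the server that they behave as intended. The script below is an added example and not part of the original post: the tunnel address 10.8.0.1 and the host name the.address.to.override come from the post, while the public address 203.0.113.10 (documentation range), the TUN_ADDR/PUB_ADDR/VHOST variables and the function names are assumptions for illustration. The decision logic takes command output on stdin so it can be exercised without a live server; run the script with --live on the VPN server to perform the real checks with ss, dig and curl (dig is in the dnsutils package on Ubuntu).

```shell
#!/bin/sh
# Split-horizon sanity check for the OpenVPN + dnsmasq + Apache setup.
# Assumed values (not from the original post); override from the environment.
TUN_ADDR="${TUN_ADDR:-10.8.0.1}"
PUB_ADDR="${PUB_ADDR:-203.0.113.10}"
VHOST="${VHOST:-the.address.to.override}"

# Is every UDP :53 socket on the tunnel address or loopback?
# interface=tun0 without bind-interfaces still binds 0.0.0.0:53 and merely
# filters by interface, so `ss` is the source of truth, not dnsmasq.conf.
# $1 = tunnel address; stdin = output of `ss -lun` (header is ignored).
# Exit 0 = fine, 1 = some :53 socket sits elsewhere (0.0.0.0, [::], public IP).
dns_listeners_ok() {
  awk -v tun="$1" '
    $4 ~ /:53$/ {
      addr = $4; sub(/:53$/, "", addr)
      if (addr != tun && addr != "127.0.0.1" && addr != "[::1]") bad = 1
    }
    END { exit bad + 0 }'
}

# Does the VPN resolver hand out only the tunnel address for the vhost?
# $1 = tunnel address; stdin = output of `dig +short @<tun> <vhost>`.
# Exit 0 = at least one answer and every answer is the tunnel address.
answers_are_tunnel_only() {
  awk -v tun="$1" '
    NF { n++; if ($1 != tun) bad = 1 }
    END { exit (n == 0 || bad) ? 1 : 0 }'
}

run_live_checks() {
  status=0
  if ss -lun | dns_listeners_ok "$TUN_ADDR"; then
    echo "ok   dnsmasq bound to $TUN_ADDR and loopback only"
  else
    echo "FAIL a :53 socket exists outside $TUN_ADDR (missing bind-interfaces?)"
    status=1
  fi
  if dig +short +time=2 +tries=1 @"$TUN_ADDR" "$VHOST" | answers_are_tunnel_only "$TUN_ADDR"; then
    echo "ok   $VHOST -> $TUN_ADDR via the VPN resolver"
  else
    echo "FAIL $VHOST does not resolve to $TUN_ADDR on the VPN resolver (check address=)"
    status=1
  fi
  # The public address must not answer DNS at all (no reply or refused).
  if dig +short +time=2 +tries=1 @"$PUB_ADDR" "$VHOST" >/dev/null 2>&1; then
    echo "FAIL $PUB_ADDR answers DNS queries from outside the VPN"
    status=1
  else
    echo "ok   $PUB_ADDR does not answer DNS"
  fi
  # The real access control is Apache's listener, not DNS: compare what the
  # vhost name returns on the tunnel address and on the public address.
  tun_code=$(curl -s -o /dev/null -w '%{http_code}' --resolve "$VHOST:80:$TUN_ADDR" "http://$VHOST/" || true)
  pub_code=$(curl -s -o /dev/null -w '%{http_code}' --resolve "$VHOST:80:$PUB_ADDR" "http://$VHOST/" || true)
  echo "info http://$VHOST/ -> HTTP $tun_code via $TUN_ADDR, HTTP $pub_code via $PUB_ADDR"
  echo "     (the second must come from a default site or be refused, never this vhost)"
  return $status
}

if [ "${1-}" = "--live" ]; then
  run_live_checks
fi
```

A FAIL on the first check is the classic mistake: interface=tun0 on its own looks right in the config file, yet ss shows 0.0.0.0:53. The curl lines are informational only, because the right answer on the public address depends on what the default virtual host there serves; what matters is that it is not this site.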

That’s all folks!

Amike, Erwyn
