To get the D-Bus controlled dnsmasq that NetworkManager runs to use different DNS servers, there are the following options (obviously adjust domains and IP addresses in the examples):
- Add a file to /etc/NetworkManager/dnsmasq.d that sets the DNS server for the subnet you want: myvpn-server.conf could contain server=/myvpn.domain.com/10.8.4.9. This will always be respected by dnsmasq even when not connected to the VPN, in which case queries for these domains should time out. The disadvantage is that you need to specify the IP address statically; the advantage is simplicity.
- Use D-Bus to talk directly to dnsmasq to tell it to update the servers using something like
sudo dbus-send --system --print-reply --dest=org.freedesktop.NetworkManager.dnsmasq /uk/org/thekelleys/dnsmasq uk.org.thekelleys.SetDomainServers "array:string:192.168.0.1,/myvpn.domain.com/10.8.4.9"
This could be scripted when the VPN connects. You'd need to look up the existing DNS servers (the 192.168.0.1 in my example) over D-Bus or using nmcli.
- Use D-Bus to talk to NetworkManager itself and tell it to update the servers. Here's an example of doing this using Python which would require some work to include the current servers.
I'm using the first option and have only tried preliminary versions of the other two.
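The second option in the answer above (telling dnsmasq the server list over D-Bus from a VPN-up hook), as an added example that is not the answerer's code. The bus name, object path and method are the ones quoted in the answer; the nmcli query used to collect the current upstream servers, the domain=server argument format and the DNSMASQ_APPLY switch are assumptions of this example. The script validates every address before it is handed to the daemon, since the whole string is parsed by a privileged process.

```shell
#!/bin/sh
# Added example, not code from the answer above: build the argument string that
# uk.org.thekelleys.SetDomainServers expects from (a) the upstream servers
# NetworkManager currently reports and (b) per-domain VPN servers given as
# domain=server pairs, then hand it to the NetworkManager-run dnsmasq over the
# system bus. Bus name, object path and method are the ones quoted in the
# answer; the nmcli query and the DNSMASQ_APPLY switch are assumptions.

# Accept only dotted-quad IPv4 literals: every entry ends up in a string that a
# privileged daemon parses, so anything else is rejected before it gets there.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Upstream servers of all active devices, one per line (assumed nmcli usage;
# nmcli joins multi-value fields with " | " in -g mode).
current_dns_servers() {
    nmcli -g IP4.DNS device show 2>/dev/null | tr '|' '\n' | tr -d ' ' | sed '/^$/d'
}

# build_server_array "<upstream servers, whitespace separated>" domain=server ...
# Prints e.g. "192.168.0.1,/myvpn.domain.com/10.8.4.9"; returns 1 on bad input.
build_server_array() {
    upstream=$1; shift
    out=""
    for srv in $upstream; do
        is_ipv4 "$srv" || return 1
        out="${out:+$out,}$srv"
    done
    for pair in "$@"; do
        domain=${pair%%=*}
        server=${pair#*=}
        [ -n "$domain" ] && [ "$domain" != "$pair" ] || return 1
        is_ipv4 "$server" || return 1
        out="${out:+$out,}/$domain/$server"
    done
    printf '%s' "$out"
}

# Push the finished list to dnsmasq; needs root (system bus policy).
apply_dns_servers() {
    dbus-send --system --print-reply \
        --dest=org.freedesktop.NetworkManager.dnsmasq \
        /uk/org/thekelleys/dnsmasq \
        uk.org.thekelleys.SetDomainServers "array:string:$1"
}

# Only touch the bus when asked, e.g. from a VPN-up hook:
#   DNSMASQ_APPLY=1 sh vpn-dns.sh myvpn.domain.com=10.8.4.9
if [ "${DNSMASQ_APPLY:-0}" = "1" ]; then
    servers=$(build_server_array "$(current_dns_servers)" "$@") || exit 1
    apply_dns_servers "$servers"
fi
```

Without DNSMASQ_APPLY=1 the script only defines its functions, so it can be sourced and tried on the command line before being wired into a VPN hook. A rejected entry makes build_server_array fail before anything is sent, which is the behaviour you want from something that runs as root on every VPN connect.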
It is possible to just access the internal resources without an internet connection; I think this is actually the usual scenario for using OpenVPN.
So if you followed some guide to set up an OpenVPN server, there were also some steps that allowed forwarding clients' traffic to the internet; you'll need to undo those steps.
I think you should start with commenting out this line in server.conf:
push "redirect-gateway def1 bypass-dhcp"
Then pushing a DNS server to clients should be disabled by commenting out lines that look like
push "dhcp-option DNS xxx.xxx.xxx.xxx"
Of course you'll need to reload the OpenVPN config after making the changes:
sudo service openvpn reload
And then disable packet forwarding out to the internet:
echo 0 > /proc/sys/net/ipv4/ip_forward
To make disabling forwarding permanent you'll also have to edit /etc/sysctl.conf, commenting out the line
net.ipv4.ip_forward=1
By now I think clients shouldn't be able to access the internet through the VPN anymore.
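The config edits from the answer above, carried out by a script rather than by hand, as an added example that is not the answerer's code. It comments out only the active redirect-gateway and dhcp-option DNS pushes (leaving route pushes and already-commented lines alone), can be re-run without double-commenting, does the same for net.ipv4.ip_forward=1 in a sysctl file, and provides a check that no active push of either directive remains. The sample server.conf it writes is constructed for this example; the /proc write is kept in its own function and is never run automatically.

```shell
#!/bin/sh
# Added example, not from the answer above: turn off the two "push" directives
# that send client internet traffic and DNS through the server, in a way that
# can be re-run safely, and check the result. The sample server.conf written by
# make_sample_conf is constructed for this example; disable_ip_forward_now
# mirrors the answer's /proc write and only runs when you call it as root.

# Comment out active push "redirect-gateway ..." and push "dhcp-option DNS ..."
# lines in the file given as $1. Already-commented lines and other pushes
# (routes, for instance) are left untouched. Keeps a .bak copy.
disable_internet_push() {
    conf=$1
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    cp "$conf" "$conf.bak" || return 1
    tmp=$(mktemp) || return 1
    sed -E \
        -e 's/^([[:space:]]*push[[:space:]]+"redirect-gateway)/#\1/' \
        -e 's/^([[:space:]]*push[[:space:]]+"dhcp-option[[:space:]]+DNS)/#\1/' \
        "$conf" > "$tmp" && cat "$tmp" > "$conf"
    status=$?
    rm -f "$tmp"
    return $status
}

# Comment out net.ipv4.ip_forward=1 in a sysctl file ($1) so the change
# survives a reboot, as the answer describes for /etc/sysctl.conf.
disable_ip_forward_persistent() {
    sysctl_conf=$1
    tmp=$(mktemp) || return 1
    sed -E 's/^([[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1)/#\1/' \
        "$sysctl_conf" > "$tmp" && cat "$tmp" > "$sysctl_conf"
    status=$?
    rm -f "$tmp"
    return $status
}

# Succeeds when no active push of either directive remains in $1.
internet_push_disabled() {
    ! grep -Eq '^[[:space:]]*push[[:space:]]+"(redirect-gateway|dhcp-option[[:space:]]+DNS)' "$1"
}

# Immediate (non-persistent) half of the change; root only, never run automatically.
disable_ip_forward_now() {
    echo 0 > /proc/sys/net/ipv4/ip_forward
}

# Constructed sample config, written to $1.
make_sample_conf() {
    cat > "$1" <<'EOF'
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.8.0.1"
push "route 10.10.0.0 255.255.0.0"
EOF
}

# Demonstration on a scratch copy rather than the live /etc/openvpn/server.conf.
demo=$(mktemp)
make_sample_conf "$demo"
disable_internet_push "$demo"
if internet_push_disabled "$demo"; then
    echo "internet push disabled in $demo:"
fi
cat "$demo"
rm -f "$demo" "$demo.bak"
```

Run it once against a copy of the real file to see the diff, then against /etc/openvpn/server.conf followed by the reload from the answer. The check function is the part worth keeping around: it tells you whether a later package upgrade or template regeneration has quietly put the redirect-gateway push back.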
Best Answer
I am not sure about tun0, but I think the scripts in /etc/network/if-up.d/ and /etc/network/if-down.d/ are invoked when an interface goes up or down, respectively. Inside the script you can determine which interface is concerned from the content of the variable IFACE.
To be sure, add a simple script to /etc/network/if-up.d/ whose content is
make it executable
then see if the up events are recorded in /var/log/tun-up.log
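An if-up.d hook of the kind the answer above describes, as an added example; it is not the answerer's script, whose body is not shown on the page. It relies on ifupdown exporting IFACE (and MODE and PHASE) to the hook, logs every up event to the path the answer names, and returns success only for the interface of interest so that VPN-specific actions can be gated on it. The TUN_UP_LOG and WANTED_IFACE overrides are assumptions added so the functions can be exercised by hand without root.

```shell
#!/bin/sh
# Added example, not the script from the answer (its body is not shown on the
# page): an /etc/network/if-up.d/ hook that logs every "up" event and acts
# only when the interface is the one we care about. ifupdown exports IFACE,
# MODE and PHASE to hooks; the log path is the one the answer mentions, and
# the TUN_UP_LOG / WANTED_IFACE overrides are assumptions added so the script
# can be exercised by hand without root.

LOGFILE=${TUN_UP_LOG:-/var/log/tun-up.log}
WANTED_IFACE=${WANTED_IFACE:-tun0}

# Append one timestamped line per event to $LOGFILE.
# Returns 0 only when the event concerns $WANTED_IFACE, so callers can branch.
record_up_event() {
    iface=$1
    printf '%s up: %s (mode=%s phase=%s)\n' \
        "$(date '+%Y-%m-%dT%H:%M:%S')" "$iface" "${MODE:-?}" "${PHASE:-?}" >> "$LOGFILE"
    [ "$iface" = "$WANTED_IFACE" ]
}

# Print how many up events log file $1 holds for interface $2 (0 for a missing log).
count_up_events() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -cF " up: $2 " "$1" || true
}

# ifupdown sets IFACE when it runs the hook; without it (run by hand or sourced)
# only the functions above are defined.
if [ -n "${IFACE:-}" ]; then
    if record_up_event "$IFACE"; then
        : # VPN-specific actions for $WANTED_IFACE go here
    fi
fi
```

Install it as /etc/network/if-up.d/tun-up (run-parts skips file names containing a dot, so do not call it tun-up.sh), make it executable, bring an interface up and down, and then compare the log against count_up_events for tun0. If tun0 never shows up there while other interfaces do, the tunnel is being created by OpenVPN itself rather than ifupdown, and the hook should go into the OpenVPN client config instead.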