endvour wrote: endvour wrote:
You're right about DNS, I found out that right now only Windows clients natively accept the pushed nameservers.
I was wrong about this, that was probably outdated info. Pushing nameservers seems to work out of the box with Linux clients (I'm testing with Ubuntu 16.10). All that's necessary is pushing dhcp-option DNS and, if you want to use dnsmasq as the nameserver, set localservice 0 in /etc/config/dhcp (required if the VPN server interface uses unmanaged protocol). That's it! I'm able to reach devices in my LAN by hostname and outbound queries are correctly forwarded to my dnsmasq resolvers.
Again, happy to write a couple lines myself about this for the wiki.
UPDATE: works like a charm also with an Android 7.1 client using the OpenVPN for Android app
Some distributions work well, others not so much. The biggest issue is laptops running various linux distributions. OpenVPN handles DNS (in some linux distributions) by saving the DNS servers on change, then restoring those settings on disconnect. On a laptop that might be migrating between connections, this can potentially lead to the wrong DNS servers being restored, compromising connectivity.
I wrote the guide with the idea that it will set up a VPN server with basic functions and connectivity for beginners, which can also be modified to meet specific use cases by advanced users who should know to read man pages.
With that in mind, I didn't feel the need to include DNS pushing because it is not a requirement of basic functions or connectivity, and 99% of users do not require this feature. It didn't make sense to include it in a beginner's guide where it will just generate more questions and confusion. Especially when such a feature is associated with so many client-specific variables that can potentially disrupt connectivity on client machines.
If you disagree with my assessment, you can certainly add it to the guide. It's a wiki and open for anyone to edit! That's the wonderful thing about open systems like wikis.
Even with an "optional" tag, every newbie around would attempt to use the feature because it "sounds" like it enhances security, but in the majority of cases just impairs performance with no added benefit. There is nothing illegal about a user looking up the IP (via DNS) of (for example) a torrent website, and an ISP won't throttle your connection for checking the domain. That could happen with browser prefetching and you reading a news article that mentions it. It's the actions after that which matter and will get your throttled (or arrested...) - and those are all done via the VPN.
If you're in a situation that merely looking up a domain name would get you into hot water... Well either 1) you're under an extremely oppressive government and you need a whole lot of fire-walling and such that's WAY outside the scope of any beginners guide (and you should sure as shit know your stuff because any mistake means you're fucked). Or 2) you're looking up some sort of honeypot domain that's only mentioned in one or two places on the net so what the fucking hell were you looking up? I'm not sure I want to help that person... although chances are they already know their shit anyway.
An alternative (which I'd totally agree with, but currently have no motivation to create) would be an "advanced customization of OpenVPN" -guide that was linked to at the end of the beginners guide. The explanation of DNS pushing and other features would be plenty appropriate in such a location. I wonder about the utility of such a guide though, since the users who would need such features are likely able to interpret the relevant manuals directly and probably don't need a step by step guide.