0

OpenVPN shows the DNS server in the clear when you connect, but I want to hide that from the public. (It shows it in the logs and on the network adapter in Windows, for example.)

The DNS server already has rules to accept DNS requests only from the VPN IP address. (I already protect the DNS server with iptables so that it accepts requests only from the verified VPN IP addresses.) Now I want to hide the IP from DDoS or other types of malicious attack.

Why?

Because all the VPN servers have only 2 servers, but if those two go down, the VPNs stop working.

I already tried to set up a route, but without success.

These are my current iptables rules.

iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -s cc.cc.cc.cc -j ACCEPT
iptables -A INPUT -p udp --dport 22 -s cc.cc.cc.cc -j ACCEPT
iptables -A INPUT -p udp --dport 53 -s xx.xx.xx.81 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -s xx.xx.xx.81 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP
iptables -A INPUT -p udp --dport 22 -j DROP
iptables -A INPUT -p udp --dport 53 -s xx.xx.xx.81 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -s xx.xx.xx.81 -j ACCEPT
iptables -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to yy.yy.yy.120:53
iptables -t nat -A OUTPUT -p tcp --dport 53 -j DNAT --to yy.yy.yy.120:53
iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.9.0.0/24 -o eth0 -j MASQUERADE
iptables -A PREROUTING -t nat -i eth0 -p udp --dport 443 -j REDIRECT --to-port 20303
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 13019

OpenVPN server.conf

server 10.8.0.0 255.255.255.0
push "route 10.8.0.0 255.255.255.0"
push "redirect-gateway def1"
push "dhcp-option DNS yy.yy.yy.120"

NB: xx.81 is the VPN server and yy.120 is the DNS Server.

rayjhp
  • Can you explain what you mean by _"hiding the DNS server"_? You want the server to stop sending the DNS server configuration to clients? That can be configured with the `push` option, but you need to edit your question and include the OpenVPN server's config. – Piotr P. Karwasz Feb 16 '20 at 08:53
  • Actually, in server.conf there is `push dhcp-option DNS xx.xx.xx.120`, and when someone connects to the OpenVPN network, for example on Windows, the tun interface shows the IP **xx.xx.xx.120**. What I want to do is hide that. For example, route traffic to an internal interface like **10.10.0.1** which acts as the DNS server, and then route the DNS requests to **xx.xx.xx.120** – rayjhp Feb 16 '20 at 09:08
  • I assume **xx.xx.xx.120** is a public IP address and that the `DNS` server should only resolve `VPN` client queries. Why don't you give it a private IP address (e.g. `10.8.53.53`) and push that value to clients? You might also consider pushing a bigger route prefix: `push "route 10.8.0.0 255.255.0.0"`. – Piotr P. Karwasz Feb 16 '20 at 12:04
  • I have installed dnsmasq; in the config I put `listen-address=127.0.0.1,xx.xx.xx.81,10.80.0.0,10.90.0.0` and routed port 53 of those IPs to eth0, but it is still not working. Yes, **xx.xx.xx.120** is a public IP. – rayjhp Feb 18 '20 at 06:57

1 Answer

0

You can't hide it per se, as clients will need to be provided with a DNS server if you want DNS to work for them. You could set up a DNS server on the VPN endpoint (x.x.x.81) and tell it to just forward all queries upstream to x.x.x.120; that way your clients only see the VPN endpoint, which they are already aware of.

Stuggi
  • I already tried to route on the endpoint, but without success, with `iptables -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to yy.yy.yy.120:53`, `iptables -t nat -A OUTPUT -p tcp --dport 53 -j DNAT --to yy.yy.yy.120:53` and `iptables -t nat -A POSTROUTING -j MASQUERADE`. But I didn't install any DNS server; I just routed the traffic from xx.81 to xx.120. So first I need to install a DNS server and then route? I can't only route without installing a DNS server? PS: sorry for not writing with code syntax, but on the mobile app it doesn't work properly, I think. – rayjhp Feb 16 '20 at 09:35
  • You're trying to NAT the traffic, which is another option if you can get it to work, but then your clients should be served the x.x.x.81 IP as the DNS, not the actual DNS server. – Stuggi Feb 16 '20 at 09:57
  • Yes. I already tried setting the DNS server in server.conf to the IP xx.81 and I put those routes in, but without success. Maybe wrong iptables rules. Actually my brain is going to burn, because I've been trying to do this for 6 hours and I know I'm making some mistake but I don't know where. – rayjhp Feb 16 '20 at 10:18
  • That's why I recommended running a DNS server on the VPN endpoint; it's a lot cleaner and very simple to set up, as you're just forwarding everything along. NAT is hard to get to work, and a bit of a hack even when it does. – Stuggi Feb 16 '20 at 10:22
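The forwarding-resolver setup the answer describes, written out as an added example (this is not the original poster's or the answerer's configuration). It renders a dnsmasq config bound only to the endpoint's tun addresses that forwards everything to the upstream, the iptables rules that allow port 53 only from the two VPN subnets, and the replacement `push` line for server.conf. The upstream address yy.yy.yy.120 and the subnets 10.8.0.0/24 and 10.9.0.0/24 come from the question; that the endpoint holds 10.8.0.1 and 10.9.0.1 on its tun interfaces, that dnsmasq is the resolver, and the file path under /etc/dnsmasq.d/ are assumptions.

```shell
#!/bin/sh
# Added example (not the original poster's or answerer's config): a forwarding
# resolver on the OpenVPN endpoint xx.xx.xx.81, as the answer suggests.
# Assumptions not stated in the thread: dnsmasq is installed, the endpoint
# holds 10.8.0.1 and 10.9.0.1 on its tun interfaces, and "apply" runs as root.

UPSTREAM_DNS="yy.yy.yy.120"          # real resolver, from the question
VPN_NETS="10.8.0.0/24 10.9.0.0/24"   # OpenVPN subnets, from the iptables rules
TUN_ADDRS="10.8.0.1 10.9.0.1"        # endpoint address inside each subnet (assumed)

# dnsmasq config: bind only to loopback and the tun addresses (never eth0),
# ignore /etc/resolv.conf and send every query to the upstream resolver.
dnsmasq_conf() {
    addrs="127.0.0.1"
    for a in $TUN_ADDRS; do addrs="$addrs,$a"; done
    cat <<EOF
# vpn-forwarder.conf (added example)
port=53
no-resolv
server=$UPSTREAM_DNS
bind-interfaces
listen-address=$addrs
cache-size=1000
EOF
}

# iptables rules for the endpoint: accept 53/udp and 53/tcp from the VPN
# subnets only, then drop port 53 from anywhere else so the resolver is not
# reachable on the public address.
iptables_rules() {
    for n in $VPN_NETS; do
        echo "iptables -A INPUT -p udp --dport 53 -s $n -j ACCEPT"
        echo "iptables -A INPUT -p tcp --dport 53 -s $n -j ACCEPT"
    done
    echo "iptables -A INPUT -p udp --dport 53 -j DROP"
    echo "iptables -A INPUT -p tcp --dport 53 -j DROP"
}

# The push line that replaces 'push "dhcp-option DNS yy.yy.yy.120"' in the
# server.conf of the instance serving the given subnet.
openvpn_push() {
    echo "push \"dhcp-option DNS $1\""
}

# Returns 0 when the text never mentions the upstream resolver, i.e. nothing
# a client receives reveals yy.yy.yy.120.
hides_upstream() {
    ! printf '%s\n' "$1" | grep -q "$UPSTREAM_DNS"
}

if [ "${1:-}" = "apply" ]; then
    dnsmasq_conf > /etc/dnsmasq.d/vpn-forwarder.conf   # path assumed
    iptables_rules | sh
    echo "now replace the dhcp-option line in server.conf with:"
    openvpn_push 10.8.0.1
else
    # dry run: print what would be written
    dnsmasq_conf
    iptables_rules
    openvpn_push 10.8.0.1
fi
```

Two things to check when applying this. First, the forwarded queries leave the endpoint on eth0 with source xx.xx.xx.81, which is the address the upstream's existing iptables rules already accept, so nothing needs to change on yy.yy.yy.120. Second, `bind-interfaces` makes dnsmasq fail to start if a tun interface is not up yet; either order the service after OpenVPN or use dnsmasq's `bind-dynamic` instead. For the record, the DNAT attempt in the comments above did not work because rules in the nat `OUTPUT` chain only see packets generated by the endpoint itself; client queries arriving on tun0 traverse `PREROUTING`, so the NAT variant would need `-t nat -A PREROUTING -i tun0 -p udp --dport 53 -j DNAT --to yy.yy.yy.120:53` (and the same for tcp), with the existing MASQUERADE on eth0 rewriting the source. That is the hack the answer warns against; the forwarder is the cleaner option.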