
Can you set up a VPN server which forces the client to use a specific, i.e. local, DNS server? Otherwise the client should not be able to resolve domain names. I do not want to involve any proxy servers and I cannot set up DNS servers on the clients themselves. It needs to be done on the server.

TomTom

1 Answer

If the clients perform DNS resolution through the VPN link, you can redirect all requests to port 53 to your server:

iptables -t nat -A PREROUTING -s vpn_network -p udp --dport 53 -j DNAT \
    --to-destination your_DNS_server
iptables -t nat -A PREROUTING -s vpn_network -p tcp --dport 53 -j DNAT \
    --to-destination your_DNS_server

where vpn_network is the subnetwork of your VPN clients (e.g. 10.8.0.0/24, you can also filter by interface instead) and your_DNS_server is the IP of your DNS server.

If they resolve hosts through their normal connection, however, you can't do anything.

Piotr P. Karwasz
  • I'm running dnsmasq and https://github.com/hwdsl2/setup-ipsec-vpn. Since dnsmasq runs locally I put 127.0.0.1 as the address. But I'm not sure what I should put as `vpn_network`? – TomTom Mar 12 '20 at 13:49
  • `vpn_network` stands for the subnetwork which contains your VPN clients (e.g. `10.8.0.0/24`). On VPN servers that use `tun/tap` interfaces, you can also use `-i interface` instead. You didn't specify what kind of VPN server you are running (VPN is a generic term). – Piotr P. Karwasz Mar 12 '20 at 14:02
  • I'm running Libreswan. I'm guessing the `vpn_network` would then be `192.168.42.0/24`? – TomTom Mar 12 '20 at 14:16
  • Use whatever you added as `remote_ts` in `swanctl.conf` or `left|rightsubnet` in `ipsec.conf`. – Piotr P. Karwasz Mar 12 '20 at 14:19
  • I used `leftsubnet` from `/etc/ipsec.conf` which was `0.0.0.0/0` and it worked! Thank you. – TomTom Mar 12 '20 at 14:25
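As an added example (not code from the answer or the comments above), the script below builds the two DNAT rules from the answer and installs them idempotently, so re-running it does not duplicate rules. The subnet, resolver address and the optional `xt_policy` match are assumptions about your setup: with an IPsec VPN such as Libreswan there is no tun interface to filter on, so `-m policy --dir in --pol ipsec` is the way to restrict the rewrite to packets that arrived inside an IPsec SA rather than matching every source with `0.0.0.0/0`.

```shell
#!/bin/sh
# Added example, not part of the original answer. Placeholders, override via
# environment: VPN_NET (client subnet), DNS_IP (address the resolver listens on).
# If the resolver only listens on 127.0.0.1, DNAT of forwarded traffic to loopback
# additionally needs net.ipv4.conf.all.route_localnet=1; pointing DNS_IP at the
# server's VPN-side address avoids that.
set -u

VPN_NET="${VPN_NET:-10.8.0.0/24}"   # placeholder subnet
DNS_IP="${DNS_IP:-10.8.0.1}"        # placeholder resolver address
MATCH_IPSEC="${MATCH_IPSEC:-0}"     # 1 = only rewrite IPsec-decapsulated packets

# Rule specification (everything after "iptables -t nat -A") for one protocol.
dns_dnat_spec() {
    p="$1"
    spec="PREROUTING -s $VPN_NET -p $p --dport 53"
    if [ "$MATCH_IPSEC" = 1 ]; then
        spec="$spec -m policy --dir in --pol ipsec"
    fi
    printf '%s -j DNAT --to-destination %s\n' "$spec" "$DNS_IP"
}

# Full command line for one protocol, as you would type it by hand.
dns_dnat_cmd() {
    printf 'iptables -t nat -A %s\n' "$(dns_dnat_spec "$1")"
}

# Append the rule only if "iptables -C" reports it is not present yet.
apply_spec() {
    # shellcheck disable=SC2086  # word splitting of the spec is intentional
    if ! iptables -t nat -C $1 2>/dev/null; then
        iptables -t nat -A $1
    fi
}

# Dry run by default (prints the commands); run as root with APPLY=1 to install.
for proto in udp tcp; do
    if [ "${APPLY:-0}" = 1 ]; then
        apply_spec "$(dns_dnat_spec "$proto")"
    else
        dns_dnat_cmd "$proto"
    fi
done
```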