On Fri, Feb 27, 2026 at 07:27:34PM +0100, Jeremie Courreges-Anglas wrote:
>
> Here's a diff that enables the - new in 2.7.0 - support for
> configuring on the client nameservers possibly sent by the server.
>
> At first I disabled the default script because it interferes with
> resolvd(8), but it turns out hacking up a script for handling the
> resolvd(8) case was easy. If resolvd is running, use route(8)
> nameserver, else let the default script do the resolv.conf mangling.

one of the cases where i use openvpn, i have resolvd *and* unwind
running, because i have an unwind.conf to force certain domains on my
vpn-provided forwarder, and accept some bogus domains.

    forwarder { 10.10.10.254 }
    force forwarder { work.fqdn }
    force accept bogus forwarder { drac vpn.centipede }

so far, resolvd creates this 'static' resolv.conf:

    nameserver 127.0.0.1 # resolvd: unwind
    #nameserver dhcp-provided-dns # resolvd: trunk0

manually doing 'route nameserver tun1 10.10.10.254' (as, to my
understanding, would be what the updown script does) just adds a
commented out line to resolv.conf:

    nameserver 127.0.0.1 # resolvd: unwind
    #nameserver 10.10.10.254 # resolvd: tun1
    #nameserver dhcp-provided-dns # resolvd: trunk0

my guess is that resolvd (rightfully ?) prioritizes unwind over any other
nameserver, and thus this doesn't break this (quite complicated, to me)
workflow (which is good).

i've tested the updown script (where the server sends dhcp-option DNS)
on another host where only resolvd is running (and only sets
nameservers coming from dhcp, the default) and it did the right thing
upon connection, e.g. add the openvpn-sent DNS to the top of resolv.conf,
as expected.

    nameserver 10.10.10.254 # resolvd: tun1
    nameserver dhcp-provided-dns # resolvd: iwm0
    nameserver xx:xx:xx:xx:: # resolvd: iwm0

and from that point the client uses the vpn-provided DNS.

on the client debug output, one can see the script being called:

    2026-03-02 11:00:51 us=332006 /usr/local/libexec/openvpn/dns-updown
    2026-03-02 11:00:51 us=343351 dns up command exited with status 0

so afaict, this does the right thing. ok with me.
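
The two resolv.conf states reported in the message above can be checked mechanically after the tunnel comes up; the following is an added example, not part of the original message or of the port's dns-updown script. The function names, the status labels and the 192.0.2.53 stand-in address are assumptions made for illustration, and the line format is inferred from the outputs quoted in the message.

```shell
#!/bin/sh
# Added example. Line format assumed from the outputs quoted above:
#   [#]nameserver <addr> # resolvd: <source>

# Print "<state> <addr> <source>" for every nameserver line, in file order.
resolvd_entries() {
    awk '/^#?nameserver[ \t]/ {
        state = ($0 ~ /^#/) ? "inactive" : "active"
        src = "-"                      # no resolvd annotation on this line
        if (match($0, /# resolvd: /)) src = substr($0, RSTART + RLENGTH)
        sub(/[ \t]+$/, "", src)
        print state, $2, src
    }' "$1"
}

# Classify how the nameserver learned on interface $1 appears in file $2:
#   first         - active and listed before every other active resolver
#   behind-unwind - commented out, unwind on 127.0.0.1 answers instead
#   not-first     - present, but another resolver is queried first
#   absent        - no entry for that interface
vpn_dns_status() {
    resolvd_entries "$2" | awk -v ifc="$1" '
        $1 == "active" && first == "" { first = $3 }
        $3 == ifc { seen = 1; st = $1 }
        END {
            if (!seen) print "absent"
            else if (st == "active" && first == ifc) print "first"
            else if (st == "inactive" && first == "unwind") print "behind-unwind"
            else print "not-first"
        }'
}

# Constructed samples modelled on the two hosts in the message; 192.0.2.53
# stands in for the DHCP-provided resolver, which the message does not give.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/unwind.conf" <<'EOF'
nameserver 127.0.0.1 # resolvd: unwind
#nameserver 10.10.10.254 # resolvd: tun1
#nameserver 192.0.2.53 # resolvd: trunk0
EOF
cat > "$SAMPLES/plain.conf" <<'EOF'
nameserver 10.10.10.254 # resolvd: tun1
nameserver 192.0.2.53 # resolvd: iwm0
EOF

vpn_dns_status tun1 "$SAMPLES/unwind.conf"   # behind-unwind
vpn_dns_status tun1 "$SAMPLES/plain.conf"    # first
```

A result of `not-first` or `absent` after connecting means lookups still go to the non-VPN resolver first, which is the case worth alerting on.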