Setting DNS servers using OpenVPN client config file

You can add the following to the client config file.

dhcp-option DNS <dns_server_ip_address>

On the server side it would have been:

push "dhcp-option DNS <dns_server_ip_address>"

It seems it's using dhcp-option on both sides. You can do the same with route.


In addition to either of the two below:

dhcp-option DNS <dns_server_ip_address>          (add to client config)

or

push "dhcp-option DNS <dns_server_ip_address>"   (add to server config)

Add these to the client config as well, to force Windows to use the configured DNS:

register-dns
block-outside-dns

The 1st forces Windows to prefer the configured DNS server over any other it may have received from DHCP. The 2nd prevents DNS leakage to any DNS server other than the configured one.


Apparently there is a problem with a faulty binding order in Windows, at least including Windows 2000/XP/7. This will cause Windows OpenVPN clients to use the default network adapter's DNS settings rather than the VPN adapter's settings.

To fix this you need to place your VPN TUN or TAP device above your local network adapter in the bind order:

  1. Identify your VPN device by looking at the output from ipconfig. For me this was "Local Area Connection 2". Remember your IP address for this adapter.
  2. Open regedit.exe and find the key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces which matches your VPN adapter's IP address. Remember the GUID for this adapter.
  3. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Linkage and double click on Bind. This will contain a list of GUIDs for the adapters. Cut and paste the line corresponding to your VPN device's GUID to the top of the list and save the list.

This will cause the DNS entries for your VPN device to be used (and only while the VPN connection is active). You can set them according to the answer by @brunoqc. While you're at it, you should probably also add the openvpn option block-outside-dns, to ensure that DNS queries are not leaking.

This answer is based upon this very useful blog post.
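
Added example, not part of the original answers: a PowerShell sketch of the three bind-order steps above, which looks up the adapter GUID by IP address and shows the reordered Bind list before writing anything. The parameter names -VpnAdapterIp and -Apply are hypothetical; the registry paths are the ones given in the steps.

```powershell
# Added example (not from the original answers). Parameter names are hypothetical.
# Run from an elevated prompt; without -Apply nothing is written.
param(
    [Parameter(Mandatory = $true)][string]$VpnAdapterIp,  # step 1: IP shown by ipconfig
    [switch]$Apply
)

$ifRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
$linkage = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Linkage'

# Step 2: the interface subkeys are named by adapter GUID. A static address is
# stored in IPAddress, a DHCP-assigned one in DhcpIPAddress, so check both.
$match = @(Get-ChildItem $ifRoot | Where-Object {
    $p = Get-ItemProperty $_.PSPath
    (@($p.IPAddress) + @($p.DhcpIPAddress)) -contains $VpnAdapterIp
})
if ($match.Count -ne 1) {
    # Stale addresses on disconnected adapters can produce several matches.
    throw "Expected one interface with IP $VpnAdapterIp, found $($match.Count)."
}
$guid = $match[0].PSChildName

# Step 3: Bind is a multi-string list of \Device\{GUID} entries.
$bind  = @((Get-ItemProperty $linkage -Name Bind).Bind)
$entry = @($bind | Where-Object { $_ -like "*$guid" })
if ($entry.Count -ne 1) {
    throw "GUID $guid appears $($entry.Count) times in Bind; not changing anything."
}
if ($bind[0] -eq $entry[0]) {
    Write-Output "VPN adapter $guid is already first in the bind order."
    return
}
# Move the VPN adapter's entry to the top, keeping the rest in their order.
$newBind = @($entry[0]) + @($bind | Where-Object { $_ -ne $entry[0] })

Write-Output 'Current order:';  $bind
Write-Output 'Proposed order:'; $newBind
if ($Apply) {
    Set-ItemProperty $linkage -Name Bind -Value ([string[]]$newBind) -Type MultiString
    Write-Output 'Bind updated.'
}
```

Keep the printed "Current order" output so the original Bind list can be restored if needed.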