From: Landry Breuil
Subject: Re: net/openvpn: improve and enable DNS up/down script
To: ports@openbsd.org
Date: Mon, 2 Mar 2026 11:07:11 +0100

On Fri, Feb 27, 2026 at 07:27:34PM +0100, Jeremie Courreges-Anglas wrote:
>
> Here's a diff that enables the - new in 2.7.0 - support for
> configuring on the client nameservers possibly sent by the server.
>
> At first I disabled the default script because it interferes with
> resolvd(8), but it turns out hacking up a script for handling the
> resolvd(8) case was easy. If resolvd is running, use route(8)
> nameserver, else let the default script do the resolv.conf mangling.

one of the cases where i use openvpn, i have resolvd *and* unwind
running, because i have an unwind.conf to force certain domains on my
vpn-provided forwarder, and accept some bogus domains.

    forwarder { 10.10.10.254 }
    force forwarder { work.fqdn }
    force accept bogus forwarder { drac vpn.centipede }

so far, resolvd creates this 'static' resolv.conf:

    nameserver 127.0.0.1 # resolvd: unwind
    #nameserver dhcp-provided-dns # resolvd: trunk0

manually doing 'route nameserver tun1 10.10.10.254' (as, to my
understanding, would be what the updown script does) just adds a
commented-out line to resolv.conf:

    nameserver 127.0.0.1 # resolvd: unwind
    #nameserver 10.10.10.254 # resolvd: tun1
    #nameserver dhcp-provided-dns # resolvd: trunk0

my guess is that resolvd (rightfully?) prioritizes unwind over any other
nameserver, and thus this doesn't break this (quite complicated, to me)
workflow (which is good).

i've tested the updown script (where the server sends dhcp-option DNS)
on another host where only resolvd is running (and only sets nameservers
coming from dhcp, the default) and it did the right thing upon
connection, e.g. add the openvpn-sent DNS to the top of resolv.conf, as
expected.

    nameserver 10.10.10.254 # resolvd: tun1
    nameserver dhcp-provided-dns # resolvd: iwm0
    nameserver xx:xx:xx:xx:: # resolvd: iwm0

and from that point the client uses the vpn-provided DNS.

on the client debug output, one can see the script being called:

    2026-03-02 11:00:51 us=332006 /usr/local/libexec/openvpn/dns-updown
    2026-03-02 11:00:51 us=343351 dns up command exited with status 0

so afaict, this does the right thing. ok with me.
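A dry-run sketch of the dns-up decision described in the quoted text (resolvd running: hand the pushed servers to route(8) nameserver; otherwise the stock script edits resolv.conf), added here as an illustration and not the port's own dns-updown script. The dns_server_1_address_N variable names and the pgrep-based resolvd detection are assumptions.

```shell
#!/bin/sh
# Added example: model the dns-up decision without touching the system.
# Assumed OpenVPN 2.7 export scheme: dns_server_1_address_1, _2, ... hold
# the nameservers pushed by the server.

# Print the nameserver addresses OpenVPN exported, one per line.
dns_servers() {
  i=1
  while :; do
    eval "addr=\${dns_server_1_address_${i}:-}"
    [ -n "$addr" ] || break
    printf '%s\n' "$addr"
    i=$((i + 1))
  done
}

# Is resolvd(8) running?  $1 may force "yes"/"no" (useful for testing);
# otherwise fall back to pgrep (assumed detection method).
resolvd_running() {
  case "${1:-auto}" in
  yes) return 0 ;;
  no) return 1 ;;
  *) pgrep -x resolvd >/dev/null 2>&1 ;;
  esac
}

# Print the action dns-up would take for tunnel $1 ($2: resolvd override).
plan_dns_up() {
  servers=$(dns_servers | tr '\n' ' ')
  servers=${servers% }
  [ -n "$servers" ] || { echo "nothing to do: no DNS pushed"; return 0; }
  if resolvd_running "$2"; then
    # resolvd owns /etc/resolv.conf: offer the servers as a proposal for
    # the tunnel.  With unwind also running, resolvd keeps 127.0.0.1 on
    # top and writes these out as commented lines, as seen in the thread.
    echo "route nameserver $1 $servers"
  else
    # no resolvd: the stock script prepends the servers to resolv.conf
    for s in $servers; do
      echo "prepend to /etc/resolv.conf: nameserver $s"
    done
  fi
}
```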