OpenVPN - adding hosts to DNS so they can be resolved


it would be pretty nice if an appropriate DNS entry is created once a new client is connected to Omnia via OpenVPN. Deletion is not important to me. For now I did a workaround which checks and parses openvpn-status.log in minute intervals but I am looking for a better solution. Anyone?

Script below (additional kresd configuration is required as well)



from datetime import datetime
import time
import re
import os

STATUS_FILE = '/tmp/openvpn-status.log'
HOSTS_FILE = '/etc/kresd/hosts.custom'

with open(STATUS_FILE) as f:
    data = f.read()
    # ROUTING TABLE section: "Virtual Address,Common Name,Real Address,Last Ref" rows
    host_data = re.search('Last Ref.(.+).GLOBAL STATS.*', data, re.S).group(1)
    host_data = host_data.splitlines()
    # CLIENT LIST section: "Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since" rows
    conn_data = re.search('Connected Since.(.+).ROUTING TABLE.*', data, re.S).group(1)
    conn_data = conn_data.splitlines()

# newest "Connected Since" timestamp as epoch seconds ('%c' is local time, like the status file)
latest_client = max([int(time.mktime(datetime.strptime(x.split(',')[4], '%c').timetuple()))
                     for x in conn_data] or [0])
try:
    # mtime of HOSTS_FILE is already epoch seconds, so both values are directly comparable
    latest_update = int(os.stat(HOSTS_FILE).st_mtime)
except OSError:
    # HOSTS_FILE does not exist yet: force a regeneration
    latest_update = 0


if latest_update < latest_client:
    # we have a new client connected since last HOSTS_FILE modification
    with open(HOSTS_FILE, 'w') as f:
        # populate HOSTS_FILE with entries from openvpn-status.log
        for entry in host_data:
            ip, hostname, ip2, date = entry.strip().split(',')
            f.write('%s %s\n' % (ip, hostname))

If you don’t want to parse the status file, openvpn has a configuration option to run a script at client connection. This is from the man page.

--client-connect cmd
Run command cmd on client connection.

cmd consists of a path to script (or executable program), optionally followed by arguments. The path and arguments may be single- or double-quoted and/or escaped using a backslash, and should be separated by one or more spaces.

The command is passed the common name and IP address of the just-authenticated client as environmental variables (see environmental variable section below). The command is also passed the pathname of a freshly created temporary file as the last argument (after any arguments specified in cmd), to be used by the command to pass dynamically generated config file directives back to OpenVPN.

If the script wants to generate a dynamic config file to be applied on the server when the client connects, it should write it to the file named by the last argument.

See the --client-config-dir option below for options which can be legally used in a dynamically generated config file.

Note that the return value of script is significant. If script returns a non-zero error status, it will cause the client to be disconnected.
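As an added illustration of the --client-connect approach described in this reply (example code, not something posted in the thread or shipped by OpenVPN or Turris), here is a handler that turns the environment variables OpenVPN exports for the just-authenticated client (common_name and ifconfig_pool_remote_ip) into one line of a hosts-format file. The hosts file path and the vpn.lan suffix are assumptions. Because the common name comes from a client certificate and is written into a file another daemon parses, the script only accepts a plain hostname label, and it rewrites the file atomically so a concurrent reader never sees a half-written file.

```python
#!/usr/bin/env python3
# Added example of an OpenVPN --client-connect handler; not from the original thread.
# OpenVPN runs it as:  <script> [args...] <dynamic-config-file>
# with the client's details exported as environment variables (see the man page excerpt).
import os
import re
import sys
import tempfile

HOSTS_FILE = '/etc/kresd/hosts.custom'   # assumed path, same as in the OP's workaround
DOMAIN = 'vpn.lan'                        # assumed suffix for the generated names

# Conservative hostname label: the common name is certificate-supplied input,
# so it is validated before it is written into a file another daemon parses.
LABEL_RE = re.compile(r'^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$')
IPV4_RE = re.compile(r'^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$')


def hosts_entry(env, domain=DOMAIN):
    """Return the 'ip fqdn' line for this connection, or None if the input is unusable."""
    name = env.get('common_name', '').lower()
    ip = env.get('ifconfig_pool_remote_ip', '')
    if not LABEL_RE.match(name) or not IPV4_RE.match(ip):
        return None
    return '%s %s.%s' % (ip, name, domain)


def merge_hosts(existing_text, entry):
    """Drop any previous line for the same name or address, keep the rest, append entry."""
    ip, fqdn = entry.split()
    kept = []
    for line in existing_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and (fields[0] == ip or fqdn in fields[1:]):
            continue  # stale mapping for this client, or for a reused pool address
        kept.append(line)
    kept.append(entry)
    return '\n'.join(kept) + '\n'


def update_hosts(path, env):
    """Atomically rewrite the hosts file; return the entry written, or None if rejected."""
    entry = hosts_entry(env)
    if entry is None:
        return None
    try:
        with open(path) as f:
            current = f.read()
    except FileNotFoundError:
        current = ''
    new_text = merge_hosts(current, entry)
    # temp file in the same directory + rename: readers see the old or the new file, never a torn one
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or '.', prefix='.hosts.')
    with os.fdopen(fd, 'w') as f:
        f.write(new_text)
    os.chmod(tmp, 0o644)
    os.replace(tmp, path)
    return entry


if __name__ == '__main__':
    # sys.argv[-1] is the dynamic config file OpenVPN created; this handler leaves it empty.
    if update_hosts(HOSTS_FILE, os.environ) is None:
        # A name that is not a valid label only means no DNS entry; exiting non-zero here
        # would disconnect the client, which is not wanted for a naming problem.
        sys.stderr.write('client-connect: skipping DNS entry for %r\n'
                         % os.environ.get('common_name'))
    sys.exit(0)
```

Wire it up with `client-connect /path/to/this-script.py` (plus `script-security 2`) in the server config, and have the resolver reload the file; on the kresd side the hints module can read a hosts-format file (hints.add_hosts), which is what the OP's "additional kresd configuration" refers to, though as the later reply notes, Omnia's own hint-regeneration script may overwrite whatever this writes.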

Adding another dynamic source of local DNS hints is a little complex to do reliably, as there’s a script that regenerates the hints in case the dynamic_domains option is set, so these two would clash if done directly.

Personally I run a local authoritative bind server and use nsupdate to dynamically update things as needed. I don’t know anything about knot and the difference between the knot resolver and the knot server so I don’t know if the same thing is possible. I see there is a knsupdate utility for the knot authoritative server.

The other thing the OP could try is to get the openvpn server to always assign the same address to the same client and then he wouldn’t need dynamic updates. The openvpn documentation tells how to do that.

Configuring such things in knot-resolver is completely unrelated to the authoritative-only knot-dns server. Documentation link for the kresd side, but note that Omnia scripts do some stuff with it, as linked above…