#!/bin/bash

# ============================================================
# Disable the OpenVPN client DNS override (CentOS 7)
# Comments out the "script-security 2" / up / down hook lines in the
# client config so the VPN no longer rewrites /etc/resolv.conf.
# Caveat: "script-security 2" gates every config-driven script, so any other
# up/down/route-up hook in the same config stops being allowed to run as well.
# Published by: helper.sh
# ============================================================

set -o errexit    # -e: abort on the first unhandled failure
set -o nounset    # -u: unset variables are errors
set -o pipefail   # a pipeline fails if any stage fails

# ANSI colour sequences, stored as literal "\033…" text. The log helpers expand
# them at print time (echo -e style), so keep them as plain strings here.
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m'

# Defaults; the first three are overridable from the command line (see usage).
CONFIG_DIR='/etc/openvpn/client'                   # --config-dir
CONFIG_NAME='client'                               # --config-name (systemd instance name)
DNS_HELPER_PATH='/etc/openvpn/update-resolv-conf'  # hook script whose up/down lines get commented out
SET_DNS=''                                         # --set-dns; empty means leave /etc/resolv.conf alone

# Progress line on stdout; %b expands the colour escapes the same way echo -e does.
info()    { printf '%b\n' "${BLUE}[INFO]${NC}  $1"; }
# Success line on stdout; %b expands the colour escapes the same way echo -e does.
success() { printf '%b\n' "${GREEN}[OK]${NC}    $1"; }
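# Non-fatal diagnostic. Sent to stderr so it is not mixed into stdout when the
# script's output is captured or piped.
warning() { printf '%b\n' "${YELLOW}[WARN]${NC}  $1" >&2; }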
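# Fatal diagnostic: print the message to stderr and terminate the script with status 1.
error()   { printf '%b\n' "${RED}[ERROR]${NC} $1" >&2; exit 1; }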

# Print the help text to stdout (used by -h/--help, which then exits 0).
usage() {
  printf '%s\n' \
    'Usage: disable_openvpn_client_dns.sh [options]' \
    '' \
    'Options:' \
    '  --config-dir PATH    Client config directory (default: /etc/openvpn/client)' \
    '  --config-name NAME   Systemd instance name (default: client)' \
    '  --set-dns "a b"      Also write /etc/resolv.conf with these nameservers' \
    '  -h, --help           Show this help message'
}

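# Parse command-line options. Options that take a value must be followed by one:
# under `set -u` a trailing bare `--config-dir` would otherwise abort with an
# unhelpful "unbound variable" message instead of a usage error.
while [ $# -gt 0 ]; do
  case "$1" in
    --config-dir|--config-name|--set-dns)
      [ $# -ge 2 ] || error "Option $1 requires a value (see --help)"
      case "$1" in
        --config-dir)  CONFIG_DIR="$2" ;;
        --config-name) CONFIG_NAME="$2" ;;
        --set-dns)     SET_DNS="$2" ;;
      esac
      shift 2
      ;;
    -h|--help)
      usage
      exit 0
      ;;
    *)
      error "Unknown argument: $1"
      ;;
  esac
done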

# Everything below edits files under /etc and restarts a system unit, so refuse
# to continue unless we are effectively root.
if (( EUID != 0 )); then
  error "Run this script with root privileges: sudo bash $0"
fi

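# The instance name is used both as a file name under CONFIG_DIR and as the
# systemd template instance. Reject empty names and names containing '/' so a
# stray value cannot point the edit outside CONFIG_DIR.
case "${CONFIG_NAME}" in
  ''|*/*) error "Invalid --config-name '${CONFIG_NAME}': expected a plain instance name without '/'" ;;
esac

TARGET_CONF="${CONFIG_DIR}/${CONFIG_NAME}.conf"
SERVICE_NAME="openvpn-client@${CONFIG_NAME}"

if [ ! -f "${TARGET_CONF}" ]; then
  error "Config not found: ${TARGET_CONF}. Pass --config-dir / --config-name if it lives elsewhere."
fi

# Copy a file to "<file>.bak.<timestamp>" and print the backup's path.
# Arguments: $1 - file to back up
# Returns: cp's status (non-zero if the copy failed; nothing is printed then).
# `cp -p` keeps mode/owner/timestamps: client configs often embed inline
# <key>/<cert> material, and a plain `cp` would create the backup with
# umask-default (typically world-readable) permissions.
backup_config() {
  local src=$1 dst
  dst="${src}.bak.$(date +%Y%m%d%H%M%S)"
  cp -fp -- "${src}" "${dst}" || return 1
  printf '%s\n' "${dst}"
}

BACKUP=$(backup_config "${TARGET_CONF}")
info "Backed up ${TARGET_CONF} to ${BACKUP}"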

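# Comment out the DNS hook directives in an OpenVPN client config, in place.
# Arguments: $1 - config file; $2 - path of the up/down helper script
# Only whole lines reading "script-security 2", "up <helper>" or "down <helper>"
# (optional surrounding whitespace) are rewritten; a quoted helper path or extra
# arguments on the line are left untouched. Commented lines no longer match, so
# running this repeatedly is idempotent. Returns sed's exit status.
comment_out_dns_hooks() {
  local conf=$1 helper=$2 helper_re
  # Escape ERE metacharacters so the helper path is matched literally instead of
  # being interpolated into the sed pattern as a regex.
  helper_re=$(printf '%s' "${helper}" | sed -E 's/[][(){}.*+?|^$\\]/\\&/g')
  sed -i -E \
    -e 's|^([[:space:]]*)(script-security 2)[[:space:]]*$|\1#\2|' \
    -e "s|^([[:space:]]*)(up ${helper_re})[[:space:]]*\$|\1#\2|" \
    -e "s|^([[:space:]]*)(down ${helper_re})[[:space:]]*\$|\1#\2|" \
    -- "${conf}"
}

info "Commenting out DNS hooks in ${TARGET_CONF} ..."
comment_out_dns_hooks "${TARGET_CONF}" "${DNS_HELPER_PATH}"
success "DNS hooks disabled (re-running this script is safe / idempotent)"

# "script-security 2" gates every config-driven script, not only the DNS helper.
# If other hook directives remain, OpenVPN will now refuse to run them and the
# unit may fail to start, so say so before the restart that follows.
if grep -Eq '^[[:space:]]*(up|down|route-up|route-pre-down|ipchange|tls-verify)[[:space:]]' "${TARGET_CONF}"; then
  warning "Other script hooks remain in ${TARGET_CONF} while script-security 2 is now commented out; OpenVPN may refuse to start until you re-enable it or remove those hooks."
fi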

# Restart the client unit if it is installed. A failed restart is deliberately
# not fatal: the config edit is already done and backed up, and the state check
# below tells the operator where to look.
if ! systemctl cat "${SERVICE_NAME}" >/dev/null 2>&1; then
  warning "${SERVICE_NAME} not found; skipped restart. Start it yourself once OpenVPN is set up: systemctl restart ${SERVICE_NAME}"
else
  info "Restarting ${SERVICE_NAME} ..."
  systemctl restart "${SERVICE_NAME}" || true   # non-fatal on purpose; see is-active check
  sleep 3   # give OpenVPN a moment to settle before sampling the unit state
  if ! systemctl is-active --quiet "${SERVICE_NAME}"; then
    warning "${SERVICE_NAME} is not active. Review: journalctl -u ${SERVICE_NAME} -n 100 --no-pager"
  else
    success "${SERVICE_NAME} is active"
  fi
fi

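# Write a resolv.conf-style file holding exactly the given nameservers.
# Arguments: $1 - target file; $2... - resolver addresses (IPv4 dotted-quad or IPv6)
# Returns 1 without touching the file if the list is empty or any address fails
# the (deliberately loose) syntax check, otherwise 0.
# The content is assembled first and written in one go by truncating the existing
# file in place: a bad argument can never leave a half-written resolv.conf, and
# the file's inode, mode and SELinux label survive (a mktemp+mv replacement in
# /etc would not keep the label).
write_nameservers() {
  local target=$1 addr content=''
  shift
  [ $# -gt 0 ] || return 1
  for addr in "$@"; do
    if [[ "${addr}" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] \
       || [[ "${addr}" =~ ^[0-9A-Fa-f:]*:[0-9A-Fa-f:.]*$ ]]; then
      content+="nameserver ${addr}"$'\n'
    else
      return 1
    fi
  done
  printf '%s' "${content}" > "${target}"
}

if [ -n "${SET_DNS}" ]; then
  info "Writing /etc/resolv.conf with: ${SET_DNS}"
  # --set-dns is a whitespace-separated list; read it into an array instead of
  # expanding it unquoted so no globbing happens on the values.
  read -r -a dns_list <<< "${SET_DNS}"
  # ${arr[@]+"${arr[@]}"} keeps an empty array from tripping `set -u` on bash 4.2 (CentOS 7).
  write_nameservers /etc/resolv.conf ${dns_list[@]+"${dns_list[@]}"} \
    || error "Invalid nameserver in --set-dns \"${SET_DNS}\" (expected IPv4/IPv6 addresses); /etc/resolv.conf left unchanged"
  success "/etc/resolv.conf updated"
  warning "NetworkManager may rewrite /etc/resolv.conf on the next connection event unless its DNS management is disabled."
fi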

# Final summary for the operator: what was edited, where the backup is, and
# what (if anything) still needs doing for /etc/resolv.conf.
printf '\n'
printf '%b\n' "${GREEN}============================================================${NC}"
printf '%b\n' "${GREEN} OpenVPN DNS override disabled                               ${NC}"
printf '%b\n' "${GREEN}============================================================${NC}"
printf '\n'
printf '%b\n' "  ${BLUE}Config:${NC}  ${TARGET_CONF}"
printf '%b\n' "  ${BLUE}Backup:${NC}  ${BACKUP}"
printf '\n'
if [ -z "${SET_DNS}" ]; then
  # Nothing touched resolv.conf, so the resolvers pushed by the VPN may still be in effect.
  printf '%b\n' "  ${YELLOW}/etc/resolv.conf was NOT changed.${NC} It may still hold the old VPN DNS."
  printf '%b\n' "  Set your own resolver, e.g.:"
  printf '%s\n' "    printf 'nameserver 114.114.114.114\\nnameserver 223.5.5.5\\n' > /etc/resolv.conf"
  printf '%b\n' "  Or re-run with: --set-dns \"114.114.114.114 223.5.5.5\""
  printf '\n'
fi
printf '%b\n' "  ${BLUE}Verify:${NC} cat /etc/resolv.conf"
printf '%b\n' "  ${BLUE}Re-enable later:${NC} remove the leading # from script-security/up/down in the config, then restart."
printf '\n'
