How to force resolving of dns before reconnect after network change?

[AnAnalogGuy]

My OpenVPN server is running on opnsense. It is listening on the WAN interface as well as on the WLAN interface. The WAN interface has a static public IP4 address while the WAN interface has a static private IP4 address. Both interfaces share the same DNS like firewall.example.com. However, if the smartphone is connected to the WLAN interface, firewall.example.com resolves to the WLANs interface private IP while if the smartphone is connected to the Mobile Network, the public DNS servers return the WAN IP address. Like this, from a configuration point of view, the VPN server can be reached under the same dns no matter which network the smartphone is connected to.

When I manually connect and deconnect while i switch networks, this is working fine. However, there is a problem with this configuration:. Automatic reconnect. When i.e. the vpn tunnel was established when connected to the WLAN, leaving the WLAN area, the smartphone is switching to the mobile network and openvpn client for android detects that there was a change in the network. It therefore starts to reconnect. However it fails. It seems, the reason for this is that the openvpn client does not force a new dns lookup while reconnecting, so when trying to reach firewall.example.com it still is using the WLAN ip that has been resolved earlier. When I say the openvpn client is doing this, I guess it's rather the underlying dns client caching from Androids DNS client. However, when manually connecting and reconnecting, the correct IP is used, so in this case the client is able to trigger/force a DNS lookup.

Does this observation sound consistent with OpenVPN for Android's implemenation? Is there something i can do configuration-wise to solve this issue? Or would it need a change in the code to force a dns lookup on reconnect?

[schwabe]

if you enable persist-tun the implementation will cache DNS lookups as you cannot do DNS resolution if persist-tun is enabled.

[AnAnalogGuy]

Hallo Arne. Verstehe ich.

Aber: Wenn der client merkt, dass das Netz resp. das Interface geändert hat, handelt es sich ja nicht mehr um einen persist-tun case, denn durch den Interface-Wechsel ist implizit klar, dass der bestehende Tunnel nicht mehr wieder etabliert werden kann. Ergo muss beim Wechsel des Interface ein neuer Tunnel aufgebaut werden und dann ist ein DNS Lookup nicht nur sinnvoll sondern fast immer notwendig.

[AnAnalogGuy]

Oder noch etwas anderes formuliert: persist-tun ist doch dazu da, bei connectivity timeouts OHNE Wechsel des Interface den Tunnel weiter offen zu halten und einen reconnect zu versuchen. Wenn aber die connectivity verloren geht weil das Interface gewechselt wird, dann ist das nicht mehr der persist-tun case.

[schwabe]

You have to pick between persistent interface and DNS reresolution. persist-tun blocks DNS while the VPN is reconnecting, therefore it is caching DNS when persist-tun is enabled.

[AnAnalogGuy]

Okay, then i will check if I can implement a workaround that detects the network change and automatically turns off the current vpn connection and turns it on again.