Tutorial: Configure Domain Routing Settings Using the Access Server CLI
Configure Domain Routing in OpenVPN Access Server using CLI commands. Learn how to manage DNS proxy settings, IPv4/IPv6 routing behavior, and optimize domain-based access control.
Overview
This tutorial shows how to configure and manage domain routing-related settings in Access Server using the command-line interface (CLI).
Domain routing allows you to control how DNS queries are handled and routed for specific domains. To support this, Access Server uses a DNS proxy to intercept client DNS queries and return VPN-routable IP addresses for matched domains.
When domain routing rules are active, the DNS proxy ensures that clients resolve those domains to addresses that can be routed through the VPN. For all other domains, DNS queries are handled normally using the configured DNS server.
Prerequisites
Access Server 3.1.0 or newer.
Root privileges on your Access Server's console.
Decide which DNS proxy mode to use:
auto (default): Uses the DNS proxy only when domain-based access rules are active; otherwise, queries go directly to the configured DNS servers.
always: Forces all DNS queries through Access Server.
never: Disables the DNS proxy (this also disables domain-based routing rules).
Run the following commands:
sacli --key "dnsproxy.mode" --value "<VALUE>" ConfigPut
sacli start
Important
In Access Server 3.1.0+, the DNS proxy is enabled by default (auto).
In some upgrade scenarios, it may remain disabled (never).
The DNS proxy can only be disabled when using split tunnel.
Set the IPv4 subnet used for DNS-mapped addresses:
sacli --key "dnsproxy.ipv4_pool_net" --value "<VALUE>" ConfigPut
sacli start
Important
The default value is 100.64.0.0/10. You don't typically need to change this unless it conflicts with your network.
Set the DNS proxy listening port:
sacli --key "dnsproxy.listen_port" --value "<VALUE>" ConfigPut
sacli start
Important
The default port is 953. Only change it if there's a port conflict, and make sure the port you choose won't conflict with other Access Server port settings.
Set the timeout (in seconds) for DNS responses:
sacli --key "dnsproxy.forwarder_timeout" --value "<VALUE>" ConfigPut
sacli start
Important
The default is 15 seconds. This usually doesn't need adjustment.
Set the IPv6 subnet:
sacli --key "dnsproxy.ipv6_pool_net" --value "<VALUE>" ConfigPut
sacli start
Important
The default is fd15:6e1d:c3ab:49c3::/64. This applies only if IPv6 is enabled.
Only change it if there's a subnet conflict, and make sure the subnet you choose won't conflict with your existing configuration.
Decide how AAAA responses are handled:
routed (default): Allows IPv6 responses only when IPv6 routing is configured.
all: Discards all AAAA responses.
Apply the setting:
sacli --key "dnsproxy.strip_aaaa" --value "<VALUE>" ConfigPut
sacli start
Important
With routed (default):
If IPv6 routing isn't configured, AAAA responses aren't sent to VPN clients, even if a domain routing rule exists.
If IPv6 routing is configured, AAAA responses are allowed, and clients receive IPv6 addresses from the configured subnet.
In most cases, the default setting is sufficient and doesn't require changes.
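The steps above each hand a raw value to sacli, and the cautions attached to them (a pool subnet that collides with your network, a port that collides with another Access Server port, disabling the proxy on a full-tunnel server) are only caught after the fact. The script below is an added example, not part of the OpenVPN documentation or of Access Server itself: it checks every dnsproxy.* value locally, refuses the two combinations the tutorial calls out as unsupported, and only then emits (or, with DRY_RUN=0, executes) the same ConfigPut/start sequence shown above. It assumes sacli is at /usr/local/openvpn_as/scripts/sacli (override with SACLI=...), and that you pass in your VPN client subnet and whether the server reroutes the default gateway; 172.27.224.0/20 in the usage line is a constructed example value, not read from any server.

```shell
#!/bin/sh
# Added example (not OpenVPN's own code): validate dnsproxy.* settings before
# handing them to sacli.  Assumptions: sacli path below; the caller supplies the
# VPN client subnet and the reroute-gateway flag from their own configuration.

SACLI="${SACLI:-/usr/local/openvpn_as/scripts/sacli}"

valid_mode()       { case $1 in auto|always|never) return 0;; *) return 1;; esac; }
valid_strip_aaaa() { case $1 in routed|all) return 0;; *) return 1;; esac; }
valid_uint()       { case $1 in ''|*[!0-9]*) return 1;; *) return 0;; esac; }
valid_port()       { valid_uint "$1" && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; }

# a.b.c.d -> 32-bit integer (positional parameters are local to the function)
ip4_to_int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Accepts a.b.c.d/len with octets 0-255 and 0 <= len <= 32
valid_cidr4() {
    ip=${1%/*}; len=${1#*/}
    [ "$ip" != "$1" ] && valid_uint "$len" && [ "$len" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        valid_uint "$o" && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Prints "first last" of an IPv4 prefix as integers
cidr4_range() {
    base=$(ip4_to_int "${1%/*}")
    size=$(( 1 << (32 - ${1#*/}) ))
    first=$(( base & ~(size - 1) ))
    echo "$first $(( first + size - 1 ))"
}

# Exit 0 when the two IPv4 prefixes share at least one address
cidr4_overlap() {
    set -- $(cidr4_range "$1") $(cidr4_range "$2")
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# dnsproxy_commands MODE PORT TIMEOUT IPV4_POOL IPV6_POOL STRIP_AAAA VPN_CLIENT_NET REROUTE_GW
# Prints the sacli commands on success; prints the reason to stderr and returns 1 otherwise.
dnsproxy_commands() {
    mode=$1 port=$2 timeout=$3 v4pool=$4 v6pool=$5 strip=$6 clientnet=$7 reroute=$8
    valid_mode "$mode"        || { echo "dnsproxy.mode must be auto|always|never, got '$mode'" >&2; return 1; }
    valid_port "$port"        || { echo "dnsproxy.listen_port must be 1-65535, got '$port'" >&2; return 1; }
    valid_uint "$timeout"     || { echo "dnsproxy.forwarder_timeout must be a whole number of seconds" >&2; return 1; }
    valid_cidr4 "$v4pool"     || { echo "dnsproxy.ipv4_pool_net must be an IPv4 CIDR, got '$v4pool'" >&2; return 1; }
    valid_strip_aaaa "$strip" || { echo "dnsproxy.strip_aaaa must be routed|all, got '$strip'" >&2; return 1; }
    # Tutorial caveat: the DNS proxy can only be disabled on a split-tunnel server.
    if [ "$mode" = never ] && [ "$reroute" = true ]; then
        echo "dnsproxy.mode=never requires split tunnel (reroute_gw is true)" >&2; return 1
    fi
    # The mapped-address pool must not collide with addresses the VPN already hands out.
    if valid_cidr4 "$clientnet" && cidr4_overlap "$v4pool" "$clientnet"; then
        echo "dnsproxy.ipv4_pool_net $v4pool overlaps the VPN client subnet $clientnet" >&2; return 1
    fi
    for kv in "dnsproxy.mode=$mode" "dnsproxy.listen_port=$port" \
              "dnsproxy.forwarder_timeout=$timeout" "dnsproxy.ipv4_pool_net=$v4pool" \
              "dnsproxy.ipv6_pool_net=$v6pool" "dnsproxy.strip_aaaa=$strip"; do
        printf '%s --key "%s" --value "%s" ConfigPut\n' "$SACLI" "${kv%%=*}" "${kv#*=}"
    done
    printf '%s start\n' "$SACLI"
}

# Dry run by default (prints the commands); DRY_RUN=0 executes them, stopping on the first failure.
apply_dnsproxy() {
    cmds=$(dnsproxy_commands "$@") || return 1
    if [ "${DRY_RUN:-1}" = 0 ]; then printf '%s\n' "$cmds" | sh -e; else printf '%s\n' "$cmds"; fi
}

# Usage (defaults from the tutorial; 172.27.224.0/20 is a constructed client subnet):
if [ "${RUN_EXAMPLE:-0}" = 1 ]; then
    apply_dnsproxy auto 953 15 100.64.0.0/10 fd15:6e1d:c3ab:49c3::/64 routed 172.27.224.0/20 false
fi
```

Run it first as a dry run to see the exact sacli lines it would issue, then with DRY_RUN=0 as root; `sh -e` stops at the first failing ConfigPut so a half-applied set of keys is not followed by a restart. After applying, confirm the stored values with `sacli ConfigQuery` before relying on the new behaviour. The IPv6 pool is passed through unchecked here; extending the overlap test to IPv6 is left out to keep the example short.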