What if the author simply used 1.1.1.1 / 8.8.8.8 / any other public DNS outside of their country for all traffic? It's an easier solution (yeah, with some drawbacks)
That doesn't work unfortunately. I specifically DNAT addresses like those to my own local DNS on my home network to prevent apps with hard-coded DNS from hitting them.
If it can be done at a home network level, you bet it can be done at ISP/government level.
The only safe/working option is to tunnel everything down a VPN somewhere outside of the problem region, and go out from there. The VPN connection implicitly provides a cryptographic verification that the connection isn't being intercepted or redirected (when done right).
>Okay, at that point I was clueless. I tried changing the DNS settings of OpenVPN (i.e. dhcp-option DNS 1.1.1.1) but it didn't work. After a couple of iterations with ChatGPT, it finally led me to the correct path.
This line was a no-op until the author started using the `up` script as they describe later.
> The OpenVPN server can push DHCP options such as DNS and WINS server addresses to clients (some caveats to be aware of). Windows clients can accept pushed DHCP options natively, while non-Windows clients can accept them by using a client-side up script which parses the foreign_option_n environmental variable list.
It's still not clear to me what the experience would have been if the author had only 1.1.1.1 set at the system level, not touching any OpenVPN options.
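As an added illustration of the quoted OpenVPN docs passage (this is example code, not any commenter's or the OpenVPN project's script): a minimal client-side `up` script fragment that walks the `foreign_option_n` environment variables OpenVPN exports and turns the pushed `dhcp-option DNS`/`DOMAIN` values into resolv.conf lines, so queries go to the resolver reachable through the tunnel rather than to a system resolver that the ISP could redirect. The `foreign_option_*` values below are constructed sample input; a real script would write the output to `/etc/resolv.conf` or hand it to `resolvconf`.

```shell
#!/bin/sh
# Hypothetical OpenVPN "up" script fragment (added example).
# OpenVPN exports pushed options to the up script as numbered variables:
#   foreign_option_1="dhcp-option DNS 10.8.0.1"
#   foreign_option_2="dhcp-option DOMAIN vpn.example"
# Only non-Windows clients need this; Windows applies them natively.

nl='
'

# Walk foreign_option_1, foreign_option_2, ... until the first unset one
# and print resolv.conf content for the DNS and DOMAIN options found.
# Other dhcp-option types (e.g. WINS) are deliberately ignored.
foreign_options_to_resolvconf() {
    i=1
    ns=""
    domains=""
    while :; do
        eval "opt=\${foreign_option_${i}:-}"
        [ -n "$opt" ] || break
        # split "dhcp-option DNS 10.8.0.1" into $1 $2 $3 (function-local)
        set -- $opt
        if [ "$1" = "dhcp-option" ]; then
            case "$2" in
                DNS)    ns="${ns}nameserver $3${nl}" ;;
                DOMAIN) domains="${domains:+$domains }$3" ;;
            esac
        fi
        i=$((i + 1))
    done
    if [ -n "$domains" ]; then
        printf 'search %s\n' "$domains"
    fi
    printf '%s' "$ns"
}

# Constructed sample of what OpenVPN would export after a successful push.
foreign_option_1="dhcp-option DNS 10.8.0.1"
foreign_option_2="dhcp-option DOMAIN vpn.example"
foreign_option_3="dhcp-option DNS 10.8.0.2"
foreign_option_4="dhcp-option WINS 10.8.0.3"

foreign_options_to_resolvconf
```

Without an `up` script like this (or `--dhcp-option` handling by the client), the pushed DNS option changes nothing on Linux/macOS, which is why the OpenVPN config line alone had no effect.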