As usual forgot Cc: list

---------- Forwarded message ----------
From: Selva Nair <selva.n...@gmail.com>
Date: Tue, Aug 23, 2016 at 4:57 PM
Subject: Re: [Openvpn-devel] block-outside-dns and multiple tunnels
To: Gert Doering <g...@greenie.muc.de>
On Tue, Aug 23, 2016 at 4:44 PM, Gert Doering <g...@greenie.muc.de> wrote:
> On Tue, Aug 23, 2016 at 11:23:29AM -0400, Selva Nair wrote:
> > It was agreed to move this forward by looking into the approaches
> > suggested by Selva, and by giving him feedback.
> >
> > So what is the consensus? Should we support DNS through all tunnels for
> > which block-outside-dns is specified or just make sure DNS works through at
> > least one of the tunnels if the option is used on multiple ones?
>
> "principle of least astonishment" (POLA) would be "DNS inside the tunnels
> works, outside the tunnels doesn't, no matter which tunnel was opened
> first." "DNS does not work at all" is the worst variant, because a normal
> user (including most "client admins") will not be able to see why this
> would be happening - I can already see this with normal users, Win10 and
> OpenVPN that they never attribute to DNS failures if "outlook does not
> work"...
>
> You had some suggestions upthread how to change the WFP stuff to make
> it cooperate (and perform) better - so "feature-ACK" on that approach :-)

I did make a patch along those lines and it appears to work fine. Will do
some more testing before I post it.

Fully respecting "least surprise" is hard, though. Consider this:

1. Two tunnels both with block-outside-dns: my approach will support DNS
   through both and that sounds not surprising.

2. Two tunnels, one says block-outside-dns, the other doesn't: in my planned
   approach the first one will block DNS through all interfaces except
   itself, the second one will not add any firewall rules. So DNS will work
   through tunnel 1, not through tunnel 2. That may surprise some.

To resolve this every openvpn tunnel will have to add a "permit dns through
my tunnel interface" rule no matter whether block-outside-dns is specified
or not. Eventually it boils down to what is meant by "outside".

Selva
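The two scenarios above can be worked through with a small rule-evaluation model. The following is an added illustration, not OpenVPN's own code and not the WFP API: it reduces Windows Filtering Platform behaviour to "among the filters matching a packet, the highest-weight one decides, and with no match the packet is allowed", which is enough to show why tunnel 2 loses DNS in scenario 2 and why a per-tunnel "permit DNS on my own adapter" rule repairs it. Adapter names (eth0, tun1, tun2), rule weights and the function names are constructed for the example; real WFP evaluation also involves sublayers and callouts that are left out here.

```python
"""Model of how block-outside-dns firewall rules interact across two
OpenVPN tunnels on Windows.  Added illustration, not OpenVPN's code:
it mimics the WFP rule of thumb that, among the filters matching a packet,
the one with the highest weight decides.  Interface names (eth0, tun1,
tun2) and weights are constructed sample values.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "block"
    weight: int            # higher weight wins when several rules match
    iface: Optional[str]   # None means "matches every interface"
    owner: str             # tunnel instance that installed the rule


class Firewall:
    """Minimal stand-in for the WFP sublayer OpenVPN adds its filters to."""

    def __init__(self) -> None:
        self.rules: List[Rule] = []

    def add(self, rule: Rule) -> None:
        self.rules.append(rule)

    def remove_owner(self, owner: str) -> None:
        # A tunnel tearing down removes only the filters it added itself.
        self.rules = [r for r in self.rules if r.owner != owner]

    def dns_allowed(self, iface: str) -> bool:
        """Verdict for a DNS (port 53) packet leaving via `iface`:
        highest weight wins; with no matching rule the default is allow."""
        matching = [r for r in self.rules if r.iface is None or r.iface == iface]
        if not matching:
            return True
        return max(matching, key=lambda r: r.weight).action == "permit"


def apply_block_outside_dns(fw: Firewall, tunnel: str) -> None:
    """What a tunnel configured with block-outside-dns installs: a low-weight
    block for DNS on every interface plus a higher-weight permit on its own
    adapter, so DNS only leaves the host through that tunnel."""
    fw.add(Rule("block", weight=0, iface=None, owner=tunnel))
    fw.add(Rule("permit", weight=2, iface=tunnel, owner=tunnel))


def apply_permit_own_dns(fw: Firewall, tunnel: str) -> None:
    """The extra step proposed in the thread: every tunnel, even one without
    block-outside-dns, permits DNS on its own adapter so another tunnel's
    block rule cannot starve it."""
    fw.add(Rule("permit", weight=2, iface=tunnel, owner=tunnel))


def build(configs: List[Tuple[str, bool]], permit_own_always: bool = False) -> Firewall:
    """configs lists tunnels in start order as (adapter name, uses block-outside-dns)."""
    fw = Firewall()
    for tunnel, wants_block in configs:
        if wants_block:
            apply_block_outside_dns(fw, tunnel)
        elif permit_own_always:
            apply_permit_own_dns(fw, tunnel)
    return fw


def reachability(fw: Firewall, ifaces: List[str]) -> Dict[str, bool]:
    """Which interfaces can still carry DNS queries under the current rules."""
    return {iface: fw.dns_allowed(iface) for iface in ifaces}


if __name__ == "__main__":
    ifaces = ["eth0", "tun1", "tun2"]
    # Scenario 1: both tunnels use block-outside-dns -> DNS works in both.
    print(reachability(build([("tun1", True), ("tun2", True)]), ifaces))
    # Scenario 2: only tun1 uses it -> tun2 loses DNS ...
    print(reachability(build([("tun1", True), ("tun2", False)]), ifaces))
    # ... unless every tunnel permits DNS on its own adapter.
    print(reachability(build([("tun1", True), ("tun2", False)], permit_own_always=True), ifaces))
```

Because each rule carries its owner, tearing down tun1 with `remove_owner("tun1")` drops its global block as well as its permit, which is the behaviour a user expects when the tunnel that imposed the restriction goes away.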