Hi,

It has been reported (Trac 718) that --block-outside-dns on multiple
tunnels blocks all DNS traffic. My tests appear to confirm this.

Apparently this is due to each openvpn instance adding filters to
independent sublayers. With two tunnels we get port 53 filters in two
sublayers:

sublayer 1: permit openvpn, permit tap1, block all  (in that order)
sublayer 2: permit openvpn, permit tap2, block all

Filter arbitration works roughly like this: filters in each sublayer are
evaluated in order of priority, stopping at the first match. Then the results
from all sublayers are considered in order of priority in determining the
final action: a block is final and by default a permit may be overridden by a
block in lower priority sublayers. So for traffic through tap1, we get a
permit from sublayer 1 and a block from sublayer 2, leading to a block, etc.

This could be partially mitigated by making the permit tap1/tap2 filters hard
(they are soft by default, i.e. may be overridden). I say partially
because only one of the "permit tap" filters can be thus protected.

I see two ways to allow DNS traffic through all tunnels for which
--block-outside-dns is set.

1. Add all filters to the default sublayer --- this is the easiest
option but not ideal: cluttering the default sublayer with custom filters
may not be considered a good practice.

2. Add all filters to a common custom sublayer. This requires a pre-defined
UUID that could be used to define the sublayer and shared between all
instances of openvpn.

For UUID,
(a) generate a machine-specific UUID at install time, save in the registry
and use it as the sublayer key

OR

(b) hard code a UUID in the executable and use it as the sublayer key

I prefer (b) as it's simpler.

Note that each additional instance will add duplicate filters like "permit
openvpn" or a low priority "block all". This is required as these filters
are added in a dynamic session so that they disappear if the process
terminates or crashes without removing the filters. As parsing filters
within a sublayer stops as soon as a match (permit or block) is found, no
performance penalty is expected. In any case it will have less overhead
than the current situation with multiple sublayers.

Any suggestions?

Selva

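The arbitration rules described in the message above can be checked with a small simulation. The following is an added example, not part of the original thread and not OpenVPN's or the Windows Filtering Platform's code: it models sublayers, filter weights and hard/soft permits as the message describes them, then runs the same three port-53 filters per instance through (a) two per-instance sublayers, (b) the same with hard "permit tap" filters, and (c) one shared sublayer. The filter names, weights, sublayer names and the sample packets are constructed for illustration; the "permit when nothing matches" default and the insertion-order tie-break for equal weights are assumptions of the model, not guarantees of WFP.

```python
"""Toy model of WFP filter arbitration across sublayers (illustrative
simulation only; not the WFP API and not OpenVPN's own code)."""

from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

PERMIT, BLOCK = "permit", "block"


@dataclass
class Filter:
    name: str
    action: str                      # PERMIT or BLOCK
    matches: Callable[[dict], bool]  # condition on a packet (a plain dict)
    weight: int                      # higher weight is evaluated first
    hard: bool = False               # hard permit: cannot be overridden by a
                                     # block in a lower-priority sublayer


@dataclass
class SubLayer:
    name: str
    weight: int                      # higher weight is consulted first
    filters: List[Filter] = field(default_factory=list)


def first_match(sublayer: SubLayer, packet: dict) -> Optional[Filter]:
    """Within a sublayer, evaluation stops at the first matching filter.
    Equal weights are broken by insertion order here (assumption of the
    model; real WFP leaves that order unspecified)."""
    for f in sorted(sublayer.filters, key=lambda f: -f.weight):
        if f.matches(packet):
            return f
    return None


def arbitrate(sublayers: List[SubLayer], packet: dict) -> Tuple[str, list]:
    """Combine sublayer results in sublayer-priority order: a block is final,
    a soft permit may still be overridden by a block in a lower-priority
    sublayer, a hard permit ends evaluation with permit. No match anywhere
    is treated as permit (assumption of the model)."""
    trace = []
    for sl in sorted(sublayers, key=lambda s: -s.weight):
        f = first_match(sl, packet)
        if f is None:
            continue
        trace.append(f"{sl.name}: {f.name}")
        if f.action == BLOCK:
            return BLOCK, trace
        if f.hard:
            return PERMIT, trace
    return PERMIT, trace


def instance_filters(inst: str, tap: str, hard_tap: bool = False) -> List[Filter]:
    """The three port-53 filters one openvpn instance adds: permit its own
    process, permit its TAP adapter, block everything else (in that order)."""
    is_dns = lambda p: p["port"] == 53
    return [
        Filter(f"{inst} permit openvpn", PERMIT,
               lambda p: is_dns(p) and p["process"] == "openvpn.exe", weight=3),
        Filter(f"{inst} permit {tap}", PERMIT,
               lambda p, tap=tap: is_dns(p) and p["iface"] == tap, weight=2,
               hard=hard_tap),
        Filter(f"{inst} block all", BLOCK, is_dns, weight=1),
    ]


def per_instance_sublayers(hard_tap: bool = False) -> List[SubLayer]:
    """Current layout: every instance creates its own sublayer."""
    return [
        SubLayer("sublayer 1", 2, instance_filters("inst1", "tap1", hard_tap)),
        SubLayer("sublayer 2", 1, instance_filters("inst2", "tap2", hard_tap)),
    ]


def shared_sublayer() -> List[SubLayer]:
    """Proposed layout: one sublayer keyed by a GUID every instance knows, so
    both instances' filters (duplicates included) land in the same sublayer."""
    shared = SubLayer("openvpn shared", 1)
    shared.filters += instance_filters("inst1", "tap1")
    shared.filters += instance_filters("inst2", "tap2")
    return [shared]


# Constructed sample traffic: DNS on each tunnel, on the LAN adapter, and
# from openvpn.exe itself (it must still be able to resolve the server).
DNS_VIA_TAP1 = {"port": 53, "process": "svchost.exe", "iface": "tap1"}
DNS_VIA_TAP2 = {"port": 53, "process": "svchost.exe", "iface": "tap2"}
DNS_VIA_LAN = {"port": 53, "process": "svchost.exe", "iface": "eth0"}
OPENVPN_OWN_DNS = {"port": 53, "process": "openvpn.exe", "iface": "eth0"}


def verdict(sublayers: List[SubLayer], packet: dict) -> str:
    return arbitrate(sublayers, packet)[0]


if __name__ == "__main__":
    layouts = [("per-instance sublayers", per_instance_sublayers()),
               ("per-instance, hard permits", per_instance_sublayers(True)),
               ("shared sublayer", shared_sublayer())]
    packets = [("tap1", DNS_VIA_TAP1), ("tap2", DNS_VIA_TAP2),
               ("lan", DNS_VIA_LAN), ("openvpn.exe", OPENVPN_OWN_DNS)]
    for label, layout in layouts:
        print(label)
        for pname, pkt in packets:
            action, trace = arbitrate(layout, pkt)
            print(f"  {pname:12} -> {action:6} via {' ; '.join(trace)}")
```

Running it reproduces the reported behaviour: with two per-instance sublayers every tunnel's DNS is blocked (only openvpn.exe itself gets through, because both sublayers permit it), making the "permit tap" filters hard rescues tap1 but not tap2 (sublayer 1's "block all" already ends evaluation before sublayer 2's hard permit is reached), and with a single shared sublayer tap1 and tap2 are permitted while DNS on the LAN adapter stays blocked.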