On 08/02/17 13:39, Matthias Müller wrote:
> Hi all,
>
> I've noticed that OpenVPN connections under Debian Testing have started to
> leak DNS requests when they didn't in the past. I have an ovpn file to
> connect to AirVPN which contains the lines:
>
> script-security 2
> up /etc/openvpn/update-resolv-conf
> down /etc/openvpn/update-resolv-conf
>
> That used to work as it should. But now, before I start OpenVPN, my
> /etc/resolv.conf looks as follows:
>
> # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
> # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
> nameserver 192.168.178.1
> search fritz.box
>
> And once the OpenVPN tunnel is active, it looks like this:
>
> # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
> # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
> nameserver 10.4.0.1
> nameserver 192.168.178.1
> search fritz.box
>
> So the VPN nameserver (10.4.0.1) has been added correctly, but my local
> nameservers are still there! And indeed https://ipleak.net/ finds two DNS
> servers -- the AirVPN one which should be present, and the one of my local
> provider, which shouldn't.
>
> What's going wrong there and how can I fix it?

You need to check what the resolvconf script on your computer does, and if
there is a way to configure it to behave differently.

Otherwise, you can try to uninstall that script. Then the update-resolv-conf
script (if it is based on the client.up script we ship with OpenVPN) should
rename /etc/resolv.conf, create a new one with only the VPN-provided DNS
servers, and switch back afterwards.

The problem with this approach is if you use --user/--group in your OpenVPN
config, then you must run the client.down script via the down-root plugin -
otherwise the resolv.conf file is not restored properly.

--
kind regards,

David Sommerseth
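
A check for the symptom discussed in this thread, as an added example that is not part of the original messages or of the scripts shipped with OpenVPN: it lists every `nameserver` entry in a resolv.conf file that is not one of the VPN-provided resolvers. The function names are hypothetical, and the sample file is constructed from the "tunnel active" resolv.conf quoted above.

```shell
#!/bin/sh
# Added example: find resolv.conf nameservers that are not VPN-provided.
# Function names are hypothetical, not part of OpenVPN or resolvconf.

# usage: leaked_nameservers FILE ALLOWED_IP [ALLOWED_IP ...]
# Prints one line per nameserver in FILE that is not in the allowed list.
leaked_nameservers() {
    file=$1; shift
    allowed=" $* "
    # Only lines whose first field is "nameserver" count; comment lines and
    # "search"/"options" lines are ignored.
    awk '$1 == "nameserver" && $2 != "" { print $2 }' "$file" |
    while read -r ns; do
        case "$allowed" in
            *" $ns "*) ;;                 # VPN-provided resolver: expected
            *) printf '%s\n' "$ns" ;;     # any other resolver: report it
        esac
    done
}

# usage: check_dns_leak FILE ALLOWED_IP [ALLOWED_IP ...]
# Returns 0 when only allowed resolvers are configured, 1 otherwise.
check_dns_leak() {
    leaks=$(leaked_nameservers "$@")
    [ -z "$leaks" ] && return 0
    printf 'non-VPN nameserver still configured: %s\n' $leaks >&2
    return 1
}

# Constructed sample: the resolv.conf seen while the tunnel is up.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 10.4.0.1
nameserver 192.168.178.1
search fritz.box
EOF
check_dns_leak "$sample" 10.4.0.1 || echo "leak detected in sample"
rm -f "$sample"
```

Against a live system, pass `/etc/resolv.conf` and the DNS server address(es) pushed by the VPN once the tunnel is up.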
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users