Re: [Openvpn-users] DNS leak under Debian Testing
Hi David and all,

On 10/02/17 13:53, David Sommerseth wrote:
> On Debian, the down-root plugin should already be installed.  Try
> looking into /usr/lib{,64}/openvpn/plugin/ ... or query the openvpn deb
> package which files it has installed.  (I'm a YUM/DNF/RPM type of guy,
> don't know too much about the APT/DEB world)

All right, I found it and got things working as they should. Thanks a lot!

Matthias

--
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users

Re: [Openvpn-users] DNS leak under Debian Testing
On 09/02/17 13:01, Matthias Müller wrote:
> Hi David,
>
> On 08/02/17 13:52, David Sommerseth wrote:
>> You need to check what the resolvconf script on your computer does, and
>> if there is a way to configure it to behave differently.
>>
>> Otherwise, you can try to uninstall that script.  Then the
>> update-resolv-conf script (if it is based on the client.up script we
>> ship with OpenVPN), should rename /etc/resolv.conf, create a new one
>> with only the VPN provided DNS servers, and switch back afterwards.  The
>> problem with this approach is if you use --user/--group in your OpenVPN
>> config, then you must run the client.down script via the down-root
>> plugin - otherwise the resolv.conf file is not restored properly.
>
> Thanks for your help. Debian's /etc/openvpn/update-resolv-conf script is a
> bit different from client.up/client.down -- it simply gives up if
> /sbin/resolvconf doesn't exist. Also I wouldn't want resolvconf as I guess
> it's needed when not running OpenVPN.
>
> But I now got it basically working by downloading the client.up/client.down
> scripts and modifying them to simply skip the call to resolvconf, using the
> fallback solution instead.

Great!

> However, I don't know how to compile the down-root plugin -- I cloned the
> repo and the README says I should simply invoke "make". But there is no
> "Makefile" in the src/plugins/down-root directory, only "Makefile.am".
> "automake" or "autoreconf" don't work either (they ask for 'configure.ac' or
> 'configure.in'). Any hints?

On Debian, the down-root plugin should already be installed.  Try
looking into /usr/lib{,64}/openvpn/plugin/ ... or query the openvpn deb
package which files it has installed.  (I'm a YUM/DNF/RPM type of guy,
don't know too much about the APT/DEB world)

--
kind regards,

David Sommerseth

Re: [Openvpn-users] DNS leak under Debian Testing
On 09/02/17 12:01, Matthias Müller wrote:
> However, I don't know how to compile the down-root plugin -- I cloned the
> repo and the README says I should simply invoke "make". But there is no
> "Makefile" in the src/plugins/down-root directory, only "Makefile.am".
> "automake" or "autoreconf" don't work either (they ask for 'configure.ac' or
> 'configure.in'). Any hints?

See INSTALL in the root dir of your clone.

Re: [Openvpn-users] DNS leak under Debian Testing
Hi David,

On 08/02/17 13:52, David Sommerseth wrote:
> You need to check what the resolvconf script on your computer does, and
> if there is a way to configure it to behave differently.
>
> Otherwise, you can try to uninstall that script.  Then the
> update-resolv-conf script (if it is based on the client.up script we
> ship with OpenVPN), should rename /etc/resolv.conf, create a new one
> with only the VPN provided DNS servers, and switch back afterwards.  The
> problem with this approach is if you use --user/--group in your OpenVPN
> config, then you must run the client.down script via the down-root
> plugin - otherwise the resolv.conf file is not restored properly.

Thanks for your help. Debian's /etc/openvpn/update-resolv-conf script is a
bit different from client.up/client.down -- it simply gives up if
/sbin/resolvconf doesn't exist. Also I wouldn't want resolvconf as I guess
it's needed when not running OpenVPN.

But I now got it basically working by downloading the client.up/client.down
scripts and modifying them to simply skip the call to resolvconf, using the
fallback solution instead.

However, I don't know how to compile the down-root plugin -- I cloned the
repo and the README says I should simply invoke "make". But there is no
"Makefile" in the src/plugins/down-root directory, only "Makefile.am".
"automake" or "autoreconf" don't work either (they ask for 'configure.ac' or
'configure.in'). Any hints?

Thanks
Matthias

Re: [Openvpn-users] DNS leak under Debian Testing
On 08/02/17 13:39, Matthias Müller wrote:
> Hi all,
>
> I've noticed that OpenVPN connections under Debian Testing have started to
> leak DNS requests when they didn't in the past. I have an ovpn file to
> connect to AirVPN which contains the lines:
>
> script-security 2
> up /etc/openvpn/update-resolv-conf
> down /etc/openvpn/update-resolv-conf
>
> That used to work as it should. But now, before I start OpenVPN, my
> /etc/resolv.conf looks as follows:
>
> # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
> # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
> nameserver 192.168.178.1
> search fritz.box
>
> And once the OpenVPN tunnel is active, it looks like this:
>
> # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
> # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
> nameserver 10.4.0.1
> nameserver 192.168.178.1
> search fritz.box
>
> So the VPN nameserver (10.4.0.1) has been added correctly, but my local
> nameservers are still there! And indeed https://ipleak.net/ finds two DNS
> servers -- the AirVPN one which should be present, and the one of my local
> provider, which shouldn't.
>
> What's going wrong there and how can I fix it?

You need to check what the resolvconf script on your computer does, and
if there is a way to configure it to behave differently.

Otherwise, you can try to uninstall that script.  Then the
update-resolv-conf script (if it is based on the client.up script we
ship with OpenVPN), should rename /etc/resolv.conf, create a new one
with only the VPN provided DNS servers, and switch back afterwards.  The
problem with this approach is if you use --user/--group in your OpenVPN
config, then you must run the client.down script via the down-root
plugin - otherwise the resolv.conf file is not restored properly.

--
kind regards,

David Sommerseth
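
Added example, not part of any poster's message and not one of OpenVPN's
or Debian's scripts: a shell check for the symptom described in this thread,
a resolv.conf that still lists a nameserver the VPN did not push. It reads
the pushed servers from the foreign_option_N environment variables OpenVPN
hands to --up scripts; the function names are hypothetical and the sample
resolv.conf content is reconstructed from the addresses quoted above.

```shell
#!/bin/sh
# Added example: flag resolv.conf nameservers that were not pushed by the VPN.

# Print the DNS servers OpenVPN pushed, taken from the foreign_option_N
# environment variables it passes to --up scripts
# (e.g. foreign_option_1='dhcp-option DNS 10.4.0.1').
vpn_dns_from_env() {
    i=1
    while :; do
        eval "opt=\${foreign_option_$i:-}"
        [ -n "$opt" ] || break
        case "$opt" in
            "dhcp-option DNS "*) echo "${opt#dhcp-option DNS }" ;;
        esac
        i=$((i + 1))
    done
}

# Print every nameserver in resolv.conf file $1 that is not in the
# whitespace-separated allow-list $2. Exit status 1 means a leak.
leaked_nameservers() {
    resolv=$1 leaks=""
    allowed=$(echo $2)          # collapse newlines/tabs to single spaces
    while read -r key value rest || [ -n "$key" ]; do
        [ "$key" = "nameserver" ] || continue
        case " $allowed " in
            *" $value "*) ;;                  # pushed by the VPN: fine
            *) leaks="$leaks $value" ;;       # anything else bypasses it
        esac
    done < "$resolv"
    [ -n "$leaks" ] || return 0
    echo $leaks
    return 1
}

# Demo on the tunnel-up resolv.conf quoted in the thread (sample file
# constructed here from those addresses).
demo() {
    tmp=$(mktemp)
    printf 'nameserver 10.4.0.1\nnameserver 192.168.178.1\nsearch fritz.box\n' > "$tmp"
    foreign_option_1='dhcp-option DNS 10.4.0.1'
    leaked_nameservers "$tmp" "$(vpn_dns_from_env)"; rc=$?
    rm -f "$tmp"
    return $rc
}
demo || echo "DNS leak: the nameserver(s) above were not pushed by the VPN"
```

Called at the end of an --up script as
leaked_nameservers /etc/resolv.conf "$(vpn_dns_from_env)", the non-zero
exit status can be used to log or abort when a local resolver survives.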