This option blocks all out-of-tunnel communication on TCP/UDP port 53 (except
for OpenVPN itself), preventing DNS leaks on Windows 8.1 and 10.
---
doc/openvpn.8 | 12 +++-
src/openvpn/Makefile.am | 2 +-
src/openvpn/init.c | 22 ++
src/openvpn/openvpn.vcxproj | 4 +-
src/openvpn/options.c | 14
src/openvpn/options.h | 1 +
src/openvpn/win32.c | 166
src/openvpn/win32.h | 56 +++
8 files changed, 272 insertions(+), 5 deletions(-)
mode change 100755 => 100644 src/openvpn/openvpn.vcxproj
diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 2978b7f..dc7eea1 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -1129,8 +1129,8 @@ When used with
.B \-\-client
or
.B \-\-pull,
-accept options pushed by server EXCEPT for routes and dhcp options
-like DNS servers.
+accept options pushed by server EXCEPT for routes, block-outside-dns and dhcp
+options like DNS servers.
When used on the client, this option effectively bars the
server from adding routes to the client's routing table,
@@ -5562,6 +5562,14 @@ adapter list to the syslog or log file after the TUN/TAP
adapter
has been brought up and any routes have been added.
.\"*
.TP
+.B \-\-block\-outside\-dns
+Block DNS servers on other network adapters to prevent
+DNS leaks. This option prevents any application from accessing
+TCP or UDP port 53 except one inside the tunnel. It uses +Windows Filtering
Platform (WFP) and works on Windows Vista or
+later.
+.\"*
+.TP
.B \-\-dhcp\-renew
Ask Windows to renew the TAP adapter lease on startup.
This option is normally unnecessary, as Windows automatically
diff --git a/src/openvpn/Makefile.am b/src/openvpn/Makefile.am
index c840f16..c55a520 100644
--- a/src/openvpn/Makefile.am
+++ b/src/openvpn/Makefile.am
@@ -127,5 +127,5 @@ openvpn_LDADD = \
$(OPTIONAL_DL_LIBS)
if WIN32
openvpn_SOURCES += openvpn_win32_resources.rc
-openvpn_LDADD += -lgdi32 -lws2_32 -lwininet -lcrypt32 -liphlpapi -lwinmm
+openvpn_LDADD += -lgdi32 -lws2_32 -lwininet -lcrypt32 -liphlpapi -lwinmm
-lfwpuclnt -lrpcrt4
endif
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index c5c0ab6..dfc1314 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -1468,6 +1468,20 @@ do_open_tun (struct context *c)
"up",
c->c2.es);
+#if defined(WIN32)
+ if (c->options.block_outside_dns)
+ {
+ if (!win_wfp_init())
+msg (M_FATAL, "Initialising WFP failed!");
+else
+{
+dmsg (D_LOW, "Blocking outside DNS");
+if (!win_wfp_block_dns(c->c1.tuntap->adapter_index))
+msg (M_FATAL, "Blocking DNS failed!");
+}
+ }
+#endif
+
/* possibly add routes */
if ((route_order() == ROUTE_AFTER_TUN) &&
(!c->options.route_delay_defined))
do_route (>options, c->c1.route_list, c->c1.route_ipv6_list,
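Review bot: When win_wfp_block_dns() fails, the added block leaves through msg(M_FATAL) without calling win_wfp_uninit(), so the engine session opened by win_wfp_init() a few lines earlier is never closed explicitly; whether filters already installed by win_wfp_block_dns() are removed at that point depends on how win32.c opens the session, which is not visible in this hunk. Calling `win_wfp_uninit();` immediately before the second `msg (M_FATAL, "Blocking DNS failed!");` makes the cleanup explicit on the failure path instead of relying on session flags or process exit. A one-line comment above the `#if defined(WIN32)` block, such as `/* install the WFP port-53 block before any routes are added (see do_route below) */`, would record the intent of placing it ahead of the route setup, presumably so no DNS traffic can escape while routes are still being added. do_open_tun's body continues outside the hunk.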
@@ -1596,6 +1610,14 @@ do_close_tun (struct context *c, bool force)
"down",
c->c2.es);
+#if defined(WIN32)
+if (c->options.block_outside_dns)
+{
+if (!win_wfp_uninit())
+msg (M_FATAL, "Uninitialising WFP failed!");
+}
+#endif
+
/* actually close tun/tap device based on --down-pre flag */
if (c->options.down_pre)
do_close_tun_simple (c);
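Review bot: The teardown path logs nothing when the port-53 block is lifted, while the open path in the previous hunk logs `Blocking outside DNS` at D_LOW; adding `dmsg (D_LOW, "Unblocking outside DNS");` before the win_wfp_uninit() call gives an operator one log line per transition, which helps when do_close_tun and do_open_tun cycle on a restart. The M_FATAL on a failed uninit also deserves a comment: it ends the process rather than completing the close, which may be the intended fail-safe (a stale session would keep port 53 blocked after the tunnel is gone) but is not stated. If that is the reasoning, `/* fail hard: a WFP session left behind would keep port 53 blocked with no tunnel */` above the msg() call would document it. do_close_tun's body begins outside the hunk.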
diff --git a/src/openvpn/openvpn.vcxproj b/src/openvpn/openvpn.vcxproj
old mode 100755
new mode 100644
index b117b0b..821c46c
--- a/src/openvpn/openvpn.vcxproj
+++ b/src/openvpn/openvpn.vcxproj
@@ -64,7 +64,7 @@
$(SOURCEBASE);%(AdditionalIncludeDirectories)
-
libeay32.lib;ssleay32.lib;lzo2.lib;pkcs11-helper.dll.lib;gdi32.lib;ws2_32.lib;wininet.lib;crypt32.lib;iphlpapi.lib;winmm.lib;%(AdditionalDependencies)
+
libeay32.lib;ssleay32.lib;lzo2.lib;pkcs11-helper.dll.lib;gdi32.lib;ws2_32.lib;wininet.lib;crypt32.lib;iphlpapi.lib;winmm.lib;Fwpuclnt.lib;Rpcrt4.lib;%(AdditionalDependencies)
$(OPENSSL_HOME)/lib;$(LZO_HOME)/lib;$(PKCS11H_HOME)/lib;%(AdditionalLibraryDirectories)
true
Console
@@ -89,7 +89,7 @@
$(SOURCEBASE);%(AdditionalIncludeDirectories)
-
libeay32.lib;ssleay32.lib;lzo2.lib;pkcs11-helper.dll.lib;gdi32.lib;ws2_32.lib;wininet.lib;crypt32.lib;iphlpapi.lib;winmm.lib;%(AdditionalDependencies)
+
libeay32.lib;ssleay32.lib;lzo2.lib;pkcs11-helper.dll.lib;gdi32.lib;ws2_32.lib;wininet.lib;crypt32.lib;iphlpapi.lib;winmm.lib;Fwpuclnt.lib;Rpcrt4.lib;%(AdditionalDependencies)
$(OPENSSL_HOME)/lib;$(LZO_HOME)/lib;$(PKCS11H_HOME)/lib;%(AdditionalLibraryDirectories)
true
Console
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 901d710..9cd83a7 100644
--- a/src/openvpn/options.c
+++