Re: [Openvpn-devel] [PATCH v3] add support for --dns option

2022-03-23 Thread Heiko Hund
On Mittwoch, 23. März 2022 15:34:52 CET Heiko Hund wrote:
> +static void
> +setenv_dns_option(struct env_set *es,
> +  const char *format, int i, int j,
> +  const char *value)
> +{
> +char name[64];
> +bool name_ok = false;
> +
> +if (j < 0)
> +{
> +name_ok = openvpn_snprintf(name, sizeof(name), format, i);
> +}
> +else
> +{
> +name_ok = openvpn_snprintf(name, sizeof(name), format, i, j);
> +}
> +
> +if (!name_ok)
> +{
> +msg(M_WARN, "WARNING: dns option setenv name buffer overflow");
> +}
> +
> +setenv_str(es, name, value);
> +}
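Review bot: on truncation the function only warns and then still calls setenv_str() with the clipped name, so a truncated variable name would be exported to scripts and plugins; return right after the msg(M_WARN, ...) (or make it M_FATAL, since the name is built from a fixed format and two small ints and a truncation can only mean a programming error). The two-arity contract, where a negative j selects a format with a single %d, is not visible at the call site; a short comment above the function stating that format must consume exactly one int when j < 0 and exactly two otherwise would stop a mismatched format string from reading a vararg that was never passed.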

Here's the helper function Gert was asking for. It's somewhat special in how 
the 'j' parameter is handled, but since it's local and very specialized, I can 
live with that.

Regards, Heiko




___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


[Openvpn-devel] [PATCH v3] add support for --dns option

2022-03-23 Thread Heiko Hund
As a first step towards DNS configuration in openvpn and a unified way
to push DNS related settings to clients in v2 and v3, this commit adds
support for parsing the new --dns option. Later commits will add support
for setting up DNS on different platforms.

For now, --dns and DNS related --dhcp-option can be used together for
smoother transition. Settings from --dns will override ones from --dhcp-option
where applicable.

For detailed information about the option consult the documentation in
this commit.

Signed-off-by: Heiko Hund 
---
 doc/man-sections/client-options.rst |  59 
 doc/man-sections/script-options.rst |  19 ++
 doc/man-sections/server-options.rst |   2 +-
 src/openvpn/Makefile.am |   1 +
 src/openvpn/dns.c   | 510 
 src/openvpn/dns.h   | 164 +
 src/openvpn/openvpn.vcxproj |   4 +-
 src/openvpn/openvpn.vcxproj.filters |   8 +-
 src/openvpn/options.c   | 221 
 src/openvpn/options.h   |   7 +
 src/openvpn/push.c  |   4 +
 src/openvpn/socket.c|  11 +
 src/openvpn/socket.h|   2 +
 13 files changed, 1009 insertions(+), 3 deletions(-)
 create mode 100644 src/openvpn/dns.c
 create mode 100644 src/openvpn/dns.h

diff --git a/doc/man-sections/client-options.rst 
b/doc/man-sections/client-options.rst
index e53b5262..8e0e4f18 100644
--- a/doc/man-sections/client-options.rst
+++ b/doc/man-sections/client-options.rst
@@ -154,6 +154,65 @@ configuration.
 --connect-timeout n
   See ``--server-poll-timeout``.
 
+--dns args
+  Client DNS configuration to be used with the connection.
+
+  Valid syntaxes:
+  ::
+
+ dns search-domains domain [domain ...]
+ dns server n address addr[:port] [addr[:port]]
+ dns server n resolve-domains|exclude-domains domain [domain ...]
+ dns server n dnssec yes|optional|no
+ dns server n transport DoH|DoT|plain
+ dns server n sni server-name
+
+  The ``--dns search-domains`` directive takes one or more domain names
+  to be added as DNS domain suffixes. If it is repeated multiple times within
+  a configuration the domains are appended, thus e.g. domain names pushed by
+  a server will amend locally defined ones.
+
+  The ``--dns server`` directive is used to configure DNS server ``n``.
+  The server id ``n`` must be a value between -128 and 127. For pushed
+  DNS server options it must be between 0 and 127. The server id is used
+  to group options and also for ordering the list of configured DNS servers;
+  lower numbers come first. DNS servers being pushed to a client replace
+  already configured DNS servers with the same server id.
+
+  The ``address`` option configures the IPv4 and / or IPv6 address of
+  the DNS server. Optionally a port can be appended after a colon. IPv6
+  addresses need to be enclosed in brackets if a port is appended.
+
+  The ``resolve-domains`` and ``exclude-domains`` options take one or
+  more DNS domains which are explicitly resolved or explicitly not resolved
+  by a server. Only one of the options can be configured for a server.
+  ``resolve-domains`` is used to define a split-dns setup, where only
+  given domains are resolved by a server. ``exclude-domains`` is used to
+  define domains which will never be resolved by a server (e.g. domains
+  which can only be resolved locally). Systems which do not support fine
+  grained DNS domain configuration, will ignore these settings.
+
+  The ``dnssec`` option is used to configure validation of DNSSEC records.
+  While the exact semantics may differ for resolvers on different systems,
+  ``yes`` likely makes validation mandatory, ``no`` disables it, and 
``optional``
+  uses it opportunistically.
+
+  The ``transport`` option enables DNS-over-HTTPS (``DoH``) or DNS-over-TLS 
(``DoT``)
+  for a DNS server. The ``sni`` option can be used with them to specify the
+  ``server-name`` for TLS server name indication.
+
+  Each server has to have at least one address configured for a configuration
+  to be valid. All the other options can be omitted.
+
+  Note that not all options may be supported on all platforms. As soon support
+  for different systems is implemented, information will be added here how
+  unsupported options are treated.
+
+  The ``--dns`` option will eventually obsolete the ``--dhcp-option`` 
directive.
+  Until then it will replace configuration at the places ``--dhcp-option`` 
puts it,
+  so that ``--dns`` overrides ``--dhcp-option``. Thus, ``--dns`` can be used 
today
+  to migrate from ``--dhcp-option``.
+
 --explicit-exit-notify n
   In UDP client mode or point-to-point mode, send server/peer an exit
   notification if tunnel is restarted or OpenVPN process is exited. In
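Review bot: the replacement rule for pushed servers ("replace already configured DNS servers with the same server id") should spell out its consequence: pushed ids are limited to 0..127 while a local configuration may use -128..-1, so a locally configured server with a negative id can never be replaced by a pushed one, and that is the way to pin a local resolver against server push. Two smaller points in the same hunk: the dnssec paragraph hedges with "``yes`` likely makes validation mandatory"; the man page should state what OpenVPN requests from the platform resolver and leave the per-system caveat to the platform notes announced two paragraphs later. And "As soon support for different systems is implemented" should read "As soon as support ...".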
diff --git a/doc/man-sections/script-options.rst 
b/doc/man-sections/script-options.rst
index 77877a5d..6be0686d 100644
--- a/doc/man-sections/script-options.rst
+++ b/doc/man-sections/script-options.rst
@@ -588,6 +588,25 

[Openvpn-devel] OpenVPN 2.4.12 released

2022-03-23 Thread Samuli Seppänen
OpenVPN 2.4.12 was released last week. It will be the last release in 
the 2.4.x series, so we encourage you to migrate to the latest 2.5.x release 
if you can.


Source code and Windows installers can be downloaded from our download page:



Linux packages are not provided for this release.
