Re: [Openvpn-users] DNS leak under Debian Testing

2017-02-10 Thread David Sommerseth
On 09/02/17 13:01, Matthias Müller wrote:
> Hi David,
> 
> On 08/02/17 13:52, David Sommerseth wrote:
>> You need to check what the resolvconf script on your computer does, and
>> if there is a way to configure it to behave differently.
>>
>> Otherwise, you can try to uninstall that script.  Then the
>> update-resolv-conf script (if it is based on the client.up script we
>> ship with OpenVPN), should rename /etc/resolv.conf, create a new one
>> with only the VPN provided DNS servers, and switch back afterwards.  The
>> problem with this approach is if you use --user/--group in your OpenVPN
>> config, then you must run the client.down script via the down-root
>> plugin - otherwise the resolv.conf file is not restored properly.
> 
> Thanks for your help. Debian's /etc/openvpn/update-resolv-conf script is a
> bit different from client.up/client.down -- it simply gives up if
> /sbin/resolvconf doesn't exist. Also I wouldn't want resolvconf as I guess
> it's needed when not running OpenVPN.
> 
> But I now got it basically working by downloading the client.up/client.down
> scripts and modifying them to simply skip the call to resolvconf, using the
> fallback solution instead.

Great!

> However, I don't know how to compile the down-root plugin -- I cloned the
> repo and the README says I should simply invoke "make". But there is no
> "Makefile" in the src/plugins/down-root directory, only "Makefile.am".
> "automake" or "autoreconf" don't work either (they ask for 'configure.ac' or
> 'configure.in'). Any hints?

On Debian, the down-root plugin should already be installed.  Try
looking into /usr/lib{,64}/openvpn/plugin/ ... or query the openvpn deb
package which files it has installed.   (I'm a YUM/DNF/RPM type of guy,
don't know too much about the APT/DEB world)


--
kind regards,

David Sommerseth



--
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users


Re: [Openvpn-users] DNS leak under Debian Testing

2017-02-09 Thread debbie10t


On 09/02/17 12:01, Matthias Müller wrote:

> However, I don't know how to compile the down-root plugin -- I cloned the
> repo and the README says I should simply invoke "make". But there is no
> "Makefile" in the src/plugins/down-root directory, only "Makefile.am".
> "automake" or "autoreconf" don't work either (they ask for 'configure.ac' or
> 'configure.in'). Any hints?

See INSTALL in the root dir of your clone.





Re: [Openvpn-users] DNS leak under Debian Testing

2017-02-09 Thread Matthias Müller
Hi David,

On 08/02/17 13:52, David Sommerseth wrote:
> You need to check what the resolvconf script on your computer does, and
> if there is a way to configure it to behave differently.
> 
> Otherwise, you can try to uninstall that script.  Then the
> update-resolv-conf script (if it is based on the client.up script we
> ship with OpenVPN), should rename /etc/resolv.conf, create a new one
> with only the VPN provided DNS servers, and switch back afterwards.  The
> problem with this approach is if you use --user/--group in your OpenVPN
> config, then you must run the client.down script via the down-root
> plugin - otherwise the resolv.conf file is not restored properly.

Thanks for your help. Debian's /etc/openvpn/update-resolv-conf script is a
bit different from client.up/client.down -- it simply gives up if
/sbin/resolvconf doesn't exist. Also I wouldn't want resolvconf as I guess
it's needed when not running OpenVPN.

But I now got it basically working by downloading the client.up/client.down
scripts and modifying them to simply skip the call to resolvconf, using the
fallback solution instead.

However, I don't know how to compile the down-root plugin -- I cloned the
repo and the README says I should simply invoke "make". But there is no
"Makefile" in the src/plugins/down-root directory, only "Makefile.am".
"automake" or "autoreconf" don't work either (they ask for 'configure.ac' or
'configure.in'). Any hints?

Thanks
Matthias



Re: [Openvpn-users] DNS leak under Debian Testing

2017-02-08 Thread David Sommerseth
On 08/02/17 13:39, Matthias Müller wrote:
> Hi all,
> 
> I've noticed that OpenVPN connections under Debian Testing have started to
> leak DNS requests when they didn't in the past. I have an ovpn file to
> connect to AirVPN which contains the lines:
> 
> script-security 2
> up /etc/openvpn/update-resolv-conf
> down /etc/openvpn/update-resolv-conf
> 
> That used to work as it should. But now, before I start OpenVPN, my
> /etc/resolv.conf looks as follows:
> 
> # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
> # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
> nameserver 192.168.178.1
> search fritz.box
> 
> And once the OpenVPN tunnel is active, it looks like this:
> 
> # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
> # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
> nameserver 10.4.0.1
> nameserver 192.168.178.1
> search fritz.box
> 
> So the VPN nameserver (10.4.0.1) has been added correctly, but my local
> nameservers are still there! And indeed https://ipleak.net/ finds two DNS
> servers -- the AirVPN one which should be present, and the one of my local
> provider, which shouldn't.
> 
> What's going wrong there and how can I fix it?

You need to check what the resolvconf script on your computer does, and
if there is a way to configure it to behave differently.

Otherwise, you can try to uninstall that script.  Then the
update-resolv-conf script (if it is based on the client.up script we
ship with OpenVPN), should rename /etc/resolv.conf, create a new one
with only the VPN provided DNS servers, and switch back afterwards.  The
problem with this approach is if you use --user/--group in your OpenVPN
config, then you must run the client.down script via the down-root
plugin - otherwise the resolv.conf file is not restored properly.


--
kind regards,

David Sommerseth
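
The leak reported in this thread can be checked without an external test site by comparing resolv.conf against the DNS servers the VPN pushed. The following is an added example, not part of the original messages and not OpenVPN's or Debian's own script; the function names are hypothetical, and it assumes OpenVPN's convention of passing pushed options to up scripts as `foreign_option_N` environment variables.

```shell
#!/bin/sh
# Added example: list resolv.conf nameservers that the VPN did not push.

# DNS servers OpenVPN hands to an up script as
# foreign_option_N='dhcp-option DNS <addr>', printed one per line.
vpn_dns_from_env() {
    n=1
    while :; do
        eval "opt=\${foreign_option_$n:-}"
        [ -n "$opt" ] || break
        case "$opt" in
            "dhcp-option DNS "*) printf '%s\n' "${opt#dhcp-option DNS }" ;;
        esac
        n=$((n + 1))
    done
}

# usage: leaking_nameservers FILE [ALLOWED_ADDR...]
# Prints each "nameserver" address in FILE that is not in the allow-list.
leaking_nameservers() {
    file=$1
    shift
    awk -v allowed="$*" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "nameserver" && !($2 in ok) { print $2 }
    ' "$file"
}

# The tunnel-up resolv.conf quoted in the thread.
sample_resolv_conf() {
    cat <<'EOF'
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 10.4.0.1
nameserver 192.168.178.1
search fritz.box
EOF
}

# Demo; foreign_option_1 is a constructed value matching the thread's VPN DNS.
foreign_option_1='dhcp-option DNS 10.4.0.1'
tmp=$(mktemp)
sample_resolv_conf > "$tmp"
echo "not pushed by VPN: $(leaking_nameservers "$tmp" $(vpn_dns_from_env))"
rm -f "$tmp"
```

Empty output from `leaking_nameservers` means every resolver in the file came from the VPN; run against the live /etc/resolv.conf from an up script, a non-empty result is the condition described in the original report.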


