
openvpn-update-resolv-conf's Introduction

OpenVPN Update resolvconf

Description

This is a script to update your /etc/resolv.conf with the DNS settings received from the server as pushed dhcp-options. Since network management is outside the OpenVPN client's scope, this script adds those settings when the connection comes up and removes them when it goes down.

This script was found on the OpenVPN page of the Arch Linux Wiki.

However, if you have systemd 229 or newer, the better option is to use the script from https://github.com/jonathanio/update-systemd-resolved, which uses DBus calls instead of creating temporary *.network files.

Usage

Install openresolv

Place the script in /etc/openvpn/update-resolv-conf.sh or anywhere the OpenVPN client can access.

Add the following lines to your client configuration:

# This updates the resolvconf with dns settings
setenv PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
script-security 2
up /etc/openvpn/update-resolv-conf.sh
down /etc/openvpn/update-resolv-conf.sh
down-pre

Then start your OpenVPN client with the command you normally use.

Alternatively, if you don't want to edit your client configuration, you can add the following options to your openvpn command:

--setenv PATH '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' --script-security 2 --up /etc/openvpn/update-resolv-conf.sh --down /etc/openvpn/update-resolv-conf.sh --down-pre
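How the pushed dhcp-options become resolv.conf entries, as an added example (not the project's script): OpenVPN hands each pushed option to the up script as an environment variable foreign_option_N, and the sketch below validates those values and prints the lines that would be fed to resolvconf. The function names, the choice to put DOMAIN and DOMAIN-SEARCH on one search line, and the sample addresses are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the project's script. OpenVPN hands each pushed
# "dhcp-option ..." line to the --up script as foreign_option_1, _2, ...

# Pushed values are server-controlled input: allow address/hostname characters only.
valid_ip()   { case "$1" in ""|*[!0-9A-Fa-f:.]*) return 1 ;; esac; }
valid_name() { case "$1" in ""|-*|*[!A-Za-z0-9.-]*) return 1 ;; esac; }

# Print resolv.conf lines built from the foreign_option_N variables in the environment.
build_resolv_lines() {
    i=1 ns="" search=""
    while :; do
        eval "opt=\${foreign_option_$i-}"   # $i is a counter we control, safe to eval
        [ -n "$opt" ] || break              # variables are consecutive; stop at first gap
        set -f; set -- $opt; set +f         # split into words without glob expansion
        if [ "${1-}" = "dhcp-option" ] && [ $# -eq 3 ]; then
            case "$2" in
                DNS) if valid_ip "$3"; then ns="$ns $3"; fi ;;
                DOMAIN|DOMAIN-SEARCH) if valid_name "$3"; then search="$search $3"; fi ;;
            esac
        fi
        i=$((i + 1))
    done
    if [ -n "$search" ]; then echo "search${search}"; fi
    for s in $ns; do echo "nameserver $s"; done
}

# Constructed sample: a server pushing two resolvers, a search domain and one bad value.
demo_lines() (
    foreign_option_1='dhcp-option DNS 10.8.0.1'
    foreign_option_2='dhcp-option DNS 10.8.0.2'
    foreign_option_3='dhcp-option DOMAIN-SEARCH corp.example'
    foreign_option_4='dhcp-option DNS 10.8.0.3;junk'   # rejected by valid_ip
    build_resolv_lines
)
demo_lines
# In an up hook this output would be piped to: resolvconf -a "${dev}.inet"
```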

Support

For bugs and other questions, open a ticket on the Issues page.

You can find me on irc.freenode.org or, as a last resort, mail me at the address on my GitHub profile.

License

Licenced under GNU GPL.

Credits

2016 - WGH Added modified script to support systemd-networkd

2014 - Alfredo Palhares [email protected]

2013 - [email protected] Fixed intet name

2006 - [email protected]

openvpn-update-resolv-conf's People

Contributors

adam-kulagowski, alfredopalhares, dc-gsokolik, flamusdiu, jorgegv, jpeletier, lonicerae, ptolom, tomwadley, wgh-


openvpn-update-resolv-conf's Issues

exclusive flag is a very opinionated choice

According to #5, you added the exclusive flag (-x) by default.

Since this prevents some form of DNS leak (in fact, it prevents your ISP from getting every DNS query), it introduces another form of DNS leak: the DNS targeted by your VPN will get all the queries, which is not always needed (imagine the case where the VPN is a corporate one: you do not want your private stuff to be resolved through this corporate network…)
I think these lines should be surrounded by comments explaining the result of every flag so that everyone can personalize the line to their needs.

License needs clarification

The README.md currently says that this project is licensed under GNU GPL.

Is this GPLv2 or GPLv3?

I've created a fork of this project that updates bind instead of resolvconf, and I want to make sure I publish my fork under the correct version of the GPL.

DNS leaks still appear

Hey, unfortunately I've had some trouble with this script. The problem is that, however I configure my system, the IP of my local nameserver still appears in /etc/resolv.conf. For example with my VPN disabled:

# Generated by resolvconf
nameserver 192.168.0.1

And enabled:

# Generated by resolvconf
nameserver 209.222.18.222
nameserver 209.222.18.218
nameserver 192.168.0.1

While the second version looks good, it isn't at all:

If there are multiple servers, the resolver library queries them in the order listed. If no nameserver entries are present, the default is to use the name server on the local machine. (The algorithm used is to try a name server, and if the query times out, try the next, until out of name servers, then repeat trying all the name servers until a maximum number of retries are made.)

(Source: http://man7.org/linux/man-pages/man5/resolv.conf.5.html)

So as I understand it, the only thing required for DNS leaks to happen is that the VPN's DNS servers aren't reachable, until eventually the local DNS nameserver entry is cycled to and used.

Also see this discussion about the same issue. I suspected too that dhcpcd might be the cause for the nameserver entry, but it isn't:

$ resolvconf -l
# resolv.conf from NetworkManager
# Generated by NetworkManager
nameserver 209.222.18.222
nameserver 209.222.18.218
nameserver 192.168.0.1

Seemingly all entries are provided by NetworkManager. The local nameserver is provided by the configured wired connection I am using, and the others by the DNS server I subsequently connect to. Considering this, OpenVPN seems to populate the foreign_option_* environment variables in reverse order, which results in the current behavior. The (imho) correct behavior would be to have the local nameserver completely removed and only list the VPN's DNS servers.

Is this my fault? Am I misconfiguring or misunderstanding something?

EDIT: I just read some more about the environment variables set by OpenVPN, and even ran OpenVPN manually with my configured VPN -- Only the two addresses are pushed by my VPN after all, I'm not sure how my local DNS address even ends up in /etc/resolv.conf. Any ideas?

EDIT2: Seems like this is NetworkManager's fault -- The update-resolv-conf script doesn't even seem to be needed when connecting to the VPN using it; it automatically sets the pushed VPN DNS addresses, but unfortunately it doesn't remove the local DNS addresses.
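One way to check for the condition this issue describes, as an added example that is not part of the original report or of the project: list every nameserver entry in a resolv.conf that the VPN did not push, since the resolver falls back to those entries when the earlier ones time out. The function names are hypothetical; the sample file is the one quoted in the issue above.

```shell
#!/bin/sh
# Added example: find resolv.conf nameservers that were not pushed by the VPN.

# usage: non_vpn_nameservers VPN_DNS... < resolv.conf
# Prints each "nameserver" address read from stdin that is not in the VPN list.
non_vpn_nameservers() {
    while read -r key addr rest || [ -n "$key" ]; do
        [ "$key" = "nameserver" ] && [ -n "$addr" ] || continue
        case " $* " in
            *" $addr "*) ;;            # pushed by the VPN, expected
            *) echo "$addr" ;;         # fallback resolver outside the tunnel
        esac
    done
}

# usage: check_dns_leak VPN_DNS... < resolv.conf
# Returns 0 when only VPN resolvers are listed, 1 when another resolver remains.
check_dns_leak() {
    leftovers=$(non_vpn_nameservers "$@")
    if [ -n "$leftovers" ]; then
        echo "non-VPN resolver(s) still listed:" $leftovers >&2
        return 1
    fi
    return 0
}

# Sample input: the resolv.conf from the issue above, with the VPN connected.
sample_resolv_conf() {
    cat <<'EOF'
# Generated by resolvconf
nameserver 209.222.18.222
nameserver 209.222.18.218
nameserver 192.168.0.1
EOF
}

if sample_resolv_conf | check_dns_leak 209.222.18.222 209.222.18.218; then
    echo "only VPN resolvers configured"
fi
```

On hosts where resolv.conf points at a local stub such as dnsmasq or systemd-resolved, this only sees the stub address, so the stub's upstream servers have to be checked instead.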

Limitations on Fedora 29

Hi,

first of all, this script has been working for me very well in the past. Thanks for your effort :)

Yesterday, I upgraded to Fedora 29 and my /etc/resolv.conf does not get updated anymore.

My versions:
OpenVPN 2.4.6 x86_64-redhat-linux-gnu
Fedora release 29 (Twenty Nine)

Maybe this log message helps as well:
Wed Nov 28 09:05:54 2018 /etc/openvpn/update-resolv-conf.sh tun0 1500 1604 10.242.2.21 255.255.255.0 init
Unknown interface 'tun0': No such device
Wed Nov 28 09:05:54 2018 SIGINT[hard,] received, process exiting

Regards,
Thomas

Use systemd-resolved dbus interface instead of creating *.network files on-the-fly

Currently, the update-systemd-network.sh script creates .network files and restarts systemd-networkd. I asked on #systemd if this is the right way of doing this and got a response from @grawity:

the proper way to make it work is to call org.freedesktop.resolve1.Manager.SetLinkDNS() via DBus

When using dbus there's no need to restart any service or create any files.
Docs for dbus API of resolved are at https://www.freedesktop.org/wiki/Software/systemd/resolved/

Compare RFE: please consider pushing DNS information into systemd-resolved

cc @WGH-

What if I need and have systemd-resolved disabled?

I'm running dnsmasq on my server and in order to do this I need to disable systemd-resolved for it to work properly and resolve internal and external IPs. So if I have this disabled (resolved), is there a way to still have this script update or restart openvpn when I get a disconnection and then a re-connection? My main issue is that my /etc/resolv.conf gets updated when openvpn starts to use the vpn's DNS IP, but when there is a lag in ping and openvpn wants to restart, it doesn't update the /etc/resolv.conf to be my service provider's DNS IP and it doesn't resolve the vpn's connection IP because it's using its internal IP from resolv.conf.

DNS leaks

This script is causing DNS leaks.

echo -n "$R" | $RESOLVCONF -a "${dev}.inet"
Does not remove the old DNS servers from resolv.conf.

Adding the exclusive flag (-x) to resolvconf will stop the old DNS from being used.
echo -n "$R" | $RESOLVCONF -a -x "${dev}.inet"

update-resolv-conf doesn't respect the /etc/resolvconf/interface-order on Ubuntu 14.04

I have an Ubuntu 14.04 and interface-order file with the following contents

# interface-order(5)
lo.inet*
lo.dnsmasq
lo.pdnsd
lo.!(pdns|pdns-recursor)
lo
tap*
hso*
em+([0-9])?(_+([0-9]))*
p+([0-9])p+([0-9])?(_+([0-9]))*
eth*
ath*
wlan*
ppp*
tun*
tun+([0-9])?*
*

When connecting via openvpn, my tun0 interface dns server always has the highest priority, which leads to it being asked first to resolve hostnames. It seems like the order is not being applied.

Solves domain name resolution data leakage?

Hey, thanks for uploading this. Just to clarify, this solves DNS resolution so domain names cannot be resolved through your ISP's DNS?

Also, do you know a way of testing that this is working?

Too few Arguments

Recently installed openresolv on Ubuntu 16.04 and ran into an error:

...
Fri Mar 20 11:58:52 2020 TUN/TAP TX queue length set to 100
Fri Mar 20 11:58:52 2020 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Fri Mar 20 11:58:52 2020 /sbin/ip link set dev tun0 up mtu 1500
Fri Mar 20 11:58:52 2020 /sbin/ip addr add dev tun0 192.168.26.38/24 broadcast 192.168.26.255
Fri Mar 20 11:58:52 2020 /usr/share/openvpn/scripts/update-resolv-conf.sh tun0 1500 1556 192.168.26.38 255.255.255.0 init
dhcp-option DNS 172.18.4.150
dhcp-option DNS 172.18.4.151
dhcp-option DOMAIN xxxxxxxx
Too few arguments.
Too few arguments.
...

any ideas?

Doesn't Update resolv.conf on Gentoo

I'm trying to use Protonvpn with Openvpn with this script. I have openresolv installed and edited the .ovpn file as per the instructions said here and all other things. But still it's not changing resolv.conf with protonvpn's dns server. I am on Gentoo stable.

foreign_options in client.ovpn

I want to set my DOMAIN-SEARCH, but when I use the following code in client.ovpn, the script can't read it

setenv PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
script-security 2
foreign_option_3='dhcp-option DOMAIN be.bnc.ch'
foreign_option_4='dhcp-option DOMAIN-SEARCH bnc.local'
up /etc/openvpn/scripts/openvpn-update-resolv-conf/update-resolv-conf.sh
down /etc/openvpn/scripts/openvpn-update-resolv-conf/update-resolv-conf.sh
down-pre

Is the only way to set vars in /etc/openvpn/scripts/openvpn-update-resolv-conf/update-resolv-conf.sh?

Command not recognized

resolvconf: Error: Command not recognized
Usage: resolvconf (-d IFACE|-a IFACE|-u|--enable-updates|--disable-updates|--updates-are-enabled)

yet in the script I see $RESOLVCONF -x -a "${dev}.inet"
There is no -x flag above.
What's wrong?

Find resolvconf automatically does not always work

The script isn't working anymore on my system. I've tracked the issue down to commit 994574f. I don't know what the problem is right now. The script works flawlessly if I revert commit 994574f.

$ which resolvconf
/usr/bin/resolvconf

$ pacman -Qi openvpn-update-resolv-conf-git
Name            : openvpn-update-resolv-conf-git
Version         : r24.994574f-1
Description     : OpenVPN Update resolvconf
Architecture    : any
URL             : https://github.com/masterkorp/openvpn-update-resolv-conf
Licenses        : GPL
Groups          : None
Provides        : None
Depends On      : openvpn  openresolv  bash
Optional Deps   : None
Required By     : None
Optional For    : None
Conflicts With  : None
Replaces        : None
Installed Size  : 3.00 KiB
Packager        : Unknown Packager
Build Date      : Tue 19 Apr 2016 09:20:54 PM CEST
Install Date    : Tue 19 Apr 2016 09:20:59 PM CEST
Install Reason  : Explicitly installed
Install Script  : No
Validated By    : None

$ pacman -Qi openresolv
Name            : openresolv
Version         : 3.7.2-1
Description     : resolv.conf management framework (resolvconf)
Architecture    : any
URL             : http://roy.marples.name/projects/openresolv
Licenses        : custom:BSD
Groups          : None
Provides        : resolvconf
Depends On      : bash
Optional Deps   : None
Required By     : openvpn-update-resolv-conf-git
Optional For    : networkmanager  vpnc
Conflicts With  : None
Replaces        : None
Installed Size  : 48.00 KiB
Packager        : Jan Alexander Steffens (heftig) <[email protected]>
Build Date      : Mon 23 Nov 2015 01:12:47 AM CET
Install Date    : Mon 14 Dec 2015 08:57:40 PM CET
Install Reason  : Explicitly installed
Install Script  : No
Validated By    : Signature

$ bash --version
GNU bash, version 4.3.42(1)-release (x86_64-unknown-linux-gnu)
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

$ uname -a
Linux nyx 4.5.1-1-ARCH #1 SMP PREEMPT Thu Apr 14 19:19:32 CEST 2016 x86_64 GNU/Linux

exclusive Flag problems / resolvconf location

Hi,

I have finally successfully used your problem. However, I encountered one problem:
you have lately added the exclusive flag, which does not work for me, since I am on an old
distro. As you can see, the flag was added in Ubuntu in 15.10; however, I am still on 14.04 LTS.
Maybe you can make this more dynamic via calling (lsb_release -c) to check the version.
Unfortunately the resolvconf itself does not show a version, so it is not so easy to find out
if the resolvconf supports the -x or not.

http://manpages.ubuntu.com/manpages/trusty/en/man8/resolvconf.8.html
http://manpages.ubuntu.com/manpages/wily/en/man8/resolvconf.8.html

Another thing I noticed is this.

You might need to set the path manually here, i.e.

RESOLVCONF=/sbin/resolvconf

why not use
RESOLVCONF=$(type -p resolvconf)
this will find the path to the resolvconf by itself.
