search

alfredopalhares / openvpn-update-resolv-conf

Script that updates DNS settings are pushed by the OpenVPN server
462 stars 129 forks source link

DNS leaks still appear #14

Closed cryzed closed 8 years ago

cryzed commented 8 years ago

Hey, unfortunately I've had some troubles with this script. The problem is that, however I configure my system, the IP of my local nameserver still appears in /etc/resolve.conf. For example with my VPN disabled:

# Generated by resolvconf
nameserver 192.168.0.1

And enabled:

# Generated by resolvconf
nameserver 209.222.18.222
nameserver 209.222.18.218
nameserver 192.168.0.1

While the second version looks good, it isn't at all:

If there are multiple servers, the resolver library queries them in the order listed. If no nameserver entries are present, the default is to use the name server on the local machine. (The algorithm used is to try a name server, and if the query times out, try the next, until out of name servers, then repeat trying all the name servers until a maximum number of retries are made.)

(Source: http://man7.org/linux/man-pages/man5/resolv.conf.5.html)

So as I understand it, the only thing required for DNS leaks to happen is that the VPN's DNS servers aren't reachable, until eventually the local DNS nameserver entry is cycled to and used.

Also see this discussion about the same issue. I suspected too that dhcpdc might be the cause for the nameserver entry, but it isn't:

$ resolvconf -l
# resolv.conf from NetworkManager
# Generated by NetworkManager
nameserver 209.222.18.222
nameserver 209.222.18.218
nameserver 192.168.0.1

Seemingly all entries are provided by the NetworkManager. The local nameserver is provided by the configured wired connection I am using, and the others by the DNS server I subsequently connect to. Considering this, OpenVPN seems to popualte the foreign_option_* environment variables in reverse order, which results in the current behavior. The (imho) correct behavior would be to have the local nameserver completely removed and only list the VPN's DNS servers.

Is this my fault? Am I misconfiguring or misunderstand something?

EDIT: I just read some more about the environment variables set by OpenVPN, and even ran OpenVPN manually with my configured VPN -- Only the two addresses are pushed by my VPN after all, I'm not sure how my local DNS address even ends up in /etc/resolv.conf. Any ideas?

EDIT2: Seems like this NetworkManager's fault -- The update-resolv-conf script doesn't even seem to be needed when connecting to the VPN using it, it automatically sets the pushed VPN DNS addresses, unfortunately it doesn't remove the local DNS addresses.

maximbaz commented 7 years ago

If someone is interested, I solved this issue with the following workaround:

#!/bin/bash
#/etc/NetworkManager/dispatcher.d/pia-vpn

interface="$1"
status=$2

case $status in
  vpn-up)
    if [[ $interface == "tun0" ]]; then
      chattr -i /etc/resolv.conf
      echo -e "nameserver 209.222.18.222\nnameserver 209.222.18.218" > /etc/resolv.conf
      chattr +i /etc/resolv.conf
    fi
    ;;
  vpn-down)
    if [[ $interface == "tun0" ]]; then
      chattr -i /etc/resolv.conf
    fi
    ;;
esac

This is hacky though, it would be really cool if we found a proper fix, so that providing the exclusive flag -x is enough.

On another side, using this method instead of -x flag somewhat helps with #18, in my case the corporate VPN run on ppp0 interface, while PIA VPN runs on tun0, and so given the conditions in the script the DNS is not exlusive for the corporate VPN.

QasimK commented 7 years ago

EDIT2: Seems like this NetworkManager's fault -- The update-resolv-conf script doesn't even seem to be needed when connecting to the VPN using it, it automatically sets the pushed VPN DNS addresses, unfortunately it doesn't remove the local DNS addresses.

@cryzed Is there an open issue for NetworkManager or discussion thread concerning this?

cryzed commented 7 years ago

Yes, I created an issue somewhere in the NetworkManager bugtracker (which doesn't allow Google to index it so I can't find the issue), and similar problems can be found all over the internet. I decided that using NetworkManager for VPN things is completely unreliable for many reasons, not just this one.

I set # chattr +i /etc/resolv.conf and ended up running my own local Unbound DNS resolver and use OpenVPN systemd units directly to turn the VPS on/off now, which works and forces all applications to use the single entry specified in my resolv.conf.

The NetworkManager bug tracker seems completely dead and no one really pays attention to it, IIRC.