ivpn / desktop-app

Official IVPN Desktop app
https://www.ivpn.net/apps/
GNU General Public License v3.0

[Arch Linux] Improved handling of DNS search domains #267

Open ahkole opened 1 year ago

ahkole commented 1 year ago

Feature request

Description

Right now the IVPN desktop app doesn't play together nicely with NetworkManager on connections that automatically set some additional DNS search domains. I.e., on my university network NetworkManager automatically sets a search domain for all domains ending in the suffix associated with my university and this breaks all the university websites/services while connected to the VPN on the university network (DNS requests for university sites get blocked by the IVPN firewall because they are routed to the university's DNS servers due to the search domain instead of the IVPN DNS server). Currently the only workaround is setting ignore-auto-dns to yes in the settings of the connection but this also means that you lose the search domain when not connected to the VPN.

Describe the solution you'd like

It would be nice if there were better handling of these search domains by the IVPN desktop app. I don't yet know what the best solution would be. Maybe you could also take into account the Allow LAN traffic when connected to the VPN setting? I.e. if it's switched off you probably don't want to use any additional DNS search domains, so you should remove any existing ones when connecting to the VPN and route all DNS requests to the IVPN DNS servers. But if this is switched on, maybe you could keep the search domains and allow DNS requests to other (automatically detected or user-specified) DNS servers for domains in the search domain through the firewall?

Describe alternatives you've considered

I could try myself to write scripts that automatically switch the DNS resolver settings or NetworkManager settings depending on the VPN state but this can get hacky very quickly.

stenya commented 1 year ago

Hi @ahkole

Can you please clarify: are you referring only to the search domains that are not applied when IVPN is connected? If so, would the following solution work for you: when the VPN is connected, the system-configured DNS search domains remain unchanged? This way, you would be able to make requests to your university websites and services using hostnames.

You wrote:

... this breaks all the university websites/services while connected to the VPN on the university network (DNS requests for university sites get blocked by the IVPN firewall because they are routed to the university's DNS servers due to the search domain instead of the IVPN DNS server).

This part is a bit confusing to me. The IVPN Firewall only blocks DNS requests to external servers that are not defined by the IVPN configuration; it does not interfere with search domains. If you want to use a specific DNS server, the IVPN app has an option under "Settings -> DNS -> Use custom DNS...".

ahkole commented 1 year ago

Hi @stenya, thank you for replying! I will try to clarify the problem.

I use NetworkManager to manage my WiFi connections on my Arch Linux system and systemd-resolve for hostname resolution. By default, there is a per-connection setting called ipv4.ignore-auto-dns (and similar for ipv6) that is set to no. With these default settings, if I connect to my university network, resolvectl status gives the following output:

Global
           Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
    resolv.conf mode: foreign
Fallback DNS Servers: 1.1.1.1#cloudflare-dns.com 9.9.9.9#dns.quad9.net 8.8.8.8#dns.google 2606:4700:4700::1111#cloudflare-dns.com 2620:fe::9#dns.quad9.net 2001:4860:4860::8888#dns.google
          DNS Domain: <university domain>

Link 2 (wlp0s20f3)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6 mDNS/IPv4 mDNS/IPv6
         Protocols: +DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: <university DNS server IP>
       DNS Servers: <list of university DNS server IPs>
        DNS Domain: <university domain>

Link 4 (wgivpn)
    Current Scopes: DNS
         Protocols: +DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 10.0.254.2
       DNS Servers: 10.0.254.2
        DNS Domain: ~.

Let's now say that <university domain> is myuni.countrycode; then I cannot access any domains that end with myuni.countrycode. I.e. I would not be able to access the mail server at mail.myuni.countrycode or the website at students.myuni.countrycode. And I suspect that this has something to do with domain resolution, because if I try to resolve any domain ending in myuni.countrycode with systemd-resolve then I get a timeout. I.e. I expect that the laptop is trying to access the university DNS servers to resolve any domains ending in myuni.countrycode, but since I don't have these configured in IVPN these DNS requests get blocked. The only way to solve this atm is to change ipv4.ignore-auto-dns to yes, after which the output of resolvectl status is:

Global
           Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
    resolv.conf mode: foreign
Fallback DNS Servers: 1.1.1.1#cloudflare-dns.com 9.9.9.9#dns.quad9.net 8.8.8.8#dns.google 2606:4700:4700::1111#cloudflare-dns.com 2620:fe::9#dns.quad9.net 2001:4860:4860::8888#dns.google

Link 2 (wlp0s20f3)
    Current Scopes: LLMNR/IPv4 LLMNR/IPv6 mDNS/IPv4 mDNS/IPv6
         Protocols: -DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 4 (wgivpn)
    Current Scopes: DNS
         Protocols: +DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 10.0.254.2
       DNS Servers: 10.0.254.2
        DNS Domain: ~.

And with this configuration accessing the university domains does work (I expect because it completely circumvents the university DNS servers). However, this does mean that it also ignores the university DNS servers when I'm not connected to IVPN, unless I manually change this ipv4.ignore-auto-dns option again after disconnecting the VPN.

My preferred solution would be that IVPN manages the DNS in such a way that when I'm connected to IVPN it ignores the DNS servers from the university, also for domains ending in the domains listed under the DNS Domain list in the output of resolvectl status, but when not connected to IVPN it should restore any DNS settings configured by the connection so that then it uses the university DNS servers.

Does this make my problem/request more clear?
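As an added illustration (not the project's code, nor part of the thread), the script below parses text in the `resolvectl status` format quoted above and lists the per-link routing domains whose queries would go to a resolver outside the VPN link's server set; with a firewall that only permits the VPN resolver, those are exactly the lookups that time out. The sample status text and the 192.0.2.x addresses are constructed placeholders.

```python
"""Audit systemd-resolved link scopes for DNS servers a VPN-only firewall would block."""
import re

# Constructed sample modelled on the resolvectl output quoted in the issue.
# 192.0.2.x is documentation address space standing in for the university resolvers.
SAMPLE_STATUS = """\
Global
           Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
    resolv.conf mode: foreign
          DNS Domain: myuni.countrycode
Link 2 (wlp0s20f3)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6 mDNS/IPv4 mDNS/IPv6
Current DNS Server: 192.0.2.53
       DNS Servers: 192.0.2.53 192.0.2.54
        DNS Domain: myuni.countrycode

Link 4 (wgivpn)
    Current Scopes: DNS
Current DNS Server: 10.0.254.2
       DNS Servers: 10.0.254.2
        DNS Domain: ~.
"""

def parse_links(text):
    """Return {link_name: {"servers": [...], "domains": [...]}} from resolvectl output."""
    links, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^Link \d+ \((\S+)\)", line)
        if m:
            current = links.setdefault(m.group(1), {"servers": [], "domains": []})
            continue
        if current is None:          # still inside the Global section; skip it
            continue
        key, _, value = line.strip().partition(": ")
        if key == "DNS Servers":
            current["servers"] += value.split()
        elif key == "DNS Domain":    # routing domains; "~." is the catch-all
            current["domains"] += value.split()
    return links

def blocked_domains(links, vpn_link):
    """Map each non-VPN routing domain to the servers its queries would reach.

    systemd-resolved sends a query to the link with the longest matching routing
    domain, so 'myuni.countrycode' beats the VPN link's '~.' and the query never
    reaches the VPN resolver. Any such server outside the VPN set is a finding."""
    allowed = set(links[vpn_link]["servers"])
    findings = {}
    for name, cfg in links.items():
        outside = [s for s in cfg["servers"] if s not in allowed]
        if name != vpn_link and outside:
            for domain in cfg["domains"]:
                findings[domain] = outside
    return findings
```

Running `blocked_domains(parse_links(SAMPLE_STATUS), "wgivpn")` on the sample reports `myuni.countrycode` as routed to the two non-VPN resolvers, which matches the timeouts described in the comment.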

stenya commented 1 year ago

Thank you for the clarification. I'll need to perform some tests. I'll likely get back to you later.

stenya commented 1 year ago

@ahkole, I think I've found the root of the problem. It seems to be due to the aggressive rules of the IVPN firewall. Could you please help me confirm this?

Simply disable the IVPN firewall when the VPN is connected (using the default settings ipv4.ignore-auto-dns=no). Now, you should be able to access the <university domain> sites.

Please let me know the results, and then I'll implement the fix.

stenya commented 1 year ago

Technical details. Based on the configuration provided (see below), all the <university domain> DNS requests are sent to DNS Servers: <list of university DNS server IPs>. As expected, the IVPN Firewall is blocking these requests.

Solution/Change Description: The priority of user Firewall exceptions has been increased. In order to resolve hosts under <university domain>, the <list of university DNS server IPs> must be manually added to the Exceptions in the IVPN Firewall (through the IVPN app settings).

Global
           Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
    resolv.conf mode: foreign
Fallback DNS Servers: 1.1.1.1#cloudflare-dns.com 9.9.9.9#dns.quad9.net 8.8.8.8#dns.google 2606:4700:4700::1111#cloudflare-dns.com 2620:fe::9#dns.quad9.net 2001:4860:4860::8888#dns.google
          DNS Domain: <university domain>

Link 2 (wlp0s20f3)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6 mDNS/IPv4 mDNS/IPv6
         Protocols: +DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: <university DNS server IP>
       DNS Servers: <list of university DNS server IPs>
        DNS Domain: <university domain>

Link 4 (wgivpn)
    Current Scopes: DNS
         Protocols: +DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 10.0.254.2
       DNS Servers: 10.0.254.2
        DNS Domain: ~.

stenya commented 1 year ago

@gorkapernas v3.10.16

ahkole commented 1 year ago

@ahkole, I think I've found the root of the problem. It seems to be due to the aggressive rules of the IVPN firewall. Could you please help me confirm this?

Simply disable the IVPN firewall when the VPN is connected (using the default settings ipv4.ignore-auto-dns=no). Now, you should be able to access the <university domain> sites.

Please let me know the results, and then I'll implement the fix.

I tested this and can confirm that the IVPN firewall is the culprit. Switching it off allows one to access the university domains with the default NetworkManager configuration.

Solution/Change Description: The priority of user Firewall exceptions has been increased. In order to resolve hosts under <university domain>, the <list of university DNS server IPs> must be manually added to the Exceptions in the IVPN Firewall (through the IVPN app settings).

This still requires the user to manually change the settings to make it work, right? Just this time it is the IVPN settings instead of the NetworkManager or DNS settings. Is there no way to have IVPN automatically manage this? It should be possible to request a list of currently configured DNS search domains as well as the associated DNS server IPs using the system's DNS resolver service right?

stenya commented 1 year ago

This still requires the user to manually change the settings to make it work, right? Just this time it is the IVPN settings instead of the NetworkManager or DNS settings.

Yes. But you need to configure firewall exceptions once, and then you will be able to access your university domains regardless of the VPN state. I do not want to enable this functionality automatically (as you suggested, when "Allow LAN traffic..." is enabled) because this can lead to unexpected DNS leaks for users who also use these settings. Everyone who allows communication with DNS resolvers from the local network (and bypassing the IVPN-defined server) must understand what they are doing.

ahkole commented 1 year ago

Okay, I understand not wanting to automatically add DNS servers to the exclusion list to prevent unintended DNS leaks.

There is still the problem though that with the default configuration (no DNS servers added to the IVPN firewall exceptions and ipv4.ignore-auto-dns set to no) accessing any domain that ends in <university domain> does not work. If you don't add exceptions in the IVPN firewall or don't change the ipv4.ignore-auto-dns option in NetworkManager, you are unable to access any website or service that has to resolve a domain ending in <university domain> when connected to the VPN. Is there a way to fix this for users that want to avoid using any other DNS servers, including the university ones, when connected to the VPN without having to change the configuration of IVPN or NetworkManager? For example, by IVPN setting some sort of catch-all DNS search domain so that all DNS requests are first routed to IVPN's DNS server when connected to the VPN? Or by IVPN clearing all previously set DNS search domains upon connecting to the VPN (and restoring them when disconnecting)?

stenya commented 1 year ago

For example, by IVPN setting some sort of catch-all DNS search domain so that all DNS requests are first routed to IVPN's DNS server when connected to the VPN? Or by IVPN clearing all previously set DNS search domains upon connecting to the VPN (and restoring them when disconnecting)?

In this case, the <university domains> will not be accessible if those domains can only be resolved by the <university DNS server>.

By the way, this issue is more complex than I initially anticipated. I see that the solution I have already implemented is not ideal and may lead to DNS leaks. I am reverting all the changes. I need to think a little more about it...

ahkole commented 1 year ago

In this case, the <university domains> will not be accessible if those domains can only be resolved by the <university DNS server>.

Not only that. Also domains that can be resolved by any DNS server but that end in <university domain> are inaccessible under the default configuration. For example, I cannot access the university webmail under the default configuration at the university because the DNS requests get blocked while I can access it at home because then the DNS requests are sent to the IVPN servers.