Open ahkole opened 1 year ago
Hi @ahkole
Can you please clarify: are you referring only to the search domains that are not applied when IVPN is connected? If so, would the following solution work for you: when the VPN is connected, the system-configured DNS search domains remain unchanged? This way, you would be able to make requests to your university websites and services using hostnames.
You wrote:
> ... this breaks all the university websites/services while connected to the VPN on the university network (DNS requests for university sites get blocked by the IVPN firewall because they are routed to the university's DNS servers due to the search domain instead of the IVPN DNS server).
This part is a bit confusing to me. The IVPN Firewall only blocks DNS requests to external servers that are not defined by the IVPN configuration; it does not interfere with search domains. If you want to use a specific DNS server, the IVPN app has an option under "Settings -> DNS -> Use custom DNS...".
Hi @stenya, thank you for replying! I will try to clarify the problem.
I use NetworkManager to manage my WiFi connections on my Arch Linux system and `systemd-resolve` for hostname resolution. By default, there is a per-connection setting called `ipv4.ignore-auto-dns` (and similar for `ipv6`) that is set to `no`. With these default settings, if I connect to my university network, `resolvectl status` gives the following output:
```
Global
Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: foreign
Fallback DNS Servers: 1.1.1.1#cloudflare-dns.com 9.9.9.9#dns.quad9.net 8.8.8.8#dns.google 2606:4700:4700::1111#cloudflare-dns.com 2620:fe::9#dns.quad9.net 2001:4860:4860::8888#dns.google
DNS Domain: <university domain>

Link 2 (wlp0s20f3)
Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6 mDNS/IPv4 mDNS/IPv6
Protocols: +DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: <university DNS server IP>
DNS Servers: <list of university DNS server IPs>
DNS Domain: <university domain>

Link 4 (wgivpn)
Current Scopes: DNS
Protocols: +DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 10.0.254.2
DNS Servers: 10.0.254.2
DNS Domain: ~.
```
Let's now say that `<university domain>` is `myuni.countrycode`; then I cannot access any domains that end with `myuni.countrycode`. I.e. I would not be able to access the mail server at `mail.myuni.countrycode` or the website at `students.myuni.countrycode`. And I suspect that this has something to do with domain resolution, because if I try to resolve any domain ending in `myuni.countrycode` with `systemd-resolve` then I get a timeout. I.e. I expect that the laptop is trying to access the university DNS servers to resolve any domains ending in `myuni.countrycode`, but since I don't have these configured in IVPN these DNS requests get blocked. The only way to solve this atm is to change `ipv4.ignore-auto-dns` to `yes`, after which the output of `resolvectl status` is:
```
Global
Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: foreign
Fallback DNS Servers: 1.1.1.1#cloudflare-dns.com 9.9.9.9#dns.quad9.net 8.8.8.8#dns.google 2606:4700:4700::1111#cloudflare-dns.com 2620:fe::9#dns.quad9.net 2001:4860:4860::8888#dns.google

Link 2 (wlp0s20f3)
Current Scopes: LLMNR/IPv4 LLMNR/IPv6 mDNS/IPv4 mDNS/IPv6
Protocols: -DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 4 (wgivpn)
Current Scopes: DNS
Protocols: +DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 10.0.254.2
DNS Servers: 10.0.254.2
DNS Domain: ~.
```
And with this configuration accessing the university domains does work (I expect because it completely circumvents the university DNS servers). However, this does mean that it also ignores the university DNS servers when I'm not connected to IVPN, unless I manually change this `ipv4.ignore-auto-dns` option again after disconnecting the VPN.
My preferred solution would be that IVPN manages the DNS in such a way that when I'm connected to IVPN it ignores the DNS servers from the university, also for domains ending in the domains listed under the `DNS Domain` list in the output of `resolvectl status`, but when not connected to IVPN it should restore any DNS settings configured by the connection so that then it uses the university DNS servers.
Does this make my problem/request more clear?
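To make the routing behaviour described above concrete, here is an added example (not code from this thread or from the IVPN project) that models how systemd-resolved chooses a scope for a name from a `resolvectl status` dump: the longest matching search/routing domain wins and `~.` only catches what nothing else matched. The sample output is constructed, with `myuni.countrycode` and `192.0.2.x` standing in for the redacted university values; the `+DefaultRoute` fallback is left out because the `~.` routing domain on `wgivpn` always matches.

```python
import re
# Constructed sample mirroring the report's default configuration
# (ipv4.ignore-auto-dns=no); myuni.countrycode and 192.0.2.x stand in for
# the redacted university values, 10.0.254.2 is the IVPN resolver shown.
SAMPLE_STATUS = """\
Global
  DNS Domain: myuni.countrycode
Link 2 (wlp0s20f3)
  DNS Servers: 192.0.2.53 192.0.2.54
  DNS Domain: myuni.countrycode
Link 4 (wgivpn)
  DNS Servers: 10.0.254.2
  DNS Domain: ~.
"""
IGNORE_AUTO_DNS_STATUS = SAMPLE_STATUS.replace(  # ignore-auto-dns=yes: no DNS scope on link 2
    "  DNS Servers: 192.0.2.53 192.0.2.54\n  DNS Domain: myuni.countrycode\n", "")

def parse_status(text):
    """Map each scope (Global or link name) to its DNS servers and domains."""
    scopes, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        m = re.match(r"(Global|Link \d+ \((\S+)\))$", line)
        if m:
            cur = m.group(2) or "Global"
            scopes[cur] = {"servers": [], "domains": []}
        elif cur and line.startswith(("DNS Servers:", "DNS Domain:")):
            key = "servers" if line.startswith("DNS S") else "domains"
            scopes[cur][key] += line.split(":", 1)[1].split()
    return scopes

def route_query(name, scopes):
    """Scopes systemd-resolved sends `name` to: among scopes with servers, the
    longest search/routing-domain suffix wins; `~.` matches all with length 0."""
    labels = name.rstrip(".").lower().split(".")
    best, best_len = [], -1
    for scope, s in scopes.items():
        for dom in s["domains"] if s["servers"] else []:
            dl = [x for x in dom.lstrip("~").lower().split(".") if x]
            if dl and labels[-len(dl):] != dl:
                continue
            if len(dl) > best_len:
                best, best_len = [scope], len(dl)
            elif len(dl) == best_len:
                best.append(scope)
    return {scope: scopes[scope]["servers"] for scope in best}

def leaked_servers(name, scopes, vpn_servers=("10.0.254.2",)):
    """Resolvers outside the VPN set that would get the query (what the firewall blocks)."""
    return sorted(ip for srv in route_query(name, scopes).values()
                  for ip in srv if ip not in vpn_servers)
```

Running `leaked_servers` over a hostname list for each configuration reproduces the report: under the default settings every name below `myuni.countrycode` goes to the university resolvers, while with `ignore-auto-dns=yes` everything goes to `10.0.254.2`.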
Thank you for the clarification. I'll need to perform some tests. I'll likely get back to you later.
@ahkole, I think I've found the root of the problem. It seems to be due to the aggressive rules of the IVPN firewall. Could you please help me confirm this?
Simply disable the IVPN firewall when the VPN is connected (using the default settings `ipv4.ignore-auto-dns=no`). Now, you should be able to access the `<university domain>` sites.
Please let me know the results, and then I'll implement the fix.
Technical details. Based on the configuration provided (see below), all the `<university domain>` DNS requests are sent to `DNS Servers: <list of university DNS server IPs>`. As expected, the IVPN Firewall is blocking these requests.
Solution/Change Description:
The priority of user Firewall exceptions has been increased. In order to resolve hosts under `<university domain>`, the `<list of university DNS server IPs>` must be manually added to the Exceptions in the IVPN Firewall (through the IVPN app settings).
```
Global
Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: foreign
Fallback DNS Servers: 1.1.1.1#cloudflare-dns.com 9.9.9.9#dns.quad9.net 8.8.8.8#dns.google 2606:4700:4700::1111#cloudflare-dns.com 2620:fe::9#dns.quad9.net 2001:4860:4860::8888#dns.google
DNS Domain: <university domain>

Link 2 (wlp0s20f3)
Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6 mDNS/IPv4 mDNS/IPv6
Protocols: +DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: <university DNS server IP>
DNS Servers: <list of university DNS server IPs>
DNS Domain: <university domain>

Link 4 (wgivpn)
Current Scopes: DNS
Protocols: +DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 10.0.254.2
DNS Servers: 10.0.254.2
DNS Domain: ~.
```
@gorkapernas v3.10.16
> @ahkole, I think I've found the root of the problem. It seems to be due to the aggressive rules of the IVPN firewall. Could you please help me confirm this?
> Simply disable the IVPN firewall when the VPN is connected (using the default settings `ipv4.ignore-auto-dns=no`). Now, you should be able to access the `<university domain>` sites. Please let me know the results, and then I'll implement the fix.
I tested this and can confirm that the IVPN firewall is the culprit. Switching it off allows one to access the university domains with the default NetworkManager configuration.
> Solution/Change Description: The priority of user Firewall exceptions has been increased. In order to resolve hosts under `<university domain>`, the `<list of university DNS server IPs>` must be manually added to the Exceptions in the IVPN Firewall (through the IVPN app settings).
This still requires the user to manually change the settings to make it work, right? Just this time it is the IVPN settings instead of the NetworkManager or DNS settings. Is there no way to have IVPN automatically manage this? It should be possible to request a list of currently configured DNS search domains as well as the associated DNS server IPs using the system's DNS resolver service right?
> This still requires the user to manually change the settings to make it work, right? Just this time it is the IVPN settings instead of the NetworkManager or DNS settings.
Yes. But you need to configure firewall exceptions once, and then you will be able to access your university domains regardless of the VPN state. I do not want to enable this functionality automatically (as you suggested, when "Allow LAN traffic..." is enabled) because this can lead to unexpected DNS leaks for users who also use these settings. Everyone who allows communication with DNS resolvers from the local network (and bypassing the IVPN-defined server) must understand what they are doing.
Okay, I understand not wanting to automatically add DNS servers to the exclusion list to prevent unintended DNS leaks.
There is still the problem though that with the default configuration (no DNS servers added to the IVPN firewall exceptions and `ipv4.ignore-auto-dns` set to `no`) accessing any domain that ends in `<university domain>` does not work. If you don't add exceptions in the IVPN firewall or don't change the `ipv4.ignore-auto-dns` option in NetworkManager, you are unable to access any website or service that has to resolve a domain ending in `<university domain>` when connected to the VPN. Is there a way to fix this for users that want to avoid using any other DNS servers, including the university ones, when connected to the VPN without having to change the configuration of IVPN or NetworkManager? For example, by IVPN setting some sort of catch-all DNS search domain so that all DNS requests are first routed to IVPN's DNS server when connected to the VPN? Or by IVPN clearing all previously set DNS search domains upon connecting to the VPN (and restoring them when disconnecting)?
> For example, by IVPN setting some sort of catch-all DNS search domain so that all DNS requests are first routed to IVPN's DNS server when connected to the VPN? Or by IVPN clearing all previously set DNS search domains upon connecting to the VPN (and restoring them when disconnecting)?

In this case, the `<university domains>` will not be accessible if those domains can only be resolved by the `<university DNS server>`.
By the way, this issue is more complex than I initially anticipated. I see that the solution I have already implemented is not ideal and may lead to DNS leaks. I am reverting all the changes. I need to think a little more about it...
> In this case, the `<university domains>` will not be accessible if those domains can only be resolved by the `<university DNS server>`.

Not only that. Also domains that can be resolved by any DNS server but that end in `<university domain>` are inaccessible under the default configuration. For example, I cannot access the university webmail under the default configuration at the university because the DNS requests get blocked, while I can access it at home because then the DNS requests are sent to the IVPN servers.
Feature request
Description
Right now the IVPN desktop app doesn't play together nicely with NetworkManager on connections that automatically set some additional DNS search domains. I.e., on my university network NetworkManager automatically sets a search domain for all domains ending in the suffix associated with my university and this breaks all the university websites/services while connected to the VPN on the university network (DNS requests for university sites get blocked by the IVPN firewall because they are routed to the university's DNS servers due to the search domain instead of the IVPN DNS server). Currently the only workaround is setting `ignore-auto-dns` to `yes` in the settings of the connection, but this also means that you lose the search domain when not connected to the VPN.
Describe the solution you'd like
It would be nice if there would be a better handling of these search domains by the IVPN desktop app. I don't yet know what the best solution would be. Maybe you could also take into account the "Allow LAN traffic when connected to the VPN" setting? I.e. if it's switched off you probably don't want to use any additional DNS search domains, so you should remove any existing ones when connecting to the VPN and route all DNS requests to the IVPN DNS servers. But if this is switched on maybe you could keep the search domains and allow DNS requests to other (automatically detected or user-specified) DNS servers for domains in the search domain through the firewall?
Describe alternatives you've considered
I could try myself to write scripts that automatically switch the DNS resolver settings or NetworkManager settings depending on the VPN state, but this can get hacky very quickly.