search

jonathanio / update-systemd-resolved

Helper script for OpenVPN to directly update the DNS settings of a link through systemd-resolved via DBus.
Other
765 stars 94 forks source link

I am using a split tunnel and the vpn-user does not use the vpn DNS? #87

Closed JesperLindberg closed 4 years ago

JesperLindberg commented 4 years ago

So I tried to setup a split tunnel on my server (my server is the vpn-client). Where a vpn-user would only be able to access the internet with the VPN interface (tun0).

I've followed and tried to "translate" a ubuntu guide to CentOS 8. The guide I have been following is Force Torrent which has been inspired by Force Torrent Traffic through VPN Split Tunnel Debian 8 + Ubuntu 16.04 and then I applied the updates I found in Split Tunnel Guide for Ubuntu 18.04.

This resulted in the following files:

Code/Scripts: (Results below)

/etc/systemd/system/openvpn@openvpn.service:

Documentation=man:openvpn(8)
Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
After=network.target

[Service]
RuntimeDirectory=openvpn
PrivateTmp=true
KillMode=mixed
Type=forking
ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid
PIDFile=/run/openvpn/%i.pid
ExecReload=/bin/kill -HUP $MAINPID
WorkingDirectory=/etc/openvpn
Restart=on-failure
RestartSec=3
ProtectSystem=yes
LimitNPROC=10
DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw

[Install]
WantedBy=multi-user.target

/etc/openvpn/openvpn.conf:

client
setenv PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
dev tun
proto udp
remote pool-1.prd.se.ovpn.com 1194
remote pool-1.prd.se.ovpn.com 1195
remote pool-2.prd.se.ovpn.com 1194
remote pool-2.prd.se.ovpn.com 1195
remote pool-3.prd.se.ovpn.com 1194
remote pool-3.prd.se.ovpn.com 1195
remote pool-4.prd.se.ovpn.com 1194
remote pool-4.prd.se.ovpn.com 1195
remote-random
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-256-cbc
auth-user-pass /etc/openvpn/credentials
auth-nocache
comp-lzo
route-noexec

remote-cert-tls server
pull
reneg-sec 0
verb 3
mute-replay-warnings
replay-window 256
ca /etc/openvpn/ovpn-ca.crt
tls-auth /etc/openvpn/ovpn-tls.key 1
log /tmp/openvpn.log

script-security 2
up /etc/openvpn/firewllad.sh
up-restart
down /etc/openvpn/scripts/update-systemd-resolved
down-pre

dhcp-option DOMAIN-ROUTE .

/etc/openvpn/firewalld.sh:

#! /bin/bash

export INTERFACE="tun0"
export VPNUSER="vpn"
export LOCALIP="192.168.1.10"
export NETIF="enp1s0"

# Flush alll rules
firewall-cmd --direct --remove-rules ipv4 mangle OUTPUT
firewall-cmd --direct --remove-rules ipv4 mangle INPUT
firewall-cmd --direct --remove-rules ipv4 filter INPUT
firewall-cmd --direct --remove-rules ipv4 filter OUTPUT
firewall-cmd --direct --remove-rules ipv4 nat POSTROUTING

#firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 ! -o lo -m owner --uid-owner vpn -j DROP

# Mark packets from $VPNUSER
firewall-cmd --direct --add-rule ipv4 mangle OUTPUT 0 -j CONNMARK --restore-mark
firewall-cmd --direct --add-rule ipv4 mangle OUTPUT 0 ! --dest $LOCALIP -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
firewall-cmd --direct --add-rule ipv4 mangle OUTPUT 0 --dest $LOCALIP -p udp --dport 53 -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
firewall-cmd --direct --add-rule ipv4 mangle OUTPUT 0 --dest $LOCALIP -p tcp --dport 53 -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1

# Added local open ports (since I do not use these services I have not opened these ports)
#firewall-cmd --direct --add-rule ipv4 mangle OUTPUT 0 --src $LOCALIP -p tcp -m tcp -m multiport --sports 6800,7777 -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x0

# Continue marking
firewall-cmd --direct --add-rule ipv4 mangle OUTPUT 0 ! --src $LOCALIP -j MARK --set-mark 0x1
firewall-cmd --direct --add-rule ipv4 mangle OUTPUT 0 -j CONNMARK --save-mark

# Allow responses
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -i $INTERFACE -m conntrack --ctstate ESTABLISHED -j ACCEPT

# Block everything incoming on $INTERFACE to prevent accdiental exposing of ports
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -i $INTERFACE -j REJECT

# Let $VPNUSER access lo and $INTERFACE
firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -o lo -m owner --uid-owner $VPNUSER -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -o $INTERFACE -m owner --uid-owner $VPNUSER -j ACCEPT

# All packets on $INTERFACE needs to be masqueraded
firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -o $INTERFACE -j MASQUERADE

# Reject connection from predator IP going over $NETIF
firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 ! --src $LOCALIP -o $NETIF -j REJECT

#ADD YOUR OWN RULES HERE

# Start routing script
/etc/openvpn/routing.sh

exit 0

/etc/openvpn/routing.sh:

#! /bin/bash

VPNIF="tun0"
VPNUSER="vpn"
GATEWAYIP=$(ip address show $VPNIF | egrep -o '([0-9]{1,3}\.){3}[0-9]{1,3}' | egrep -v '255|(127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})' | tail -n1)
if [[ `ip rule list | grep -c 0x1` == 0 ]]; then
ip rule add from all fwmark 0x1 lookup $VPNUSER
fi
ip route replace default via $GATEWAYIP table $VPNUSER
ip route append default via 127.0.0.1 dev lo table $VPNUSER
ip route flush cache

# run update-resolv-conf script to set VPN DNS
/etc/openvpn/scripts/update-systemd-resolved

exit 0

/etc/iproute2/rt_tables:

#
# reserved values
#
255     local
254     main
253     default
0       unspec
#
# local
#
#1      inr.ruhep
200     vpn

/etc/sysctl.d/9999-vpn.conf:

net.ipv4.conf.all.rp_filter = 2
net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.enp1s0.rp_filter = 2

Results:

Using the command to check for DNS: systemd-resolve --status

Link 9 (tun0)
     Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
      LLMNR setting: yes
MulticastDNS setting: no
 DNSOverTLS setting: no
     DNSSEC setting: allow-downgrade
   DNSSEC supported: yes
 Current DNS Server: 192.165.9.158
        DNS Servers: 192.165.9.158
                     46.227.67.134
         DNS Domain: ~.

Checking VPN public IP with: sudo -u vpn -i -- curl ipinfo.io gave me: curl: (6) Could not resolve host: ipinfo.io. While sudo curl ipinfo.io --interface tun0 works fine. I also get issues when ping www.google.se as the vpn-user, but if I instead use the IP of that domain, it works fine.

JesperLindberg commented 4 years ago

The problem is that CentOS 8 does not set DNS with systemd-resolved even though the service is running. For setting the dns with systemd-resolved and thereby use the script update-systemd-resolved, you have to edit /etc/NetworkManager/NetworkManager.conf and in the [main] section, set: dns=systemd-resolved.

More information on the topic: CHAPTER 33. USING DIFFERENT DNS SERVERS FOR DIFFERENT DOMAINS.