qdm12 / gluetun

VPN client in a thin Docker container for multiple VPN providers, written in Go, and using OpenVPN or Wireguard, DNS over TLS, with a few proxy servers built-in.
https://hub.docker.com/r/qmcgaw/gluetun
MIT License
8.02k stars 371 forks source link

Feature request: allow openvpn provider to push dns servers #687

Open ismay opened 3 years ago

ismay commented 3 years ago

What's the feature 🧐

It seems that currently gluetun uses cloudflare as upstream dns by default (though over TLS). I would prefer using the dns that my openvpn provider pushes to me (which is protonvpn for me).

Extra information and references

What I'm trying to achieve is redirect some of the traffic on my local network over a protonvpn tunnel, and also have adblocking via a local adguard container. The setup is as follows:

Now I was hoping that by connecting adguard to gluetun, gluetun would by default route any dns requests adguard makes to the dns providers supplied by protonvpn. But it seems that that's not the case. Even with DOT=off and DNS_PLAINTEXT_ADDRESS=127.0.0.1 dns still seems to be routed outside of protonvpn.

Is there anything I've overlooked or misunderstood? Or is the above currently just not possible with gluetun?

These issues seem somewhat related (to me):

ismay commented 3 years ago

I guess the next best thing would be to manually set protonvpn's dns providers: 10.8.8.1 for UDP connections and 10.7.7.1 for TCP connections. However, that would introduce an extra bit of configuration to keep up to date, so automatically relying on the providers pushed by protonvpn seems preferable to me.

qdm12 commented 3 years ago

What I'm trying to achieve is redirect some of the traffic on my local network over a protonvpn tunnel, and also have adblocking via a local adguard container.

I think you can already do that as mentioned there: https://github.com/qdm12/gluetun/issues/128#issuecomment-657246482. If you set DOT=off and DNS_PLAINTEXT_ADDRESS=127.0.0.1, then it will use whatever DNS server you have connected to gluetun and running on port udp 53. Note that Adguard will make requests through the VPN, but that doesn't necessarily mean it will do requests using the VPN providers' DNS server(s), that depends on your Adguard configuration. You might have to configure Adguard to use 10.8.8.1 or 10.7.7.1. If you want to use Adguard, I am not sure you can do this automatically and OpenVPN pushing DNS options to the host won't really help, it might even conflict with Adguard (are you using `127.0.0.1 - adguard - or the VPN pushed DNS servers?).

Even with DOT=off and DNS_PLAINTEXT_ADDRESS=127.0.0.1 dns still seems to be routed outside of protonvpn.

They still go through the VPN tunnel. They might not go through their DNS depending on your Adguard configuration.

that would introduce an extra bit of configuration to keep up to date

I could hardcode these DNS addresses if it's just one for TCP and one for UDP, for all servers. But really, I would rather not (no time, a ton more issues and it might break whenever ProtonVPN decides to change them).

allow openvpn provider to push dns servers

The problem is, pushing DNS options seems to only work (AFAIK, feel free to correct me) using shell scripts. One of my main milestones is #588 (which involves no shell), so that goes against it unfortunately. If there is a no-shell, built-in OpenVPN way to do it I'm happy to explore it!

Regarding referenced issues:

Finally, maybe ProtonVPN's DNS allows you to go around some restrictions, but I would not trust my VPN provider that much to hand them all my DNS data. They might collect it. I know ProtonVPN is more or less trustable, but why trust when you can not trust πŸ€” With the current DoT setup, you can already split your DNS traffic to multiple large providers (like cloudflare, google, quad9 etc.). Plus they don't know who you are really unlike your VPN provider which matches your IP address to some of your personal details. Just my 2 cents πŸ˜‰

ismay commented 3 years ago

Thanks for the elaborate reply.

Finally, maybe ProtonVPN's DNS allows you to go around some restrictions, but I would not trust my VPN provider that much to hand them all my DNS data. They might collect it. I know ProtonVPN is more or less trustable, but why trust when you can not trust

This does not really hold true for me. You're already trusting them with your http traffic for the same domain you're using their DNS for. So say I visit google.com through protonvpn, if I use their DNS they'll have my request for an ip for google.com via their DNS, and subsequently a GET to that ip via 80/443. No extra information for proton, just two different channels. They know I'm trying to connect to google.com regardless if I use their DNS or not.

Now using an external DNS introduces an extra party, e.g. cloudflare or whatever other dns provider you're using. Technically it's leaking dns to cloudflare. Previously I only had to trust proton, whereas now I'm trusting proton and cloudflare.

With regards to the main purpose of this feature request, in response to what you mentioned here:

The problem is, pushing DNS options seems to only work (AFAIK, feel free to correct me) using shell scripts. One of my main milestones is #588 (which involves no shell), so that goes against it unfortunately. If there is a no-shell, built-in OpenVPN way to do it I'm happy to explore it!

So this is the response proton sends when connecting via openvpn for example:

ovpn-client1[24551]: PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.20.0.1,...

The openvpn server pushing dns to an openvpn client is native to openvpn, no shell scripting needed. That's also the functionality I was referring to. To simplify this issue we could maybe leave my specific usecase for what it is, core of my request is if gluetun respects (or potentially can be configured to respect) the dns servers pushed via openvpn. Because during my tests it seemed like it didn't. Maybe my tests were flawed though. What do you think?

qdm12 commented 3 years ago

You're already trusting them with your http traffic for the same domain you're using their DNS for.

Well yes they can see the IP address you connect to, but that makes their task of matching it to a domain more difficult. Especially since some of these IP assignments change over time. But yes I get your point too. If you use HTTP, then it makes zero difference indeed.

Technically it's leaking dns to cloudflare

Yes, but as I mentioned, you can split your DNS traffic, that helps privacy-wise. Not perfect, but unfortunately today you still have to trust some parties to an extent πŸ˜‰ Also I get your point to only have to trust protonvpn πŸ‘

core of my request is if gluetun respects (or potentially can be configured to respect) the dns servers pushed via openvpn.

Definitely. Maybe you can find the OpenVPN option missing for that DNS pushing by comparing one of ProtonVPN's file with those lines

Or just attach one of their files here and I'll figure it out πŸ˜‰

ismay commented 3 years ago

Ok, so in the protonvpn openvpn files pull is set as an option. But I see that you're setting client, which expands to pull and tls-client. So it seems as if the settings are correct for accepting a dns server. I think I'll have to do more testing to see what's going on exactly (i.e. if the dns servers are pushed and set correctly locally).

qdm12 commented 3 years ago

I'll check. Maybe the program still removes set name servers from /etc/hosts even when DOT=off, since it uses DNS_PLAINTEXT_ADDRESS. That's likely the problem here.

ismay commented 3 years ago

Ah, yeah would be good to know if that's happening.