tomjamescn / tunnelblick

Automatically exported from code.google.com/p/tunnelblick

DOMAIN-SEARCH dhcp options are not handled properly. #220

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Set up VPN server to submit the following options:
DOMAIN example.com
DOMAIN-SEARCH mysearch1.example.com
DOMAIN-SEARCH mysearch2.example.com
2. Connect to the VPN
3. Run scutil --dns, or cat /etc/resolv.conf

What is the expected output?
You should see a domain of example.com, and search of mysearch1.example.com 
mysearch2.example.com

What do you see instead?

A domain of mysearch2.example.com and a search of mysearch2.example.com

What version of Tunnelblick are you using? On what version of OS X?
Tunnelblick 3.28 (build 2891.3099) on 10.6.8

Please provide any additional information below. Please include your
configuration file and the contents of the OpenVPN Log window (including
the first few lines with version information), but remember to remove any
sensitive information such as IP addresses.

This has to do with globbing on *DOMAIN* and applying the sDomainName as the 
SEARCH_DOMAIN.

I have attached a unified diff with a start at fixing this. It probably needs 
more handling for cases when no domain-search option is specified. 

Original issue reported on code.google.com by geoff.fr...@gmail.com on 15 Nov 2012 at 2:53

GoogleCodeExporter commented 9 years ago
First, a belated thanks for reporting this.

I think this is related to Issue 144 
(http://code.google.com/p/tunnelblick/issues/detail?id=144), but it isn't 
exactly a duplicate.

I have a question about the original post of this issue: What is 
"DOMAIN-SEARCH"? I don't find it mentioned on the OpenVPN 2.3 man page [2], nor 
do I find it in the OpenVPN source code.

Does OpenVPN accept it as a parameter of the --dhcp-option option, and just 
pass it to scripts as a $foreign_option_n variable?

[1] http://code.google.com/p/tunnelblick/issues/detail?id=144
[2] https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage

Original comment by jkbull...@gmail.com on 19 Feb 2013 at 6:11

GoogleCodeExporter commented 9 years ago
domain-search is a dhcp option for supplying the domain name search path 
(http://linux.die.net/man/5/dhcp-options). 

Server-side, it's configured in openvpn via the push command as a dhcp option. 
Here's an example from our config file:

push "dhcp-option DOMAIN domain.com"
push "dhcp-option DOMAIN-SEARCH subdomain.domain.com"
push "dhcp-option DOMAIN-SEARCH domain.com"

Hope that helps!

Original comment by geoff.fr...@gmail.com on 19 Feb 2013 at 11:52

GoogleCodeExporter commented 9 years ago
I suppose it would be nice to have the option to handle it, since OS X (and 
many Linux distros) do use DHCP option 119 (DOMAIN-SEARCH) for system network 
connections, but the "Prepend domain name to search domains" option already 
takes care of my needs since I only have one internal domain.

This does not appear to be widely supported; in testing this OpenVPN on other 
operating systems, I found the following:
* Windows 7: prepends DOMAIN to search list, DOMAIN-SEARCH ignored, complained about unknown option (note that Windows ignores this DHCP option entirely, so not surprising)
* Ubuntu 12.10: connecting via Network Manager prepends DOMAIN and ignores DOMAIN-SEARCH. Same for connecting via cmdline, although a one-line patch to the update-resolv-conf script does make it behave as desired.

Original comment by andrew.d...@gmail.com on 13 Mar 2013 at 8:36

GoogleCodeExporter commented 9 years ago
Tunnelblick 3.3beta34 includes the following changes, which I think should 
close this Issue and Issue 144:

   * Multiple "DOMAIN-SEARCH" entries are allowed, and are set, prepended, or ignored, like DNS or WINS servers.

   * "DOMAIN" is used (A) as the "domain" and (B) if no DOMAIN-SEARCH entries are specified, as the "search domain"

   * Only the last "DOMAIN" entry is used (like Windows)

(But I'll leave this Issue and Issue 144 open for a while.)

Original comment by jkbull...@gmail.com on 27 Mar 2013 at 10:55
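
The behaviour reported at the top of this issue, next to the 3.3beta34 semantics listed in the comment above, as an added shell example that is not Tunnelblick's own script. The function names and the hostname-character check are assumptions; the inputs are the options from the report, constructed in the form OpenVPN hands them to scripts as $foreign_option_n.

```shell
#!/bin/sh
# Added example, not Tunnelblick code. Each argument is one pushed option
# as it appears in a $foreign_option_n variable.

# Pattern described in the report: *DOMAIN* also matches DOMAIN-SEARCH,
# and the single captured name is reused as the search domain.
parse_globbed() {
    domain=""
    for opt in "$@"; do
        case "$opt" in
            *DOMAIN*) domain="${opt##* }" ;;   # last word of the option
        esac
    done
    printf 'domain=%s search=%s\n' "$domain" "$domain"
}

# Semantics listed for 3.3beta34: the last DOMAIN wins, every DOMAIN-SEARCH
# is kept in order, and DOMAIN is the search domain only as a fallback.
parse_split() {
    domain=""
    search=""
    for opt in "$@"; do
        # Match the exact option type; "DOMAIN " cannot match "DOMAIN-SEARCH".
        case "$opt" in
            "dhcp-option DOMAIN-SEARCH "*)
                kind=search; value="${opt#dhcp-option DOMAIN-SEARCH }" ;;
            "dhcp-option DOMAIN "*)
                kind=domain; value="${opt#dhcp-option DOMAIN }" ;;
            *) continue ;;
        esac
        # Assumption (not from the issue): drop empty values and values with
        # characters outside the hostname set before they reach resolver config.
        case "$value" in
            ""|*[!A-Za-z0-9.-]*) continue ;;
        esac
        if [ "$kind" = search ]; then
            search="${search:+$search }$value"
        else
            domain="$value"
        fi
    done
    printf 'domain=%s search=%s\n' "$domain" "${search:-$domain}"
}

# Constructed input: the three options from the reproduction steps.
parse_globbed "dhcp-option DOMAIN example.com" "dhcp-option DOMAIN-SEARCH mysearch1.example.com" "dhcp-option DOMAIN-SEARCH mysearch2.example.com"
parse_split "dhcp-option DOMAIN example.com" "dhcp-option DOMAIN-SEARCH mysearch1.example.com" "dhcp-option DOMAIN-SEARCH mysearch2.example.com"
```

After connecting, `scutil --dns` or `cat /etc/resolv.conf` (the checks from the reproduction steps) should show the domain and search list that `parse_split` prints for the same pushed options.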

GoogleCodeExporter commented 9 years ago

Original comment by jkbull...@gmail.com on 10 Apr 2013 at 6:41