webmastir / tunnelblick

Automatically exported from code.google.com/p/tunnelblick

On disconnect, Tunnelblick stays in status "Exiting", nameserver and routes are not reset #6

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
1. Start a VPN connection (in my case a routed TUN connection which has
   the redirect-gateway option set on server side) with the 
   "set nameserver" toggle activated. 
2. Wait until the VPN is active
3. Click on "Disconnect"

Instead of resetting the network configuration to the state before
activating the connection, the name server and network settings are not
reset. In detail:
- /etc/resolv.conf still lists the nameserver of the VPN. I have to execute
  client.up.osx.sh manually in order to get my old nameserver settings
  restored
- netstat -nr shows that the redirect-gateway routes are still active. I
  have to manually remove the net route to the OpenVPN server and add the
  default gateway for the current network in order to get it up again.

I used Tunnelblick 3.0b9 (with the correct version of client.up.osx.sh as
suggested in the discussion group) on Mac OS X 10.5.4

Original issue reported on code.google.com by kuy...@gmx.de on 26 Jul 2008 at 6:53

GoogleCodeExporter commented 9 years ago
I forgot to mention that the "Details" dialog stays in status "Exiting". I
guess it should switch to something else.

Original comment by kuy...@gmx.de on 26 Jul 2008 at 6:54

GoogleCodeExporter commented 9 years ago
Can you post your openvpn client config file please? My suspicion is that you
might be using the user or group option which causes openvpn to drop
privileges. In that case, openvpn is unable to reset its routes because it
needs root privileges to do that.

Thanks,
Angelo

Original comment by angelol...@gmail.com on 27 Jul 2008 at 5:23

GoogleCodeExporter commented 9 years ago
You're perfectly right, the configuration drops root privileges. Sorry for
filing a bug when it's just a configuration error... :-) I'll try to change
and test the new configuration as soon as possible.

Thanks!

Original comment by kuy...@gmx.de on 27 Jul 2008 at 7:59

GoogleCodeExporter commented 9 years ago
I'll mention this in the FAQ and maybe even warn the user about this in the
GUI. The ticket will stay open until then.

Original comment by angelol...@gmail.com on 27 Jul 2008 at 8:06

GoogleCodeExporter commented 9 years ago
Also, even when not dropping privileges (which makes restoring DNS work
instantly), the tab in the detail window is still stuck at "EXITING".
Additionally, I do not see anything added to the log when disconnecting.

Should I open a new bug for this, cosmetic, issue? It's kind of related to
this one though.

Original comment by phofstet...@gmail.com on 28 Jul 2008 at 11:29

GoogleCodeExporter commented 9 years ago
> Can you post your openvpn client config file please? My suspicion is that
> you might be using the user or group option which causes openvpn to drop
> privileges.

I experience exactly the same issue.  My configuration does not now drop
privileges and I *still* experience exactly the issue above.  Please advise.

> In that case, openvpn is unable to reset its routes because it 
> needs root privileges to do that. 

Can we not package in fake-root? I run this successfully on Fedora without
100% success.  I don't like running my VPN as root, and I am slightly
concerned people are advised to not downgrade their privs.

Original comment by chris.bu...@gmail.com on 12 Aug 2008 at 10:12

GoogleCodeExporter commented 9 years ago
I'm also experiencing this issue; I have commented out the downgrade
privileges settings.

I'm running Mac OS 10.5.7 and Tunnelblick  3.0b10

Thanks

Original comment by carlitos...@gmail.com on 13 Jul 2009 at 11:58

GoogleCodeExporter commented 9 years ago
> Can we not package in fake-root?

As I understand it, fake-root won't help because it doesn't actually elevate
privileges.  You could probably get this to work by downgrading to an openvpn
user and then giving that user privileges to change DNS, routes, and
interfaces using sudo with no password.  In theory you could give those
privileges to nobody, but anonymous users shouldn't be able to mess with
interfaces, routes, and DNS since they still make man-in-the-middle attacks
possible.

Original comment by kc7...@gmail.com on 6 Oct 2009 at 10:02

GoogleCodeExporter commented 9 years ago
openvpn-down-root.so has been available since r225, in Tunnelblick version
3.0b22.

Original comment by jkbull...@gmail.com on 24 Feb 2010 at 6:00
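
The misconfiguration diagnosed in this thread can be checked for before connecting. The following is an added example, not part of the original thread or of Tunnelblick's code: a small linter that flags an OpenVPN client config using `user`/`group` without a down-root plugin line. The sample configs, the server name, and the script and plugin paths are constructed placeholders.

```python
import shlex

# Constructed sample configs; all paths and the hostname are placeholders.
DROPS_PRIVS = """\
client
dev tun
remote vpn.example.org 1194
user nobody
group nobody
down /path/to/restore-dns.sh
"""

WITH_DOWN_ROOT = """\
client
dev tun
remote vpn.example.org 1194
user nobody
group nobody
plugin /path/to/openvpn-down-root.so "/path/to/restore-dns.sh"
"""

def parse_directives(text):
    """Return [(directive, args)] from OpenVPN config text, skipping comments."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        tokens = shlex.split(line, comments=True)
        if tokens:
            out.append((tokens[0].lstrip("-"), tokens[1:]))
    return out

def check_privilege_drop(text):
    """Warn when root is dropped but teardown still needs root."""
    d = parse_directives(text)
    drops = sorted({name for name, _ in d if name in ("user", "group")})
    # Assumption: a down-root plugin line is treated as the remedy,
    # following the last comment in the thread.
    down_root = any(n == "plugin" and a and "down-root" in a[0] for n, a in d)
    warnings = []
    if drops and not down_root:
        warnings.append("drops privileges (%s) with no down-root plugin: teardown "
                        "that needs root (routes, DNS) may fail" % ", ".join(drops))
        if any(n == "down" for n, _ in d):
            warnings.append("'down' script will run unprivileged")
    return warnings
```

Routes pushed by the server (such as the `redirect-gateway` setting in the original report) do not appear in the client file, so the check keys on the privilege drop alone.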