[Openvpn-users] DNS leak under Debian Testing
Matthias Müller
2017-02-08 12:39:15 UTC
Hi all,

I've noticed that OpenVPN connections under Debian Testing have started to
leak DNS requests when they didn't in the past. I have an ovpn file to
connect to AirVPN which contains the lines:

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

That used to work as it should. But now, before I start OpenVPN, my
/etc/resolv.conf looks as follows:

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 192.168.178.1
search fritz.box

And once the OpenVPN tunnel is active, it looks like this:

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 10.4.0.1
nameserver 192.168.178.1
search fritz.box

So the VPN nameserver (10.4.0.1) has been added correctly, but my local
nameservers are still there! And indeed https://ipleak.net/ finds two DNS
servers -- the AirVPN one which should be present, and the one of my local
provider, which shouldn't.

What's going wrong there and how can I fix it?

Thanks
Matthias
David Sommerseth
2017-02-08 12:52:49 UTC
Post by Matthias Müller
Hi all,
I've noticed that OpenVPN connections under Debian Testing have started to
leak DNS requests when they didn't in the past. I have an ovpn file to
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
That used to work as it should. But now, before I start OpenVPN, my
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 192.168.178.1
search fritz.box
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 10.4.0.1
nameserver 192.168.178.1
search fritz.box
So the VPN nameserver (10.4.0.1) has been added correctly, but my local
nameservers are still there! And indeed https://ipleak.net/ finds two DNS
servers -- the AirVPN one which should be present, and the one of my local
provider, which shouldn't.
What's going wrong there and how can I fix it?
You need to check what the resolvconf script on your computer does, and
if there is a way to configure it to behave differently.

Otherwise, you can try to uninstall that script. Then the
update-resolv-conf script (if it is based on the client.up script we
ship with OpenVPN), should rename /etc/resolv.conf, create a new one
with only the VPN provided DNS servers, and switch back afterwards. The
problem with this approach is if you use --user/--group in your OpenVPN
config, then you must run the client.down script via the down-root
plugin - otherwise the resolv.conf file is not restored properly.


--
kind regards,

David Sommerseth
Matthias Müller
2017-02-09 12:01:32 UTC
Hi David,
Post by David Sommerseth
You need to check what the resolvconf script on your computer does, and
if there is a way to configure it to behave differently.
Otherwise, you can try to uninstall that script. Then the
update-resolv-conf script (if it is based on the client.up script we
ship with OpenVPN), should rename /etc/resolv.conf, create a new one
with only the VPN provided DNS servers, and switch back afterwards. The
problem with this approach is if you use --user/--group in your OpenVPN
config, then you must run the client.down script via the down-root
plugin - otherwise the resolv.conf file is not restored properly.
Thanks for your help. Debian's /etc/openvpn/update-resolv-conf script is a
bit different from client.up/client.down -- it simply gives up if
/sbin/resolvconf doesn't exist. Also I wouldn't want resolvconf as I guess
it's needed when not running OpenVPN.

But I now got it basically working by downloading the client.up/client.down
scripts and modifying them to simply skip the call to resolvconf, using the
fallback solution instead.

However, I don't know how to compile the down-root plugin -- I cloned the
repo and the README says I should simply invoke "make". But there is no
"Makefile" in the src/plugins/down-root directory, only "Makefile.am".
"automake" or "autoreconf" don't work either (they ask for 'configure.ac' or
'configure.in'). Any hints?

Thanks
Matthias
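The up/down behaviour David describes and the resolvconf-free variant Matthias ended up with, as an added example (not the OpenVPN project's client.up/client.down and not Debian's update-resolv-conf). It assumes OpenVPN's usual script environment ($script_type and foreign_option_N) and adds a RESOLV_CONF override so it can be tried on a scratch file first.

```shell
#!/bin/sh
# Added example, not the OpenVPN project's client.up/client.down and not
# Debian's update-resolv-conf: the "fallback" path with the resolvconf call
# skipped. OpenVPN calls the script with $script_type set to "up" or "down"
# and each pushed option in a foreign_option_N variable, e.g.
# "dhcp-option DNS 10.4.0.1". RESOLV_CONF is an assumed override so the
# functions can be exercised on a scratch file rather than /etc/resolv.conf.

RESOLV_CONF="${RESOLV_CONF:-/etc/resolv.conf}"
BACKUP="${RESOLV_CONF}.ovpnsave"

# Turn the pushed "dhcp-option DNS/DOMAIN" values into resolv.conf lines.
vpn_dns_config() {
    i=1
    while eval "opt=\"\${foreign_option_${i}:-}\""; [ -n "$opt" ]; do
        set -- $opt
        case "$1 $2" in
            "dhcp-option DNS")    echo "nameserver $3" ;;
            "dhcp-option DOMAIN") echo "search $3" ;;
        esac
        i=$((i + 1))
    done
}

resolv_up() {
    conf=$(vpn_dns_config)
    # Nothing pushed: leave the file alone rather than emptying it.
    [ -n "$conf" ] || return 0
    # Keep the pre-VPN file (never overwrite a backup from an earlier run).
    [ -e "$BACKUP" ] || cp -p "$RESOLV_CONF" "$BACKUP"
    # Write only the VPN resolvers; the LAN resolver is deliberately dropped.
    printf '%s\n' "# written by OpenVPN up script, restored on down" "$conf" \
        > "$RESOLV_CONF"
}

resolv_down() {
    # Needs root: with --user/--group this is why the down-root plugin exists.
    [ -e "$BACKUP" ] && mv "$BACKUP" "$RESOLV_CONF"
    return 0
}

case "${script_type:-}" in
    up)   resolv_up ;;
    down) resolv_down ;;
esac
```

With --user/--group in the config, run the down half through the down-root plugin (e.g. `plugin openvpn-plugin-down-root.so "/etc/openvpn/this-script.sh"`, path assumed) so the restore still happens as root.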
debbie10t
2017-02-09 13:47:13 UTC
Post by Matthias Müller
However, I don't know how to compile the down-root plugin -- I cloned the
repo and the README says I should simply invoke "make". But there is no
"Makefile" in the src/plugins/down-root directory, only "Makefile.am".
"automake" or "autoreconf" don't work either (they ask for 'configure.ac' or
'configure.in'). Any hints?
See INSTALL in the root dir of your clone.
David Sommerseth
2017-02-10 12:53:53 UTC
Post by Matthias Müller
Hi David,
Post by David Sommerseth
You need to check what the resolvconf script on your computer does, and
if there is a way to configure it to behave differently.
Otherwise, you can try to uninstall that script. Then the
update-resolv-conf script (if it is based on the client.up script we
ship with OpenVPN), should rename /etc/resolv.conf, create a new one
with only the VPN provided DNS servers, and switch back afterwards. The
problem with this approach is if you use --user/--group in your OpenVPN
config, then you must run the client.down script via the down-root
plugin - otherwise the resolv.conf file is not restored properly.
Thanks for your help. Debian's /etc/openvpn/update-resolv-conf script is a
bit different from client.up/client.down -- it simply gives up if
/sbin/resolvconf doesn't exist. Also I wouldn't want resolvconf as I guess
it's needed when not running OpenVPN.
But I now got it basically working by downloading the client.up/client.down
scripts and modifying them to simply skip the call to resolvconf, using the
fallback solution instead.
Great!
Post by Matthias Müller
However, I don't know how to compile the down-root plugin -- I cloned the
repo and the README says I should simply invoke "make". But there is no
"Makefile" in the src/plugins/down-root directory, only "Makefile.am".
"automake" or "autoreconf" don't work either (they ask for 'configure.ac' or
'configure.in'). Any hints?
On Debian, the down-root plugin should already be installed. Try
looking into /usr/lib{,64}/openvpn/plugin/ ... or query the openvpn deb
package which files it has installed. (I'm a YUM/DNF/RPM type of guy,
don't know too much about the APT/DEB world)


--
kind regards,

David Sommerseth
Matthias Müller
2017-02-10 14:09:06 UTC
Hi David and all,
Post by David Sommerseth
On Debian, the down-root plugin should already be installed. Try
looking into /usr/lib{,64}/openvpn/plugin/ ... or query the openvpn deb
package which files it has installed. (I'm a YUM/DNF/RPM type of guy,
don't know too much about the APT/DEB world)
All right, I found it and got things working as they should.
Thanks a lot!

Matthias
