openvpn client DNS security
Hi, I had a problem setting up DNS on an openvpn client. I'll describe it here
before submitting a bug report - I would appreciate comment on the security
In the stretch openvpn server (2.4.0-6+deb9u2) the configuration file
server.conf contains the declarations:
push "dhcp-option DNS 220.127.116.11"
push "dhcp-option DNS 18.104.22.168"
In the stretch 32 bit client the openvpn (2.4.0-6+deb9u2) configuration file
clent.conf contains the declarations:
# OpenVPN DNS resolution needs extra help
# See https://forums.openvpn.net/viewtopic.php?t=21678
When the client connects, the log reports:
Wed Apr 4 13:32:01 2018 us=398019
PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,
dhcp-option DNS 22.214.171.124,dhcp-option DNS 126.96.36.199,
route 10.8.0.1,topology net30,ping 10,ping-restart 120,
ifconfig 10.8.0.6 10.8.0.5,peer-id 0'
Wed Apr 4 13:32:01 2018 us=400146 ROUTE_GATEWAY 10.218.0.1/255.255.255.0
Wed Apr 4 13:32:01 2018 us=408087 TUN/TAP device tun0 opened
Wed Apr 4 13:32:01 2018 us=408365 TUN/TAP TX queue length set to 100
Wed Apr 4 13:32:01 2018 us=408467 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Wed Apr 4 13:32:01 2018 us=408551 /sbin/ip link set dev tun0 up mtu 1500
Wed Apr 4 13:32:01 2018 us=421630 /sbin/ip addr add dev tun0 local 10.8.0.6
Wed Apr 4 13:32:01 2018 us=461961 /etc/openvpn/update-resolv-conf tun0 1500
1561 10.8.0.6 10.8.0.5 init
Note the absence of any DNS error message. I tested for correct DNS setup:
rprice@kananga ~ dig debian.org | grep SERVER
;; SERVER: 10.218.0.1#53(10.218.0.1)
Clearly not the required DNS server. The file /etc/resolv.conf still contains:
# Generated by NetworkManager
Looking more closely at script /etc/openvpn/update-resolv-conf, it begins with
[ -x /sbin/resolvconf ] || exit 0
File /sbin/resolvconf is not present, because package resolvconf is not a
prerequisite for openvpn, so the script fails silently! This looks to me like a
serious security problem. Joe Road-Warrior is out there, connected to the
"free" Wifi. He follows corporate instructions to turn on his openvpn client,
but because of the exit 0 he is still using the local thoroughly compromised DNS
The exit 0 needs to be replaced by
1. A notification to Joe that his openvpn setup is broken.
2. An e-mail to his sysadmin to alert to a security problem.
3. An exit 1 to assure that the openvpn client cannot start.