openvpn client DNS security

To: debian-user Mailing List <debian-user@lists.debian.org>
Subject: openvpn client DNS security
From: Roger Price <debian@rogerprice.org>
Date: Thu, 5 Apr 2018 11:48:51 +0200 (CEST)
Message-id: <[🔎] alpine.DEB.2.20.1804051139360.4750@maria.rogerprice.org>

Hi, I had a problem setting up DNS on an openvpn client. I'll describe it herebefore submitting a bug report - I would appreciate comment on the securityaspects.

In the stretch openvpn server (2.4.0-6+deb9u2) the configuration fileserver.conf contains the declarations:


 push "dhcp-option DNS 212.27.40.241"
 push "dhcp-option DNS 212.27.40.240"

In the stretch 32 bit client the openvpn (2.4.0-6+deb9u2) configuration fileclent.conf contains the declarations:


 # OpenVPN DNS resolution needs extra help
 # See https://forums.openvpn.net/viewtopic.php?t=21678
 script-security 2
 up /etc/openvpn/update-resolv-conf
 down /etc/openvpn/update-resolv-conf

When the client connects, the log reports:

 Wed Apr  4 13:32:01 2018 us=398019
     PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,
     dhcp-option DNS 212.27.40.241,dhcp-option DNS 212.27.40.240,
     route 10.8.0.1,topology net30,ping 10,ping-restart 120,
     ifconfig 10.8.0.6 10.8.0.5,peer-id 0'
 ...
 Wed Apr  4 13:32:01 2018 us=400146 ROUTE_GATEWAY 10.218.0.1/255.255.255.0
     IFACE=wlan0 HWADDR=74:f0:6d:02:b2:4c
 Wed Apr  4 13:32:01 2018 us=408087 TUN/TAP device tun0 opened
 Wed Apr  4 13:32:01 2018 us=408365 TUN/TAP TX queue length set to 100
 Wed Apr  4 13:32:01 2018 us=408467 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
 Wed Apr  4 13:32:01 2018 us=408551 /sbin/ip link set dev tun0 up mtu 1500
 Wed Apr  4 13:32:01 2018 us=421630 /sbin/ip addr add dev tun0 local 10.8.0.6
     peer 10.8.0.5
 Wed Apr  4 13:32:01 2018 us=461961 /etc/openvpn/update-resolv-conf tun0 1500
     1561 10.8.0.6 10.8.0.5 init

Note the absence of any DNS error message.  I tested for correct DNS setup:

 rprice@kananga ~ dig debian.org | grep SERVER
 ;; SERVER: 10.218.0.1#53(10.218.0.1)

Clearly not the required DNS server. The file /etc/resolv.conf still contains:

 # Generated by NetworkManager
 nameserver 10.218.0.1

Looking more closely at script /etc/openvpn/update-resolv-conf, it begins withthe line


 [ -x /sbin/resolvconf ] || exit 0

File /sbin/resolvconf is not present, because package resolvconf is not aprerequisite for openvpn, so the script fails silently! This looks to me like aserious security problem. Joe Road-Warrior is out there, connected to the"free" Wifi. He follows corporate instructions to turn on his openvpn client,but because of the exit 0 he is still using the local thoroughly compromised DNSserver.


The exit 0 needs to be replaced by

 1. A notification to Joe that his openvpn setup is broken.
 2. An e-mail to his sysadmin to alert to a security problem.
 3. An exit 1 to assure that the openvpn client cannot start.

Roger

Reply to:

Follow-Ups:
- Re: openvpn client DNS security
  - From: Mark Fletcher <mark27q1@gmail.com>

Prev by Date: Re: utf
Next by Date: Re: utf
Previous by thread: Re: tcp_probe module missing
Next by thread: Re: openvpn client DNS security
Index(es):
- Date
- Thread