Re: openvpn client DNS security

To: debian-user@lists.debian.org
Subject: Re: openvpn client DNS security
From: Mark Fletcher <mark27q1@gmail.com>
Date: Fri, 6 Apr 2018 07:57:47 +0900
Message-id: <[🔎] 20180405225747.s6iykznaj53fhdug@kazuki.local>
In-reply-to: <[🔎] alpine.DEB.2.20.1804051139360.4750@maria.rogerprice.org>
References: <[🔎] alpine.DEB.2.20.1804051139360.4750@maria.rogerprice.org>

On Thu, Apr 05, 2018 at 11:48:51AM +0200, Roger Price wrote:
> Hi, I had a problem setting up DNS on an openvpn client.  I'll describe it
> here before submitting a bug report - I would appreciate comment on the
> security aspects.
> 
<snip>
> 
> Looking more closely at script /etc/openvpn/update-resolv-conf, it begins
> with the line
> 
>  [ -x /sbin/resolvconf ] || exit 0
> 
> File /sbin/resolvconf is not present, because package resolvconf is not a
> prerequisite for openvpn, so the script fails silently!  This looks to me
> like a serious security problem.  Joe Road-Warrior is out there, connected
> to the "free" Wifi.  He follows corporate instructions to turn on his
> openvpn client, but because of the exit 0 he is still using the local
> thoroughly compromised DNS server.
> 

apt-cache rdepends resolvconf shows a dependency of openvpn on 
openresolv, which according to apt-file provides /sbin/resolvconf (and 
also, if I am reading apt-cache output correctly, depends on 
resolvconf...)

I can only assume one of the dependencies in that stack is a "suggests" 
rather than a "depends". If you are going to report a bug probably worth 
acknowledging this so you don't get turned away at the door.

... Yep, checking apt show openvpn, resolvconf is indeed a "suggests".

Mark

Reply to:

References:
- openvpn client DNS security
  - From: Roger Price <debian@rogerprice.org>

Prev by Date: Re: Recipient address rejected
Next by Date: Re: apt{-cache,-get,itude} show wrong version of package after update
Previous by thread: openvpn client DNS security
Next by thread: Recipient address rejected
Index(es):
- Date
- Thread