openvpn client DNS security
- Date: Thu, 5 Apr 2018 11:48:51 +0200 (CEST)
- From: Roger Price <debian@xxxxxxxxxxxxxx>
- Subject: openvpn client DNS security
Hi, I had a problem setting up DNS on an openvpn client. I'll describe it here before submitting a bug report - I would appreciate comment on the security aspects.
In the stretch openvpn server (2.4.0-6+deb9u2) the configuration file server.conf contains the declarations:
  push "dhcp-option DNS 212.27.40.241"
  push "dhcp-option DNS 212.27.40.240"

In the stretch 32 bit client the openvpn (2.4.0-6+deb9u2) configuration file client.conf contains the declarations:

  # OpenVPN DNS resolution needs extra help
  # See https://forums.openvpn.net/viewtopic.php?t=21678
  script-security 2
  up /etc/openvpn/update-resolv-conf
  down /etc/openvpn/update-resolv-conf

When the client connects, the log reports:

  Wed Apr 4 13:32:01 2018 us=398019 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1, dhcp-option DNS 212.27.40.241,dhcp-option DNS 212.27.40.240, route 10.8.0.1,topology net30,ping 10,ping-restart 120, ifconfig 10.8.0.6 10.8.0.5,peer-id 0'
  ...
  Wed Apr 4 13:32:01 2018 us=400146 ROUTE_GATEWAY 10.218.0.1/255.255.255.0 IFACE=wlan0 HWADDR=74:f0:6d:02:b2:4c
  Wed Apr 4 13:32:01 2018 us=408087 TUN/TAP device tun0 opened
  Wed Apr 4 13:32:01 2018 us=408365 TUN/TAP TX queue length set to 100
  Wed Apr 4 13:32:01 2018 us=408467 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
  Wed Apr 4 13:32:01 2018 us=408551 /sbin/ip link set dev tun0 up mtu 1500
  Wed Apr 4 13:32:01 2018 us=421630 /sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5
  Wed Apr 4 13:32:01 2018 us=461961 /etc/openvpn/update-resolv-conf tun0 1500 1561 10.8.0.6 10.8.0.5 init

Note the absence of any DNS error message. I tested for correct DNS setup:

  rprice@kananga ~ dig debian.org | grep SERVER
  ;; SERVER: 10.218.0.1#53(10.218.0.1)

Clearly not the required DNS server. The file /etc/resolv.conf still contains:

  # Generated by NetworkManager
  nameserver 10.218.0.1

Looking more closely at script /etc/openvpn/update-resolv-conf, it begins with the line

  [ -x /sbin/resolvconf ] || exit 0

File /sbin/resolvconf is not present, because package resolvconf is not a prerequisite for openvpn, so the script fails silently! This looks to me like a serious security problem. Joe Road-Warrior is out there, connected to the "free" Wifi. He follows corporate instructions to turn on his openvpn client, but because of the exit 0 he is still using the local, thoroughly compromised DNS server.

The exit 0 needs to be replaced by

1. A notification to Joe that his openvpn setup is broken.
2. An e-mail to his sysadmin to alert him to a security problem.
3. An exit 1 to ensure that the openvpn client cannot start.

Roger
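Added example, not part of Roger's post and not the Debian package's /etc/openvpn/update-resolv-conf: a fail-closed up/down script implementing the three points above. It relies on documented OpenVPN behaviour (pushed dhcp-option lines arrive in the script environment as foreign_option_1, foreign_option_2, ...; script_type is "up" or "down"; a non-zero exit from the up script is fatal and the tunnel is not brought up). The helper paths, the ADMIN_MAIL recipient and the use of mail(1) are assumptions for illustration; the post-connect check against resolv.conf is what would have exposed the NetworkManager resolver still being in use.

```shell
#!/bin/sh
# Fail-closed OpenVPN up/down script (illustrative example, not the stock
# update-resolv-conf).  Replaces "[ -x /sbin/resolvconf ] || exit 0" with
# an alert plus exit 1, and verifies afterwards that a pushed DNS server
# is really the active resolver.

RESOLVCONF=${RESOLVCONF:-/sbin/resolvconf}   # assumed helper path
RESOLV_CONF=${RESOLV_CONF:-/etc/resolv.conf}
ADMIN_MAIL=${ADMIN_MAIL:-root}               # assumed alert recipient

# Print the DNS servers pushed by the server, one per line, by walking
# foreign_option_N until the first unset variable (the same convention
# the stock script uses).
pushed_dns_servers() {
    i=1
    while :; do
        eval "opt=\${foreign_option_$i:-}"
        [ -n "$opt" ] || break
        case "$opt" in
            "dhcp-option DNS "*) printf '%s\n' "${opt#dhcp-option DNS }" ;;
        esac
        i=$((i + 1))
    done
}

# 0 if $1 is listed as a nameserver in resolv.conf-style file $2, else 1.
resolver_in_use() {
    grep -q "^nameserver[[:space:]]*$1\$" "$2"
}

# 0 if at least one server in the newline-separated list $1 is active in $2.
dns_applied() {
    for s in $1; do
        resolver_in_use "$s" "$2" && return 0
    done
    return 1
}

# Refuse to continue without the helper: a visible connection failure
# instead of a silent fall-back to the local (hotspot) resolver.
require_resolvconf() {
    if [ ! -x "$RESOLVCONF" ]; then
        echo "openvpn up-script: $RESOLVCONF is not executable; DNS would stay on the local resolver" >&2
        return 1
    fi
    return 0
}

# Point 1 and 2: tell the user (stderr lands in the OpenVPN log) and the admin.
alert() {
    echo "ALERT: $1" >&2
    if command -v mail >/dev/null 2>&1; then
        printf '%s\n' "$1" | mail -s "openvpn DNS setup broken on $(hostname)" "$ADMIN_MAIL"
    fi
}

# Entry point when invoked by OpenVPN; nothing runs when script_type is unset.
case "${script_type:-}" in
    up)
        dev=$1
        # Point 3: exit 1 so the tunnel is not brought up.
        require_resolvconf || { alert "$RESOLVCONF missing on $(hostname)"; exit 1; }
        servers=$(pushed_dns_servers)
        [ -n "$servers" ] || { alert "server pushed no dhcp-option DNS"; exit 1; }
        printf 'nameserver %s\n' $servers | "$RESOLVCONF" -a "$dev.openvpn"
        dns_applied "$servers" "$RESOLV_CONF" \
            || { alert "$RESOLV_CONF still lists no pushed DNS server"; exit 1; }
        ;;
    down)
        [ -x "$RESOLVCONF" ] && "$RESOLVCONF" -d "$1.openvpn"
        ;;
esac
```

Install it as the up and down script in place of update-resolv-conf (script-security 2 is still required). Because the check reads the live resolv.conf after resolvconf has run, a missing helper, a server that pushes no DNS, or a NetworkManager that overwrites the file all end the session with an ALERT line in the log rather than a working tunnel that leaks every lookup to the hotspot's resolver.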
- Follow-Ups:
- Re: openvpn client DNS security
- From: Mark Fletcher
- Re: openvpn client DNS security