Web lists-archives.com

openvpn client DNS security

Hi, I had a problem setting up DNS on an openvpn client. I'll describe it here before submitting a bug report - I would appreciate comment on the security aspects.

In the stretch openvpn server (2.4.0-6+deb9u2) the configuration file server.conf contains the declarations:

 push "dhcp-option DNS"
 push "dhcp-option DNS"

In the stretch 32 bit client the openvpn (2.4.0-6+deb9u2) configuration file client.conf contains the declarations:

 # OpenVPN DNS resolution needs extra help
 # See https://forums.openvpn.net/viewtopic.php?t=21678
 script-security 2
 up /etc/openvpn/update-resolv-conf
 down /etc/openvpn/update-resolv-conf

When the client connects, the log reports:

 Wed Apr  4 13:32:01 2018 us=398019
     PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,
     dhcp-option DNS,dhcp-option DNS,
     route,topology net30,ping 10,ping-restart 120,
     ifconfig,peer-id 0'
 Wed Apr  4 13:32:01 2018 us=400146 ROUTE_GATEWAY
     IFACE=wlan0 HWADDR=74:f0:6d:02:b2:4c
 Wed Apr  4 13:32:01 2018 us=408087 TUN/TAP device tun0 opened
 Wed Apr  4 13:32:01 2018 us=408365 TUN/TAP TX queue length set to 100
 Wed Apr  4 13:32:01 2018 us=408467 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
 Wed Apr  4 13:32:01 2018 us=408551 /sbin/ip link set dev tun0 up mtu 1500
 Wed Apr  4 13:32:01 2018 us=421630 /sbin/ip addr add dev tun0 local
 Wed Apr  4 13:32:01 2018 us=461961 /etc/openvpn/update-resolv-conf tun0 1500
     1561 init

Note the absence of any DNS error message.  I tested for correct DNS setup:

 rprice@kananga ~ dig debian.org | grep SERVER

Clearly not the required DNS server. The file /etc/resolv.conf still contains:

 # Generated by NetworkManager

Looking more closely at script /etc/openvpn/update-resolv-conf, it begins with the line

 [ -x /sbin/resolvconf ] || exit 0

File /sbin/resolvconf is not present, because package resolvconf is not a prerequisite for openvpn, so the script fails silently! This looks to me like a serious security problem. Joe Road-Warrior is out there, connected to the "free" Wifi. He follows corporate instructions to turn on his openvpn client, but because of the exit 0 he is still using the local thoroughly compromised DNS server.

The exit 0 needs to be replaced by

 1. A notification to Joe that his openvpn setup is broken.
 2. An e-mail to his sysadmin to alert to a security problem.
 3. An exit 1 to assure that the openvpn client cannot start.
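The fail-loud behaviour proposed above, as an added shell example that is neither the Debian update-resolv-conf script nor the poster's code: a hypothetical up-script that refuses to continue when /sbin/resolvconf is missing and checks that the pushed servers actually landed in /etc/resolv.conf. It assumes the foreign_option_N, script_type and dev environment variables OpenVPN sets for --up scripts and the `resolvconf -a` interface; the addresses in the comments are constructed.

```shell
#!/bin/sh
# Hypothetical hardened up-script (added example, not Debian's update-resolv-conf).
# Instead of "[ -x /sbin/resolvconf ] || exit 0", a missing helper or an
# unchanged resolv.conf is reported and the script exits 1, so OpenVPN
# aborts the tunnel rather than leaving the untrusted local resolver in use.

# Report a failure to the user (stderr) and to syslog when logger exists.
notify_failure() {
    echo "openvpn up-script: $1" >&2
    command -v logger >/dev/null 2>&1 && logger -t openvpn-up -p daemon.err "$1"
    return 0
}

# Point 3 of the proposal: refuse to continue if the resolver helper is absent.
require_resolvconf() {
    [ -x "${1:-/sbin/resolvconf}" ]
}

# Extract DNS servers from OpenVPN's foreign_option_N variables, which hold
# pushed options such as "dhcp-option DNS 10.8.0.1" (constructed value);
# options that are not DNS servers are skipped.
collect_pushed_dns() {
    i=1
    while eval "opt=\${foreign_option_$i:-}"; [ -n "$opt" ]; do
        case "$opt" in
            "dhcp-option DNS "*) echo "${opt#dhcp-option DNS }" ;;
        esac
        i=$((i + 1))
    done
}

# Point 1: detect the silent failure by checking that resolv.conf now names
# at least one of the pushed servers.  Usage: verify_resolv_conf FILE IP...
verify_resolv_conf() {
    file="$1"; shift
    for srv in "$@"; do
        pat=$(printf '%s' "$srv" | sed 's/\./\\./g')
        grep -q "^nameserver[[:space:]][[:space:]]*${pat}[[:space:]]*\$" "$file" && return 0
    done
    return 1
}

# OpenVPN sets script_type=up when running --up; sourcing the file skips this.
if [ "${script_type:-}" = "up" ]; then
    require_resolvconf /sbin/resolvconf || { notify_failure "resolvconf not installed, DNS would stay on the local resolver"; exit 1; }
    dns=$(collect_pushed_dns)
    [ -n "$dns" ] || { notify_failure "server pushed no DNS option"; exit 1; }
    for s in $dns; do printf 'nameserver %s\n' "$s"; done | /sbin/resolvconf -a "${dev:-tun0}.openvpn"
    verify_resolv_conf /etc/resolv.conf $dns || { notify_failure "/etc/resolv.conf was not updated"; exit 1; }
fi
```

With this in place of the `exit 0`, a missing resolvconf package makes the up-script return 1 and OpenVPN refuses to bring the tunnel up, which is the visible failure the post asks for.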