Re: openvpn client DNS security

On Thu, Apr 05, 2018 at 11:48:51AM +0200, Roger Price wrote:
> Hi, I had a problem setting up DNS on an openvpn client.  I'll describe it
> here before submitting a bug report - I would appreciate comment on the
> security aspects.
> 
<snip>
> 
> Looking more closely at script /etc/openvpn/update-resolv-conf, it begins
> with the line
> 
>  [ -x /sbin/resolvconf ] || exit 0
> 
> File /sbin/resolvconf is not present, because package resolvconf is not a
> prerequisite for openvpn, so the script fails silently!  This looks to me
> like a serious security problem.  Joe Road-Warrior is out there, connected
> to the "free" Wifi.  He follows corporate instructions to turn on his
> openvpn client, but because of the exit 0 he is still using the local
> thoroughly compromised DNS server.
> 

apt-cache rdepends resolvconf shows a dependency of openvpn on 
openresolv, which according to apt-file provides /sbin/resolvconf (and 
also, if I am reading apt-cache output correctly, depends on 
resolvconf...)

I can only assume one of the dependencies in that stack is a "suggests" 
rather than a "depends". If you are going to report a bug probably worth 
acknowledging this so you don't get turned away at the door.

... Yep, checking apt show openvpn, resolvconf is indeed a "suggests".

Mark
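As an added illustration of the fail-closed behaviour the thread argues for (this is not the Debian update-resolv-conf script and not code from either poster): OpenVPN hands pushed options to its --up script as foreign_option_N environment variables, such as "dhcp-option DNS 10.8.0.1"; the check below refuses with a non-zero exit, rather than exit 0, when /sbin/resolvconf is missing or no DNS server was pushed, so a failing up script makes the connection abort instead of silently keeping the local resolver. RESOLVCONF_BIN is an assumed override that exists only so the check can be exercised on a machine without resolvconf.

```shell
#!/bin/sh
# Added example, not the distribution's update-resolv-conf.
# Assumption: RESOLVCONF_BIN overrides the resolvconf path for testing.

# Print one DNS server per line, taken from the foreign_option_N
# variables OpenVPN exports to its --up script.
collect_dns_servers() {
    n=1
    while eval "opt=\${foreign_option_${n}:-}"; [ -n "$opt" ]; do
        case "$opt" in
            "dhcp-option DNS "*) echo "${opt#dhcp-option DNS }" ;;
        esac
        n=$((n + 1))
    done
}

# Return 0 only when resolvconf is executable AND the server pushed at
# least one DNS address. Any other state returns 1 so that OpenVPN
# aborts the connection rather than leaving the untrusted local DNS
# in place (the "exit 0" in the thread does the opposite).
check_dns_setup() {
    bin="${RESOLVCONF_BIN:-/sbin/resolvconf}"
    if [ ! -x "$bin" ]; then
        echo "update-resolv-conf: $bin not executable; refusing to bring tunnel up" >&2
        return 1
    fi
    servers=$(collect_dns_servers)
    if [ -z "$servers" ]; then
        echo "update-resolv-conf: server pushed no DNS option; refusing to bring tunnel up" >&2
        return 1
    fi
    echo "update-resolv-conf: would hand these resolvers to $bin:"
    echo "$servers"
    return 0
}
```

Run from an OpenVPN "up" hook, the script's last line would be `check_dns_setup || exit 1`, which needs script-security 2 in the client config.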