Re: openvpn client DNS security
- Date: Fri, 6 Apr 2018 07:57:47 +0900
- From: Mark Fletcher <mark27q1@xxxxxxxxx>
- Subject: Re: openvpn client DNS security
On Thu, Apr 05, 2018 at 11:48:51AM +0200, Roger Price wrote:
> Hi, I had a problem setting up DNS on an openvpn client. I'll describe it
> here before submitting a bug report - I would appreciate comment on the
> security aspects.
> Looking more closely at script /etc/openvpn/update-resolv-conf, it begins
> with the line
> [ -x /sbin/resolvconf ] || exit 0
> File /sbin/resolvconf is not present, because package resolvconf is not a
> prerequisite for openvpn, so the script fails silently! This looks to me
> like a serious security problem. Joe Road-Warrior is out there, connected
> to the "free" Wifi. He follows corporate instructions to turn on his
> openvpn client, but because of the exit 0 he is still using the local
> thoroughly compromised DNS server.
apt-cache rdepends resolvconf shows a dependency of openvpn on
openresolv, which according to apt-file provides /sbin/resolvconf (and
also, if I am reading apt-cache output correctly, depends on
I can only assume one of the dependencies in that stack is a "suggests"
rather than a "depends". If you are going to report a bug probably worth
acknowledging this so you don't get turned away at the door.
... Yep, checking apt show openvpn, resolvconf is indeed a "suggests".