benfitita 39 Posted ... Simplified situation:- AirVPN on a router (pfSense)- router DHCP sets DNS 10.4.0.1 to local devices- ISP connection is the default gateway Problem:Without special firewall rules or additional OpenVPN client configuration, 10.4.0.1 is routed via ISP connection. In my case it seemed to work, because probably that my ISP is NAT redirecting/forwarding all DNS requests to probably their server. Idea:How about tightening this up by server-pushing `route 10.4.0.1` to OpenVPN client? This way we can be pretty sure AirVPN DNS is actually used. In situations where 10.4.0.1 address is used for something else, `pull-filter` can be used to ignore this pushed route. Other notes:As far as I know, there's no easy way to set the VPN gateway as a DNS Forwarder/Resolver upstream server, which I guess would be ideal. Quote Share this post Link to post
OpenSourcerer 1435 Posted ... How about tightening this up by server-pushing `route 10.4.0.1` to OpenVPN client? This way we can be pretty sure AirVPN DNS is actually used. In situations where 10.4.0.1 address is used for something else, `pull-filter` can be used to ignore this pushed route. 10.4.0.1 is only there for backwards compatibility. The right way of handling DNS is to use the VPN gateway address as the DNS server to thwart DNS hijacking attacks, and this has been done so since before I registered here. Example: Tue Jan 15 14:55:24 2019 PUSH: Received control message: 'PUSH_REPLY,comp-lzo no,redirect-gateway ipv6 def1 bypass-dhcp,dhcp-option DNS 10.25.164.1,dhcp-option DNS6 fde6:7a:7d20:15a4::1,tun-ipv6,route-gateway 10.25.164.1,topology subnet,ping 10,ping-restart 60,ifconfig-ipv6 fde6:7a:7d20:15a4::10ec/64 fde6:7a:7d20:15a4::1,ifconfig 10.25.164.238 255.255.255.0,peer-id 3,cipher AES-256-GCM' Unless, of course, I didn't exactly get the gist. As far as I know, there's no easy way to set the VPN gateway as a DNS Forwarder/Resolver upstream server, which I guess would be ideal. Yes, unfortunately, but you can't simply go on and push 10.4.0.1 to any connected client as well... Quote Hide OpenSourcerer's signature Hide all signatures NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT. LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too! Want to contact me directly? All relevant methods are on my About me page. Share this post Link to post
Staff 9973 Posted ... Other notes:As far as I know, there's no easy way to set the VPN gateway as a DNS Forwarder/Resolver upstream server, which I guess would be ideal. Hello! But that's exactly what happens in our service. Check the pushed DNS by the OpenVPN server and make sure that your client takes care of the DNS push (of course our software "Eddie" takes care of it). Having DNS and VPN gateway addresses match will make attacks based on DNS hijack through route-injection doomed to fail (this is a vulnerability which affects as far as we know almost all of our competitors). Kind regards Quote Share this post Link to post
benfitita 39 Posted ... Unfortunalely pfSense doesn’t out of the box accept pushed DNS, so most guides end up using public DNS over the tunnel or 10.4.0.1. Perhaps at least adding this static route to Config generator for routers would avoid some dns leaks for folks out there. Quote Share this post Link to post
Staff 9973 Posted ... Hello! OpenVPN for Unix-like systems can't process the DNS push, so you need to process them by yourself. Since OpenVPN allows execution of your own scripts, some Linux-related ideas (they need resolvconf or openresolv, or systemd, which luckily has never spread into *BSD systems) are here:https://wiki.archlinux.org/index.php/OpenVPN#Update_resolv-conf_script In general: a script launched by OpenVPN event "up" (launched by OpenVPN directive "up") finds the DNS push from the server, stores the current DNS settings, and change the system DNS according to the push. A script at VPN event "down" (triggered by directive "down") must restore the previous DNS settings of the system. Kind regards Quote Share this post Link to post
Wolke68 5 Posted ... I found this https://github.com/graudeejs/openvpn-update-resolv-conf-freebsd is this the right way?For dhcp-DNS push in pfsense Quote Share this post Link to post
Staff 9973 Posted ... Hello! YES, the script rewrite for BSD looks like a perfectly suitable solution. Kind regards 1 Wolke68 reacted to this Quote Share this post Link to post