Jump to content
Not connected, Your IP: 3.133.138.129
benfitita

Server push `route 10.4.0.1`

Recommended Posts

Simplified situation:

- AirVPN on a router (pfSense)

- router DHCP sets DNS 10.4.0.1 to local devices

- ISP connection is the default gateway

 

Problem:

Without special firewall rules or additional OpenVPN client configuration, 10.4.0.1 is routed via ISP connection. In my case it seemed to work, because probably that my ISP is NAT redirecting/forwarding all DNS requests to probably their server.

 

Idea:

How about tightening this up by server-pushing `route 10.4.0.1` to OpenVPN client? This way we can be pretty sure AirVPN DNS is actually used. In situations where 10.4.0.1 address is used for something else,  `pull-filter` can be used to ignore this pushed route.

 

Other notes:

As far as I know, there's no easy way to set the VPN gateway as a DNS Forwarder/Resolver upstream server, which I guess would be ideal.

Share this post


Link to post

How about tightening this up by server-pushing `route 10.4.0.1` to OpenVPN client? This way we can be pretty sure AirVPN DNS is actually used. In situations where 10.4.0.1 address is used for something else,  `pull-filter` can be used to ignore this pushed route.

 

10.4.0.1 is only there for backwards compatibility. The right way of handling DNS is to use the VPN gateway address as the DNS server to thwart DNS hijacking attacks, and this has been done so since before I registered here. Example:

Tue Jan 15 14:55:24 2019 PUSH: Received control message: 'PUSH_REPLY,comp-lzo no,redirect-gateway ipv6 def1 bypass-dhcp,dhcp-option DNS 10.25.164.1,dhcp-option DNS6 fde6:7a:7d20:15a4::1,tun-ipv6,route-gateway 10.25.164.1,topology subnet,ping 10,ping-restart 60,ifconfig-ipv6 fde6:7a:7d20:15a4::10ec/64 fde6:7a:7d20:15a4::1,ifconfig 10.25.164.238 255.255.255.0,peer-id 3,cipher AES-256-GCM'

Unless, of course, I didn't exactly get the gist.

 

As far as I know, there's no easy way to set the VPN gateway as a DNS Forwarder/Resolver upstream server, which I guess would be ideal.

 

Yes, unfortunately, but you can't simply go on and push 10.4.0.1 to any connected client as well...


NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.

Share this post


Link to post

Other notes:

As far as I know, there's no easy way to set the VPN gateway as a DNS Forwarder/Resolver upstream server, which I guess would be ideal.

 

Hello!

 

But that's exactly what happens in our service. Check the pushed DNS by the OpenVPN server and make sure that your client takes care of the DNS push (of course our software "Eddie" takes care of it).

 

Having DNS and VPN gateway addresses match will make attacks based on DNS hijack through route-injection doomed to fail (this is a vulnerability which affects as far as we know almost all of our competitors).

 

Kind regards

Share this post


Link to post

Unfortunalely pfSense doesn’t out of the box accept pushed DNS, so most guides end up using public DNS over the tunnel or 10.4.0.1. Perhaps at least adding this static route to Config generator for routers would avoid some dns leaks for folks out there.

Share this post


Link to post

Hello!

 

OpenVPN for Unix-like systems can't process the DNS push, so you need to process them by yourself. Since OpenVPN allows execution of your own scripts, some Linux-related ideas (they need resolvconf or openresolv, or systemd, which luckily has never spread into *BSD systems) are here:

https://wiki.archlinux.org/index.php/OpenVPN#Update_resolv-conf_script

 

In general: a script launched by OpenVPN event "up" (launched by OpenVPN directive "up") finds the DNS push from the server, stores the current DNS settings, and change the system DNS according to the push. A script at VPN event "down" (triggered by directive "down") must restore the previous DNS settings of the system.

 

Kind regards

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...