benfitita Posted ...

Simplified situation:
- AirVPN on a router (pfSense)
- router DHCP sets DNS 10.4.0.1 to local devices
- ISP connection is the default gateway

Problem: Without special firewall rules or additional OpenVPN client configuration, 10.4.0.1 is routed via the ISP connection. In my case it seemed to work, probably because my ISP is NAT redirecting/forwarding all DNS requests to their own server.

Idea: How about tightening this up by server-pushing `route 10.4.0.1` to the OpenVPN client? This way we can be pretty sure AirVPN DNS is actually used. In situations where the 10.4.0.1 address is used for something else, `pull-filter` can be used to ignore this pushed route.

Other notes: As far as I know, there's no easy way to set the VPN gateway as a DNS Forwarder/Resolver upstream server, which I guess would be ideal.
OpenSourcerer Posted ...

> How about tightening this up by server-pushing `route 10.4.0.1` to OpenVPN client? This way we can be pretty sure AirVPN DNS is actually used. In situations where 10.4.0.1 address is used for something else, `pull-filter` can be used to ignore this pushed route.

10.4.0.1 is only there for backwards compatibility. The right way of handling DNS is to use the VPN gateway address as the DNS server to thwart DNS hijacking attacks, and this has been done since before I registered here. Example:

Tue Jan 15 14:55:24 2019 PUSH: Received control message: 'PUSH_REPLY,comp-lzo no,redirect-gateway ipv6 def1 bypass-dhcp,dhcp-option DNS 10.25.164.1,dhcp-option DNS6 fde6:7a:7d20:15a4::1,tun-ipv6,route-gateway 10.25.164.1,topology subnet,ping 10,ping-restart 60,ifconfig-ipv6 fde6:7a:7d20:15a4::10ec/64 fde6:7a:7d20:15a4::1,ifconfig 10.25.164.238 255.255.255.0,peer-id 3,cipher AES-256-GCM'

Unless, of course, I didn't exactly get the gist.

> As far as I know, there's no easy way to set the VPN gateway as a DNS Forwarder/Resolver upstream server, which I guess would be ideal.

Yes, unfortunately, but you can't simply go on and push 10.4.0.1 to any connected client as well...
Staff Posted ...

> Other notes: As far as I know, there's no easy way to set the VPN gateway as a DNS Forwarder/Resolver upstream server, which I guess would be ideal.

Hello!

But that's exactly what happens in our service. Check the DNS pushed by the OpenVPN server and make sure that your client takes care of the DNS push (of course our software "Eddie" takes care of it). Having the DNS and VPN gateway addresses match will make attacks based on DNS hijack through route injection doomed to fail (this is a vulnerability which, as far as we know, affects almost all of our competitors).

Kind regards
benfitita Posted ...

Unfortunately pfSense doesn't accept pushed DNS out of the box, so most guides end up using public DNS over the tunnel or 10.4.0.1. Perhaps at least adding this static route to the Config Generator for routers would avoid some DNS leaks for folks out there.
Staff Posted ...

Hello!

OpenVPN for Unix-like systems can't process the DNS push, so you need to process it yourself. Since OpenVPN allows execution of your own scripts, some Linux-related ideas (they need resolvconf or openresolv, or systemd, which luckily has never spread into *BSD systems) are here: https://wiki.archlinux.org/index.php/OpenVPN#Update_resolv-conf_script

In general: a script launched by the OpenVPN event "up" (launched by the OpenVPN directive "up") finds the DNS push from the server, stores the current DNS settings, and changes the system DNS according to the push. A script at VPN event "down" (triggered by the directive "down") must restore the previous DNS settings of the system.

Kind regards
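The up/down procedure described in the post above, written out as an added example for a BSD-like host (this is not AirVPN's, pfSense's or any linked project's code). It reads OpenVPN's own script environment (`foreign_option_N`, `route_vpn_gateway`, `script_type`), applies the pushed resolvers only when the pushed IPv4 DNS is the VPN gateway itself (the anti-hijack property the thread relies on), and restores the previous resolv.conf on disconnect; the two file paths are assumptions.

```shell
#!/bin/sh
# Added example, not AirVPN's or pfSense's code. OpenVPN "up"/"down" script:
# OpenVPN exports each pushed option as foreign_option_N, the tunnel gateway
# as route_vpn_gateway and the event name as script_type. Paths are assumed.
RESOLV_CONF="${RESOLV_CONF:-/etc/resolv.conf}"
RESOLV_BACKUP="${RESOLV_BACKUP:-/var/run/resolv.conf.pre-openvpn}"

# Print every pushed DNS/DNS6 address, one per line, in push order.
pushed_dns() {
    i=1
    while true; do
        eval "opt=\${foreign_option_$i:-}"
        [ -n "$opt" ] || break
        case "$opt" in
            "dhcp-option DNS "*)  echo "${opt#dhcp-option DNS }" ;;
            "dhcp-option DNS6 "*) echo "${opt#dhcp-option DNS6 }" ;;
        esac
        i=$((i + 1))
    done
}

# Succeed only when at least one IPv4 resolver was pushed and every pushed
# IPv4 resolver is the VPN gateway itself. IPv6 resolvers are not checked.
dns_matches_gateway() {
    gw="${route_vpn_gateway:-}"
    [ -n "$gw" ] || return 1
    found=0
    for d in $(pushed_dns); do
        case "$d" in
            *:*)   ;;
            "$gw") found=1 ;;
            *)     return 1 ;;
        esac
    done
    [ "$found" -eq 1 ]
}

vpn_up() {
    dns_matches_gateway || { echo "pushed DNS is not the VPN gateway; refusing" >&2; return 1; }
    # Keep the pre-VPN resolver config once, so a restart does not overwrite it.
    if [ ! -f "$RESOLV_BACKUP" ] && [ -f "$RESOLV_CONF" ]; then
        cp "$RESOLV_CONF" "$RESOLV_BACKUP"
    fi
    { echo "# written by OpenVPN up script"; pushed_dns | sed 's/^/nameserver /'; } > "$RESOLV_CONF"
}
vpn_down() {
    if [ -f "$RESOLV_BACKUP" ]; then mv "$RESOLV_BACKUP" "$RESOLV_CONF"; fi
}

case "${script_type:-}" in up) vpn_up ;; down) vpn_down ;; esac
```

Hook it in with `script-security 2`, `up /path/to/this.sh` and `down /path/to/this.sh` in the client config; on pfSense, where resolv.conf is system-managed, the same logic would instead update the resolver's upstream setting.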
Wolke68 Posted ...

I found this: https://github.com/graudeejs/openvpn-update-resolv-conf-freebsd

Is this the right way for the DHCP DNS push in pfSense?
Staff Posted ...

Hello!

YES, the script rewrite for BSD looks like a perfectly suitable solution.

Kind regards