Search the Community
Showing results for tags 'prevention'.
Found 1 result
Hello! The idea of bringing this up is a result of many questions lately, that some devices or clients override OS settings and query their own DNS servers without the users permission. I would like to suggest a small enhancement, which will potentially prevent all user mistakes in the future, and will allow an even better VPN experience with less configuration. The idea is to have 2 additional options in the config generator section of the Client Area, where the user would be able to "opt-in" in case he wants the feature. One is something like "Force all applications use Air's VPN server", in which case you will have to add something like this: iptables -t nat -A PREROUTING -s 10.4.12.34 -p udp --dport 53 -j DNAT --to 10.4.0.1 iptables -t nat -A PREROUTING -s 10.4.12.34 -p tcp --dport 53 -j DNAT --to 10.4.0.1 The internal IP of the client is known to you, here is just examples of how I assume it should look on the server side. The second option in the Client Area, can be called something like "Prevent all potential DNS leaks, I will configure Air's DNS manually" Then, a rule like this can come in place: iptables -A OUTPUT -p udp -s 10.4.12.34 -d 10.0.0.0/8 --dport 53 -j ACCEPT iptables -A OUTPUT -p tcp -s 10.4.12.34 -d 10.0.0.0/8 --dport 53 -j ACCEPT iptables -A OUTPUT -p udp -s 10.4.12.34 --dport 53 -j DROP iptables -A OUTPUT -p tcp -s 10.4.12.34 --dport 53 -j DROP All the examples are made up, I am sure that a more elegant way of achieving this can take place, such as a special subnet for all users of each group. Today these methods are used in corporate VPNs mainly to enforce whitelisting/blacklisting of URLs, but I don't see a reason why we can't do the same here. Please share your comments zhang888