Creating "update-resolv-conf.sh" equivalent to plug openvpn DNS leaks

sunkai · November 18, 2020 at 12:00 AM

Greets,

It is typical to distribute an "update-resolv-conf.sh" script with an openvpn bin. LE does not.

The script is called on the "up" action of an openvpn connection. It inspects the VPN tunnel's DNS server values, and replaces the local values with these.

This prevents the local gateway's IP address being leaked to DNS providers outside of the VPN tunnel.

e.g. openvpn-update-resolv-conf/update-resolv-conf.sh at master · alfredopalhares/openvpn-update-resolv-conf · GitHub

LE does not have "/etc/resolv.conf", utilising connman to configure DNS addresses instead.

Has anyone written an equivalent script that plugs openvpn DNS leaks?

I believe it would largely be the same script, except that connmanctl, or configuration of connman via dbus, would replace calls to "/sbin/resolveconf".

sunkai · November 21, 2020 at 10:47 PM

No biters, so I've written a script myself:

Code

#!/usr/bin/env sh

# Example envs set from openvpn:
# foreign_option_1='dhcp-option DNS 193.43.27.132'
# foreign_option_2='dhcp-option DNS 193.43.27.133'
# foreign_option_3='dhcp-option DOMAIN be.bnc.ch'
# foreign_option_4='dhcp-option DOMAIN-SEARCH bnc.local'

connman_service="$(connmanctl services | awk '/^\*/ {print $3}')"

case $script_type in

up)
  dns_nameservers=""
  dns_search=""
  option_count=1
  option_name="foreign_option_${option_count}"
  while eval "[ ! -z \"\${${option_name}+x}\" ]"; do
    eval "option=\"\$${option_name}\""
    echo $option
    part1=$(echo "$option" | cut -d " " -f 1)
    if [ "$part1" == "dhcp-option" ] ; then
      part2=$(echo "$option" | cut -d " " -f 2)
      part3=$(echo "$option" | cut -d " " -f 3)
      if [ "$part2" == "DNS" ] ; then
        dns_nameservers="$dns_nameservers $part3"
      fi
      if [[ "$part2" == "DOMAIN" || "$part2" == "DOMAIN-SEARCH" ]] ; then
        dns_search="$dns_search $part3"
      fi
    fi
    option_count=$((option_count+1))
    option_name="foreign_option_${option_count}"
  done
  connmanctl config "$connman_service" nameservers "$dns_nameservers"
  connmanctl config "$connman_service" domains "$dns_search"
  ;;
down)
  connmanctl config "$connman_service" nameservers ""
  connmanctl config "$connman_service" domains ""
  ;;

esac

Display More

However, a straight substitution of calls to `resolvconf' with calls to `connmanctl' appear to be breaking the semantics of the original script.

This script is successfully called by OpenVPN, and the default DNS server address (e.g. 8.8.8.8 for Google) is overwritten with the VPN provider's DNS server address(es) (e.g. 10.0.0.243 for PIA). This has been verified by inspecting the "/storage/.cache/connman/ethernet_xxxxxxxxxxxx_cable/settings" file.

But, DNS resolution no longer works after connman is updated, resulting in "bad address" errors when trying to ping known services, e.g. google.com.

The `resolvconf' calls in the original script specify DNS settings for the particular device of the OpenVPN connection, e.g. tun0. However, there is no additional settings directory created under "/storage/.cache/connman/" after connecting to OpenVPN (hence why the `connmanctl' commands in the script above are updating the ethernet service instead).

Under LibreELEC, how do you change the DNS server address settings for an OpenVPN device (i.e tunX/tapX)?

PiotrC · March 3, 2021 at 4:47 PM

Hi sunkai!

thanks for excellent script. With Zomboid VPN addons works very good (at least for NordVPN). However, connmanctl adding DNS server automaticaly adds route to this server via default gateway (ie. ethernet interface, not VPN interface). It creates problems with NordVPN where they derirect DNS according to IP address). My solutuion is to add ip route delete part. So the scrip looks following:

Code

#!/usr/bin/env sh

# Example envs set from openvpn:
# foreign_option_1='dhcp-option DNS 193.43.27.132'
# foreign_option_2='dhcp-option DNS 193.43.27.133'
# foreign_option_3='dhcp-option DOMAIN be.bnc.ch'
# foreign_option_4='dhcp-option DOMAIN-SEARCH bnc.local'

connman_service="$(connmanctl services | awk '/^\*/ {print $3}')"

case $script_type in

up)
  dns_nameservers=""
  dns_search=""
  option_count=1
  option_name="foreign_option_${option_count}"
  while eval "[ ! -z \"\${${option_name}+x}\" ]"; do
    eval "option=\"\$${option_name}\""
    echo $option
    part1=$(echo "$option" | cut -d " " -f 1)
    if [ "$part1" == "dhcp-option" ] ; then
      part2=$(echo "$option" | cut -d " " -f 2)
      part3=$(echo "$option" | cut -d " " -f 3)
      if [ "$part2" == "DNS" ] ; then
        dns_nameservers="$dns_nameservers $part3"
      fi
      if [[ "$part2" == "DOMAIN" || "$part2" == "DOMAIN-SEARCH" ]] ; then
        dns_search="$dns_search $part3"
      fi
    fi
    option_count=$((option_count+1))
    option_name="foreign_option_${option_count}"
  done
  connmanctl config "$connman_service" nameservers "$dns_nameservers"
  connmanctl config "$connman_service" domains "."
  for dnsserver in ${dns_nameservers}; do
    ip route delete $dnsserver
  done
  ;;
down)
  connmanctl config "$connman_service" nameservers ""
  connmanctl config "$connman_service" domains ""
  ;;

esac

Display More

GarnR1 · August 31, 2021 at 4:24 AM

Hi PiotrC

Thanks for your work in providing this script. I am using a RPI 4B 4GB with Libreelec 9.2.8 along with "vpn manager for openvpn". The problem I'm having is every so often while connected to the network via ethernet or wlan the internet connection stops working. A dead giveaway is the time is usually incorrect and "VPN Manager" cannot connect. The RPI is accessible via the network but there is no internet connection. The only way to fix it is try disable wan/lan, reset and sometimes it will kick back into life, sometimes it wont.

This happens every so often and most of the time it works but when it goes down it can be days before I can get it going again by trying the above steps. Any help would be so appreciated.