Posts by sunkai

    Greets,

    I am using the "/storage/.config/system.d/openvpn.service.example" as the basis for auto launching OpenVPN at boot.

    However, when used in conjunction with LibreELEC's Custom Firewall setting in Kodi, my "/storage/.config/iptables/rules.v4" configuration is preventing OpenVPN from creating its tunX/tapX device (i.e. it's missing from `ifconfig`).

    My "/storage/.config/iptables/rules.v4" constitutes a VPN kill switch, only allowing traffic in and out of the VPN connection, or across the LAN:

    Oddly, if I flush iptables (`iptables -F`), I can restart OpenVPN (`systemctl restart openvpn.service`), which successfully creates the "tun0" device, and then run the exact same `iptables` commands to create the VPN kill switch. Both OpenVPN and the iptables VPN kill switch work as expected with this execution order.

    It seems that the iptables rules must not be implemented before executing OpenVPN?

    How can I ensure this at boot?
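    One common reason a kill switch stops the tunnel from ever appearing is that it also drops the UDP packets OpenVPN has to send to its server over the physical interface before tun0 exists. As an added example (not from this thread or from LibreELEC), here is a small script that generates a rules.v4 in iptables-restore format leaving exactly that one hole open, so the rules can be loaded before OpenVPN starts; the server address, port, LAN range and interface names are assumptions passed as arguments.

```shell
#!/bin/sh
# Added example, not from the thread: emit a VPN kill-switch rules.v4
# (iptables-restore format) that still lets OpenVPN reach its server over
# the physical interface, so the tunnel can come up after the rules are
# already loaded at boot. Arguments (all assumptions, not from the thread):
#   vpn_server vpn_port lan_cidr wan_if tun_if
emit_killswitch_rules() {
    vpn_server="$1"            # VPN endpoint as an IP: no DNS before the tunnel is up
    vpn_port="${2:-1194}"
    lan="${3:-192.168.1.0/24}"
    wan_if="${4:-eth0}"
    tun_if="${5:-tun0}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback and replies to connections this host opened
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# DHCP on the physical interface, or the box never gets an address
-A OUTPUT -o $wan_if -p udp --sport 68 --dport 67 -j ACCEPT
-A INPUT -i $wan_if -p udp --sport 67 --dport 68 -j ACCEPT
# LAN traffic (Kodi remotes, SMB shares, SSH) on the physical interface
-A INPUT -i $wan_if -s $lan -j ACCEPT
-A OUTPUT -o $wan_if -d $lan -j ACCEPT
# the one hole the kill switch needs: OpenVPN's own channel to the server,
# which must cross $wan_if before $tun_if exists
-A OUTPUT -o $wan_if -p udp -d $vpn_server --dport $vpn_port -j ACCEPT
# everything else only through the tunnel
-A INPUT -i $tun_if -j ACCEPT
-A OUTPUT -o $tun_if -j ACCEPT
COMMIT
EOF
}
```

    Write the output to the rules file, e.g. `emit_killswitch_rules 203.0.113.10 1194 192.168.1.0/24 > /storage/.config/iptables/rules.v4`, and use an IP address for `remote` in the OpenVPN config as well, since these rules block name resolution until tun0 is up unless the resolver sits on the LAN.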

    No biters, so I've written a script myself:

    However, a straight substitution of calls to `resolvconf` with calls to `connmanctl` appears to be breaking the semantics of the original script.

    This script is successfully called by OpenVPN, and the default DNS server address (e.g. 8.8.8.8 for Google) is overwritten with the VPN provider's DNS server address(es) (e.g. 10.0.0.243 for PIA). This has been verified by inspecting the "/storage/.cache/connman/ethernet_xxxxxxxxxxxx_cable/settings" file.

    But, DNS resolution no longer works after connman is updated, resulting in "bad address" errors when trying to ping known services, e.g. google.com.

    The `resolvconf` calls in the original script specify DNS settings for the particular device of the OpenVPN connection, e.g. tun0. However, there is no additional settings directory created under "/storage/.cache/connman/" after connecting to OpenVPN (hence why the `connmanctl` commands in the script above are updating the ethernet service instead).

    Under LibreELEC, how do you change the DNS server address settings for an OpenVPN device (i.e. tunX/tapX)?

    Greets,

    It is typical to distribute an "update-resolv-conf.sh" script with an openvpn bin. LE does not.

    The script is called on the "up" action of an openvpn connection. It inspects the VPN tunnel's DNS server values, and replaces the local values with these.

    This prevents the local gateway's IP address being leaked to DNS providers outside of the VPN tunnel.

    e.g. openvpn-update-resolv-conf/update-resolv-conf.sh at master · alfredopalhares/openvpn-update-resolv-conf · GitHub

    LE does not have "/etc/resolv.conf", utilising connman to configure DNS addresses instead.

    Has anyone written an equivalent script that plugs openvpn DNS leaks?

    I believe it would largely be the same script, except that connmanctl, or configuration of connman via dbus, would replace calls to "/sbin/resolvconf".