Posts by sunkai

I solved the order of execution by:

1) Altering this section in my "openvpn.service":

[Install]
#WantedBy=kodi.target
WantedBy=multi-user.target

2) By scripting the desired modification of the iptables rules, and then using the "--up" option of `openvpn' to run the script (which executes scripts after the OpenVPN device tunX/tapX has been enabled).

Greets,

I am using the "/storage/.config/system.d/openvpn.service.example" as the basis for auto launching OpenVPN at boot.

However, when used in conjunction with LibreELEC's Custom Firewall setting in Kodi, my "/storage/.config/iptables/rules.v4" configuration is preventing OpenVPN from creating its tunX/tapX device (i.e. it's missing from `ifconfig').

My "/storage/.config/iptables/rules.v4" constitutes a VPN kill switch, only allowing traffic in and out of the VPN connection, or across the LAN:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A INPUT -p udp -m udp --sport 1197 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -d 192.168.0.0/24 -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 1197 -j ACCEPT
-A OUTPUT -s 192.168.0.0/24 -d 192.168.0.0/24 -j ACCEPT
-A OUTPUT -j DROP
COMMIT

Oddly, if I flush iptables (`iptables -F'), I can restart OpenVPN (`systemctl restart openvpn.service"), which successfully creates the "tun0" device, and then run the exact same `iptables' commands to create the VPN kill switch. Both OpenVPN and the iptables VPN kill switch work as expected with this execution order.

It seems that the iptables rules must not be implemented before executing OpenVPN?

How can I ensure this at boot?

No biters, so I've written a script myself:

#!/usr/bin/env sh

# Example envs set from openvpn:
# foreign_option_1='dhcp-option DNS 193.43.27.132'
# foreign_option_2='dhcp-option DNS 193.43.27.133'
# foreign_option_3='dhcp-option DOMAIN be.bnc.ch'
# foreign_option_4='dhcp-option DOMAIN-SEARCH bnc.local'

connman_service="$(connmanctl services | awk '/^\*/ {print $3}')"

case $script_type in

up)
  dns_nameservers=""
  dns_search=""
  option_count=1
  option_name="foreign_option_${option_count}"
  while eval "[ ! -z \"\${${option_name}+x}\" ]"; do
    eval "option=\"\$${option_name}\""
    echo $option
    part1=$(echo "$option" | cut -d " " -f 1)
    if [ "$part1" == "dhcp-option" ] ; then
      part2=$(echo "$option" | cut -d " " -f 2)
      part3=$(echo "$option" | cut -d " " -f 3)
      if [ "$part2" == "DNS" ] ; then
        dns_nameservers="$dns_nameservers $part3"
      fi
      if [[ "$part2" == "DOMAIN" || "$part2" == "DOMAIN-SEARCH" ]] ; then
        dns_search="$dns_search $part3"
      fi
    fi
    option_count=$((option_count+1))
    option_name="foreign_option_${option_count}"
  done
  connmanctl config "$connman_service" nameservers "$dns_nameservers"
  connmanctl config "$connman_service" domains "$dns_search"
  ;;
down)
  connmanctl config "$connman_service" nameservers ""
  connmanctl config "$connman_service" domains ""
  ;;

esac

However, a straight substitution of calls to `resolvconf' with calls to `connmanctl' appear to be breaking the semantics of the original script.

This script is successfully called by OpenVPN, and the default DNS server address (e.g. 8.8.8.8 for Google) is overwritten with the VPN provider's DNS server address(es) (e.g. 10.0.0.243 for PIA). This has been verified by inspecting the "/storage/.cache/connman/ethernet_xxxxxxxxxxxx_cable/settings" file.

But, DNS resolution no longer works after connman is updated, resulting in "bad address" errors when trying to ping known services, e.g. google.com.

The `resolvconf' calls in the original script specify DNS settings for the particular device of the OpenVPN connection, e.g. tun0. However, there is no additional settings directory created under "/storage/.cache/connman/" after connecting to OpenVPN (hence why the `connmanctl' commands in the script above are updating the ethernet service instead).

Under LibreELEC, how do you change the DNS server address settings for an OpenVPN device (i.e tunX/tapX)?

Greets,

It is typical to distribute an "update-resolv-conf.sh" script with an openvpn bin. LE does not.

The script is called on the "up" action of an openvpn connection. It inspects the VPN tunnel's DNS server values, and replaces the local values with these.

This prevents the local gateway's IP address being leaked to DNS providers outside of the VPN tunnel.

e.g. openvpn-update-resolv-conf/update-resolv-conf.sh at master · alfredopalhares/openvpn-update-resolv-conf · GitHub

LE does not have "/etc/resolv.conf", utilising connman to configure DNS addresses instead.

Has anyone written an equivalent script that plugs openvpn DNS leaks?

I believe it would largely be the same script, except that connmanctl, or configuration of connman via dbus, would replace calls to "/sbin/resolveconf".