I got a weird issue with Linux clients while everything worked fine with Windows machines: for some reason, /etc/resolv.conf did not get updated. I found a workaround thanks to this page. Of course, your server configuration file must contain (if 192.168.1.1 is your DNS server):
push "dhcp-option DNS 192.168.1.1"
First, you will need the resolvconf program. On Debian:
$ apt-get install resolvconf
Then, you will need to add these lines to the configuration file of your Linux client (let's say /etc/openvpn/client.conf):
up /etc/openvpn/domain.up
plugin /usr/lib/openvpn/openvpn-down-root.so /etc/openvpn/domain.down
The openvpn-down-root plugin provided by OpenVPN runs the down script with root privileges (OpenVPN needs root access when it initialises but drops it soon after, so without the plugin the down script would not be allowed to touch resolv.conf).
Now let's create the scripts:
/etc/openvpn/domain.up:
#!/bin/sh
# really naff script to add nameserver entry on up
# OpenVPN passes the tunnel device name as $1 and exports each pushed
# option as foreign_option_N='dhcp-option DNS x.x.x.x' (or DOMAIN ...)
DEV=$1
# turn the foreign_option_N lines of "set" into resolv.conf entries
set | sed -n " s/^foreign_option_.* DNS \(.*\)'/nameserver \1/; T next; p;
:next; s/^foreign_option_.* DOMAIN \(.*\)'/domain \1/; T; p;
" | resolvconf -a "$DEV"
resolvconf -u
/etc/openvpn/domain.down:
#!/bin/sh
# really naff script to delete nameserver entry on down
DEV=$1
resolvconf -d "$DEV"
resolvconf -u
Now let's make them executable (from /etc/openvpn):
$ chmod +x domain*
Finally, just restart openvpn and that should be fine!
UPDATE 2008/07/11: The two scripts above are somewhat obsolete because, at least in Debian Etch, a similar script is included in the OpenVPN package.
Here it is:
#!/bin/bash
#
# Parses DHCP options from openvpn to update resolv.conf
# To use set as 'up' and 'down' script in your openvpn *.conf:
# up /etc/openvpn/update-resolv-conf
# down /etc/openvpn/update-resolv-conf
#
# Used snippets of resolvconf script by Thomas Hood <jdthood@yahoo.co.uk>
# and Chris Hanson
# Licensed under the GNU GPL. See /usr/share/common-licenses/GPL.
#
# 05/2006 chlauber@bnc.ch
#
# Example envs set from openvpn:
# foreign_option_1='dhcp-option DNS 193.43.27.132'
# foreign_option_2='dhcp-option DNS 193.43.27.133'
# foreign_option_3='dhcp-option DOMAIN be.bnc.ch'

[ -x /sbin/resolvconf ] || exit 0

case $script_type in
up)
    for optionname in ${!foreign_option_*} ; do
        option="${!optionname}"
        echo $option    # log each pushed option
        part1=$(echo "$option" | cut -d " " -f 1)
        if [ "$part1" == "dhcp-option" ] ; then
            part2=$(echo "$option" | cut -d " " -f 2)
            part3=$(echo "$option" | cut -d " " -f 3)
            if [ "$part2" == "DNS" ] ; then
                IF_DNS_NAMESERVERS="$IF_DNS_NAMESERVERS $part3"
            fi
            if [ "$part2" == "DOMAIN" ] ; then
                IF_DNS_SEARCH="$part3"
            fi
        fi
    done
    # build the resolv.conf fragment; every entry must end with a newline
    R=""
    if [ "$IF_DNS_SEARCH" ] ; then
        R="${R}search $IF_DNS_SEARCH"$'\n'
    fi
    for NS in $IF_DNS_NAMESERVERS ; do
        R="${R}nameserver $NS"$'\n'
    done
    echo -n "$R" | /sbin/resolvconf -a "${dev}.inet"
    ;;
down)
    /sbin/resolvconf -d "${dev}.inet"
    ;;
esac
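Both scripts above write whatever the server pushes straight into resolv.conf, as root. As an added example (not from this post or the OpenVPN package), here is a POSIX sh version of the same parsing step that accepts only a dotted IPv4 address for DNS and a plain DNS name for DOMAIN, and drops anything else. It assumes the foreign_option_N, script_type and dev variables exactly as OpenVPN sets them above; the names is_ipv4, is_domain and build_resolvconf are mine.

```shell
#!/bin/sh
# Added example: validate the options OpenVPN exports before they reach
# resolv.conf. The VPN server controls these strings.

# True if $1 is a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# True if $1 looks like a DNS name: labels of letters, digits and hyphens.
is_domain() {
    printf '%s\n' "$1" |
        grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$'
}

# Emit a resolv.conf fragment (search line, then nameserver lines) built
# from every foreign_option_N in the environment, in numeric order.
build_resolvconf() {
    search=""; servers=""
    for name in $(env | sed -n 's/^\(foreign_option_[0-9][0-9]*\)=.*/\1/p' | sort -t_ -k3 -n); do
        eval "opt=\$$name"            # name matched foreign_option_[0-9]+, so eval is safe
        set -f; set -- $opt; set +f   # split into words without glob expansion
        if [ $# -ne 3 ] || [ "$1" != "dhcp-option" ]; then continue; fi
        case $2 in
            DNS)    if is_ipv4 "$3";   then servers="$servers $3"; fi ;;
            DOMAIN) if is_domain "$3"; then search="$search $3";   fi ;;
        esac
    done
    if [ -n "$search" ]; then printf 'search%s\n' "$search"; fi
    for ns in $servers; do printf 'nameserver %s\n' "$ns"; done
}

# Hook it up like the scripts above; OpenVPN sets script_type and dev.
case ${script_type:-} in
    up)   build_resolvconf | resolvconf -a "${dev}.inet" ;;
    down) resolvconf -d "${dev}.inet" ;;
esac
```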
Thank you very much. I had the same problem and this page provided the solution.
The domain.down script looks like it has some formatting problems. It has everything on the comment line; how is it supposed to be?
David
It is fixed now. It got broken due to my recent theme update.
Also check the update I just posted, it is worth using it now.
On the ASUS EEEPC 901, the Problem STILL exists and the so called Tech support at WITOPIA are Totally Freakin CLUELESS.
They have run me around the block on this problem, which is a MAJOR Security hole, and the folks at witopia just don’t seem to care.
The problem is that your BROWSER session gets encrypted
BUT
your DNS queries DO NOT !!!
So if you did this in CHINA and set up your Supposedly Secure Witopia session, where you Thought all was secure and then went to
say “www.freetibet.org” your DNS lookup is IN THE CLEAR !!! Your session once you Got To the site is encrypted
BUT
Now it's too late – You DIE
witopia sucks SO MASSIVELY that they have ZERO mention on their WEB site and their tech support has ZERO Clue about the problem.
worse – witopia tech support cops such a huge attitude with you – like YOU are the problem – NOT their product – NOT their lack of documentation
THX SO MUCH for the HELP !!!!
Bubba,
I don’t think that is correct about Witopia, or any decent VPN service provider worth its salt, but you are correct about DNS being a potential security hole that you need to keep an eye on. Witopia does provide secure DNS and says you should use their DNS servers for best security in the e-mail you receive after ordering.
Please comment back, but it’s my understanding that if you’re set up to automatically detect settings from your iSP, Witopia should function as your “virtual ISP” while VPN is connected and provides the Witopia IP address as well as DNS information from Witopia DNS servers over the encrypted tunnel.
Witopia supplies DNS as part of their service and will also let you manually enter the server addresses (I have done this and it seems to improve performance and, as you mention, security). The DNS server info is on their FAQ, http://www.wiki.witopia.net/wiki/FAQ …#6).
So, as I understand it, DNS queries while using Witopia are secure if you use their DNS servers, which you should automatically, if your machine is set up to auto-detect settings or you can manually set them as they suggest.
Then, all DNS queries are encrypted over witopia VPN (outside of China..or any country) to and from Witopia servers unless you purposely enter your local ISP’s DNS servers (in China that wouldn’t be too good) or someone else’s. Which, as you mention, isn’t the optimal security setup and should be avoided.
Many howtos and docs before I left any hope about VPN&DNS… But this article helped me. I was only trying to edit /etc/resolv.conf correctly (as I remember, even with correct DNS coming with the push command from the server), thought it's enough, but no luck.
Thanks a lot. =)
Thank you
for helping me find the solution.
billybux,
Road Warrior VPN.com does include a nice how-to on setting up their VPN client on Linux and automatically sending all DNS requests to the VPN server in order to keep the DNS requests just as secure as the rest of the traffic.
https://www.roadwarriorvpn.com/configure_install/Linux_CLI.php
Here is the Ubuntu script modified to work with OpenSuSE's netconfig instead of resolvconf:
#!/bin/bash
#
# Parses DHCP options from openvpn to update resolv.conf
# To use set as 'up' and 'down' script in your openvpn *.conf:
# up /etc/openvpn/update-resolv-conf
# down /etc/openvpn/update-resolv-conf
#
# Used snippets of resolvconf script by Thomas Hood
# and Chris Hanson
# Licensed under the GNU GPL. See /usr/share/common-licenses/GPL.
#
# 05/2006 chlauber@bnc.ch
#
# Example envs set from openvpn:
# foreign_option_1='dhcp-option DNS 193.43.27.132'
# foreign_option_2='dhcp-option DNS 193.43.27.133'
# foreign_option_3='dhcp-option DOMAIN be.bnc.ch'

NETCONFIG="/sbin/netconfig"
#OPTIONS="--verbose --force-replace"

[ -x $NETCONFIG ] || exit 0

case $script_type in
up)
    for optionname in ${!foreign_option_*} ; do
        option="${!optionname}"
        #echo $option
        part1=$(echo "$option" | cut -d " " -f 1)
        if [ "$part1" == "dhcp-option" ] ; then
            part2=$(echo "$option" | cut -d " " -f 2)
            part3=$(echo "$option" | cut -d " " -f 3)
            if [ "$part2" == "DNS" ] ; then
                if [ "$IF_DNS_NAMESERVERS" ] ; then
                    IF_DNS_NAMESERVERS="$IF_DNS_NAMESERVERS $part3"
                else
                    IF_DNS_NAMESERVERS="$part3"
                fi
            fi
            if [ "$part2" == "DOMAIN" ] ; then
                IF_DNS_SEARCH="$part3"
            fi
        fi
    done
    R=""
    if [ "$IF_DNS_SEARCH" ] ; then
        R="${R} DNSSEARCH='$IF_DNS_SEARCH'"
    fi
    if [ "$IF_DNS_NAMESERVERS" ] ; then
        R="${R} DNSSERVERS='$IF_DNS_NAMESERVERS'"
    fi
    echo -n "$R" | $NETCONFIG modify $OPTIONS -i "${dev}" -s openvpn
    ;;
down)
    $NETCONFIG remove $OPTIONS -i "${dev}" -s openvpn
    ;;
esac
Thanks a lot, Tom.
Thanks JC !
Finding this and implementing accordingly, saved me quite a bit of hassle mocking around with /etc/hosts and/or bind slaves.
Thanks a lot!
The easiest way (which is a little expensive) is to buy 2 VPN-capable routers, with static public IP addresses on both ends…. with those set up it will be like both computers are networked at the same location