Created attachment 155712: patch

OpenVPN suffers from DNS leaks. Currently the port leaks DNS all the time if the user connects by running 'openvpn spec.ovpn'. client.up/client.down, which are supposed to be used for DNS resolution adjustment, weren't even included in the port.

This patch does two things:
1. Adds client.up/client.down to the port.
2. Fixes client.up: removes the '-p' option, because the new DNS doesn't take effect when the DNS is added as 'private'. In the case of a VPN, the DNS shouldn't be private.

CAVEAT: Even with this patch some DNS queries still fall through to the old server (left in the second position in /etc/resolv.conf). I am not sure if there is a cure for that, except for disabling resolvconf(8) altogether.

Also, pkg-message is long, much longer than 80 characters, but I think it is much more important to have the user informed about the correct command line to prevent DNS leaks than to keep the line within 80 characters.
Thanks, will look at the patch, but it will be a few days before I get around to it.
Thanks.
Created attachment 155758: updated patch

I added an openvpn-client command to hold the long command line. This is much better than what it is now. The user can use one command to connect to the VPN.
Not being a resolvconf user myself, what is the purpose of removing the "-p" ("mark interface as private") flag from resolvconf?
Currently OpenVPN (or this script) isn't using resolvconf properly. It supplies an empty domain name with the "domain" directive and -p, and this causes resolvconf to delete all DNS servers. So it works without -p and doesn't work with it. I am working with resolvconf, and made them implement the new option "-x" for an exclusive VPN, and will work with OpenVPN to make them officially supply the working scripts. But now, as it is, it is better to supply the script suggested in this bug report, so users at least will have DNS going through the VPN as it should.
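To make the two points above concrete (the up/down scripts feeding resolvconf(8) without -p from comment 1, and the "old server still answers" caveat), here is an added example script. It is not the script from the attached patch nor the one the port ships; it assumes only OpenVPN's documented script environment ($dev, $script_type, and foreign_option_N="dhcp-option DNS|DOMAIN value" for each option the server pushed), and the RESOLVCONF override, the fake_resolvconf dry-run idea and the sample addresses are this example's own.

```shell
#!/bin/sh
# Added example: a client.up/client.down-style helper for OpenVPN with
# resolvconf(8). NOT the script from the attached patch or the port; it
# assumes only OpenVPN's documented script environment ($dev, $script_type,
# and foreign_option_N="dhcp-option DNS|DOMAIN value").

# Resolvconf command; override (e.g. with a shell function) for a dry run.
RESOLVCONF="${RESOLVCONF:-resolvconf}"

# Turn "dhcp-option TYPE VALUE" lines on stdin into a resolv.conf fragment:
# one "nameserver" line per pushed DNS server, one "search" line for all
# pushed DOMAINs. Prints nothing when the server pushed no DNS at all.
build_fragment() {
    awk '
        $1 == "dhcp-option" && $2 == "DNS"    { print "nameserver " $3 }
        $1 == "dhcp-option" && $2 == "DOMAIN" { dom = (dom == "") ? $3 : dom " " $3 }
        END { if (dom != "") print "search " dom }
    '
}

# Print foreign_option_1, foreign_option_2, ... from the environment.
# OpenVPN numbers them consecutively from 1, so stop at the first gap.
foreign_options() {
    i=1
    while eval "[ -n \"\${foreign_option_$i}\" ]"; do
        eval "printf '%s\\n' \"\${foreign_option_$i}\""
        i=$((i + 1))
    done
}

vpn_up() {
    # Register the pushed servers for the tunnel interface. Deliberately no
    # -p: per this thread, with -p (plus an empty domain) the VPN nameserver
    # never takes effect, so the pre-VPN server keeps answering.
    frag=$(foreign_options | build_fragment)
    if [ -z "$frag" ]; then
        echo "vpn_up: server pushed no DNS options; resolv.conf left unchanged" >&2
        return 1
    fi
    printf '%s\n' "$frag" | "$RESOLVCONF" -a "$dev"
}

vpn_down() {
    # Drop the interface's entries again; resolvconf rebuilds resolv.conf.
    "$RESOLVCONF" -d "$dev"
}

# Check for the caveat from comment 1: given the VPN-pushed servers in $1
# (space-separated) and a resolv.conf on stdin, print every nameserver that
# is NOT one of them. Any output means queries can still fall through to the
# pre-VPN server.
leaked_nameservers() {
    awk -v vpn="$1" '
        BEGIN { n = split(vpn, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "nameserver" && !($2 in ok) { print $2 }
    '
}

# OpenVPN sets script_type to "up" or "down" when it invokes the script.
case "${script_type:-}" in
    up)   vpn_up ;;
    down) vpn_down ;;
esac
```

Hook it in with `openvpn --config spec.ovpn --script-security 2 --up /path/to/script --down /path/to/script`. With the tunnel up, `leaked_nameservers "10.8.0.1" < /etc/resolv.conf` (substituting the server the VPN actually pushed) prints any leftover nameserver; with the second-position fallback described in the caveat still present, that line is the leak.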
Thanks. I've committed this to portrevision 4.
A commit references this bug:

Author: mandree
Date: Mon May 4 23:08:06 UTC 2015
New revision: 385432
URL: https://svnweb.freebsd.org/changeset/ports/385432

Log:
+ Update patch set for crypto engine fix [1]. Change option name so it is presented anew, default disabled.
+ Add openvpn-client wrapper script and up/down scripts to trigger resolvconf, with minor edits. [2]
+ Set proper PLUGIN_LIBDIR so that plugins in the default directory can be found with relative paths.
+ Compile shipped plugins with -fPIC.

PR: 195004 [1]
PR: 199529 [2]
Submitted by: yuri@rawbw.com [2]
Obtained from: https://community.openvpn.net/openvpn/ticket/480#comment:21

Changes:
head/security/openvpn/Makefile
head/security/openvpn/files/150322-Reload-OpenSSL-engines-after-forking.patch
head/security/openvpn/files/EF1.patch
head/security/openvpn/files/EF2.patch
head/security/openvpn/files/EF3.patch
head/security/openvpn/files/openvpn-client.in
head/security/openvpn/files/patch-sample__sample-config-files__loopback-client
head/security/openvpn/files/patch-sample__sample-config-files__loopback-server
head/security/openvpn/files/patch-tests__t_cltsrv.sh
head/security/openvpn/files/pkg-message.in
head/security/openvpn/pkg-plist