[Bug 199529] [security/openvpn] Added client.up/client.down to port to help prevent DNS leaks

[bugzilla-noreply at freebsd.org]

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=199529

            Bug ID: 199529
           Summary: [security/openvpn] Added client.up/client.down to port
                    to help prevent DNS leaks
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: mandree at FreeBSD.org
          Reporter: yuri at rawbw.com
             Flags: maintainer-feedback?(mandree at FreeBSD.org)
          Assignee: mandree at FreeBSD.org

Created attachment 155712
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=155712&action=edit
patch

OpenVPN suffers from DNS leaks. Currently port leaks DNS all the time if user
connects by running 'openvpn spec.ovpn'. client.up/client.down that are
supposed to be used for DNS resolution adjustment weren't even included in the
port.

This patch does two things:
1. Adds client.up/client.down to the port
2. Fixes client.up: removes '-p' option, because the new DNS doesn't take
effect for when 'private' DNS added. In case of VPN DNS shouldn't be private

CAVEAT: Even with this patch some DNS queries still fall through to the old
server (left on the second position in /etc/resolv.conf). I am not sure if
there is the cure for that, except for disabling resolvconf(8) altogether.

Also, pkg-message is long, much longer than 80 characters, but I think it is
much more important to have user informed about the correct command line to
prevent DNS leaks than to keep the line within 80 characters.

-- 
You are receiving this mail because:
You are the assignee for the bug.