diff mbox series

[Openvpn-devel,v2] fix macOS dns-updown handling of parallel full redirects

Message ID 20250626091959.23505-1-gert@greenie.muc.de
State New
Headers show
Series [Openvpn-devel,v2] fix macOS dns-updown handling of parallel full redirects | expand

Commit Message

Gert Doering June 26, 2025, 9:19 a.m. UTC 
From: Heiko Hund <heiko@ist.eigentlich.net>

The script didn't handle scenarios well where two or more parallel VPN
connections want to replace the default DNS server. The DNS configuration
has a chance to get broken by the connections going down in a different
order than they came up in.

Disallowing all but the first connection to modify the default DNS server
will effectively prevent this issue. While it may break DNS for the
latter connections, it is the best we can do without knowing specifics
about the configurations.

Change-Id: I7b413578a8fc0c65fca26f72b901a9f7bc34b137
Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
---

This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1066
This mail reflects revision 2 of this Change.

Acked-by according to Gerrit (reflected above):
Arne Schwabe <arne-openvpn@rfc2549.org>

Comments

Gert Doering June 26, 2025, 9:26 a.m. UTC | #1 
I have just stared a bit at the code ("looks reasonable"), thanks to
Arne for confirming that it fixes the observed problem ("two VPN
connections active at the same time, both trying to redirect all DNS
queries").  Basically this will do nothing but print an error for the
second VPN to come up - and there is not much else we can do in this
scenario.

Your patch has been applied to the master branch.

commit 7a2b814fee06ab1edeb5f9ad104880f0fef5b0ba
Author: Heiko Hund
Date:   Thu Jun 26 11:19:52 2025 +0200

     fix macOS dns-updown handling of parallel full redirects

     Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net>
     Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
     Message-Id: <20250626091959.23505-1-gert@greenie.muc.de>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31988.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>


--
kind regards,

Gert Doering
diff mbox series

Patch

diff --git a/distro/dns-scripts/macos-dns-updown.sh b/distro/dns-scripts/macos-dns-updown.sh
index 89d6882..c15abaa 100644
--- a/distro/dns-scripts/macos-dns-updown.sh
+++ b/distro/dns-scripts/macos-dns-updown.sh
@@ -30,6 +30,7 @@ 
 
 itf_dns_key="State:/Network/Service/openvpn-${dev}/DNS"
 dns_backup_key="State:/Network/Service/openvpn-${dev}/DnsBackup"
+dns_backup_key_pattern="State:/Network/Service/openvpn-.*/DnsBackup"
 
 function primary_dns_key {
     local uuid=$(echo "show State:/Network/Global/IPv4" | /usr/sbin/scutil | grep "PrimaryService" | cut -d: -f2 | xargs)
@@ -166,6 +167,11 @@ 
         echo -e "${cmds}" | /usr/sbin/scutil
         set_search_domains "$search_domains"
     else
+        echo list ${dns_backup_key_pattern} | /usr/sbin/scutil | grep -q 'no key' || {
+            echo "setting DNS failed, already redirecting to another tunnel"
+            exit 1
+        }
+
         local cmds=""
         cmds+="get $(primary_dns_key)\n"
         cmds+="set ${dns_backup_key}\n"
@@ -200,6 +206,9 @@ 
         echo "remove ${itf_dns_key}" | /usr/sbin/scutil
         unset_search_domains "$search_domains"
     else
+        # Do not unset if this tunnel did not set/backup DNS before
+        echo list ${dns_backup_key} | /usr/sbin/scutil | grep -qv 'no key' || return
+
         local cmds=""
         cmds+="get ${dns_backup_key}\n"
         cmds+="set $(primary_dns_key)\n"