From patchwork Thu Jun 26 09:19:52 2025
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 4291
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 26 Jun 2025 11:19:52 +0200
Message-ID: <20250626091959.23505-1-gert@greenie.muc.de>
X-Mailer: git-send-email 2.49.0
Subject: [Openvpn-devel] [PATCH v2] fix macOS dns-updown handling of parallel full redirects

From: Heiko Hund

The script didn't handle scenarios well where two or more parallel VPN connections want to replace the default DNS server. The DNS configuration has a chance to get broken by the connections going down in a different order than they came up in.

Disallowing all but the first connection to modify the default DNS server will effectively prevent this issue. While it may break DNS for the latter connections, it is the best we can do without knowing specifics about the configurations.

Change-Id: I7b413578a8fc0c65fca26f72b901a9f7bc34b137
Signed-off-by: Heiko Hund
Acked-by: Arne Schwabe
---
This change was reviewed on Gerrit and approved by at least one developer.
I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1066
This mail reflects revision 2 of this Change.

Acked-by according to Gerrit (reflected above):
Arne Schwabe

diff --git a/distro/dns-scripts/macos-dns-updown.sh b/distro/dns-scripts/macos-dns-updown.sh
index 89d6882..c15abaa 100644
--- a/distro/dns-scripts/macos-dns-updown.sh
+++ b/distro/dns-scripts/macos-dns-updown.sh @@ -30,6 +30,7 @@ itf_dns_key="State:/Network/Service/openvpn-${dev}/DNS" dns_backup_key="State:/Network/Service/openvpn-${dev}/DnsBackup" +dns_backup_key_pattern="State:/Network/Service/openvpn-.*/DnsBackup" function primary_dns_key { local uuid=$(echo "show State:/Network/Global/IPv4" | /usr/sbin/scutil | grep "PrimaryService" | cut -d: -f2 | xargs) @@ -166,6 +167,11 @@ echo -e "${cmds}" | /usr/sbin/scutil set_search_domains "$search_domains" else + echo list ${dns_backup_key_pattern} | /usr/sbin/scutil | grep -q 'no key' || { + echo "setting DNS failed, already redirecting to another tunnel" + exit 1 + } + local cmds="" cmds+="get $(primary_dns_key)\n" cmds+="set ${dns_backup_key}\n" @@ -200,6 +206,9 @@ echo "remove ${itf_dns_key}" | /usr/sbin/scutil unset_search_domains "$search_domains" else + # Do not unset if this tunnel did not set/backup DNS before + echo list ${dns_backup_key} | /usr/sbin/scutil | grep -qv 'no key' || return + local cmds="" cmds+="get ${dns_backup_key}\n" cmds+="set $(primary_dns_key)\n"
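Review bot: in the first hunk, `dns_backup_key_pattern` repeats the `State:/Network/Service/openvpn-` prefix as a second literal instead of deriving it from the same string that builds `dns_backup_key` one line above; if the key layout is ever changed in one place and not the other, the parallel-redirect check silently stops finding other tunnels' backups. Consider building both from one prefix variable, e.g. `dns_backup_key="${svc_prefix}${dev}/DnsBackup"` and `dns_backup_key_pattern="${svc_prefix}.*/DnsBackup"`.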
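Review bot: in the second hunk, the `list ${dns_backup_key_pattern}` check also matches this tunnel's own `${dns_backup_key}`, so a stale backup key left behind when a previous instance for the same `${dev}` did not get to run the down path (process killed, machine crashed) makes the up path refuse with "already redirecting to another tunnel" on every reconnect until the key is cleared by hand. Consider excluding the tunnel's own key from the match or treating a stale own key as something to clean up rather than a conflict. Separately, `${dns_backup_key_pattern}` is unquoted in `echo list ${dns_backup_key_pattern}` while its value contains `.*`, which is subject to pathname expansion; `echo "list ${dns_backup_key_pattern}"` avoids depending on the shell's glob options.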
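Review bot: in the third hunk, the `|| return` bails out of the down path without any message, whereas the matching up-path failure logs "setting DNS failed, already redirecting to another tunnel". An operator debugging why DNS was not restored after a tunnel went down has nothing in the log to go on; consider logging before the `return` (e.g. `echo "not restoring DNS, this tunnel did not back it up"`) so both directions are equally observable. The `grep -qv 'no key'` logic itself is sound: with the key absent `scutil` prints only the `no key` line, no line survives `-v`, grep exits 1 and the function returns.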