[Openvpn-devel,v4] mac dns: compare servers before restoring backup

Message ID 20250711152309.286177-1-frank@lichtenheld.com
State New

Commit Message

Frank Lichtenheld July 11, 2025, 3:23 p.m. UTC
From: Heiko Hund <heiko@ist.eigentlich.net>

In case anything changed the global DNS server addresses while the
tunnel was connected, do not restore the backup of the global DNS
configuration we made when connecting. Doing so would likely change
DNS to something unexpected. Instead, just clear the backup and leave
a message in the log.

Change-Id: I1aabd62e60dd18408a57baccbb0f4ebd6d2f8d67
Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
---

This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1075
This mail reflects revision 4 of this Change.

Acked-by according to Gerrit (reflected above):
Frank Lichtenheld <frank@lichtenheld.com>

Comments

Gert Doering July 15, 2025, 2:02 p.m. UTC | #1
This is a very welcome feature (... I regularly bump into this when
moving "with VPN open" from LTE to wifi, then close VPN, and the restored
DNS is no longer working - Tunnelblick today, but I hear that our script
might become useful there too ;-) ).

I have not tested this, just skimmed the code change.

Your patch has been applied to the master branch.

commit c1f44ea8a24754139beee8758c15657fe367cbb0
Author: Heiko Hund
Date:   Fri Jul 11 17:23:09 2025 +0200

     mac dns: compare servers before restoring backup

     Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net>
     Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
     Message-Id: <20250711152309.286177-1-frank@lichtenheld.com>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32110.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>


--
kind regards,

Gert Doering

Patch

diff --git a/distro/dns-scripts/macos-dns-updown.sh b/distro/dns-scripts/macos-dns-updown.sh
index 56f1009..73bbee9 100644
--- a/distro/dns-scripts/macos-dns-updown.sh
+++ b/distro/dns-scripts/macos-dns-updown.sh
@@ -111,6 +111,10 @@ 
     property_value State:/Network/Global/DNS SearchDomains
 }
 
+function get_server_addresses {
+    property_value "$(primary_dns_key)" ServerAddresses
+}
+
 function set_search_domains {
     [ -n "$1" ] || return
     local dns_key=$(primary_dns_key)
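Review bot: `get_server_addresses` resolves `$(primary_dns_key)` at call time, so at disconnect it reads `ServerAddresses` from whichever service is primary then, which after a network switch may not be the service the backup was taken from. The mismatch branch in `unset_dns` presumably covers that case, but a one-line comment above the function stating that it intentionally reads the current primary service would save the next reader from wondering whether the backup key should be used instead.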
@@ -239,11 +243,10 @@ 
 
 function unset_dns {
     local n="$(find_compat_profile)"
-    local addresses="$(addresses_string $n)"
-    local search_domains="$(search_domains_string $n)"
     local match_domains="$(match_domains_string $n)"
 
     if [ -n "$match_domains" ]; then
+        local search_domains="$(search_domains_string $n)"
         echo "remove ${itf_dns_key}" | /usr/sbin/scutil
         unset_search_domains "$search_domains"
     else
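Review bot: Style point on the moved line `local search_domains="$(search_domains_string $n)"`: `$n` is passed unquoted here and in the neighbouring `match_domains_string $n` call, while the rest of the script quotes its arguments (`[ -n "$1" ]`, `"$(primary_dns_key)"`). Since this line is being touched anyway, writing `"$n"` keeps the quoting consistent and avoids word splitting should `find_compat_profile` ever return something other than a bare number.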
@@ -252,8 +255,15 @@ 
         [[ "${dns_backup_key}" =~ ${dev}/ ]] || return
 
         local cmds=""
-        cmds+="get ${dns_backup_key}\n"
-        cmds+="set $(primary_dns_key)\n"
+        local servers="$(get_server_addresses)"
+        local addresses="$(addresses_string $n)"
+        # Only restore backup if the server addresses match
+        if [ "${servers}" = "${addresses}" ]; then
+            cmds+="get ${dns_backup_key}\n"
+            cmds+="set $(primary_dns_key)\n"
+        else
+            echo "not restoring global DNS configuration, server addresses have changed"
+        fi
         cmds+="remove ${dns_backup_key}\n"
         echo -e "${cmds}" | /usr/sbin/scutil
     fi
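Review bot: The restore decision `[ "${servers}" = "${addresses}" ]` is an exact string comparison between the output of `property_value ... ServerAddresses` and the output of `addresses_string $n`; if the two helpers ever differ in element order, separator or surrounding whitespace, the `else` branch is taken on every disconnect and the backup is silently discarded, leaving the host on the tunnel's DNS servers. To make that failure mode diagnosable, the log line should include both values, e.g. `echo "not restoring global DNS configuration, server addresses have changed (current: ${servers}, expected: ${addresses})"`, and a short comment stating that both helpers must produce the same formatting would document the coupling. Keeping `cmds+="remove ${dns_backup_key}\n"` outside the `if` so the backup is cleared in both branches matches the commit message.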