From 21ae2fcef4eee16862582b515c33656b3b51fabc Mon Sep 17 00:00:00 2001
From: Nate Jones
Date: Tue, 7 Mar 2017 23:20:50 +0000
Subject: [PATCH 1/2] fix block-external-dns tests
---
 test/tests/conf_options/container.sh | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/test/tests/conf_options/container.sh b/test/tests/conf_options/container.sh
index dd62419..d295471 100644
--- a/test/tests/conf_options/container.sh
+++ b/test/tests/conf_options/container.sh
@@ -56,8 +56,8 @@ CONFIG_REQUIRED_DEFAULT_ROUTE="^route 192.168.254.0 255.255.255.0"
 CONFIG_MATCH_DEFAULT_ROUTE=$(busybox grep 'route 192.168.254.0 255.255.255.0' /etc/openvpn/openvpn.conf)
 # 9. Should see a push of 'block-outside-dns' by default
-CONFIG_REQUIRED_DEFAULT_ROUTE="^push block-outside-dns"
-CONFIG_MATCH_DEFAULT_ROUTE=$(busybox grep 'push block-outside-dns' /etc/openvpn/openvpn.conf)
+CONFIG_REQUIRED_BLOCK_OUTSIDE_DNS="^push block-outside-dns"
+CONFIG_MATCH_BLOCK_OUTSIDE_DNS=$(busybox grep 'push block-outside-dns' /etc/openvpn/openvpn.conf)
 # 10. Should see a push of 'dhcp-option DNS' by default
 CONFIG_REQUIRED_DEFAULT_DNS_1="^push dhcp-option DNS 8.8.8.8"
@@ -127,6 +127,13 @@ else
 abort "==> Config match not found: $CONFIG_REQUIRED_DEFAULT_ROUTE != $CONFIG_MATCH_DEFAULT_ROUTE"
 fi
+if [[ $CONFIG_MATCH_BLOCK_OUTSIDE_DNS =~ $CONFIG_REQUIRED_BLOCK_OUTSIDE_DNS ]]
+then
+ echo "==> Config match found: $CONFIG_REQUIRED_BLOCK_OUTSIDE_DNS == $CONFIG_MATCH_BLOCK_OUTSIDE_DNS"
+else
+ abort "==> Config match not found: $CONFIG_REQUIRED_BLOCK_OUTSIDE_DNS != $CONFIG_MATCH_BLOCK_OUTSIDE_DNS"
+fi
+
 if [[ $CONFIG_MATCH_DEFAULT_DNS_1 =~ $CONFIG_REQUIRED_DEFAULT_DNS_1 ]]
 then
 echo "==> Config match found: $CONFIG_REQUIRED_DEFAULT_DNS_1 == $CONFIG_MATCH_DEFAULT_DNS_1"
From c8ba567333f843d51a4a5e627e2024619b8dc898 Mon Sep 17 00:00:00 2001
From: Nate Jones
Date: Tue, 7 Mar 2017 23:21:17 +0000
Subject: [PATCH 2/2] only block external dns when default route is pushed
---
 bin/ovpn_genconfig | 4 ++--
 test/tests/conf_options/container.sh | 29 ++++++++++++++++++++++++++++
 2 files changed, 31 insertions(+), 2 deletions(-)
diff --git a/bin/ovpn_genconfig b/bin/ovpn_genconfig
index a21bc1b..4a32734 100755
--- a/bin/ovpn_genconfig
+++ b/bin/ovpn_genconfig
@@ -330,8 +330,8 @@ user nobody
 group nogroup
 EOF
-#This was in the heredoc, we use the new function instead
-process_push_config "block-outside-dns"
+# only block outside dns when we take the default route
+[ "$OVPN_DEFROUTE" == "1" ] && process_push_config "block-outside-dns"
 [ -n "$OVPN_TLS_CIPHER" ] && echo "tls-cipher $OVPN_TLS_CIPHER" >> "$conf"
 [ -n "$OVPN_CIPHER" ] && echo "cipher $OVPN_CIPHER" >> "$conf"
diff --git a/test/tests/conf_options/container.sh b/test/tests/conf_options/container.sh
index d295471..1920344 100644
--- a/test/tests/conf_options/container.sh
+++ b/test/tests/conf_options/container.sh
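Review bot: The new `[ "$OVPN_DEFROUTE" == "1" ] && process_push_config "block-outside-dns"` line weakens a security-relevant default without saying so in the code: `block-outside-dns` is the directive that stops Windows clients from sending DNS queries to resolvers outside the tunnel, and the test file in patch 1 still expects `push dhcp-option DNS 8.8.8.8` by default, so a non-default-route client presumably receives the pushed resolver but is no longer prevented from also using its local one. If that trade-off is intended (split tunnel implies outside DNS is reachable anyway), the comment should state it, e.g. `# block-outside-dns is only pushed together with the default route; split-tunnel clients keep access to their local resolvers`. Two smaller points: `==` inside single-bracket `[ ]` is a bash extension, and `=` is the portable spelling that matches the `[ -n ... ]` tests on the next two lines; and if `OVPN_DEFROUTE` can be unset (its definition is outside this hunk, and the `-d` flag used by the new test suggests it is toggled elsewhere), `"${OVPN_DEFROUTE:-}"` keeps the test safe under `set -u`, which I cannot see whether the script enables.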
@@ -199,3 +199,32 @@ then
 else
 abort "==> Config match not found: $CONFIG_REQUIRED_TCP_REMOTE_2 != $CONFIG_MATCH_TCP_REMOTE_2"
 fi
+
+# Test non-defroute config
+
+SERV_IP=$(ip -4 -o addr show scope global | awk '{print $4}' | sed -e 's:/.*::' | head -n1)
+ovpn_genconfig -d -u udp://$SERV_IP -r "172.33.33.0/24" -r "172.34.34.0/24"
+# nopass is insecure
+EASYRSA_BATCH=1 EASYRSA_REQ_CN="Travis-CI Test CA" ovpn_initpki nopass
+easyrsa build-client-full client-fallback nopass
+ovpn_getclient client-fallback | tee /etc/openvpn/config-fallback.ovpn
+
+CONFIG_REQUIRED_BLOCK_OUTSIDE_DNS=""
+CONFIG_MATCH_BLOCK_OUTSIDE_DNS=$(busybox grep 'push block-outside-dns' /etc/openvpn/openvpn.conf)
+
+if [[ $CONFIG_MATCH_BLOCK_OUTSIDE_DNS =~ $CONFIG_REQUIRED_BLOCK_OUTSIDE_DNS ]]
+then
+ echo "==> Config match found: $CONFIG_REQUIRED_BLOCK_OUTSIDE_DNS == $CONFIG_MATCH_BLOCK_OUTSIDE_DNS"
+else
+ abort "==> Config match not found: $CONFIG_REQUIRED_BLOCK_OUTSIDE_DNS != $CONFIG_MATCH_BLOCK_OUTSIDE_DNS"
+fi
+
+CONFIG_REQUIRED_REDIRECT_GATEWAY=""
+CONFIG_MATCH_REDIRECT_GATEWAY=$(busybox grep "redirect-gateway def1" /etc/openvpn/config-fallback.ovpn)
+
+if [[ $CONFIG_MATCH_REDIRECT_GATEWAY =~ $CONFIG_REQUIRED_REDIRECT_GATEWAY ]]
+then
+ echo "==> Config match found: $CONFIG_REQUIRED_REDIRECT_GATEWAY == $CONFIG_MATCH_REDIRECT_GATEWAY"
+else
+ abort "==> Config match not found: $CONFIG_REQUIRED_REDIRECT_GATEWAY != $CONFIG_MATCH_REDIRECT_GATEWAY"
+fi
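Review bot: Both negative checks in this hunk are vacuous: `CONFIG_REQUIRED_BLOCK_OUTSIDE_DNS=""` and `CONFIG_REQUIRED_REDIRECT_GATEWAY=""` are used as the right-hand side of `=~`, and an empty regular expression matches any string, so each `if` succeeds whether or not `push block-outside-dns` is still in the regenerated openvpn.conf or `redirect-gateway def1` is in the client profile. Test for absence with the grep output itself, `if [[ -z "$CONFIG_MATCH_BLOCK_OUTSIDE_DNS" ]]` and `if [[ -z "$CONFIG_MATCH_REDIRECT_GATEWAY" ]]`, and reword the echo/abort messages to say the directive is absent or unexpectedly present; as written the test would also have passed before the ovpn_genconfig change in this patch, so it does not guard the new behaviour. If the script runs under `set -e` (not visible here), the `$(busybox grep …)` assignments will abort the run before the check whenever the directive is absent, since grep exits 1 on no match, so the absence case also needs `|| true` on those two assignments. Two smaller points: `ovpn_getclient client-fallback | tee ...` reports tee's exit status, so a failing ovpn_getclient is only caught if pipefail is set, and `udp://$SERV_IP` should be quoted like the other arguments on that line.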