Merge pull request #231 from mediatemple/only_block_when_road_warrior

Only block external dns when default route is pushed
Kyle Manna 2017-03-07 16:24:34 -08:00 committed by GitHub
commit d454a20e80
2 changed files with 40 additions and 4 deletions


@ -330,8 +330,8 @@ user nobody
group nogroup group nogroup
EOF EOF
#This was in the heredoc, we use the new function instead # only block outside dns when we take the default route
process_push_config "block-outside-dns" [ "$OVPN_DEFROUTE" == "1" ] && process_push_config "block-outside-dns"
[ -n "$OVPN_TLS_CIPHER" ] && echo "tls-cipher $OVPN_TLS_CIPHER" >> "$conf" [ -n "$OVPN_TLS_CIPHER" ] && echo "tls-cipher $OVPN_TLS_CIPHER" >> "$conf"
[ -n "$OVPN_CIPHER" ] && echo "cipher $OVPN_CIPHER" >> "$conf" [ -n "$OVPN_CIPHER" ] && echo "cipher $OVPN_CIPHER" >> "$conf"
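Review bot: The new guard `[ "$OVPN_DEFROUTE" == "1" ] && process_push_config "block-outside-dns"` pushes the DNS-leak protection only for the exact value 1, so an unset variable or any other non-zero value silently drops it. If other code treats every value except 0 as "default route pushed" (not visible in this hunk), clients would get the redirect without `block-outside-dns`; comparing with `!= "0"` would keep the two in step. `==` inside `[ ]` is also a bash extension, and `=` is the portable spelling. The surrounding script continues outside the hunk.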


@ -56,8 +56,8 @@ CONFIG_REQUIRED_DEFAULT_ROUTE="^route 192.168.254.0 255.255.255.0"
CONFIG_MATCH_DEFAULT_ROUTE=$(busybox grep 'route 192.168.254.0 255.255.255.0' /etc/openvpn/openvpn.conf) CONFIG_MATCH_DEFAULT_ROUTE=$(busybox grep 'route 192.168.254.0 255.255.255.0' /etc/openvpn/openvpn.conf)
# 9. Should see a push of 'block-outside-dns' by default # 9. Should see a push of 'block-outside-dns' by default
CONFIG_REQUIRED_DEFAULT_ROUTE="^push block-outside-dns" CONFIG_REQUIRED_BLOCK_OUTSIDE_DNS="^push block-outside-dns"
CONFIG_MATCH_DEFAULT_ROUTE=$(busybox grep 'push block-outside-dns' /etc/openvpn/openvpn.conf) CONFIG_MATCH_BLOCK_OUTSIDE_DNS=$(busybox grep 'push block-outside-dns' /etc/openvpn/openvpn.conf)
# 10. Should see a push of 'dhcp-option DNS' by default # 10. Should see a push of 'dhcp-option DNS' by default
CONFIG_REQUIRED_DEFAULT_DNS_1="^push dhcp-option DNS 8.8.8.8" CONFIG_REQUIRED_DEFAULT_DNS_1="^push dhcp-option DNS 8.8.8.8"
@ -127,6 +127,13 @@ else
abort "==> Config match not found: $CONFIG_REQUIRED_DEFAULT_ROUTE != $CONFIG_MATCH_DEFAULT_ROUTE" abort "==> Config match not found: $CONFIG_REQUIRED_DEFAULT_ROUTE != $CONFIG_MATCH_DEFAULT_ROUTE"
fi fi
if [[ $CONFIG_MATCH_BLOCK_OUTSIDE_DNS =~ $CONFIG_REQUIRED_BLOCK_OUTSIDE_DNS ]]
then
echo "==> Config match found: $CONFIG_REQUIRED_BLOCK_OUTSIDE_DNS == $CONFIG_MATCH_BLOCK_OUTSIDE_DNS"
else
abort "==> Config match not found: $CONFIG_REQUIRED_BLOCK_OUTSIDE_DNS != $CONFIG_MATCH_BLOCK_OUTSIDE_DNS"
fi
if [[ $CONFIG_MATCH_DEFAULT_DNS_1 =~ $CONFIG_REQUIRED_DEFAULT_DNS_1 ]] if [[ $CONFIG_MATCH_DEFAULT_DNS_1 =~ $CONFIG_REQUIRED_DEFAULT_DNS_1 ]]
then then
echo "==> Config match found: $CONFIG_REQUIRED_DEFAULT_DNS_1 == $CONFIG_MATCH_DEFAULT_DNS_1" echo "==> Config match found: $CONFIG_REQUIRED_DEFAULT_DNS_1 == $CONFIG_MATCH_DEFAULT_DNS_1"
@ -192,3 +199,32 @@ then
else else
abort "==> Config match not found: $CONFIG_REQUIRED_TCP_REMOTE_2 != $CONFIG_MATCH_TCP_REMOTE_2" abort "==> Config match not found: $CONFIG_REQUIRED_TCP_REMOTE_2 != $CONFIG_MATCH_TCP_REMOTE_2"
fi fi
# Test non-defroute config
SERV_IP=$(ip -4 -o addr show scope global | awk '{print $4}' | sed -e 's:/.*::' | head -n1)
ovpn_genconfig -d -u udp://$SERV_IP -r "172.33.33.0/24" -r "172.34.34.0/24"
# nopass is insecure
EASYRSA_BATCH=1 EASYRSA_REQ_CN="Travis-CI Test CA" ovpn_initpki nopass
easyrsa build-client-full client-fallback nopass
ovpn_getclient client-fallback | tee /etc/openvpn/config-fallback.ovpn
CONFIG_REQUIRED_BLOCK_OUTSIDE_DNS=""
CONFIG_MATCH_BLOCK_OUTSIDE_DNS=$(busybox grep 'push block-outside-dns' /etc/openvpn/openvpn.conf)
if [[ $CONFIG_MATCH_BLOCK_OUTSIDE_DNS =~ $CONFIG_REQUIRED_BLOCK_OUTSIDE_DNS ]]
then
echo "==> Config match found: $CONFIG_REQUIRED_BLOCK_OUTSIDE_DNS == $CONFIG_MATCH_BLOCK_OUTSIDE_DNS"
else
abort "==> Config match not found: $CONFIG_REQUIRED_BLOCK_OUTSIDE_DNS != $CONFIG_MATCH_BLOCK_OUTSIDE_DNS"
fi
CONFIG_REQUIRED_REDIRECT_GATEWAY=""
CONFIG_MATCH_REDIRECT_GATEWAY=$(busybox grep "redirect-gateway def1" /etc/openvpn/config-fallback.ovpn)
if [[ $CONFIG_MATCH_REDIRECT_GATEWAY =~ $CONFIG_REQUIRED_REDIRECT_GATEWAY ]]
then
echo "==> Config match found: $CONFIG_REQUIRED_REDIRECT_GATEWAY == $CONFIG_MATCH_REDIRECT_GATEWAY"
else
abort "==> Config match not found: $CONFIG_REQUIRED_REDIRECT_GATEWAY != $CONFIG_MATCH_REDIRECT_GATEWAY"
fi
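Review bot: The two non-defroute checks at the end of the file cannot fail: `CONFIG_REQUIRED_BLOCK_OUTSIDE_DNS=""` and `CONFIG_REQUIRED_REDIRECT_GATEWAY=""` are used as the right-hand side of `=~`, and an empty pattern matches any string, including a line that still contains `push block-outside-dns` or `redirect-gateway def1`. Asserting absence directly would make a regression visible, e.g. `[[ -z $CONFIG_MATCH_BLOCK_OUTSIDE_DNS ]] || abort "==> Unexpected push: $CONFIG_MATCH_BLOCK_OUTSIDE_DNS"`, and the same for `CONFIG_MATCH_REDIRECT_GATEWAY`. If the script runs under `set -e` (not visible here), the grep assignments that are expected to find nothing would also need `|| true`.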