This is a known issue (for me), and it was superficially discussed on IRC at some point. It wasn't considered significant to implement block-outside-dns for multiple connections.

Is there any reason to use block-outside-dns on multiple connections? Just asked supergregg (bug reporter), he probably has a reason if he created the bug.

On 08/06/2016 07:04 AM, Selva Nair wrote:
> Hi,
>
> It has been reported (Trac 718) that --block-outside-dns on multiple tunnels
> blocks all DNS traffic. My tests appear to confirm this.
>
> Apparently this is due to each openvpn instance adding filters to independent
> sublayers. With two tunnels we get port 53 filters in two sublayers:
>
> sublayer 1: permit openvpn, permit tap1, block all (in that order)
> sublayer 2: permit openvpn, permit tap2, block all
>
> Filter arbitration works roughly like this: filters in each sublayer are
> parsed in order of priority and parsing stops at the first match. Then the
> results from all sublayers are considered in order of priority in determining
> the final action: a block is final and by default a permit may be overridden
> by a block in lower priority sublayers. So for traffic through tap1, we get
> permit from sublayer 1 and block from sublayer 2, leading to a block, etc.
>
> This could be partially mitigated by making the permit tap1/tap2 filters hard
> (they are soft by default -- i.e. may be overridden). I say partially because
> only one of the "permit tap" filters can be thus protected.
>
> I see two ways to allow dns traffic through all tunnels for which
> --block-outside-dns is set
>
> 1. Add all filters to the default sublayer --- this is the easiest option
> but not ideal: cluttering the default sublayer with custom filters may not
> be considered a good practice.
>
> 2. Add all filters to a common custom sublayer. This requires a pre-defined
> UUID that could be used to define the sublayer and shared between all
> instances of openvpn.
>
> For UUID,
> (a) generate a machine-specific UUID at install time, save in the registry
> and use it as the sublayer key
>
> OR
>
> (b) hard code a UUID in the executable and use it as the sublayer key
>
> I prefer (b) as it's simpler.
>
> Note that each additional instance will add duplicate filters like "permit
> openvpn" or a low priority "block all". This is required as these filters are
> added in a dynamic session so that they disappear if the process terminates
> or crashes without removing the filters. As parsing filters within a sublayer
> stops as soon as a match (permit or block) is found, no performance penalty
> is expected. In any case it will have less overhead than the current situation
> with multiple sublayers.
>
> Any suggestions?
>
> Selva
>
> ------------------------------------------------------------------------------
>
> _______________________________________________
> Openvpn-devel mailing list
> Openvpn-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-devel
------------------------------------------------------------------------------
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
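The arbitration rules quoted above (first match wins inside a sublayer; across sublayers a block is final, a soft permit can be overridden by a lower-priority sublayer, a hard permit cannot) are easy to get wrong when reasoning by hand. The following Python is an added example, not code from this thread or from OpenVPN's own WFP implementation. It models a single WFP layer with filters scoped to port 53, assumes that traffic matched by no filter is permitted, uses constructed packets, and walks through the three situations discussed: two instances in separate sublayers, the partial "hard permit" mitigation, and the shared-sublayer option.

```python
"""Toy model of WFP filter arbitration for --block-outside-dns (constructed example)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Packet = Dict[str, object]  # e.g. {"app": "chrome.exe", "iface": "tap1", "dport": 53}


@dataclass
class Filter:
    name: str
    weight: int                        # higher weight is evaluated first inside its sublayer
    match: Callable[[Packet], bool]
    action: str                        # "permit" or "block"
    hard: bool = False                 # "hard" permit (WFP: FWPM_FILTER_FLAG_CLEAR_ACTION_RIGHT):
                                       # lower-priority sublayers may not override it


@dataclass
class Sublayer:
    name: str
    weight: int                        # higher weight is consulted first during arbitration
    filters: List[Filter]


def sublayer_verdict(sl: Sublayer, pkt: Packet) -> Optional[Filter]:
    """First matching filter in weight order; None if nothing in the sublayer matched."""
    for f in sorted(sl.filters, key=lambda f: -f.weight):
        if f.match(pkt):
            return f
    return None


def arbitrate(sublayers: List[Sublayer], pkt: Packet) -> str:
    """Combine per-sublayer verdicts the way the thread describes: a block is final,
    a soft permit may still be overridden by a lower-priority sublayer's block, and a
    hard permit ends arbitration. Unmatched traffic is permitted (model assumption)."""
    result = "permit"
    for sl in sorted(sublayers, key=lambda s: -s.weight):
        f = sublayer_verdict(sl, pkt)
        if f is None:
            continue
        if f.action == "block":
            return "block"
        if f.hard:
            return "permit"
        result = "permit"              # soft permit: keep looking at lower sublayers
    return result


def decide(sublayers: List[Sublayer], pkt: Packet) -> str:
    # The block-outside-dns filters only condition on destination port 53.
    if pkt.get("dport") != 53:
        return "permit"
    return arbitrate(sublayers, pkt)


def dns_filters(tap: str) -> List[Filter]:
    """The three filters one openvpn instance adds, in the order the thread gives:
    permit openvpn itself, permit the tunnel interface, low-priority block all."""
    return [
        Filter(f"permit openvpn ({tap})", 10, lambda p: p["app"] == "openvpn.exe", "permit"),
        Filter(f"permit {tap}", 9, lambda p, t=tap: p["iface"] == t, "permit"),
        Filter(f"block all ({tap})", 0, lambda p: True, "block"),
    ]


def separate_sublayers(hard_tap1: bool = False) -> List[Sublayer]:
    """Current behaviour: each instance owns its own sublayer."""
    f1 = dns_filters("tap1")
    if hard_tap1:
        f1[1].hard = True              # the partial mitigation: protect one "permit tap"
    return [Sublayer("openvpn-1", 2, f1), Sublayer("openvpn-2", 1, dns_filters("tap2"))]


def common_sublayer() -> List[Sublayer]:
    """Option 2 from the thread: both instances add into one shared sublayer."""
    return [Sublayer("openvpn-shared", 1, dns_filters("tap1") + dns_filters("tap2"))]


def run() -> Dict[str, Dict[str, str]]:
    # Constructed DNS packets: a browser over each tunnel, over the physical NIC,
    # and openvpn's own resolver traffic.
    pkts = {
        "tap1": {"app": "chrome.exe", "iface": "tap1", "dport": 53},
        "tap2": {"app": "chrome.exe", "iface": "tap2", "dport": 53},
        "eth0": {"app": "chrome.exe", "iface": "eth0", "dport": 53},
        "openvpn": {"app": "openvpn.exe", "iface": "eth0", "dport": 53},
    }
    setups = {
        "separate": separate_sublayers(),
        "separate_hard_tap1": separate_sublayers(hard_tap1=True),
        "common": common_sublayer(),
    }
    return {name: {k: decide(sl, p) for k, p in pkts.items()} for name, sl in setups.items()}


if __name__ == "__main__":
    for name, verdicts in run().items():
        print(f"{name:20s} {verdicts}")
```

With separate sublayers every tunnel's DNS is blocked (tap1's soft permit in sublayer 1 is overridden by sublayer 2's block all; tap2 never gets past sublayer 1's block all), which is the Trac 718 symptom. Making the tap1 permit hard rescues tap1 only. In the shared sublayer the higher-weight "permit tapN" filters are evaluated before either instance's "block all", so both tunnels work while DNS over eth0 stays blocked.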