Hi,

On Wed, Oct 28, 2015 at 3:47 AM, ValdikSS <i...@valdikss.org.ru> wrote:

> This option is silently ignored on non-Windows platforms and works on
> Vista+.
> External DNS is blocked even if no DNS server configured (user may
> configure it in the tap interface itself).
> This option could be ignored from server push using route-nopull.
>
> v2:
> * Add missing libs to MSVC project file.
> * Add ifndef for FWPM_SESSION_FLAG_DYNAMIC to silence warning in MSVC.
> * Use const WCHAR for firewall name.
> * Block all traffic to TCP/UDP port 53 except for OpenVPN itself. Blocking
> only svchost.exe is not reliable as user could disable dnscache service
> making all applications resolve DNS from their processes.
>

I tested this on Windows 7 and ran into some problems.

Blocking dns through all interfaces except the tun/tap works (tested by
sniffing the traffic etc.).

But most often (see below) name resolution fails after the vpn is connected:

openvpn: git-master + this patch locally compiled using mingw (64bit)
LAN: IP (dhcp): 192.168.0.110  dns (dhcp): 192.168.0.30
TUN/TAP: IP (automatic): 10.9.0.10 dns (fixed): 8.8.8.8
Windows firewall: disabled

openvpn --config some-config.ovpn --block-outside-dns --verb4
--redirect-gateway def1

Name resolution times out after connect (checked by ping and browser).
But nslookup continues to work, so direct connection to 8.8.8.8:53 via the
tun is working. In this state, the only strange thing I notice is

ipconfig /displaydns
returns "Could not display the resolver cache".
as if the dnscache service is stopped, but it is running.

Name resolution starts to work again after a
(i) ipconfig /registerdns
OR
(ii) sc stop dnscache (starting it again is also ok)
OR
(iii) wait for several minutes
/displaydns also displays the cache correctly after that.

On restarting the vpn (SIGHUP or SIGUSR1), it goes back to the non-resolving
state again. Once it starts working there are no obvious delays with
dns -- tested only on a fast connection to the vpn server.

I could not enable logging of the firewall, without which it's hard to say
what's going on. I can only guess the system continues to try only
192.168.0.30, which gets blocked by the filter.

So, how to enable firewall logging? -- enabling via netsh or the Windows
firewall UI (wf.msc) does not generate any logs. Also the firewall rules
added by the program do not show up in the firewall UI or in netsh
advfirewall outputs. How to make these filters visible in the UI and how to
log the dropped connections? The filters are in place and do work, but
don't show up in the UI -- is that expected? The UI continues to show the
firewall as disabled with no filters in place.

I couldn't find anything wrong with the code, but I'm not familiar with
WFP.

Thanks,
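Added example, not part of the thread or of the patch: a PowerShell check that reads the live WFP filter set and lists every filter conditioned on remote port 53, which is where filters added through the WFP API (dynamic-session ones included) can be inspected even though wf.msc and netsh advfirewall never list them. It assumes an elevated shell, that openvpn is still running (a dynamic session drops its filters on exit), and the wfpdiag XML layout that `netsh wfp show filters` emits; the element names used below are my assumption, adjust the paths if your export differs.

```powershell
# Added example (not the patch's or the thread's code): export the current
# WFP filters and show the ones that match remote port 53, i.e. the DNS
# block/permit filters installed by --block-outside-dns while the VPN is up.
# Assumptions: elevated PowerShell; wfpdiag XML element names as emitted by
# "netsh wfp show filters" on Windows 7+ (adjust the property paths if your
# export differs).

$xmlPath = Join-Path $env:TEMP 'wfp-filters.xml'

# netsh writes the filter set to the given file instead of the console.
& netsh wfp show filters file="$xmlPath" | Out-Null
if (-not (Test-Path $xmlPath)) {
    throw "netsh produced no $xmlPath (an elevated shell is required)"
}

[xml]$wfp = Get-Content -Path $xmlPath -Raw

# Keep only filters that carry an IP_REMOTE_PORT == 53 condition.
$dnsFilters = @($wfp.wfpdiag.filters.item | Where-Object {
    @($_.filterCondition.item) | Where-Object {
        $_.fieldKey -eq 'FWPM_CONDITION_IP_REMOTE_PORT' -and
        $_.conditionValue.uint16 -eq '53'
    }
})

if ($dnsFilters.Count -eq 0) {
    Write-Warning 'No port-53 filters found: is openvpn running with --block-outside-dns?'
}

# One row per filter: which layer it sits in, whether it permits or blocks,
# and the full condition list (the permit for openvpn.exe itself should show
# an extra ALE_APP_ID condition next to the port match).
foreach ($f in $dnsFilters) {
    [pscustomobject]@{
        Name       = $f.displayData.name
        Layer      = $f.layerKey
        Action     = $f.action.type       # FWP_ACTION_BLOCK or FWP_ACTION_PERMIT
        Conditions = (@($f.filterCondition.item) | ForEach-Object { $_.fieldKey }) -join ', '
    }
}

Remove-Item -Path $xmlPath -ErrorAction SilentlyContinue
```

The same netsh context also records filtering decisions: `netsh wfp capture start`, reproduce the failing lookup, then `netsh wfp capture stop` writes a wfpdiag.cab whose wfpdiag.xml contains the drop events with the filter id that caused each one.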
