Hi,
On 05/10/2023 21:03, Selva Nair wrote:
[cut]
> Thanks for the feedback on the context of the patch.
> That said, I'm not convinced this is the right way to document this.
> IMO, using "--dhcp-option DNS n.n.n" to set a DNS server not reachable
> through the tunnel is a misuse of that option on any platform.
> Even on "non-windows" one shouldn't do that as it's very reasonable for
> a script that handles it to set it on the interface, instead of
> globally, if the platform permits it. For example, using
> systemd-resolved on Linux (though I'm not totally sure how exactly
> interface-specific DNS works in this case).
> So, if at all, why not state that the DNS server specified here should
> be reachable through the tunnel irrespective of the platform?
Well, I simply want to document the current behaviour (we spent a few
hours debugging this situation because the documentation wasn't clear
enough).
On Linux at the moment you can pass any DNS and, like you said, the user
script will do something with it. On Windows, this is not the case and I
simply want to note this down.
If you think we should accept only VPN-reachable IPs (which may make
sense, although some people do crazy things and may not like it), then
we should change the code in order to reject anything that cannot be
routed through the VPN. But so far OpenVPN has always left the
responsibility to the user/admin to make sure that all pieces will fit
together.
So instead of forcing any semantic, I think we should simply document
what the code does.
Cheers,
--
Antonio Quartulli
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
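The thread above turns on one question: is a DNS server handed to a client via "dhcp-option DNS" actually routed through the tunnel, or does the admin have to check that themselves? The script below is an added example (not code from the thread or from the OpenVPN project) of the kind of sanity check an admin could run over a client's pushed or configured options before deploying them. It assumes the option lines are available as plain text (for instance copied from a server "push" block or a client config) and applies a longest-prefix match, the same rule the OS routing table uses, treating routes pinned to "net_gateway" / "net_gateway_ipv6" as bypassing the tunnel. The sample option lines are constructed for the demonstration.

```python
"""Sanity check: is each pushed DNS server routed through the VPN tunnel?

Added example; not part of OpenVPN or the mailing-list thread. It mirrors
how the operating system picks a route (longest prefix wins), not how
OpenVPN itself installs routes, so treat the result as a pre-deployment
lint, not as a guarantee.
"""
import ipaddress

# Constructed sample of option lines as a client could receive them from a
# server "push" block or hold in its own config. Not from the thread.
SAMPLE_OPTIONS = [
    "route 10.8.0.0 255.255.255.0",                  # VPN subnet
    "route 192.168.50.0 255.255.255.0",              # LAN behind the server
    "route 203.0.113.5 255.255.255.255 net_gateway",  # pinned to local gateway
    "route-ipv6 fd00:8::/64",                        # VPN IPv6 subnet
    "dhcp-option DNS 10.8.0.1",      # inside the VPN subnet: via tunnel
    "dhcp-option DNS 203.0.113.5",   # explicitly bypasses the tunnel
    "dhcp-option DNS 8.8.8.8",       # no tunnel route at all
    "dhcp-option DNS fd00:8::1",     # covered by the route-ipv6 line
]


def parse_options(lines):
    """Return (routes, dns_servers).

    routes: list of (network, via_tunnel). via_tunnel is False for routes
            whose gateway is the net_gateway / net_gateway_ipv6 keyword.
    dns_servers: ip_address objects from "dhcp-option DNS" / "DNS6" lines.
    """
    routes, dns_servers = [], []
    for line in lines:
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        opt = parts[0]
        if opt == "redirect-gateway":
            # Default route through the tunnel; "ipv6" flag adds ::/0 too.
            routes.append((ipaddress.ip_network("0.0.0.0/0"), True))
            if "ipv6" in parts[1:]:
                routes.append((ipaddress.ip_network("::/0"), True))
        elif opt == "route" and len(parts) >= 2:
            if "/" in parts[1]:
                # "route 10.8.0.0/24 [gateway]" form
                net = ipaddress.ip_network(parts[1], strict=False)
                gateway = parts[2] if len(parts) >= 3 else ""
            else:
                # "route network [netmask] [gateway]" form; default /32
                netmask = parts[2] if len(parts) >= 3 else "255.255.255.255"
                net = ipaddress.ip_network(f"{parts[1]}/{netmask}", strict=False)
                gateway = parts[3] if len(parts) >= 4 else ""
            routes.append((net, gateway != "net_gateway"))
        elif opt == "route-ipv6" and len(parts) >= 2:
            net = ipaddress.ip_network(parts[1], strict=False)
            gateway = parts[2] if len(parts) >= 3 else ""
            routes.append((net, gateway != "net_gateway_ipv6"))
        elif opt == "dhcp-option" and len(parts) >= 3 \
                and parts[1].upper() in ("DNS", "DNS6"):
            dns_servers.append(ipaddress.ip_address(parts[2]))
    return routes, dns_servers


def via_tunnel(addr, routes):
    """Longest-prefix match of addr against routes; False if no route matches."""
    candidates = [(net, tun) for net, tun in routes
                  if net.version == addr.version and addr in net]
    if not candidates:
        return False
    _, tun = max(candidates, key=lambda c: c[0].prefixlen)
    return tun


def dns_reachability(lines):
    """Map each DNS server (as a string) to whether it is routed via the tunnel."""
    routes, dns_servers = parse_options(lines)
    return {str(d): via_tunnel(d, routes) for d in dns_servers}


if __name__ == "__main__":
    for server, ok in dns_reachability(SAMPLE_OPTIONS).items():
        print(f"{server:>14}  {'via tunnel' if ok else 'NOT via tunnel'}")
```

Run as-is it reports 10.8.0.1 and fd00:8::1 as reachable through the tunnel and flags 8.8.8.8 and 203.0.113.5; adding a "redirect-gateway def1" line makes 8.8.8.8 pass while 203.0.113.5 stays flagged, because its /32 net_gateway route is more specific than the default. That is the Windows case from the thread in miniature: a flagged server would be bound to the TAP/DCO interface yet have no path through it.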