
add a way to use openresolv #101

Closed
CircleCode opened this issue Feb 10, 2017 · 16 comments

@CircleCode

when openresolv is available, please add a way to use it so that openfortivpn does not overwrite resolv.conf.

@adrienverge
Owner

Good idea, such a contribution would be welcomed!

@CircleCode
Author

CircleCode commented Feb 14, 2017

Sadly, I have no skills in C.
Additionally, after thinking a bit, I think it would be much more open to use some scripts like openvpn.
These scripts would receive the routes and the list of DNS servers, and could do whatever they want with it (for example, as I'm using dnsmasq, and I know the DNS given by the tunnel are only useful for some given domains, I would only register them for concerned domains)
(related to #67)

@CircleCode
Author

CircleCode commented Feb 14, 2017

I made some tests about it, and it appears that the use of --no-dns and an /etc/ppp/ip-up.d/ script can almost do this. But I am a bit limited, and I think we could allow more flexibility by simply using the ipparam parameter: this param is passed to /etc/ppp/ip-up.d/ and /etc/ppp/ip-down.d/ scripts and can allow a more fine-grained control of what to do for each VPN.
For me, an additional option to openforticlient (like pppd-ipparam) can be directly forwarded to the pppd command, and the user can use it in the way he wants in his own scripts.

@mrbaseman
Collaborator

I have implemented the ip-param option. @CircleCode could you test mrbaseman@d847932 please?

@mrbaseman
Collaborator

maybe we could include the ip-up.d/ and ip-down.d/ scripts at least as a sample or provide the recipe in the man page

@CircleCode
Author

@mrbaseman thanks for this code.
Unfortunately, I'm on vacation right now, I'm not sure I will be able to test this before the next 2 weeks.
In any case, I'll comment here.
Thanks again.

@mrbaseman
Collaborator

@digmore has confirmed in #124 that the ipparam setting from my branch was working, so I have just merged this into master.
@CircleCode, first of all enjoy your vacation! When you are back, please let me know if the implementation of the ipparam setting fulfills your needs, too, or if you need some more flexibility. Right now, the parameter is just handed over unchanged to pppd by openfortivpn.

@mrbaseman
Collaborator

Just a remark: pppd sets a couple of environment variables (see man pppd). ipparam is currently passed through openfortivpn, but inside the ip-up / ip-down scripts one can replace variables in this string as follows:

```sh
ipparam_raw=$6
ipparam=$(eval echo $ipparam_raw)
```

and invoke with

```sh
openfortivpn --pppd-ipparam='device=$DEVICE'
```

Note the single quotes to prevent variable expansion by the calling shell, where $DEVICE is not yet set. Expansion is done inside the script by the execution of `eval echo $ipparam_raw`, when the environment variables have been made available by pppd.

@skycaptain

skycaptain commented Jul 1, 2017

@mrbaseman @CircleCode May I ask you to provide an example on how to setup ip-up and ip-down?
I'm trying to only route subdomains of example.com through the vpn tunnel.

@mrbaseman
Collaborator

I have just tried with `openfortivpn --no-dns -v` on Ubuntu after installing openresolv (which already comes with the following scripts that take care of updating /etc/resolv.conf):

/etc/ppp/ip-down.d/000resolvconf:

```sh
#!/bin/sh

# ppp.ip-down hook script for resolvconf
# Written by Roy Marples <roy(at)marples.name> under the BSD-2 license

[ -x /sbin/resolvconf ] || exit 0
/sbin/resolvconf -f -d "$PPP_IFACE"
```

and /etc/ppp/ip-up.d/000resolvconf:

```sh
#!/bin/sh
# ppp.ip-up hook script for resolvconf
# Written by Roy Marples <roy(at)marples.name> under the BSD-2 license

[ -x /sbin/resolvconf ] || exit 0

if [ -n "$DNS1" -o -n "$DNS2" ]; then
    conf="# Generated by ppp.ip-up for $PPP_IFACE\n"
    [ -n "$DNS1" ] && conf="${conf}nameserver $DNS1\n"
    [ -n "$DNS2" ] && conf="${conf}nameserver $DNS2\n"
    printf "$conf" | /sbin/resolvconf -a "$PPP_IFACE"
fi
```

When you also want to set up routing manually, you should use --no-routes, but you would have to hard-code the routes in the script. See man(8) pppd for the variables you can use in the scripts that get called by pppd (e.g. the interface name may change when other ppp connections are already open).

The general task that you describe, "only route subdomains", is a quite complex task. For each IP packet you would have to reverse-lookup the domain and then make a routing decision based on the FQDN. However, if you know the assigned subnets, you could check $5 in the ip-up script, which is the gateway IP, and if that one matches your "example.com" VPN gateway, accordingly add the routes in the script like in this example.

@mrbaseman
Collaborator

@skycaptain I just read your comment again and I think I misunderstood. You were talking about name resolution whereas my answer was about routing.
If you have dnsmasq running locally, it should do the dns lookups, and cache the entries etc. It would normally read /etc/resolv.conf to know which DNS servers to query for anything not present in the cache. I'm pretty sure that you can not configure complex rules which server it should query depending on the subdomain, but if you have a private DNS system behind your VPN tunnel, dnsmasq would probably try your first (public) DNS server and if that one doesn't have an answer it might query the second one, which should be the private one at the other end of the VPN tunnel. There is a simple configuration example how to make dnsmasq pick up changes about name resolution via ip-up scripts on the openresolv homepage, so that it adds the private DNS server as soon as the tunnel is up.
However, I'm not sure if such a fallback actually works with dnsmasq. You might have to use a different DNS (caching) server. There are also examples for bind and others on the openresolv homepage.
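The two points raised above, passing per-VPN data through ipparam (the earlier remark about `eval echo $ipparam_raw`) and making dnsmasq use the tunnel's resolvers only for certain domains (CircleCode's original goal and skycaptain's question), can be combined in one pppd hook. The script below is an added example for this thread, not a script shipped by openfortivpn, pppd or openresolv. It parses ipparam as `key=value` pairs without `eval` (the hooks run as root, so nothing in that string should ever be executed as shell code) and writes `server=/domain/ns` lines into a dnsmasq servers file. The ipparam convention `profile=NAME,domains=a.example;b.example`, the file path `/etc/dnsmasq-vpn.servers`, and the assumption that dnsmasq is started with `--servers-file=` pointing at that path (so a SIGHUP makes it re-read the file) are all this example's own choices, not something the project defines.

```shell
#!/bin/sh
# Added example, not a script shipped by openfortivpn, pppd or openresolv.
# Install the same file as /etc/ppp/ip-up.d/50vpn-dnsmasq and
# /etc/ppp/ip-down.d/50vpn-dnsmasq.  pppd calls these hooks as
#   script IFACE TTY SPEED LOCAL_IP REMOTE_IP IPPARAM
# and exports DNS1/DNS2 (see man pppd).  Invoke the VPN as, for instance:
#   openfortivpn --no-dns --pppd-ipparam='profile=work,domains=corp.example;lab.example'
# Assumptions: the ipparam key=value convention is ours, and dnsmasq must run
# with --servers-file=$SERVERS_FILE so that SIGHUP re-reads the file.

SERVERS_FILE=${SERVERS_FILE:-/etc/dnsmasq-vpn.servers}

# ipparam_get RAW KEY: print KEY's value from a comma-separated key=value
# string.  No eval: ipparam comes from openfortivpn's command line or config,
# and these hooks run as root.
ipparam_get() {
    raw=$1 wanted=$2
    set -f                              # no glob expansion during the split
    old_ifs=$IFS; IFS=','
    for pair in $raw; do
        case $pair in
            "$wanted"=*)
                IFS=$old_ifs; set +f
                printf '%s\n' "${pair#*=}"
                return 0 ;;
        esac
    done
    IFS=$old_ifs; set +f
    return 1
}

# dnsmasq_conf IFACE DOMAINS NS...: emit "server=/domain/ns" lines so that only
# DOMAINS (semicolon separated) are resolved through the tunnel's resolvers;
# every other name keeps using dnsmasq's normal upstream servers.
dnsmasq_conf() {
    iface=$1 domains=$2
    shift 2
    printf '# generated by ip-up for %s\n' "$iface"
    set -f; old_ifs=$IFS; IFS=';'
    for d in $domains; do
        for ns in "$@"; do
            if [ -n "$ns" ]; then
                printf 'server=/%s/%s\n' "$d" "$ns"
            fi
        done
    done
    IFS=$old_ifs; set +f
}

# Ask dnsmasq to re-read its servers-file.  Overridable for testing.
reload_dnsmasq() {
    pkill -HUP -x dnsmasq 2>/dev/null || :
}

ip_up() {
    iface=$1 ipparam=$6
    domains=$(ipparam_get "$ipparam" domains) || return 0   # not a tunnel we manage
    [ -n "$DNS1" ] || [ -n "$DNS2" ] || return 0           # peer sent no resolvers
    dnsmasq_conf "$iface" "$domains" "$DNS1" "$DNS2" > "$SERVERS_FILE"
    reload_dnsmasq
}

ip_down() {
    iface=$1
    # Only drop the fragment if this interface generated it.
    if [ -f "$SERVERS_FILE" ] && grep -q -- "for $iface\$" "$SERVERS_FILE"; then
        : > "$SERVERS_FILE"
        reload_dnsmasq
    fi
}

# run-parts invokes the same file from either directory; dispatch on the path.
case $0 in
    */ip-up.d/*)   ip_up "$@" ;;
    */ip-down.d/*) ip_down "$@" ;;
esac
```

Because the script writes only `server=` lines and leaves /etc/resolv.conf alone, it composes with openresolv's own `000resolvconf` hooks shown above: resolvconf still records the tunnel's nameservers, while dnsmasq consults them only for the listed domains.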

@DimitriPapadopoulos
Collaborator

DimitriPapadopoulos commented Jun 9, 2018

@CircleCode I am currently trying to rationalize DNS handling in openfortivpn. The plan is to stop messing with DNS settings in openfortivpn in the future, instead entirely delegate DNS settings to pppd.

In this context, would it make sense to drop this issue, and perhaps open a new ticket against pppd?

In the short term we could still add openresolv support in openfortivpn. I cannot easily make sense of how to use openresolv in a distribution such as Ubuntu. Could you point me to appropriate documentation?

@DimitriPapadopoulos
Collaborator

DimitriPapadopoulos commented Jul 4, 2018

@CircleCode See commit f383084. The default is to let pppd handle DNS: from now on openfortivpn will not try to modify /etc/resolv.conf on its own by default. In the future we might remove this possibility to modify /etc/resolv.conf altogether, leaving that to pppd. Do you know whether pppd is aware of openresolv and capable of using it?

@mrbaseman
Collaborator

For the record, we have reverted that commit with openfortivpn 1.8.1 because of unexpected trouble (see #349).

Another hint: We have started a wiki and added the ip-up/down scripts and a few more questions and answers around that topic.

@mrbaseman
Collaborator

in #419 I have improved the documentation of the relevant options. I think we can close this issue now, since the necessary options have been implemented in the meantime, the wiki has been created and with the latest pull request the man page will be updated as well. If anything is still missing, please open a new issue.

mrbaseman added a commit to mrbaseman/openfortivpn that referenced this issue Dec 10, 2019
mrbaseman added a commit to mrbaseman/openfortivpn that referenced this issue Dec 11, 2019
mrbaseman added a commit to mrbaseman/openfortivpn that referenced this issue Dec 11, 2019
mrbaseman added a commit to mrbaseman/openfortivpn that referenced this issue Dec 11, 2019
this implements the feature request from adrienverge#486 and adrienverge#101,
update help and man page
mrbaseman added a commit to mrbaseman/openfortivpn that referenced this issue Dec 12, 2019
this implements the feature request from adrienverge#486 and adrienverge#101,
update help and man page
mrbaseman added a commit that referenced this issue Dec 12, 2019
this implements the feature request from #486 and #101,
update help and man page
@mrbaseman
Collaborator

We have noticed that this issue in fact was not solved. We had to revert what was meant to be a solution, but pppd's ip-up-scripts are much more tricky to maintain than just installing resolvconf in the hope that it does the right thing.
We have added resolvconf support on the master branch now and it can be tested there.
