
rc: openvpn: rework pushed DNS handling for OpenVPN servers set to In…

…ternet-Only mode

- Resolve the issue where the router's DNS would be unreachable due to the firewall
- If the user entered custom nameservers on the router's DHCP config, then also push
  these to ovpn clients, and open access to them in the firewall.
RMerl committed Feb 11, 2020
1 parent 26d0682 commit 938058e12e3f7e9eba3829b467150a719d290504
Showing with 29 additions and 1 deletion.
  1. +29 −1 release/src/router/rc/openvpn.c
@@ -951,7 +951,17 @@ void start_ovpn_server(int serverNum)
{
if ( nvram_safe_get("lan_domain")[0] != '\0' )
fprintf(fp, "push \"dhcp-option DOMAIN %s\"\n", nvram_safe_get("lan_domain"));
fprintf(fp, "push \"dhcp-option DNS %s\"\n", nvram_safe_get("lan_ipaddr"));

strlcpy(buffer, nvram_safe_get("dhcp_dns1_x"), sizeof (buffer));
strlcpy(buffer2, nvram_safe_get("dhcp_dns2_x"), sizeof (buffer2));

if (*buffer)
fprintf(fp, "push \"dhcp-option DNS %s\"\n", buffer);
if (*buffer2)
fprintf(fp, "push \"dhcp-option DNS %s\"\n", buffer2);

if (nvram_get_int("dhcpd_dns_router") || (*buffer == '\0' && *buffer2 == '\0'))
fprintf(fp, "push \"dhcp-option DNS %s\"\n", nvram_safe_get("lan_ipaddr"));
}

if ( nvram_pf_get_int(prefix, "client_access") != OVPN_CLT_ACCESS_LAN )
@@ -1340,6 +1350,24 @@ void start_ovpn_server(int serverNum)
{
ip2class(nvram_safe_get("lan_ipaddr"), nvram_safe_get("lan_netmask"), buffer);
fprintf(fp, "iptables -I OVPN -i %s ! -d %s -j ACCEPT\n", iface, buffer);

if (nvram_pf_get_int(prefix, "pdns")) {
strlcpy(buffer, nvram_safe_get("dhcp_dns1_x"), sizeof (buffer));
strlcpy(buffer2, nvram_safe_get("dhcp_dns2_x"), sizeof (buffer2));
// Open in the firewall in case they are within the LAN
if (*buffer) {
fprintf(fp, "iptables -I OVPN -i %s -p udp -d %s --dport 53 -j ACCEPT\n", iface, buffer);
fprintf(fp, "iptables -I OVPN -i %s -m tcp -p tcp -d %s --dport 53 -j ACCEPT\n", iface, buffer);
}
if (*buffer2) {
fprintf(fp, "iptables -I OVPN -i %s -p udp -d %s --dport 53 -j ACCEPT\n", iface, buffer2);
fprintf(fp, "iptables -I OVPN -i %s -m tcp -p tcp -d %s --dport 53 -j ACCEPT\n", iface, buffer2);
}
if (nvram_get_int("dhcpd_dns_router") || (*buffer == '\0' && *buffer2 == '\0')) {
fprintf(fp, "iptables -I OVPN -i %s -p udp -d %s --dport 53 -j ACCEPT\n", iface, nvram_safe_get("lan_ipaddr"));
fprintf(fp, "iptables -I OVPN -i %s -m tcp -p tcp -d %s --dport 53 -j ACCEPT\n", iface, nvram_safe_get("lan_ipaddr"));
}
}
} else if (nvram_pf_get_int(prefix, "client_access") == OVPN_CLT_ACCESS_LAN)
{
ip2class(nvram_safe_get("lan_ipaddr"), nvram_safe_get("lan_netmask"), buffer);
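Review bot: The values read from `dhcp_dns1_x` and `dhcp_dns2_x` in the second hunk (and again in the first hunk) are written unvalidated through `%s` into both the pushed `dhcp-option DNS` line and the generated iptables script, so a malformed or non-IPv4 nvram value would land verbatim in the `-d` argument of the firewall script as well as in the client-facing OpenVPN config. Whether the web UI already constrains these fields is not visible here; a cheap guard at the point of use, `struct in_addr a; if (*buffer && inet_pton(AF_INET, buffer, &a) != 1) *buffer = '\0';` (and the same for `buffer2`), keeps garbage out of both generated files and still falls back to the router address through the existing `*buffer == '\0'` test. The udp/tcp rule pair is now emitted three times with only the destination differing; a small `static void ovpn_fw_allow_dns(FILE *fp, const char *iface, const char *dst)` helper would keep the two rules in step if the port or match options change. `start_ovpn_server` begins and ends outside both hunks.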
