diff options
Diffstat (limited to 'pkg/linux/resolv-update')
| -rwxr-xr-x | pkg/linux/resolv-update | 90 | 
1 files changed, 90 insertions, 0 deletions
| diff --git a/pkg/linux/resolv-update b/pkg/linux/resolv-update new file mode 100755 index 00000000..a54802e3 --- /dev/null +++ b/pkg/linux/resolv-update @@ -0,0 +1,90 @@ +#!/bin/bash +# +# Parses options from openvpn to update resolv.conf +# +# The only way to enforce that a linux system will not leak DNS +# queries is to replace /etc/resolv.conf with a file that only +# has the DNS resolver specified by the VPN. +# +# That is what this script does. This is what resolvconf is for, +# but sadly it does not always work. +# +# Example envs set from openvpn: +# foreign_option_1='dhcp-option DNS 193.43.27.132' +# foreign_option_2='dhcp-option DNS 193.43.27.133' +# foreign_option_3='dhcp-option DOMAIN be.bnc.ch' +# + +function up() { + +  comment=$( +cat <<SETVAR +# +# This is a temporary resolv.conf set by the LEAP Client in order to +# strictly enforce that DNS lookups are secured by the VPN. +# +# When the LEAP Client quits or the VPN connection it manages is dropped, +# this file will be replace with the regularly scheduled /etc/resolv.conf +# +# If you want custom entries to appear in this file while LEAP is running, +# put them in /etc/leap/resolv-head or /etc/leap/resolv-tail. These files +# should only be writable by root. +# + +SETVAR +) + +  if [ -f /etc/leap/resolv-head ] ; then +    custom_head=$(cat /etc/leap/resolv-head) +  else +    custom_head="" +  fi + +  if [ -f /etc/leap/resolv-tail ] ; then +    custom_tail=$(cat /etc/leap/resolv-tail) +  else +    custom_tail="" +  fi + +  for optionname in ${!foreign_option_*} ; do +    option="${!optionname}" +    echo $option +    part1=$(echo "$option" | cut -d " " -f 1) +    if [ "$part1" == "dhcp-option" ] ; then +      part2=$(echo "$option" | cut -d " " -f 2) +      part3=$(echo "$option" | cut -d " " -f 3) +      if [ "$part2" == "DNS" ] ; then +        IF_DNS_NAMESERVERS="$IF_DNS_NAMESERVERS $part3" +      fi +      if [ "$part2" == "DOMAIN" ] ; then +        IF_DNS_SEARCH="$IF_DNS_SEARCH $part3" +      fi +    fi +  done +  R="" +  for SS in $IF_DNS_SEARCH ; do +          R="${R}search $SS +" +  done +  for NS in $IF_DNS_NAMESERVERS ; do +          R="${R}nameserver $NS +" +  done +  mv /etc/resolv.conf /etc/resolv.conf.bak +  echo "$comment +$custom_head +$R +$custom_tail" > /etc/resolv.conf +} + +function down() { +  if [ -f /etc/resolv.conf.bak ] ; then +    unlink /etc/resolv.conf +    mv /etc/resolv.conf.bak /etc/resolv.conf +  fi +} + +case $script_type in +  up)   up   ;; +  down) down ;; +esac | 
