#!/bin/bash # # Parses options from openvpn to update resolv.conf # # The only way to enforce that a linux system will not leak DNS # queries is to replace /etc/resolv.conf with a file that only # has the DNS resolver specified by the VPN. # # That is what this script does. This is what resolvconf is for, # but sadly it does not always work. # # Example envs set from openvpn: # foreign_option_1='dhcp-option DNS 193.43.27.132' # foreign_option_2='dhcp-option DNS 193.43.27.133' # foreign_option_3='dhcp-option DOMAIN be.bnc.ch' # function up() { comment=$( cat <<SETVAR # # This is a temporary resolv.conf set by the Bitmask in order to # strictly enforce that DNS lookups are secured by the VPN. # # When Bitmask quits or the VPN connection it manages is dropped, # this file will be replace with the regularly scheduled /etc/resolv.conf # # If you want custom entries to appear in this file while Bitmask is running, # put them in /etc/leap/resolv-head or /etc/leap/resolv-tail. These files # should only be writable by root. # SETVAR ) if [ -f /etc/leap/resolv-head ] ; then custom_head=$(cat /etc/leap/resolv-head) else custom_head="" fi if [ -f /etc/leap/resolv-tail ] ; then custom_tail=$(cat /etc/leap/resolv-tail) else custom_tail="" fi for optionname in ${!foreign_option_*} ; do option="${!optionname}" echo $option part1=$(echo "$option" | cut -d " " -f 1) if [ "$part1" == "dhcp-option" ] ; then part2=$(echo "$option" | cut -d " " -f 2) part3=$(echo "$option" | cut -d " " -f 3) if [ "$part2" == "DNS" ] ; then IF_DNS_NAMESERVERS="$IF_DNS_NAMESERVERS $part3" fi if [ "$part2" == "DOMAIN" ] ; then IF_DNS_SEARCH="$IF_DNS_SEARCH $part3" fi fi done R="" for SS in $IF_DNS_SEARCH ; do R="${R}search $SS " done for NS in $IF_DNS_NAMESERVERS ; do R="${R}nameserver $NS " done cp /etc/resolv.conf /etc/resolv.conf.bak echo "$comment $custom_head $R $custom_tail" > /etc/resolv.conf } function down() { if [ -f /etc/resolv.conf.bak ] ; then cat /etc/resolv.conf.bak > /etc/resolv.conf rm /etc/resolv.conf.bak fi } case $script_type in up) up ;; down) down ;; esac