I'm trying to use openvpn as a client on CentOS 7. It works fine, but I cannot get DNS from the server. As you know, there is no resolvconf in the new CentOS, so the standard update-resolv-conf script doesn't work.
I rewrote it slightly:
#!/bin/bash
#
# Parses DHCP options from openvpn to update resolv.conf
# To use set as 'up' and 'down' script in your openvpn *.conf:
# up /etc/openvpn/update-resolv-conf
# down /etc/openvpn/update-resolv-conf
#
# Used snippets of resolvconf script by Thomas Hood
# and Chris Hanson
# Licensed under the GNU GPL.  See /usr/share/common-licenses/GPL.
# 07/2013 colin@daedrum.net Fixed inet name
# 05/2006 chlauber@bnc.ch
#
# Example envs set from openvpn:
# foreign_option_1='dhcp-option DNS 193.43.27.132'
# foreign_option_2='dhcp-option DNS 193.43.27.133'
# foreign_option_3='dhcp-option DOMAIN be.bnc.ch'
# foreign_option_4='dhcp-option DOMAIN-SEARCH bnc.local'

set -e

## You might need to set the path manually here, i.e.
# RESOLVCONF=/usr/bin/resolvconf
#RESOLVCONF=$(which resolvconf)
#[ -x $RESOLVCONF ] || exit 0

#IPv4 ONLY!
NMCLI=/usr/bin/nmcli #$(which nmcli)
SYSTEMCTL=/usr/bin/systemctl #$(which systemctl)
[ -x $NMCLI ] || exit 0
[ -x $SYSTEMCTL ] || exit 0

#testing version for running from console
active_con_dev=$($NMCLI -t -f NAME,DEVICE con show --active | grep "tun" | head -1)
#it must be something like
#active_con_dev=$($NMCLI -t -f NAME,DEVICE con show --active | grep "$dev" | head -1)
active_con=$(echo "$active_con_dev" | awk -F: '{print $1}')
active_dev=$(echo "$active_con_dev" | awk -F: '{print $2}')
# no matching active connection (e.g. tun already gone): nothing to modify
[ -n "$active_con" ] || exit 0
# lists added by 'up' are saved here so 'down' removes exactly the same entries
dns_list_file=/etc/openvpn/dns_list
search_list_file=/etc/openvpn/search_list

case $script_type in
up)
  #we take first active connection and device (but not tun devices. I don't know either NM can show it or no)
  for optionname in ${!foreign_option_*} ; do
    option="${!optionname}"
    echo $option
    part1=$(echo "$option" | cut -d " " -f 1)
    if [ "$part1" == "dhcp-option" ] ; then
      part2=$(echo "$option" | cut -d " " -f 2)
      part3=$(echo "$option" | cut -d " " -f 3)
      if [ "$part2" == "DNS" ] ; then
        IF_DNS_NAMESERVERS="$IF_DNS_NAMESERVERS $part3"
      fi
      if [[ "$part2" == "DOMAIN" || "$part2" == "DOMAIN-SEARCH" ]] ; then
        IF_DNS_SEARCH="$IF_DNS_SEARCH $part3"
      fi
    fi
  done
  # build comma-separated lists: nmcli needs a separator between entries,
  # plain concatenation would glue two addresses into one invalid string
  R=""
  for NS in $IF_DNS_NAMESERVERS ; do
    # R="${R}nameserver $NS"
    R="${R}${R:+,}$NS"
  done
  S=""
  for DS in $IF_DNS_SEARCH ; do
    # R="${R}search $DS"
    S="${S}${S:+,}$DS"
  done
  echo "$R" > "$dns_list_file"
  echo "$S" > "$search_list_file"
  #ipv4 only
  #we must check existence of DNS, but I'm too lazy now
  if [ -n "$R" ] ; then
    $NMCLI con mod "$active_con" +ipv4.dns "$R"
  fi
  # search domains belong in ipv4.dns-search, not in ipv4.dns
  if [ -n "$S" ] ; then
    $NMCLI con mod "$active_con" +ipv4.dns-search "$S"
  fi
  $SYSTEMCTL restart NetworkManager
  #echo -n "$R" | $RESOLVCONF -p -a "${dev}"
  #echo -n "$R" | $RESOLVCONF -a "${dev}.inet"
  ;;
down)
  # read the saved lists back (cat, not echo: echo only gives the file name)
  dns_list=$(cat "$dns_list_file" 2>/dev/null || true)
  search_list=$(cat "$search_list_file" 2>/dev/null || true)
  if [ -n "$dns_list" ]; then
    #we must check existence of this dns, but I'm too lazy now
    $NMCLI con mod "$active_con" -ipv4.dns "$dns_list"
  fi
  if [ -n "$search_list" ]; then
    $NMCLI con mod "$active_con" -ipv4.dns-search "$search_list"
  fi
  if [ -n "$dns_list" ] || [ -n "$search_list" ]; then
    $SYSTEMCTL restart NetworkManager
  fi
  rm -f "$dns_list_file" "$search_list_file"
  #$RESOLVCONF -d "${dev}.inet"
  ;;
esac
I'm not sure about search domains, but with nameservers only it works. Again, it must be tested with multiple servers (I didn't do it).
So, it can add DNS to your connection. But it does not work with SELinux when you run it from systemctl (systemctl start openvpn@config.service).
There are lines like this in /var/log/audit.log:
type=AVC msg=audit(1414759817.198:2963): avc: denied { execute } for pid=1827 comm="update-resolv-c" name="systemctl" dev="dm-1" ino=787169 \ scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
I must write a policy for SELinux. OK, but is there some more user-friendly way to set up DNS? Maybe the package maintainers and developers at RedHat/CentOS thought about openvpn DNS, but I don't know about it?
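The parsing step of the script above, as an added example (not the asker's script and not part of the question): it walks the foreign_option_N variables that OpenVPN exports to up/down scripts, builds the comma-separated lists that nmcli's ipv4.dns and ipv4.dns-search properties take, and prints the nmcli commands for the up and down cases without executing anything, which covers the multiple-server case the question leaves untested. The connection name "tun0-vpn" and the dhcp-option values in demo() are constructed.

```shell
#!/bin/sh
# Added example (not the asker's script): parse the foreign_option_N
# variables OpenVPN exports to 'up'/'down' scripts into the comma-separated
# lists that nmcli's ipv4.dns and ipv4.dns-search properties take, and show
# the nmcli commands that would apply or remove them without running nmcli.
# The connection name and the sample dhcp-option values below are constructed.

# Walk foreign_option_1, foreign_option_2, ... (OpenVPN numbers them
# consecutively) and print "<dns servers>|<search domains>".
collect_dns_options() {
    dns=""
    search=""
    i=1
    while :; do
        eval "opt=\${foreign_option_$i}"
        [ -n "$opt" ] || break
        # word-split the option into its fields: dhcp-option <TYPE> <VALUE>
        set -- $opt
        if [ "$1" = "dhcp-option" ]; then
            case "$2" in
                DNS)                  dns="${dns}${dns:+,}$3" ;;
                DOMAIN|DOMAIN-SEARCH) search="${search}${search:+,}$3" ;;
            esac
        fi
        i=$((i + 1))
    done
    printf '%s|%s\n' "$dns" "$search"
}

# Print the nmcli invocations for connection $2: "$1" is "up" (add the
# entries with +ipv4.dns / +ipv4.dns-search) or "down" (remove them with
# -ipv4.dns / -ipv4.dns-search). Nothing is executed, so the output can be
# reviewed before it touches the NetworkManager profile.
nmcli_commands() {
    mode="$1"
    con="$2"
    lists=$(collect_dns_options)
    dns=${lists%%|*}
    search=${lists#*|}
    case "$mode" in
        up)   sign='+' ;;
        down) sign='-' ;;
        *)    echo "usage: nmcli_commands up|down <connection>" >&2; return 1 ;;
    esac
    [ -n "$dns" ]    && printf 'nmcli con mod "%s" %sipv4.dns "%s"\n' "$con" "$sign" "$dns"
    [ -n "$search" ] && printf 'nmcli con mod "%s" %sipv4.dns-search "%s"\n' "$con" "$sign" "$search"
    return 0
}

# Constructed sample: two DNS servers, two domains and one unrelated option,
# in the form OpenVPN sets them in the environment of the up script.
demo() {
    foreign_option_1='dhcp-option DNS 10.8.0.1'
    foreign_option_2='dhcp-option DNS 10.8.0.2'
    foreign_option_3='dhcp-option DOMAIN vpn.example'
    foreign_option_4='dhcp-option DOMAIN-SEARCH corp.example'
    foreign_option_5='dhcp-option NTP 10.8.0.3'   # ignored: not DNS-related
    nmcli_commands "$1" "tun0-vpn"
}

demo up
demo down
```

Running the file prints the two add commands followed by the two matching remove commands; in a real up script you would run the printed commands (or call nmcli directly with the same arguments) and save the lists for the down script, as the rewritten script above does.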
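For the SELinux part, an added example (not from the question) that pulls the four fields a policy decision depends on out of AVC denial records: the denied permission, the source domain, the target type and the object class. Listing every denial a domain hits is the step before writing a module, since a script that is allowed to execute systemctl will usually trip further denials once that first one is resolved. SAMPLE_AUDIT is a constructed excerpt: the denial quoted in the question (with the line-wrap backslash removed) plus one unrelated non-AVC record.

```shell
#!/bin/sh
# Added example (not from the question): summarise SELinux AVC denials so
# that everything a given domain (here openvpn_t) is denied can be listed
# before deciding on a policy module. SAMPLE_AUDIT is a constructed excerpt:
# the denial from the question plus an unrelated non-AVC record.

SAMPLE_AUDIT='type=AVC msg=audit(1414759817.198:2963): avc: denied { execute } for pid=1827 comm="update-resolv-c" name="systemctl" dev="dm-1" ino=787169 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
type=SERVICE_START msg=audit(1414759817.100:2962): pid=1 uid=0 msg=unit=openvpn@config comm="systemd"'

# Print "<permission> <source type> <target type> <class>" for one AVC line,
# e.g. "execute openvpn_t systemd_systemctl_exec_t file".
parse_avc() {
    line=$1
    perm=$(printf '%s\n' "$line"   | sed -n 's/.*denied *{ *\([^ }]*\) *}.*/\1/p')
    stype=$(printf '%s\n' "$line"  | sed -n 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
    ttype=$(printf '%s\n' "$line"  | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
    tclass=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
    printf '%s %s %s %s\n' "$perm" "$stype" "$ttype" "$tclass"
}

# Read audit records on stdin and print the summary of every AVC record
# whose source domain is $1; non-AVC records and other domains are skipped.
avc_denials_for() {
    domain=$1
    grep 'type=AVC' | while IFS= read -r rec; do
        summary=$(parse_avc "$rec")
        set -- $summary
        if [ "$2" = "$domain" ]; then
            printf '%s\n' "$summary"
        fi
    done
}

# Number of distinct <permission source target class> tuples the domain hit
# in the constructed excerpt.
count_denials_for() {
    printf '%s\n' "$SAMPLE_AUDIT" | avc_denials_for "$1" | sort -u | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_AUDIT" | avc_denials_for openvpn_t
```

On a real host the input would come from ausearch (for example `ausearch -m avc -c update-resolv-c`), and the same records can be fed to audit2allow to draft a local module; the summary above is what lets you check that the module only covers the denials you actually expect from the up/down script.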