how to "lock" to corporate dns?


Илья Шипицин

Oct 20, 2017, 3:45:16 AM
to tunnelblick-discuss
Hello,

we use "tblk.zip" to provision config files to our users (it allows inclusion of Info.plist)

we run OpenVPN in corporate mode, our users connect to corporate LAN.
it is very important to use our corporate dns servers

but unfortunately, sometimes users set up dns servers to 8.8.8.8 manually

is there a way to add some string to Info.plist to "lock" those configs to corporate dns servers?

Tunnelblick developer

Oct 20, 2017, 5:54:02 AM
to tunnelblick-discuss
There is a new per-configuration setting (preference) which allows the configuration to override manually-set DNS. The setting is available starting in 3.7.3beta01 build 4860 (2017-08-17) and higher, so it is included in each of the stable and beta versions of Tunnelblick that were released yesterday.

The setting can be controlled by a checkbox on the "Advanced" settings window: "Allow changes to manually-set network settings".

The preference suffix associated with the setting is -allowChangesToManuallySetNetworkSettings. So for a configuration named "ABC XYZ", the full preference name would be "ABC XYZ-allowChangesToManuallySetNetworkSettings". (That's the name under which the preference would be seen in ~/Library/Preferences/net.tunnelblick.tunnelblick.plist.)

In a configuration's Info.plist, though, you just use the suffix, so you would include an entry with a key of "TBAlwaysSetPreference-allowChangesToManuallySetNetworkSettings" and value "true". See Tunnelblick VPN Configurations Details: Info.plist for details.

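The following is an added example, not code from this thread or from the Tunnelblick project. It builds the Info.plist of a .tblk package carrying the "TBAlwaysSetPreference-allowChangesToManuallySetNetworkSettings" entry described in the reply above, and shows how the per-configuration preference name ("ABC XYZ-allowChangesToManuallySetNetworkSettings") is derived so the result can be checked in the user's preferences plist. Assumptions not stated in the thread: the TBPackageVersion key and the Contents/Resources package layout are taken from Tunnelblick's package documentation, and the preferences dictionary and .ovpn text are constructed sample data.

```python
import plistlib
import tempfile
from pathlib import Path

# Suffix of the per-configuration preference named in the developer's reply.
PREF_SUFFIX = "allowChangesToManuallySetNetworkSettings"
# Key used inside a configuration's Info.plist (prefix + suffix, as in the reply).
ALWAYS_SET_KEY = "TBAlwaysSetPreference-" + PREF_SUFFIX


def info_plist(lock_dns: bool = True) -> dict:
    """Return the Info.plist dictionary for a .tblk package.

    TBPackageVersion is the package-format version key from Tunnelblick's
    Info.plist documentation (not mentioned in this thread; assumed here).
    The TBAlwaysSetPreference-* entry is the one from the reply above,
    with the string value "true".
    """
    plist = {"TBPackageVersion": "1"}
    if lock_dns:
        plist[ALWAYS_SET_KEY] = "true"
    return plist


def write_tblk(parent: Path, name: str, ovpn_text: str, lock_dns: bool = True) -> Path:
    """Lay out NAME.tblk/Contents/Info.plist and Contents/Resources/config.ovpn.

    The Contents/Resources layout follows Tunnelblick's package format docs;
    it is an assumption of this example, not something stated in the thread.
    """
    tblk = parent / f"{name}.tblk"
    resources = tblk / "Contents" / "Resources"
    resources.mkdir(parents=True, exist_ok=True)
    (resources / "config.ovpn").write_text(ovpn_text)
    with open(tblk / "Contents" / "Info.plist", "wb") as fh:
        plistlib.dump(info_plist(lock_dns), fh)
    return tblk


def read_info_plist(tblk: Path) -> dict:
    """Parse the package's Info.plist back (XML plist written by plistlib)."""
    with open(tblk / "Contents" / "Info.plist", "rb") as fh:
        return plistlib.load(fh)


def preference_key(config_name: str) -> str:
    """Full preference name as it appears in net.tunnelblick.tunnelblick.plist."""
    return f"{config_name}-{PREF_SUFFIX}"


def dns_override_enabled(prefs: dict, config_name: str) -> bool:
    """True if the preferences allow this configuration to override manually-set
    DNS. Accepts a plist boolean or the string form "true"; a missing key is False."""
    value = prefs.get(preference_key(config_name))
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in ("true", "yes", "1")


# Constructed stand-in for ~/Library/Preferences/net.tunnelblick.tunnelblick.plist
# (sample data for this example, not a real file).
SAMPLE_PREFS = {
    "ABC XYZ-allowChangesToManuallySetNetworkSettings": True,
    "Old Config-allowChangesToManuallySetNetworkSettings": False,
}

# Constructed minimal client config; the remote name is a placeholder.
SAMPLE_OVPN = "client\ndev tun\nremote vpn.example.com 1194\n"


def demo() -> dict:
    """Build a DNS-locked package in a temp dir and read its Info.plist back."""
    tblk = write_tblk(Path(tempfile.mkdtemp()), "ABC XYZ", SAMPLE_OVPN)
    return read_info_plist(tblk)


if __name__ == "__main__":
    print("Info.plist:", demo())
    for cfg in ("ABC XYZ", "Old Config", "Unknown"):
        print(f"{preference_key(cfg)!r} -> override={dns_override_enabled(SAMPLE_PREFS, cfg)}")
```

To verify on a real machine, load ~/Library/Preferences/net.tunnelblick.tunnelblick.plist with plistlib and pass it to dns_override_enabled with the configuration's display name, or check the "Allow changes to manually-set network settings" box on the Advanced window. As the developer notes later in this thread, Tunnelblick versions before 3.7.3beta01 build 4860 ignore the key, so the lock has no effect on older clients.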
Илья Шипицин

Oct 20, 2017, 10:22:15 AM
to tunnelblick-discuss
how is that supposed to work?

if I set "TBAlwaysSetPreference-allowChangesToManuallySetNetworkSettings" to "true"

a) how will that affect earlier versions of Tunnelblick? do they just ignore settings that are not known to them?

b) is that the only setting? so, if I set it, no manual setting will work? (if so, I'm ok with that)


On Friday, October 20, 2017 at 14:54:02 UTC+5, Tunnelblick developer wrote:

Tunnelblick developer

Oct 20, 2017, 10:54:18 AM
to tunnelblick-discuss
a) Earlier versions of Tunnelblick will not be affected; they will ignore the setting. They will NOT allow Tunnelblick/OpenVPN to modify manually-set DNS settings.

b) That is the only setting that affects this behavior (there are many more settings, of course!). The manual setting will be in effect whenever the VPN is not connected. While connected to the VPN, whatever DNS servers are specified in the OpenVPN configuration file or pushed by the OpenVPN server will be used instead of the manually-set DNS servers.

In more detail:

Before this setting existed, Tunnelblick would refuse to change a manually-set DNS setting (or other network setting), even if the VPN server told it to. The failure to change DNS was put in the Tunnelblick log. Tunnelblick **would** change a DNS setting that was set via DHCP.

So if the user manually set DNS to 8.8.8.8 and the VPN configuration (or an option pushed by the VPN server) told OpenVPN to set it to 1.2.3.4, OpenVPN would ask Tunnelblick to set it to 1.2.3.4. Tunnelblick would refuse to do that because it had been set manually. (That was a policy decision based on the idea that if someone set something manually, it shouldn't be overridden by some automatic process.)

Now, in the same situation, if the setting is set "true", Tunnelblick will change the DNS setting to 1.2.3.4 for the duration of the VPN connection. When the VPN is disconnected, Tunnelblick will restore the setting to 8.8.8.8.

Note that Tunnelblick does not support "split tunnels", with different DNS servers for different domains. To do that you would need to write your own scripts (or modify Tunnelblick's standard scripts).

Илья Шипицин

Oct 21, 2017, 1:22:28 PM
to tunnelblick-discuss
thank you for the clarification, I'll try it in a few days

On Friday, October 20, 2017 at 17:54:18 UTC+3, Tunnelblick developer wrote:

max.ma...@gmail.com

Nov 19, 2017, 7:13:05 AM
to tunnelblick-discuss
Thanks for the clarification!

That finally solves the problem which had been puzzling me for a while. I'd say I understand your logic, but from a user's perspective, if a VPN config includes an explicitly-mentioned change to the DNS setting, it looks obvious to me that such a setting should rather override the system DNS settings (even if they are custom too) for the VPN session, because it is not a pure "automatic process"; it is a thing done intentionally and for the integrity/privacy of that specific VPN setup.

Max

Tunnelblick developer

Nov 19, 2017, 7:26:56 AM
to tunnelblick-discuss
OpenVPN is carefully designed to allow the client to not trust the server very much. Allowing the server to "automatically" override the client's manual network settings is problematic for many users.

If network settings are obtained via DHCP, the client has already accepted that they can come from "somewhere else", so it is deemed acceptable that they be modified automatically. But if the network settings were set manually, Tunnelblick doesn't assume the client has accepted that they should come from "somewhere else".

It's the familiar "security vs. ease of use" tradeoff. You lean toward ease of use; Tunnelblick leans toward security, but allows you to override that.