add support for --block-outside-dns option

The option is only enforced with the --dns option, since DNS settings
coming in via --dhcp-option have always voluntarily blocked port 53.
This behavior is kept for backwards compatibility.

Since the --dns option allows local name servers to continue to work,
even thought no split DNS is pushed, supporting the option makes sense.
If admins do not want any DNS queries outside the tunnel, this is the
option to push alongside the --dns options.

Signed-off-by: Heiko Hund <[email protected]>

Author: d12fk

openvpn/client/cliopt.hpp

@@ -683,7 +683,6 @@ class ClientOptions : public RC<thread_unsafe_refcount>
         "allow-compression", /* TODO: maybe check against our client option compression setting? */
         "allow-recursive-routing",
         "auth-retry",
-        "block-outside-dns", /* Core will decide on its own when to block outside dns, so this is not 100% identical in behaviour, so still warn */
         "compat-mode",
         "connect-retry",
         "connect-retry-max",

openvpn/tun/builder/base.hpp

@@ -222,6 +222,17 @@ class TunBuilderBase
         return true;
     }
 
+    // Optional callback that indicates whether local DNS traffic
+    // should be blocked or allowed, to prevent DNS queries to leak
+    // while the tunnel is connected.
+    // Note that this option is only relevant on Windows when the
+    // --dns option is used. If DNS is set via --dhcp-option port 53
+    // is always blocked for backwards compatibility reasons.
+    virtual bool tun_builder_set_allow_local_dns(bool allow)
+    {
+        return true;
+    }
+
     // Optional callback to set a DNS suffix on tun/tap adapter.
     // Currently only implemented on Windows, where it will
     // set the "Connection-specific DNS Suffix" property on

openvpn/tun/builder/capture.hpp

@@ -610,6 +610,12 @@ class TunBuilderCapture : public TunBuilderBase, public RC<thread_unsafe_refcoun
         return true;
     }
 
+    bool tun_builder_set_allow_local_dns(bool allow) override
+    {
+        block_outside_dns = !allow;
+        return true;
+    }
+
     void reset_tunnel_addresses()
     {
         tunnel_addresses.clear();
@@ -691,6 +697,7 @@ class TunBuilderCapture : public TunBuilderBase, public RC<thread_unsafe_refcoun
         os << "Reroute Gateway: " << reroute_gw.to_string() << std::endl;
         os << "Block IPv4: " << (block_ipv4 ? "yes" : "no") << std::endl;
         os << "Block IPv6: " << (block_ipv6 ? "yes" : "no") << std::endl;
+        os << "Block local DNS: " << (block_outside_dns ? "yes" : "no") << std::endl;
         if (route_metric_default >= 0)
             os << "Route Metric Default: " << route_metric_default << std::endl;
         render_list(os, "Add Routes", add_routes);
@@ -733,6 +740,7 @@ class TunBuilderCapture : public TunBuilderBase, public RC<thread_unsafe_refcoun
         root["tunnel_address_index_ipv6"] = Json::Value(tunnel_address_index_ipv6);
         root["reroute_gw"] = reroute_gw.to_json();
         root["block_ipv6"] = Json::Value(block_ipv6);
+        root["block_outside_dns"] = Json::Value(block_outside_dns);
         root["route_metric_default"] = Json::Value(route_metric_default);
         json::from_vector(root, add_routes, "add_routes");
         json::from_vector(root, exclude_routes, "exclude_routes");
@@ -765,6 +773,7 @@ class TunBuilderCapture : public TunBuilderBase, public RC<thread_unsafe_refcoun
         json::to_int(root, tbc->tunnel_address_index_ipv6, "tunnel_address_index_ipv6", title);
         tbc->reroute_gw.from_json(root["reroute_gw"], "reroute_gw");
         json::to_bool(root, tbc->block_ipv6, "block_ipv6", title);
+        json::to_bool(root, tbc->block_outside_dns, "block_outside_dns", title);
         json::to_int(root, tbc->route_metric_default, "route_metric_default", title);
         json::to_vector(root, tbc->add_routes, "add_routes", title);
         json::to_vector(root, tbc->exclude_routes, "exclude_routes", title);
@@ -793,6 +802,7 @@ class TunBuilderCapture : public TunBuilderBase, public RC<thread_unsafe_refcoun
     RerouteGW reroute_gw;                       // redirect-gateway info
     bool block_ipv4 = false;                    // block IPv4 traffic while VPN is active
     bool block_ipv6 = false;                    // block IPv6 traffic while VPN is active
+    bool block_outside_dns = false;             // block traffic to port 53 locally while VPN is active
     int route_metric_default = -1;              // route-metric directive
     std::vector<Route> add_routes;              // routes that should be added to tunnel
     std::vector<Route> exclude_routes;          // routes that should be excluded from tunnel

openvpn/tun/client/tunprop.hpp

@@ -181,6 +181,9 @@ class TunProp
         tb->tun_builder_set_allow_family(AF_INET, !opt.exists("block-ipv4"));
         tb->tun_builder_set_allow_family(AF_INET6, !opt.exists("block-ipv6"));
 
+        // Allow access to local port 53 with --dns options unless explicitly blocked
+        tb->tun_builder_set_allow_local_dns(!opt.exists("block-outside-dns"));
+
         // DNS fallback
         if (ipv.rgv4() && !(dhcp_option_flags & F_ADD_DNS))
         {

openvpn/tun/win/client/tunsetup.hpp

@@ -650,6 +650,13 @@ class Setup : public SetupBase
                 create.add(new DNS::ActionCreate(tap.name, search_domains));
                 destroy.add(new NRPT::ActionDelete(pid));
                 destroy.add(new DNS::ActionDelete(tap.name, search_domains));
+
+                // block local DNS lookup unless all traffic is blocked already
+                if (use_wfp && pull.block_outside_dns && !block_local_traffic && !openvpn_app_path.empty())
+                {
+                    create.add(new WFP::ActionBlock(openvpn_app_path, tap.index, true, wfp));
+                    destroy.add(new WFP::ActionUnblock(openvpn_app_path, tap.index, true, wfp));
+                }
             }
             else
             {