Merge pull request #231 from mediatemple/only_block_when_road_warrior

Only block external dns when default route is pushed

Author: kylemanna

bin/ovpn_genconfig

@@ -330,8 +330,8 @@ user nobody
 group nogroup
 EOF
 
-#This was in the heredoc, we use the new function instead
-process_push_config "block-outside-dns"
+# only block outside dns when we take the default route
+[ "$OVPN_DEFROUTE" == "1" ] && process_push_config "block-outside-dns"
 
 [ -n "$OVPN_TLS_CIPHER" ] && echo "tls-cipher $OVPN_TLS_CIPHER" >> "$conf"
 [ -n "$OVPN_CIPHER" ] && echo "cipher $OVPN_CIPHER" >> "$conf"

test/tests/conf_options/container.sh

@@ -56,8 +56,8 @@ CONFIG_REQUIRED_DEFAULT_ROUTE="^route 192.168.254.0 255.255.255.0"
 CONFIG_MATCH_DEFAULT_ROUTE=$(busybox grep 'route 192.168.254.0 255.255.255.0' /etc/openvpn/openvpn.conf)
 
 # 9. Should see a push of 'block-outside-dns' by default
-CONFIG_REQUIRED_DEFAULT_ROUTE="^push block-outside-dns"
-CONFIG_MATCH_DEFAULT_ROUTE=$(busybox grep 'push block-outside-dns' /etc/openvpn/openvpn.conf)
+CONFIG_REQUIRED_BLOCK_OUTSIDE_DNS="^push block-outside-dns"
+CONFIG_MATCH_BLOCK_OUTSIDE_DNS=$(busybox grep 'push block-outside-dns' /etc/openvpn/openvpn.conf)
 
 # 10. Should see a push of 'dhcp-option DNS' by default
 CONFIG_REQUIRED_DEFAULT_DNS_1="^push dhcp-option DNS 8.8.8.8"
@@ -127,6 +127,13 @@ else
   abort "==> Config match not found: $CONFIG_REQUIRED_DEFAULT_ROUTE != $CONFIG_MATCH_DEFAULT_ROUTE"
 fi
 
+if [[ $CONFIG_MATCH_BLOCK_OUTSIDE_DNS =~ $CONFIG_REQUIRED_BLOCK_OUTSIDE_DNS ]]
+then
+  echo "==> Config match found: $CONFIG_REQUIRED_BLOCK_OUTSIDE_DNS == $CONFIG_MATCH_BLOCK_OUTSIDE_DNS"
+else
+  abort "==> Config match not found: $CONFIG_REQUIRED_BLOCK_OUTSIDE_DNS != $CONFIG_MATCH_BLOCK_OUTSIDE_DNS"
+fi
+
 if [[ $CONFIG_MATCH_DEFAULT_DNS_1 =~ $CONFIG_REQUIRED_DEFAULT_DNS_1 ]]
 then
   echo "==> Config match found: $CONFIG_REQUIRED_DEFAULT_DNS_1 == $CONFIG_MATCH_DEFAULT_DNS_1"
@@ -192,3 +199,32 @@ then
 else
   abort "==> Config match not found: $CONFIG_REQUIRED_TCP_REMOTE_2 != $CONFIG_MATCH_TCP_REMOTE_2"
 fi
+
+# Test non-defroute config
+
+SERV_IP=$(ip -4 -o addr show scope global  | awk '{print $4}' | sed -e 's:/.*::' | head -n1)
+ovpn_genconfig -d -u udp://$SERV_IP -r "172.33.33.0/24" -r "172.34.34.0/24"
+# nopass is insecure
+EASYRSA_BATCH=1 EASYRSA_REQ_CN="Travis-CI Test CA" ovpn_initpki nopass
+easyrsa build-client-full client-fallback nopass
+ovpn_getclient client-fallback | tee /etc/openvpn/config-fallback.ovpn
+
+CONFIG_REQUIRED_BLOCK_OUTSIDE_DNS=""
+CONFIG_MATCH_BLOCK_OUTSIDE_DNS=$(busybox grep 'push block-outside-dns' /etc/openvpn/openvpn.conf)
+
+if [[ $CONFIG_MATCH_BLOCK_OUTSIDE_DNS =~ $CONFIG_REQUIRED_BLOCK_OUTSIDE_DNS ]]
+then
+  echo "==> Config match found: $CONFIG_REQUIRED_BLOCK_OUTSIDE_DNS == $CONFIG_MATCH_BLOCK_OUTSIDE_DNS"
+else
+  abort "==> Config match not found: $CONFIG_REQUIRED_BLOCK_OUTSIDE_DNS != $CONFIG_MATCH_BLOCK_OUTSIDE_DNS"
+fi
+
+CONFIG_REQUIRED_REDIRECT_GATEWAY=""
+CONFIG_MATCH_REDIRECT_GATEWAY=$(busybox grep "redirect-gateway def1" /etc/openvpn/config-fallback.ovpn)
+
+if [[ $CONFIG_MATCH_REDIRECT_GATEWAY =~ $CONFIG_REQUIRED_REDIRECT_GATEWAY ]]
+then
+  echo "==> Config match found: $CONFIG_REQUIRED_REDIRECT_GATEWAY == $CONFIG_MATCH_REDIRECT_GATEWAY"
+else
+  abort "==> Config match not found: $CONFIG_REQUIRED_REDIRECT_GATEWAY != $CONFIG_MATCH_REDIRECT_GATEWAY"
+fi