NetworkManager Sets Wrong DNS Server When OpenVPN tun0 starts if ipv6 on underlying interface in Ubuntu 16.04

Bug #1599949 reported by WirelessMoves
This bug affects 3 people
Affects: network-manager (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned
Milestone:

Bug Description

In Ubuntu 16.04, when I start an OpenVPN tunnel via the NetworkManager GUI over an outer interface for which only IPv4 is configured, only the DNS server that is reachable through the new tun0 interface is configured by NetworkManager. This is correct; no DNS leakage outside the tunnel occurs.

However, if I start OpenVPN and use an outer interface (over which tun0 flows) that has both IPv4 and IPv6 configured, the NetworkManager reports the DNS server of the outer interface and the DNS server of the tun0 interface to dnsmasq/resolvconf. This leads to DNS leakage outside tun0 and is a security issue as DNS queries are done inside and outside the tunnel. Here's the interesting part in syslog:

-----

Jul 7 20:02:40 wlm NetworkManager[4694]: <warn> [1467914560.9893] device (tun0): failed to disable userspace IPv6LL address handling
Jul 7 20:02:40 wlm NetworkManager[4694]: <info> [1467914560.9897] device (tun0): state change: ip-config -> ip-check (reason 'none') [70 80 0]
Jul 7 20:02:40 wlm NetworkManager[4694]: <info> [1467914560.9913] device (tun0): state change: ip-check -> secondaries (reason 'none') [80 90 0]
Jul 7 20:02:40 wlm NetworkManager[4694]: <info> [1467914560.9917] device (tun0): state change: secondaries -> activated (reason 'none') [90 100 0]
Jul 7 20:02:40 wlm NetworkManager[4694]: <info> [1467914560.9963] policy: set 'tun0' (tun0) as default for IPv4 routing and DNS
Jul 7 20:02:41 wlm NetworkManager[4694]: <info> [1467914560.9967] dns-mgr: Writing DNS information to /sbin/resolvconf
Jul 7 20:02:41 wlm systemd[1]: Starting Network Manager Script Dispatcher Service...
Jul 7 20:02:41 wlm dnsmasq[16825]: setting upstream servers from DBus

Jul 7 20:02:41 wlm dnsmasq[16825]: using nameserver 10.8.0.1#53
Jul 7 20:02:41 wlm dnsmasq[16825]: using nameserver 192.168.42.1#53

Jul 7 20:02:41 wlm dbus[878]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'
Jul 7 20:02:41 wlm nm-dispatcher: req:1 'vpn-up' [tun0]: new request (1 scripts)

-------

Only 10.8.0.1 should be configured at this point. 192.168.42.1 should NOT be configured (and is not if the outer interface is IPv4 only)!
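
An added example, not part of the original report or of NetworkManager: a syslog check for the condition described above, listing any resolver dnsmasq keeps after a tunnel device becomes the default for DNS. The function names, the "tun" device prefix and the allowed-resolver list are assumptions; the sample lines are constructed from the excerpt quoted in the report.

```python
import re

# Constructed sample: the NetworkManager/dnsmasq lines quoted in the report.
SAMPLE_SYSLOG = """\
Jul 7 20:02:40 wlm NetworkManager[4694]: <info> [1467914560.9963] policy: set 'tun0' (tun0) as default for IPv4 routing and DNS
Jul 7 20:02:41 wlm dnsmasq[16825]: setting upstream servers from DBus
Jul 7 20:02:41 wlm dnsmasq[16825]: using nameserver 10.8.0.1#53
Jul 7 20:02:41 wlm dnsmasq[16825]: using nameserver 192.168.42.1#53
"""

POLICY_RE = re.compile(r"policy: set '[^']*' \((\S+)\) as default for IPv4 routing and DNS")
RELOAD_RE = re.compile(r"dnsmasq\[\d+\]: setting upstream servers from DBus")
SERVER_RE = re.compile(r"dnsmasq\[\d+\]: using nameserver ([0-9A-Fa-f:.]+)#\d+")

def upstream_sets(syslog_text):
    """Return [(default_dns_device, [nameservers])], one entry per dnsmasq reload."""
    device, current, results = None, None, []
    for line in syslog_text.splitlines():
        policy = POLICY_RE.search(line)
        if policy:
            device = policy.group(1)      # device NetworkManager made default for DNS
        elif RELOAD_RE.search(line):
            current = []                  # dnsmasq replaces its whole upstream list
            results.append((device, current))
        elif current is not None:
            server = SERVER_RE.search(line)
            if server:
                current.append(server.group(1))
    return results

def leaked_resolvers(syslog_text, tunnel_prefix="tun", tunnel_dns=("10.8.0.1",)):
    """Resolvers still in use after a tunnel device became the DNS default.

    tunnel_dns is the assumed set of resolvers reachable only through the VPN.
    """
    leaks = []
    for device, servers in upstream_sets(syslog_text):
        if device and device.startswith(tunnel_prefix):
            leaks.extend(s for s in servers if s not in tunnel_dns)
    return leaks

if __name__ == "__main__":
    print(leaked_resolvers(SAMPLE_SYSLOG))
```
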

Marc Deslauriers (mdeslaur) wrote :

Can I make this bug public?

WirelessMoves (gsmumts) wrote : Re: [Bug 1599949] Re: NetworkManager Sets Wrong DNS Server When OpenVPN tun0 starts if ipv6 on underlying interface in Ubuntu 16.04

Hi Marc,

yes you can.

Thanks,
Martin

On 08.07.2016 18:38, Marc Deslauriers wrote:
> Can I make this bug public?
>

WirelessMoves (gsmumts) wrote :

Hi Marc,

yes you can.

-Martin

information type: Private Security → Public Security
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in network-manager (Ubuntu):
status: New → Confirmed
This report contains Public Security information  
Everyone can see this security related information.