Comment 37 for bug 1671606

Jason Sharpe (deltacloudnine) wrote :

This is the *nastiest* bug I've ever encountered in the wild on my own in Linux (that has no good solution after this long). Package 1.2.2-0ubuntu0.16.04.4 has disappeared from the mirrors for Xenial (not that anyone should expect a normal user to go through the deep dive that is this subject, once one realizes what is happening). The cipher in use by AWS for Client VPN isn't available in OpenSSL within Trusty Tahr, so running an old Ubuntu distro is also not a viable solution for me. This is about as serious a bug as I could think of, and we're almost two years in without it being addressed. Hate to be tin-foil-hatty, but this seems like the kind of thing that gets put into software as a result of government-agency interests. How many people around the world expecting their VPN to protect them while viewing content from outside of their nation state are DNS-leaking all over the place to their local ISP? How many companies are leaking private zone DNS names (which often reflect what's running on the target boxes, and would then include information that could be used as part of an attack vector) to their ISP? I understand how open source works, but most people (including me) don't have the ability to work effectively on this nuanced bug. What's the plan? Sorry to sound disgruntled, but I spent about a week on this (coming to terms with understanding the issue, and then trying a number of workarounds). Initially I accused our CTO of running a broken VPN server (heh), because I could simply not believe that things didn't "just work" in Linux for this extremely common use case. So we don't support pushing "dhcp-option" for DNS in Linux. This works in Mac and in Windows. We need a working/easy way to update our DNS addresses upon connecting to/disconnecting from a VPN that users can trust. This bug is so obscene, bwahah, I felt like Linus Torvalds dealing with Nvidia... :-P
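As an added example (not part of this bug report, the openvpn package or systemd), the shape of an OpenVPN `--up`/`--down` hook that takes the `dhcp-option DNS`/`DOMAIN` values the server pushes and hands them to systemd-resolved for the VPN link only, so that queries stop going to the pre-VPN resolver. It assumes OpenVPN's `foreign_option_N` environment variables and the `resolvectl` tool (systemd 239 and later, so newer than what Xenial ships); the `10.8.0.x`/`corp.example` values in the comments are constructed.

```shell
#!/bin/sh
# Added example hook for: openvpn --script-security 2 --up this.sh --down this.sh
# Assumes OpenVPN exports each pushed option as foreign_option_1, _2, ... and
# that resolvectl (systemd >= 239) is available; both are assumptions here.
#   e.g. foreign_option_1="dhcp-option DNS 10.8.0.1"      (constructed sample)
#        foreign_option_2="dhcp-option DOMAIN corp.example"

# collect_opts KEY -> space-separated values of every "dhcp-option KEY ..." pushed
collect_opts() {
  key="$1"; i=1; out=""
  while :; do
    eval "opt=\${foreign_option_$i:-}"   # stop at the first missing index
    [ -n "$opt" ] || break
    case "$opt" in
      "dhcp-option $key "*) out="$out ${opt#"dhcp-option $key "}" ;;
    esac
    i=$((i + 1))
  done
  printf '%s' "${out# }"
}

# Servers and search domains pushed for this link (DOMAIN-SEARCH treated like DOMAIN).
vpn_dns() { collect_opts DNS; }
vpn_domains() {
  d="$(collect_opts DOMAIN) $(collect_opts DOMAIN-SEARCH)"
  d="${d# }"; printf '%s' "${d% }"
}

apply_resolved() {
  servers=$(vpn_dns); domains=$(vpn_domains)
  [ -n "$servers" ] || return 0          # nothing pushed: leave the resolver alone
  # word splitting of $servers/$domains is intended below
  resolvectl dns "$dev" $servers
  # "~." is a routing-only domain: resolved sends every query to this link,
  # not just names under the pushed search domains, which is what stops the leak.
  resolvectl domain "$dev" "~." $domains
}

# $script_type and $dev are set by OpenVPN when it runs the hook.
case "${script_type:-}" in
  up)   apply_resolved ;;
  down) resolvectl revert "$dev" ;;      # restore the link's previous DNS settings
esac
```

Check what resolved ended up with after connecting using `resolvectl status`; the VPN interface should list the pushed servers and the `~.` domain.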