From da6de252772ed5d536c50571a7123b40dccd0704 Mon Sep 17 00:00:00 2001 From: Jonathan Wright Date: Mon, 24 Jul 2017 16:25:46 +0100 Subject: [PATCH 1/2] Ensure consistency for the script path across all documentation This should resolve issue #23. --- README.md | 10 ++++++++-- update-systemd-resolved | 4 ++-- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index af10935..5310325 100644 --- a/README.md +++ b/README.md @@ -69,10 +69,16 @@ down /etc/openvpn/scripts/update-systemd-resolved down-pre ``` -Alternatively if you don't want to edit your client configuration, you can add the following options to your openvpn command: +Alternatively if you don't want to edit your client configuration, you can add +the following options to your openvpn command: ``` ---setenv PATH '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' --script-security 2 --up /etc/openvpn/update-systemd-resolved --down /etc/openvpn/update-systemd-resolved --down-pre +openvpn \ + --script-security 2 \ + --setenv PATH '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' \ + --up /etc/openvpn/scripts/update-systemd-resolved \ + --down /etc/openvpn/scripts/update-systemd-resolved \ + --down-pre ``` ## Usage diff --git a/update-systemd-resolved b/update-systemd-resolved index db2cc13..157f6cd 100755 --- a/update-systemd-resolved +++ b/update-systemd-resolved @@ -21,8 +21,8 @@ # install, set as the 'up' and 'down' script in your OpenVPN configuration file # or via the command-line arguments, alongside setting the 'down-pre' option to # run the 'down' script before the device is closed. For example: -# up /etc/openvpn/update-systemd-resolved -# down /etc/openvpn/update-systemd-resolved +# up /etc/openvpn/scripts/update-systemd-resolved +# down /etc/openvpn/scripts/update-systemd-resolved # down-pre # Define what needs to be called via DBus From b417bace92d6c76b2aca048c5518c3e56f81c1f7 Mon Sep 17 00:00:00 2001 
From: Jonathan Wright Date: Mon, 24 Jul 2017 16:30:27 +0100 Subject: [PATCH 2/2] Add note to DOMAIN-ROUTE option about DNS leakage overrides This resolves issue #28. --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 5310325..60df46c 100644 --- a/README.md +++ b/README.md @@ -91,7 +91,7 @@ OpenVPN, either through the server, or the client, configuration: | `DNS` | `0.0.0.0`
`::1` | This sets the DNS servers for the link and can take any IPv4 or IPv6 address. | | `DOMAIN` | `example.com` | The primary domain for this host. If set multiple times, the last provided is used. Will be the primary search domain for bare hostnames. All requests for this domain as well will be routed to the `DNS` servers provided on this link. | | `DOMAIN-SEARCH` | `example.com` | Secondary domains which will be used to search for bare hostnames (after any `DOMAIN`, if set) and in the order provided. All requests for this domain will be routed to the `DNS` servers provided on this link. | -| `DOMAIN-ROUTE` | `example.com` | All requests for these domains will be routed to the `DNS` servers provided on this link. They will *not* be used to search for bare hostnames, only routed. | +| `DOMAIN-ROUTE` | `example.com` | All requests for these domains will be routed to the `DNS` servers provided on this link. They will *not* be used to search for bare hostnames, only routed. A `DOMAIN-ROUTE` option for `.` (single period) will instruct `systemd-resolved` to route the entire namespace through to the `DNS` servers configured for this connection (unless a more specifc route has been offered by another connection for a selected name/namespace). This is useful if you wish to prevent DNS leakage. | | `DNSSEC` | `yes`
`no`
`allow-downgrade`
`default` | Control of DNSSEC should be enabled (`yes`) or disabled (`no`), or `allow-downgrade` to switch off DNSSEC only if the server doesn't support it, for any queries over this link only, or use the system default (`default`). | *Note*: There are no local or system options to be configured. All configuration
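
Review bot: In the first README.md hunk (@@ -69,10 +69,16), the new block begins with `openvpn \` and ends at `--down-pre`, so it reads as a complete command, yet it names no client configuration, while the sentence above it still says these are options to add to your openvpn command. Either keep the block as options only, or show where the reader's own arguments go, for instance a `--config <your-client.conf>` line marked as a placeholder. Since `--script-security 2` is what allows OpenVPN to run user-defined scripts, this would also be the place to say that the script under /etc/openvpn/scripts/ should be owned by root and not writable by other users.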
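
Review bot: In the update-systemd-resolved hunk (@@ -21,8 +21,8), the header comment example lists only `up`, `down` and `down-pre`, while the command-line form added to README.md in this same patch also passes `--script-security 2`. Consider adding a `script-security 2` line to the commented example so the two forms stay in step; without that setting OpenVPN will not run a user-defined up or down script.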
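
Review bot: In the `DOMAIN-ROUTE` row changed by the second patch (README.md @@ -91,7 +91,7), the closing sentence "This is useful if you wish to prevent DNS leakage" promises more than the parenthetical before it allows: a more specific route offered by another connection still takes precedence, so queries for those names go to that connection's servers. Suggest wording along the lines of "This helps reduce DNS leakage; names matched by a more specific route on another connection are still resolved there." Also, "specifc" in the added text should be "specific".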