Feature #6847

Register CN of OpenVPN clients in DNS Resolver

Added by Lorenz Schori almost 2 years ago. Updated 5 months ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: DNS Resolver
Target version:
Start date: 10/10/2016
Due date:
% Done: 100%


Description

Use case: Serial port servers deployed in the field connect to the office via OpenVPN. In order to collect the data, a machine connects to each serial port server via proprietary protocols over the VPN.

Configuring fixed IP addresses for each OpenVPN client is cumbersome and error prone. Instead it would be great if the VPN server would register the common name (CN) of connected clients in the DNS Resolver.

This is currently possible using a learn-address script in OpenVPN as described in this ml-post.

I'm using the following learn-address script (/usr/local/sbin/openvpn.learn-address.sh):

#!/bin/sh
# openvpn learn-address script maintaining DNS entries of connected clients in
# unbound config.
#
# Invoked by OpenVPN as: <script> <domain> <add|update|delete> <address> [<cn>]
# (the domain comes from the learn-address line in the server custom options).

DOMAIN="$1"
OP="$2"
IP="$3"
CN="$4"

case "$OP" in

   add|update)
      # Remove all configs which mention the CN (a client that reconnected
      # with a new address would otherwise leave a stale record behind).
      grep -l --null -F "$CN.$DOMAIN" /var/unbound/openvpn.client.*.conf 2>/dev/null | xargs -0 -r rm -f
      rm -f "/var/unbound/openvpn.client.$IP.conf"

      # Add new local-data entry.
      (
            echo "local-data-ptr: \"$IP $CN.$DOMAIN\"" &&
            echo "local-data: \"$CN.$DOMAIN A $IP\"" &&
            echo "local-data: \"$CN A $IP\""
      ) > "/var/unbound/openvpn.client.$IP.conf"
      # Tell unbound to re-read its configuration, including the new file.
      /bin/pkill -HUP -F /var/run/unbound.pid
   ;;

   delete)
      # CN is not set on delete.
      rm -f "/var/unbound/openvpn.client.$IP.conf" && /bin/pkill -HUP -F /var/run/unbound.pid
   ;;

esac

exit 0

This is along with the following row in OpenVPN server custom options:

learn-address "/usr/local/sbin/openvpn.learn-address.sh vpn.example.com" 

Finally the following custom options for DNS Resolver:

include: /var/unbound/openvpn.client.*.conf

I'm willing to write a patch if people are interested in having this functionality built-in. I might just duplicate the "Register DHCP leases in the DNS Resolver" checkbox in the "DNS Resolver" configuration. If it is checked, the OpenVPN server automatically will use the script and unbound will include the necessary files.

I'm not quite sure how robust unbound is regarding invalid host names. A bullet-proof learn-address script probably should reject writing invalid unbound config.
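A hardened variant of the learn-address approach from this ticket, added here as an example: it is neither the script posted above nor pfSense code. It addresses the two concerns raised on this page, that a CN should never be written into unbound's configuration unless it is a valid host name (quotes or spaces in a CN could otherwise splice extra directives into the include file), and that a CN which is already an FQDN under the configured domain must not produce host.example.com.example.com records. Assumed and not taken from the page: the function names, the UNBOUND_CONF_DIR and UNBOUND_PID environment overrides, the policy of accepting only single-label host names and plain IPv4 addresses, and the choice to log rejections to stderr.

```shell
#!/bin/sh
# Hardened learn-address handler (added example; not the ticket's script and
# not pfSense code). OpenVPN invokes it as configured in the ticket,
#   learn-address "/path/to/script vpn.example.com"
# and appends: <add|update|delete> <address> [<common name>].
# Assumed knobs (not on the page): the unbound directory and pid file can be
# overridden through the environment so the functions can be exercised in a
# scratch directory.
UNBOUND_CONF_DIR="${UNBOUND_CONF_DIR:-/var/unbound}"
UNBOUND_PID="${UNBOUND_PID:-/var/run/unbound.pid}"

# Accept one DNS label only: letters, digits, hyphens, 1-63 characters, no
# leading or trailing hyphen. Quotes, spaces, dots and empty strings are
# rejected, so a CN can never splice extra directives into unbound's config.
valid_label() {
    case "$1" in
        ''|*[!A-Za-z0-9-]*|-*|*-) return 1 ;;
    esac
    [ "${#1}" -le 63 ]
}

# Accept a dotted-quad IPv4 address with each octet in 0-255. Routes and
# IPv6 addresses that learn-address may also report are deliberately not
# registered by this example.
valid_ipv4() {
    case "$1" in ''|*[!0-9.]*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# If the CN is already an FQDN under the configured domain, strip the domain
# so the record does not come out as host.example.com.example.com (the
# problem fixed in revision e6e7b00c).
trim_domain() {
    case "$1" in
        *.$2) printf '%s\n' "${1%.$2}" ;;
        *)    printf '%s\n' "$1" ;;
    esac
}

# Print the unbound local-data snippet for one client (same three records
# as the ticket's script).
render_records() {
    printf 'local-data-ptr: "%s %s.%s"\n' "$1" "$2" "$3"
    printf 'local-data: "%s.%s A %s"\n' "$2" "$3" "$1"
    printf 'local-data: "%s A %s"\n' "$2" "$1"
}

# Validate, then write or remove the per-client include file. Returns 1
# (without touching any file) when the address or CN is rejected.
handle_learn_address() {
    domain=$1; op=$2; ip=$3; cn=$4
    conf="$UNBOUND_CONF_DIR/openvpn.client.$ip.conf"
    case "$op" in
        add|update)
            valid_ipv4 "$ip" || { echo "openvpn-dns: rejected address '$ip'" >&2; return 1; }
            host=$(trim_domain "$cn" "$domain")
            valid_label "$host" || { echo "openvpn-dns: rejected CN '$cn'" >&2; return 1; }
            # A client that reconnected with a new address leaves a stale file
            # naming the same host; drop it before writing the new one.
            for f in "$UNBOUND_CONF_DIR"/openvpn.client.*.conf; do
                [ -f "$f" ] && grep -qF "\"$host.$domain A " "$f" && rm -f "$f"
            done
            render_records "$ip" "$host" "$domain" > "$conf"
            ;;
        delete)
            rm -f "$conf"
            ;;
        *)
            return 1
            ;;
    esac
    # Ask unbound to re-read its includes; skipped when it is not running.
    [ -r "$UNBOUND_PID" ] && /bin/pkill -HUP -F "$UNBOUND_PID"
    return 0
}

# When run by OpenVPN: always exit 0, so a rejected name only costs the
# client its DNS record, never its VPN address.
if [ $# -ge 3 ]; then
    handle_learn_address "$@" || :
fi
```

The handler always lets OpenVPN keep the learned address: a non-zero exit from a learn-address script makes OpenVPN refuse the address, so rejecting a malformed CN by exit status would turn a DNS hygiene check into a connectivity outage. Rejections are instead reported on stderr and no include file is written, which keeps the unbound configuration parseable regardless of what a client certificate's CN contains.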

Associated revisions

Revision e6e7b00c
Added by Jim Pingle 5 months ago

Trim domain for learned DNS entries. Ticket #6847

If the CN is already an FQDN on the given domain, this prevents the
domain from being present in the record twice (e.g. host.example.com
as a CN leads to records for host.example.com.example.com)

History

#1 Updated by Lorenz Schori almost 2 years ago

There is an error in the script. case "$1" in should read case "$OP" in.

#3 Updated by Jim Pingle 7 months ago

  • Category set to DNS Resolver
  • Status changed from New to Feedback
  • Target version set to 2.4.3
  • % Done changed from 0 to 100

PR was merged on 11/29

#4 Updated by Jim Pingle 5 months ago

  • Status changed from Feedback to Resolved

Seems to work OK but needed a minor tweak in the script, see e6e7b00c5c
