Re: This is bad, was Re: Fedora 33 System-Wide Change proposal: systemd-resolved

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 29/09/2020 17:21, Paul Wouters wrote:
> 
> For the VPN scenario, it is just a little bit more complicated.
> 
> For those with proper standards, such as "Cisco IPsec", L2TP/IPsec",
> the VPN confiuration is dictated by the server to either send all or
> some traffic to the VPN server. If it is not "everything", then these
> VPNs convey 1 domain name and one or more IP's of DNS servers to use
> to resolve that domain.
> 
> For IKEv2 IPsec based VPNs, any number of domain names can be specified
> by the server to be used by the client. When doing split-DNS with DNSSEC
> trust anchors, these can be conveyed and there are strict rules on when
> to allow these to override public DNSSEC trust anchors as per RFC 8598.
> 
> For VPN protocols with no real standard, things are more complicated.
> 
> OpenVPN can do custom things. It all depends on the provisioning. 

As an OpenVPN developer, I can't resist giving a few details here :)

OpenVPN 2.x using the openvpn-client@.service unit files depends entirely on
the OpenVPN configuration.  So you are right here.

OpenVPN 2.x using NetworkManager, will let NetworkManager pick up changes and
apply them accordingly to the abilities of the NetworkManager-openvpn plugin.

OpenVPN 3 Linux can be enabled with systemd-resolved support [0], but
out-of-the-box it will modify /etc/resolv.conf directly.  Enabling
systemd-resolved support, you will get fairly close to a split-DNS setup but
not completely - but this integration is still considered tech-preview and
we're using the v10_beta release to gain more experience with systemd-resolved
across various distributions.  Ubuntu 20.04 has also enabled systemd-resolved
by default, but it seems it has not gone as far as Fedora 33.

Common to all of these alternatives, the VPN server must push DNS options or
the client configuration file must include the appropriate --dhcp-options.


[0]
<https://www.mail-archive.com/openvpn-devel@xxxxxxxxxxxxxxxxxxxxx/msg20607.html>


-- 
kind regards,

David Sommerseth
OpenVPN Inc
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux