I've recently been configuring my Ubuntu 16.10 laptop for default routing via VPN only and have discovered some difficulties.

My goal is to only connect to the Internet via a VPN and ensure that DNS requests are resolved by a trusted server only.
I don't know if it's the "best" way, but for trusted DNS I put this script in /etc/NetworkManager/dispatcher.d/50-dnsmasq and run the dnsmasq service.  I configure a trusted nameserver in dnsmasq.conf.

The NM nameservers are saved as /etc/resolv.conf.dhcp, and dnsmasq can read those as additional nameservers if you like.  (Sounds like you don't want that, given your situation.)  You could omit the checks that dnsmasq is actually working, if you don't want fallback to the DHCP nameservers.

I use cjdns for VPN, and if you configure a cjdns tunnel server to provide a default route, cjdns will route everything except the IPs it needs for the VPN peers.  Any cjdns-enabled nodes on the local LAN will automatically provide connectivity to the cjdns VPN - but a cjdns tunnel server somewhere is still needed for access to the ICANN internet.  cjdns peers use random UDP ports.  But some places block all UDP.

#!/bin/sh
# NetworkManager dispatcher script: NM passes the interface as $1 and the event as $2
interface="$1"
event="$2"

NS="fcff:aa44:3300:2244:55dd:48:822:98dd"   # need a "documentation" cjdns IP

# return 0 if a single ICMPv6 echo to $1 is answered within 5 seconds
pingcheck() {
  ping6 -n -c 1 -w 5 "$1" >/dev/null 2>&1
}

exec 2>/tmp/dnsmasq.log

case "$event" in
up)    pingcheck "$NS" || pingcheck "$NS" || exit
    # replace example.bit with some domain that you want to check resolves
    host -T example.bit >/dev/null || exit
    # only swap the files when resolv.conf is not already the dnsmasq version,
    # so the DHCP nameservers get saved rather than overwritten
    if ! diff /etc/resolv.conf /etc/resolv.conf.dnsmasq >/dev/null; then
      cp /etc/resolv.conf /etc/resolv.conf.dhcp
      cp /etc/resolv.conf.dnsmasq /etc/resolv.conf
    fi
    ;;
esac



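The answer above says to point dnsmasq at a trusted nameserver and, optionally, let it fall back to the DHCP servers saved in /etc/resolv.conf.dhcp, but does not show the dnsmasq.conf side or how to verify that the system resolver really only talks to the local dnsmasq. The following is an added example, not code from the original post, dnsmasq or NetworkManager: it writes a constructed dnsmasq.conf and constructed resolv.conf files under a temporary directory ($WORK, an assumption), then provides two checks a dispatcher script could run. The upstream address 2001:db8::53 and the 192.0.2.x DHCP servers are placeholders, not real servers.

```shell
#!/bin/sh
# Added example (not from the original post): a resolver leak check plus a
# constructed dnsmasq.conf showing the trusted-upstream and DHCP-fallback options.
# $WORK, 2001:db8::53 and the 192.0.2.x addresses are assumptions/placeholders.

WORK="${WORK:-$(mktemp -d)}"

# Constructed dnsmasq.conf: with no-resolv set, dnsmasq queries only the
# server= upstream.  To fall back to the DHCP nameservers instead, remove
# no-resolv and uncomment resolv-file so dnsmasq reads resolv.conf.dhcp.
cat >"$WORK/dnsmasq.conf" <<'EOF'
listen-address=127.0.0.1
bind-interfaces
server=2001:db8::53
no-resolv
#resolv-file=/etc/resolv.conf.dhcp
EOF

# Constructed resolv.conf.dnsmasq: all lookups go through the local dnsmasq.
printf 'nameserver 127.0.0.1\n' >"$WORK/resolv.conf.dnsmasq"

# Constructed resolv.conf as NetworkManager would write it from DHCP.
printf 'nameserver 192.0.2.1\nnameserver 192.0.2.2\n' >"$WORK/resolv.conf.dhcp"

# resolv_only_loopback FILE: exit 0 iff FILE lists at least one nameserver
# and every nameserver is 127.0.0.1 or ::1, i.e. nothing bypasses dnsmasq.
resolv_only_loopback() {
  awk '$1 == "nameserver" { n++; if ($2 != "127.0.0.1" && $2 != "::1") bad++ }
       END { exit (n > 0 && bad == 0) ? 0 : 1 }' "$1"
}

# dnsmasq_upstreams FILE: print the upstream servers configured with server=,
# and the resolv-file path (prefixed "file:") if fallback is enabled.
dnsmasq_upstreams() {
  awk -F= '/^server=/ { print $2 } /^resolv-file=/ { print "file:" $2 }' "$1"
}

# dnsmasq_reads_resolv FILE: exit 0 if dnsmasq would also consult a resolv
# file (the DHCP servers), which is the case whenever no-resolv is absent.
dnsmasq_reads_resolv() {
  ! grep -q '^no-resolv' "$1"
}
```

A dispatcher script can call resolv_only_loopback on /etc/resolv.conf after installing the dnsmasq version, and refuse to bring the connection up (or log to /tmp/dnsmasq.log) if a non-loopback nameserver slipped in; dnsmasq_reads_resolv tells you whether the fallback path is still open in the running config.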