
OpenVPN Register client names in DNS via learn-address
Open, Normal, Public, FEATURE REQUEST

Description

Hi There,

If there could be a way to add a configuration option that would register client names inside a DNS domain, either with the built-in DNS resolver or with an external DNS server, via the learn-address script, that would be amazing.

Use case: say you have a fleet of remote systems that VPN back into an environment and you access those systems via a jumphost. Being able to look up the client names in DNS would make this use case much easier. Currently it's doable by placing a learn-address script in the scripts directory and then hacking in a direct OpenVPN option, but building it into VyOS would make things much cleaner.

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Perfectly compatible
Issue type
Improvement (missing useful functionality)

Event Timeline

@evilmog Can you provide the OpenVPN/other configuration to achieve what you want?

Here is a redacted version

# Which TCP/UDP item.1.port should OpenVPN listen on?

# TCP or UDP server?
## Generated 1194
proto udp
port 1194
dev tun0
server 100.64.0.0 255.255.255.0

## Ciphers
#data-ciphers AES-256-CBC
#data-ciphers-fallback AES-256-OFB

## Routes and DHCP options
[redacted]

push "dhcp-option DOMAIN example.fqdn.internal"
topology subnet


## Logging and Auth
verb 1
script-security 3
keepalive 10 60
ping-timer-rem
auth sha512
cipher AES-256-OFB

## IP route stuff
#iproute /usr/local/sbin/unpriv-ip

## API Backend
#client-disconnect

# this script is what would update DNS
learn-address /usr/local/bin/update-dns.sh
log-append /var/log/openvpn/openvpn-udp-1194.log

ifconfig-pool-persist /var/log/openvpn/ipp-udp-1194.txt

#compress lz4-v2
#push "compress lz4-v2"

user openvpn
group openvpn

persist-key
persist-tun

status /var/log/openvpn/openvpn-status-udp-1194.log

## CERTS AND STUFF
dh dh.pem
tls-auth ta.key 0
<ca>
[redacted]
</ca>
<cert>
-----BEGIN CERTIFICATE-----
[redacted]
-----END CERTIFICATE-----
</cert>
<key>
[redacted]
</key>

and the learn-address script

#!/bin/bash
# OpenVPN learn-address hook. OpenVPN calls it as:
#   <script> <operation> <address> [<common_name>]
# $1=operation (add|update|delete) $2=address $3=common_name (not passed on delete)
# nsupdate line format, for reference:
#   A record:   <action> <hostname> <ttl> <type> <address>
#   PTR record: <action> <revaddr> <ttl> <type> <fqdn>
# VARIABLES
KEY=/etc/openvpn/example.key.rndc.private
dnsserver=nameserver1.com.com
masterzone=zonename.com
fwdzone=zonename.com
ttl=360
op=$1
addr=$2
# reverse name for a PTR record (computed but unused below: only the A record is managed)
revaddr=$(echo "$addr" | sed -re 's:([0-9]+)\.([0-9]+)\.([0-9]+)\.([0-9]+):\4.\3.\2.\1.in-addr.arpa:')
cn=$3
fqdn=$cn.$fwdzone
dir=/var/lib/openvpn
addfile=$dir/dns/add_$addr
delfile=$dir/dns/del_$addr
mkdir -p "$dir/dns"
echo "op=$op addr=$addr cn=$cn fqdn=$fqdn"
# On add/update, send the add batch now and keep a delete batch on disk:
# the later "delete" call only carries the address, not the CN.
addRecord() {
cat > "$addfile" << EOF
server $dnsserver
zone $masterzone
update delete $fqdn a
update add $fqdn $ttl a $addr
send
EOF
cat > "$delfile" << EOF
server $dnsserver
zone $masterzone
update delete $fqdn a
send
EOF
nsupdate -k "$KEY" -v "$addfile"
        rm -f "$addfile"
}
delRecord() {
        nsupdate -k "$KEY" -v "$delfile"
        rm -f "$delfile"
}
case $op in
        add|update)
                addRecord
                ;;
        delete)
                delRecord
                ;;
        *)
                echo "Unable to handle operation $op.  Exiting"
                exit 1
                ;;
esac

I'm thinking, at the end of the day, an integrated learn-address script that can update VyOS's forwarder or any of the upstream DNS servers it's using, and then calling learn-address on each client learned in OpenVPN, is the ideal way to do it, since learn-address is built into OpenVPN.
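The script posted above splices the certificate CN straight into an nsupdate batch, and it has no way to undo a record when OpenVPN's "delete" call arrives without the CN. As an added example (my own code, not the poster's script and not VyOS code) the hook below validates each learn-address argument before anything reaches nsupdate: the CN must be a single DNS label (so a CN such as "a.b", or one carrying spaces or newlines, cannot reach another zone or smuggle extra nsupdate statements), the address must be a single dotted-quad IPv4 host, and a per-address state file records the matching delete batch at "add" time. It also maintains the PTR record. The server, zones, key path and state directory are placeholder assumptions. Two operational caveats: learn-address requires `script-security 2` or higher (the config above uses 3), and the hook runs as the dropped `user openvpn`, so the TSIG key file must be readable by that user.

```shell
#!/bin/sh
# Added example (not the poster's script and not VyOS code): an OpenVPN
# learn-address hook that validates its arguments before calling nsupdate.
# Server, zones, key path and state directory below are placeholder assumptions.
DNS_SERVER="${DNS_SERVER:-ns1.example.internal}"
FWD_ZONE="${FWD_ZONE:-vpn.example.internal}"
REV_ZONE="${REV_ZONE:-0.64.100.in-addr.arpa}"   # reverse zone for 100.64.0.0/24
TTL=360
NSUPDATE_KEY="${NSUPDATE_KEY:-/etc/openvpn/example.key.rndc.private}"
STATE_DIR="${STATE_DIR:-/var/lib/openvpn/dns}"
DRY_RUN="${DRY_RUN:-0}"   # 1 = print the nsupdate batch instead of sending it

# The CN comes straight from the client certificate. Accept exactly one DNS
# label (letters, digits, inner hyphens, at most 63 chars, no second line).
valid_label() {
    printf '%s\n' "$1" | awk '
        NR > 1 || length($0) > 63 || $0 !~ /^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$/ { bad = 1 }
        END { exit bad + 0 }'
}

# Accept a single dotted-quad IPv4 host address with octets 0-255. Subnets
# pushed via iroute (e.g. 10.8.1.0/24) are rejected; handle those separately.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NR > 1 || NF != 4 { bad = 1; next }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9][0-9]?[0-9]?$/ || $i > 255) bad = 1 }
        END { exit bad + 0 }'
}

# 100.64.0.5 -> 5.0.64.100.in-addr.arpa
ptr_name() {
    printf '%s\n' "$1" | awk -F. 'NR == 1 { print $4 "." $3 "." $2 "." $1 ".in-addr.arpa" }'
}

# Batch that (re)points both the A and the PTR record at this client.
# Deleting first means a reused address never keeps a stale name.
add_batch() {
    fqdn="$1.$FWD_ZONE"; addr=$2; ptr=$(ptr_name "$addr")
    cat <<EOF
server $DNS_SERVER
zone $FWD_ZONE
update delete $fqdn A
update add $fqdn $TTL A $addr
send
zone $REV_ZONE
update delete $ptr PTR
update add $ptr $TTL PTR $fqdn.
send
EOF
}

# Matching batch that removes both records again.
del_batch() {
    fqdn=$1; ptr=$(ptr_name "$2")
    cat <<EOF
server $DNS_SERVER
zone $FWD_ZONE
update delete $fqdn A
send
zone $REV_ZONE
update delete $ptr PTR
send
EOF
}

# Hand a batch on stdin to nsupdate (TSIG key, TCP), or print it when DRY_RUN=1.
send_batch() {
    if [ "$DRY_RUN" = 1 ]; then cat; else nsupdate -k "$NSUPDATE_KEY" -v; fi
}

# Entry point in OpenVPN's argument order: <operation> <address> [<common-name>].
# "delete" arrives without a CN, so the records to remove are read back from
# the state file written at "add" time (one file per address).
learn_address() {
    op=$1; addr=$2; cn=$3
    valid_ipv4 "$addr" || { echo "learn-address: rejecting address '$addr'" >&2; return 1; }
    case $op in
        add|update)
            valid_label "$cn" || { echo "learn-address: rejecting CN '$cn'" >&2; return 1; }
            mkdir -p "$STATE_DIR"
            del_batch "$cn.$FWD_ZONE" "$addr" > "$STATE_DIR/$addr"   # record the undo first
            add_batch "$cn" "$addr" | send_batch
            ;;
        delete)
            if [ -f "$STATE_DIR/$addr" ]; then
                send_batch < "$STATE_DIR/$addr" && rm -f "$STATE_DIR/$addr"
            else
                echo "learn-address: no state for $addr, nothing to delete" >&2
            fi
            ;;
        *)
            echo "learn-address: unknown operation '$op'" >&2; return 1
            ;;
    esac
}

# OpenVPN always passes arguments; with none, only the functions are defined.
if [ $# -gt 0 ]; then
    learn_address "$@"
fi
```

Run it by hand with `DRY_RUN=1 ./update-dns.sh add 100.64.0.5 host1` to see the batch it would send. Assuming VyOS's `openvpn-option` passthrough (what the requester calls "hacking in a direct openvpn option") and an assumed path under `/config/scripts`, the hook is attached with `set interfaces openvpn vtun0 openvpn-option "learn-address /config/scripts/update-dns.sh"`; the same file must also exist on the other side of any redundancy setup, since the state directory is local to the box that learned the address.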

dmbaturin triaged this task as Normal priority. Feb 15 2024, 10:44 AM