FortiClient VPN for Linux DNS leak
Hi,
I am running the latest FortiClient VPN for Linux version 7.0.0.0018 on Ubuntu 20.04 LTS. The FortiGate is configured to send a simple name resolution configuration to SSL VPN clients: just two DNS servers (xxx.xxx.xxx.7 and xxx.xxx.xxx.6), no split DNS, no domain search list. Here is the redacted XML configuration sent by the FortiGate to the FortiClient:
<?xml version="1.0" encoding="utf-8"?>
<sslvpn-tunnel ver="2" dtls="1" patch="1">
  <dtls-config heartbeat-interval="10" heartbeat-fail-count="10" heartbeat-idle-timeout="10" client-hello-timeout="10"/>
  <tunnel-method value="ppp"/>
  <tunnel-method value="tun"/>
  <fos platform="FG22E1" major="6" minor="02" patch="10" build="1263" branch="1263"/>
  <auth-ses check-src-ip="1" tun-connect-without-reauth="0" tun-user-ses-timeout="30"/>
  <client-config save-password="off" keep-alive="off" auto-connect="off"/>
  <exclusive-routing>on</exclusive-routing>
  <ipv4>
    <dns ip="xxx.xxx.xxx.7"/>
    <dns ip="xxx.xxx.xxx.6"/>
    <assigned-addr ipv4="10.11.240.4"/>
  </ipv4>
  <idle-timeout val="1500"/>
  <auth-timeout val="43200"/>
</sslvpn-tunnel>
The default name resolution configuration looks like this, with two local DNS servers, 192.168.0.254 and fd0f:ee:b0::1:
$ systemd-resolve --status
[...]
Link 3 (wg0)
      Current Scopes: none
DefaultRoute setting: no
       LLMNR setting: yes
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no

Link 2 (enp0s31f6)
      Current Scopes: DNS
DefaultRoute setting: yes
       LLMNR setting: yes
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
  Current DNS Server: 192.168.0.254
         DNS Servers: 192.168.0.254
                      fd0f:ee:b0::1
          DNS Domain: ~.
--
$
The FortiClient VPN for Linux 7.0.0.0018 fails to fully replace these default DNS servers with the new DNS servers specified by the FortiGate:
$ systemd-resolve --status
[...]
Link 8 (vpn)
      Current Scopes: DNS
DefaultRoute setting: yes
       LLMNR setting: yes
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
  Current DNS Server: xxx.xxx.xxx.7
         DNS Servers: xxx.xxx.xxx.7
                      xxx.xxx.xxx.6
          DNS Domain: ~.

Link 3 (wg0)
      Current Scopes: none
DefaultRoute setting: no
       LLMNR setting: yes
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no

Link 2 (enp0s31f6)
      Current Scopes: DNS
DefaultRoute setting: yes
       LLMNR setting: yes
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
  Current DNS Server: fd0f:ee:b0::1
         DNS Servers: fd0f:ee:b0::1
                      xxx.xxx.xxx.7
                      xxx.xxx.xxx.6
          DNS Domain: ~.
$
- The local DNS server fd0f:ee:b0::1 is not replaced by FortiClient on Ethernet interface enp0s31f6, and becomes the primary DNS server.
- Keeping ~. associated to both interfaces, the LAN interface (enp0s31f6 in this case) and vpn, does not give a clear priority to any of the sets of DNS servers.
Instead, I would expect one of the new servers xxx.xxx.xxx.7 and xxx.xxx.xxx.6 to become the primary DNS server, by:
- either defining them as the DNS servers for each interface (the LAN interface and the vpn interface),
- or associating ~. only to the vpn interface, so that the DNS servers associated to that vpn interface are used preferably for all domains.
This results in a DNS leak, as the local DNS server fd0f:ee:b0::1 is used while FortiClient is running, instead of the DNS servers specified by the FortiGate, xxx.xxx.xxx.7 and xxx.xxx.xxx.6. Any clue how to work around this FortiClient bug?
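A check for the two conditions described above, as an added example that is not part of the original post or of FortiClient: it parses `systemd-resolve --status` text and reports every link that still answers for all domains (`~.` or a default route) and any server on such a link that the FortiGate did not push. The status text is constructed from the output above, and 203.0.113.7/.6 are placeholders for the redacted VPN DNS addresses.

```python
import re
from collections import defaultdict

# Constructed placeholders standing in for the post's redacted xxx.xxx.xxx.7 and .6.
VPN_DNS = {"203.0.113.7", "203.0.113.6"}

# Constructed sample modelled on the post's `systemd-resolve --status` output while connected.
LEAKY_STATUS = """\
Link 8 (vpn)
      Current Scopes: DNS
DefaultRoute setting: yes
         DNS Servers: 203.0.113.7
                      203.0.113.6
          DNS Domain: ~.
Link 2 (enp0s31f6)
      Current Scopes: DNS
DefaultRoute setting: yes
  Current DNS Server: fd0f:ee:b0::1
         DNS Servers: fd0f:ee:b0::1
                      203.0.113.7
                      203.0.113.6
          DNS Domain: ~.
"""

LINK_RE = re.compile(r"^Link \d+ \((\S+)\)")
# Field names always contain a space, which keeps IPv6 continuation lines from matching.
FIELD_RE = re.compile(r"^\s*([A-Za-z]+(?: [A-Za-z]+)+): ?(.*)$")

def parse_status(text):
    """Return {link: {field: [values]}}; indented lines without a field name continue the previous field."""
    links, fields, last = {}, None, None
    for raw in text.splitlines():
        if (m := LINK_RE.match(raw)):
            fields = links.setdefault(m.group(1), defaultdict(list))
        elif fields is not None and (m := FIELD_RE.match(raw)):
            last = m.group(1)
            fields[last].append(m.group(2).strip())
        elif fields is not None and last and raw.strip():
            fields[last].append(raw.strip())
    return links

def find_dns_leaks(text, vpn_dns):
    """Flag links that answer for every domain (~. or default route) with servers the VPN did not push."""
    links = parse_status(text)
    catch_all = [n for n, f in links.items()
                 if "~." in f.get("DNS Domain", []) or f.get("DefaultRoute setting") == ["yes"]]
    leaks = {n: [s for s in links[n]["DNS Servers"] if s not in vpn_dns] for n in catch_all}
    return {"catch_all_links": catch_all, "leaking_links": {n: s for n, s in leaks.items() if s}}

if __name__ == "__main__":
    print(find_dns_leaks(LEAKY_STATUS, VPN_DNS))
```

On a live system, feed it the real output (`systemd-resolve --status`) and the addresses from the `<dns ip=.../>` elements; an empty `leaking_links` with only the vpn link in `catch_all_links` is the state the post expects.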
