From ddaa0ee99c4c2c6fe4650c4d9394fc7d5186f7d5 Mon Sep 17 00:00:00 2001
From: hwdsl2 <hwdsl2@users.noreply.github.com>
Date: Mon, 17 Dec 2018 00:07:04 -0600
Subject: [PATCH] Improve DNS servers

- Improve modecfgdns format
- Better parsing of DNS servers in upgrade scripts
- Add usage of DNS server variables to README and allow users to specify
  only one or both alternative DNS servers
---
 README-zh.md                |  2 +-
 README.md                   |  2 +-
 docs/ikev2-howto-zh.md      |  2 +-
 docs/ikev2-howto.md         |  2 +-
 extras/vpnupgrade.sh        | 19 ++++++++++---------
 extras/vpnupgrade_centos.sh | 19 ++++++++++---------
 vpnsetup.sh                 | 13 ++++++++++---
 vpnsetup_centos.sh          | 13 ++++++++++---
 8 files changed, 44 insertions(+), 28 deletions(-)

diff --git a/README-zh.md b/README-zh.md
index 1034672..18bfe18 100644
--- a/README-zh.md
+++ b/README-zh.md
@@ -151,7 +151,7 @@ sh vpnsetup.sh
 
 如果需要添加，修改或者删除 VPN 用户账户，请参见 <a href="docs/manage-users-zh.md" target="_blank">管理 VPN 用户</a>。该文档包含辅助脚本，以方便管理 VPN 用户。
 
-在 VPN 已连接时，客户端配置为使用 <a href="https://developers.google.com/speed/public-dns/" target="_blank">Google Public DNS</a>。如果偏好其它的域名解析服务，请编辑 `/etc/ppp/options.xl2tpd` 和 `/etc/ipsec.conf` 并替换 `8.8.8.8` 和 `8.8.4.4`。然后重启服务器。
+在 VPN 已连接时，客户端配置为使用 <a href="https://developers.google.com/speed/public-dns/" target="_blank">Google Public DNS</a>。如果偏好其它的域名解析服务，编辑 `/etc/ppp/options.xl2tpd` 和 `/etc/ipsec.conf` 并替换 `8.8.8.8` 和 `8.8.4.4`，然后重启服务器。或者，你也可以在运行 VPN 脚本时定义变量 `VPN_DNS_SRV1` 和 `VPN_DNS_SRV2`（可选）。
 
 使用内核支持有助于提高 IPsec/L2TP 性能。它在以下系统上可用： Ubuntu 18.04/16.04, Debian 9 和 CentOS 7/6. Ubuntu 系统需要安装 `linux-modules-extra-$(uname -r)`（或者 `linux-image-extra`），然后运行 `service xl2tpd restart`。
 
diff --git a/README.md b/README.md
index ef7713a..b545ab1 100644
--- a/README.md
+++ b/README.md
@@ -151,7 +151,7 @@ For servers with an external firewall (e.g. <a href="https://docs.aws.amazon.com
 
 If you wish to add, edit or remove VPN user accounts, see <a href="docs/manage-users.md" target="_blank">Manage VPN Users</a>. Helper scripts are included for convenience.
 
-Clients are set to use <a href="https://developers.google.com/speed/public-dns/" target="_blank">Google Public DNS</a> when the VPN is active. If another DNS provider is preferred, replace `8.8.8.8` and `8.8.4.4` in both `/etc/ppp/options.xl2tpd` and `/etc/ipsec.conf`. Then reboot your server.
+Clients are set to use <a href="https://developers.google.com/speed/public-dns/" target="_blank">Google Public DNS</a> when the VPN is active. If another DNS provider is preferred, replace `8.8.8.8` and `8.8.4.4` in both `/etc/ppp/options.xl2tpd` and `/etc/ipsec.conf`, then reboot your server. Alternatively, you may define `VPN_DNS_SRV1` and optionally `VPN_DNS_SRV2` when running the VPN setup script.
 
 Using kernel support could improve IPsec/L2TP performance. It is available on Ubuntu 18.04/16.04, Debian 9 and CentOS 7/6. Ubuntu users: Install `linux-modules-extra-$(uname -r)` (or `linux-image-extra`), then run `service xl2tpd restart`.
 
diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md
index 4862252..72d1535 100644
--- a/docs/ikev2-howto-zh.md
+++ b/docs/ikev2-howto-zh.md
@@ -74,7 +74,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
 
    ```bash
    cat >> /etc/ipsec.conf <<EOF
-     modecfgdns="8.8.8.8, 8.8.4.4"
+     modecfgdns="8.8.8.8 8.8.4.4"
      encapsulation=yes
      mobike=no
    EOF
diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md
index 8335fa6..f977bb8 100644
--- a/docs/ikev2-howto.md
+++ b/docs/ikev2-howto.md
@@ -74,7 +74,7 @@ Before continuing, make sure you have successfully <a href="https://github.com/h
 
    ```bash
    cat >> /etc/ipsec.conf <<EOF
-     modecfgdns="8.8.8.8, 8.8.4.4"
+     modecfgdns="8.8.8.8 8.8.4.4"
      encapsulation=yes
      mobike=no
    EOF
diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh
index 7c7f3a8..560a731 100644
--- a/extras/vpnupgrade.sh
+++ b/extras/vpnupgrade.sh
@@ -67,11 +67,12 @@ case "$SWAN_VER" in
     [ "$(grep -c "modecfgdns1=" /etc/ipsec.conf)" -gt "1" ] && dns_state=5
     ;;
   3.19|3.2[012])
-    DNS_SRVS=$(grep "modecfgdns=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2 | cut -d '"' -f 2)
-    DNS_SRV1=$(printf '%s' "$DNS_SRVS" | cut -d ',' -f 1)
-    DNS_SRV2=$(printf '%s' "$DNS_SRVS" | cut -d ',' -f 2 | sed 's/^ *//')
-    [ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && [ "$DNS_SRV1" != "$DNS_SRV2" ] && dns_state=3
-    [ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && [ "$DNS_SRV1" = "$DNS_SRV2" ]  && dns_state=4
+    DNS_SRVS=$(grep "modecfgdns=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
+    DNS_SRVS=$(printf '%s' "$DNS_SRVS" | cut -d '"' -f 2 | cut -d "'" -f 2 | sed 's/,/ /g' | tr -s ' ')
+    DNS_SRV1=$(printf '%s' "$DNS_SRVS" | cut -d ' ' -f 1)
+    DNS_SRV2=$(printf '%s' "$DNS_SRVS" | cut -s -d ' ' -f 2)
+    [ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && dns_state=3
+    [ -n "$DNS_SRV1" ] && [ -z "$DNS_SRV2" ] && dns_state=4
     [ "$(grep -c "modecfgdns=" /etc/ipsec.conf)" -gt "1" ] && dns_state=6
     ;;
 esac
@@ -227,10 +228,10 @@ sed -i".old-$(date +%F-%T)" \
     -e "s/^[[:space:]]\+phase2alg=.\+\$/$PHASE2_NEW/g" /etc/ipsec.conf
 
 if [ "$dns_state" = "1" ]; then
-  sed -i -e "s/modecfgdns1=.*/modecfgdns=\"$DNS_SRV1, $DNS_SRV2\"/" \
+  sed -i -e "s/modecfgdns1=.*/modecfgdns=\"$DNS_SRV1 $DNS_SRV2\"/" \
       -e "/modecfgdns2/d" /etc/ipsec.conf
 elif [ "$dns_state" = "2" ]; then
-  sed -i "s/modecfgdns1=.*/modecfgdns=\"$DNS_SRV1\"/" /etc/ipsec.conf
+  sed -i "s/modecfgdns1=.*/modecfgdns=$DNS_SRV1/" /etc/ipsec.conf
 elif [ "$dns_state" = "3" ]; then
   sed -i "/modecfgdns=/a \  modecfgdns2=$DNS_SRV2" /etc/ipsec.conf
   sed -i "s/modecfgdns=.*/modecfgdns1=$DNS_SRV1/" /etc/ipsec.conf
@@ -263,7 +264,7 @@ IMPORTANT: Users upgrading to Libreswan 3.23 or newer must edit /etc/ipsec.conf
 
     with a single line like this:
 
-      modecfgdns="DNS_SERVER_1, DNS_SERVER_2"
+      modecfgdns="DNS_SERVER_1 DNS_SERVER_2"
 
     Then run "sudo service ipsec restart".
 
@@ -273,7 +274,7 @@ cat <<'EOF'
 IMPORTANT: Users downgrading to Libreswan 3.22 or older must edit /etc/ipsec.conf
     and replace all occurrences of this line:
 
-      modecfgdns="DNS_SERVER_1, DNS_SERVER_2"
+      modecfgdns="DNS_SERVER_1 DNS_SERVER_2"
 
     with two lines like this:
 
diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh
index 7f80964..64ed4f3 100644
--- a/extras/vpnupgrade_centos.sh
+++ b/extras/vpnupgrade_centos.sh
@@ -58,11 +58,12 @@ case "$SWAN_VER" in
     [ "$(grep -c "modecfgdns1=" /etc/ipsec.conf)" -gt "1" ] && dns_state=5
     ;;
   3.19|3.2[012])
-    DNS_SRVS=$(grep "modecfgdns=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2 | cut -d '"' -f 2)
-    DNS_SRV1=$(printf '%s' "$DNS_SRVS" | cut -d ',' -f 1)
-    DNS_SRV2=$(printf '%s' "$DNS_SRVS" | cut -d ',' -f 2 | sed 's/^ *//')
-    [ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && [ "$DNS_SRV1" != "$DNS_SRV2" ] && dns_state=3
-    [ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && [ "$DNS_SRV1" = "$DNS_SRV2" ]  && dns_state=4
+    DNS_SRVS=$(grep "modecfgdns=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
+    DNS_SRVS=$(printf '%s' "$DNS_SRVS" | cut -d '"' -f 2 | cut -d "'" -f 2 | sed 's/,/ /g' | tr -s ' ')
+    DNS_SRV1=$(printf '%s' "$DNS_SRVS" | cut -d ' ' -f 1)
+    DNS_SRV2=$(printf '%s' "$DNS_SRVS" | cut -s -d ' ' -f 2)
+    [ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && dns_state=3
+    [ -n "$DNS_SRV1" ] && [ -z "$DNS_SRV2" ] && dns_state=4
     [ "$(grep -c "modecfgdns=" /etc/ipsec.conf)" -gt "1" ] && dns_state=6
     ;;
 esac
@@ -225,10 +226,10 @@ sed -i".old-$(date +%F-%T)" \
     -e "s/^[[:space:]]\+phase2alg=.\+\$/$PHASE2_NEW/g" /etc/ipsec.conf
 
 if [ "$dns_state" = "1" ]; then
-  sed -i -e "s/modecfgdns1=.*/modecfgdns=\"$DNS_SRV1, $DNS_SRV2\"/" \
+  sed -i -e "s/modecfgdns1=.*/modecfgdns=\"$DNS_SRV1 $DNS_SRV2\"/" \
       -e "/modecfgdns2/d" /etc/ipsec.conf
 elif [ "$dns_state" = "2" ]; then
-  sed -i "s/modecfgdns1=.*/modecfgdns=\"$DNS_SRV1\"/" /etc/ipsec.conf
+  sed -i "s/modecfgdns1=.*/modecfgdns=$DNS_SRV1/" /etc/ipsec.conf
 elif [ "$dns_state" = "3" ]; then
   sed -i "/modecfgdns=/a \  modecfgdns2=$DNS_SRV2" /etc/ipsec.conf
   sed -i "s/modecfgdns=.*/modecfgdns1=$DNS_SRV1/" /etc/ipsec.conf
@@ -261,7 +262,7 @@ IMPORTANT: Users upgrading to Libreswan 3.23 or newer must edit /etc/ipsec.conf
 
     with a single line like this:
 
-      modecfgdns="DNS_SERVER_1, DNS_SERVER_2"
+      modecfgdns="DNS_SERVER_1 DNS_SERVER_2"
 
     Then run "sudo service ipsec restart".
 
@@ -271,7 +272,7 @@ cat <<'EOF'
 IMPORTANT: Users downgrading to Libreswan 3.22 or older must edit /etc/ipsec.conf
     and replace all occurrences of this line:
 
-      modecfgdns="DNS_SERVER_1, DNS_SERVER_2"
+      modecfgdns="DNS_SERVER_1 DNS_SERVER_2"
 
     with two lines like this:
 
diff --git a/vpnsetup.sh b/vpnsetup.sh
index b268d7d..0892ac1 100755
--- a/vpnsetup.sh
+++ b/vpnsetup.sh
@@ -234,6 +234,8 @@ XAUTH_NET=${VPN_XAUTH_NET:-'192.168.43.0/24'}
 XAUTH_POOL=${VPN_XAUTH_POOL:-'192.168.43.10-192.168.43.250'}
 DNS_SRV1=${VPN_DNS_SRV1:-'8.8.8.8'}
 DNS_SRV2=${VPN_DNS_SRV2:-'8.8.4.4'}
+DNS_SRVS="\"$DNS_SRV1 $DNS_SRV2\""
+[ -n "$VPN_DNS_SRV1" ] && [ -z "$VPN_DNS_SRV2" ] && DNS_SRVS="$DNS_SRV1"
 
 # Create IPsec config
 conf_bk "/etc/ipsec.conf"
@@ -274,7 +276,7 @@ conn xauth-psk
   auto=add
   leftsubnet=0.0.0.0/0
   rightaddresspool=$XAUTH_POOL
-  modecfgdns="$DNS_SRV1, $DNS_SRV2"
+  modecfgdns=$DNS_SRVS
   leftxauthserver=yes
   rightxauthclient=yes
   leftmodecfgserver=yes
@@ -320,8 +322,6 @@ cat > /etc/ppp/options.xl2tpd <<EOF
 +mschap-v2
 ipcp-accept-local
 ipcp-accept-remote
-ms-dns $DNS_SRV1
-ms-dns $DNS_SRV2
 noccp
 auth
 mtu 1280
@@ -330,8 +330,15 @@ proxyarp
 lcp-echo-failure 4
 lcp-echo-interval 30
 connect-delay 5000
+ms-dns $DNS_SRV1
 EOF
 
+if [ -z "$VPN_DNS_SRV1" ] || [ -n "$VPN_DNS_SRV2" ]; then
+cat >> /etc/ppp/options.xl2tpd <<EOF
+ms-dns $DNS_SRV2
+EOF
+fi
+
 # Create VPN credentials
 conf_bk "/etc/ppp/chap-secrets"
 cat > /etc/ppp/chap-secrets <<EOF
diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh
index be7f55a..93967c9 100755
--- a/vpnsetup_centos.sh
+++ b/vpnsetup_centos.sh
@@ -221,6 +221,8 @@ XAUTH_NET=${VPN_XAUTH_NET:-'192.168.43.0/24'}
 XAUTH_POOL=${VPN_XAUTH_POOL:-'192.168.43.10-192.168.43.250'}
 DNS_SRV1=${VPN_DNS_SRV1:-'8.8.8.8'}
 DNS_SRV2=${VPN_DNS_SRV2:-'8.8.4.4'}
+DNS_SRVS="\"$DNS_SRV1 $DNS_SRV2\""
+[ -n "$VPN_DNS_SRV1" ] && [ -z "$VPN_DNS_SRV2" ] && DNS_SRVS="$DNS_SRV1"
 
 # Create IPsec config
 conf_bk "/etc/ipsec.conf"
@@ -261,7 +263,7 @@ conn xauth-psk
   auto=add
   leftsubnet=0.0.0.0/0
   rightaddresspool=$XAUTH_POOL
-  modecfgdns="$DNS_SRV1, $DNS_SRV2"
+  modecfgdns=$DNS_SRVS
   leftxauthserver=yes
   rightxauthclient=yes
   leftmodecfgserver=yes
@@ -303,8 +305,6 @@ cat > /etc/ppp/options.xl2tpd <<EOF
 +mschap-v2
 ipcp-accept-local
 ipcp-accept-remote
-ms-dns $DNS_SRV1
-ms-dns $DNS_SRV2
 noccp
 auth
 mtu 1280
@@ -313,8 +313,15 @@ proxyarp
 lcp-echo-failure 4
 lcp-echo-interval 30
 connect-delay 5000
+ms-dns $DNS_SRV1
 EOF
 
+if [ -z "$VPN_DNS_SRV1" ] || [ -n "$VPN_DNS_SRV2" ]; then
+cat >> /etc/ppp/options.xl2tpd <<EOF
+ms-dns $DNS_SRV2
+EOF
+fi
+
 # Create VPN credentials
 conf_bk "/etc/ppp/chap-secrets"
 cat > /etc/ppp/chap-secrets <<EOF