How to fix OpenVPN DNS leak

Question

I just subscribed to a VPN provider.

I have Xubuntu 17.10, openvpn 2.4.3. After launching the openvpn command I check the IP (fine) and performed a simple DNS leak test: not fine, it shows my Internet Service Provider!

How to fix this DNS leak?

I have one preliminary interrogation:

is it "fixable" on my side? Or is the remote server wrongly configured?

On my side, I tried changing some values in the .ovpn config file for openvpn:

Originally there were already these lines, that are expected to work, but nope:

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

I changed them according to this reddit answer (explicitly specifying DNS addresses):

dhcp-option DNS 208.67.222.222
dhcp-option DNS 208.67.220.220
dhcp-option DNS 8.26.56.26
up "/etc/openvpn/update-resolv-conf foreign_option_1='dhcp-option DNS 208.67.222.222' foreign_option_2='dhcp-option DNS 208.67.220.220' foreign_option_3='dhcp-option DNS 8.26.56.26'"
down "/etc/openvpn/update-resolv-conf foreign_option_1='dhcp-option DNS 208.67.222.222' foreign_option_2='dhcp-option DNS 208.67.220.220' foreign_option_3='dhcp-option DNS 8.26.56.26'"

Doing that seems to do the job, as the content of /etc/resolvconf gets updated by the up/down scripts:

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
# 127.0.0.53 is the systemd-resolved stub resolver.
# run "systemd-resolve --status" to see details about the actual nameservers.

nameserver 208.67.222.222
nameserver 208.67.220.220
nameserver 8.26.56.26
search lan

but DNSleaktest still showing my ISP.

So then I learned the existence of the ubuntu package openvpn-systemd-resolved which provides a script similar to update-resolve-conf but makes it work with systemd (here I have no idea what processes use this: network-manager? openvpn?). I installed the package and replaced the script name in my .ovpn file:
```
up "/etc/openvpn/update-systemd-resolved ..."
down "..."
down-pre
```
Still no luck. [While writing this I just figured out the solution, see my answer below]
Then I played a lot with the /etc/resolv.conf file. Normally it should not be changed, so I put my DNS servers addresses into /etc/resolvconf/resolv.conf.d/base, but issuing resolvconf -u did not appear to work.
Chatted with a support person from the VPN company, no solution.
I tried various solutions like this one, and subsequent unaccepted answers:
- installing dnsmasq and putting server=... into /etc/dnsmasq.conf;
- putting a "supersede" line in the /etc/dhcp/dhclient.conf (details);
- the chattr-based hack.
I forgot the other things I tried, then I thought, stackexchange will save me from my misery, and it miraculously did, just by the power of formulating a question.

[Edit 1: Not solved! Actually my first answer is not the reason it works]

I noticed it after more checking. I can remove the systemd-update-resolved lines and it still works, but only on certain conditions:

When the openvpn service is running, I get DNS leaks. If I stop it, and then restart only the service for my client:

sudo service openvpn stop
sudo service openvpn@client start

then it works.

Sorry, I suppose I haven't check the openvpn manual thoroughly, but why is that? Isn't it a security leak? Especially because the openvpn service is activated automatically after installation from apt. How to make the change permanent? (I tried sudo systemctl disable openvpn, but at next startup I still had the same problem).

[Edit 2: routing tables]

Once I stopped openvpn and started openvpn@client, I don't have DNS leaks and the output of route -n is:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         91.240.65.1     128.0.0.0       UG    0      0        0 tun0
0.0.0.0         192.168.1.254   0.0.0.0         UG    100    0        0 eno1
91.240.64.17    192.168.1.254   255.255.255.255 UGH   0      0        0 eno1
91.240.65.0     0.0.0.0         255.255.255.224 U     0      0        0 tun0
128.0.0.0       91.240.65.1     128.0.0.0       UG    0      0        0 tun0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eno1
192.168.1.0     0.0.0.0         255.255.255.0   U     100    0        0 eno1

After a sudo service openvpn restart:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         91.240.66.1     128.0.0.0       UG    0      0        0 tun0
0.0.0.0         192.168.1.254   0.0.0.0         UG    100    0        0 eno1
91.240.64.16    192.168.1.254   255.255.255.255 UGH   0      0        0 eno1
91.240.66.0     0.0.0.0         255.255.255.224 U     0      0        0 tun0
128.0.0.0       91.240.66.1     128.0.0.0       UG    0      0        0 tun0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eno1
192.168.1.0     0.0.0.0         255.255.255.0   U     100    0        0 eno1

Not working anymore, I get DNS leaks in both cases. I tried installing the package openresolv (which replaces resolvconf), and it seems to work. Here is the new routing table:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         91.240.66.161   128.0.0.0       UG    0      0        0 tun0
0.0.0.0         192.168.1.254   0.0.0.0         UG    100    0        0 eno1
91.240.64.15    192.168.1.254   255.255.255.255 UGH   0      0        0 eno1
91.240.66.160   0.0.0.0         255.255.255.224 U     0      0        0 tun0
128.0.0.0       91.240.66.161   128.0.0.0       UG    0      0        0 tun0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eno1
192.168.1.0     0.0.0.0         255.255.255.0   U     100    0        0 eno1

Please add your routing table while you have the VPN active. — Rui F Ribeiro, Apr 02 '18 at 08:55
Just did! But damned***, I can't make it work anymore, I get DNS leaks even when stopping the openvpn service! — PlasmaBinturong, Apr 02 '18 at 09:50
No changes in routing. Are you setting up a client or a server? — Rui F Ribeiro, Apr 02 '18 at 10:10
Basically nothing works, lastly openresolv neither. What services should I restart after each config edit? network-manager? openvpn? Is my browser caching some data? — PlasmaBinturong, Apr 02 '18 at 11:06
I uninstalled openresolv. I think I have some hints about systemd-resolved. It uses a file in /run/systemd/resolve/resolv.conf (not the one symlinked from /etc/resolv.conf) where the first "nameserver" is my router... It gets overwritten when I change it, so I need to find out how to configure it. — PlasmaBinturong, Apr 02 '18 at 13:47
Seems like there is simply a problem with systemd-resolved: https://github.com/systemd/systemd/issues/6076... It is really really sad! — PlasmaBinturong, Apr 02 '18 at 14:11
Yes indeed, but then I need to use dnsmasq for example. I just found that /etc/systemd/resolved.conf seems to be the config file, and that man resolved.conf is the corresponding documentation. — PlasmaBinturong, Apr 02 '18 at 14:32
You should need to check if your VPN working properly or not, here you can check https://www.vpninsights.com/ip-leak-test — Finn Joe, Aug 02 '18 at 07:59

score 8 · Answer 1 · edited Apr 16 '19 at 14:54

Sooo the answer is to carefully follow the always-on-point instructions from the ArchLinux wiki:

https://wiki.archlinux.org/index.php/OpenVPN#Update_systemd-resolved_script

and to append the corresponding lines.

So, in two steps:

sudo apt install openvpn-systemd-resolved

and append the following lines to your .ovpn file:

script-security 2
dhcp-option DNS 208.67.222.222
dhcp-option DNS 208.67.220.220
dhcp-option DNS 8.26.56.26
up /etc/openvpn/update-systemd-resolved
down /etc/openvpn/update-systemd-resolved

If that's not clear, your file should now contain two lines "up" and two lines "down":

# old lines
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
# new lines
script-security 2
dhcp-option DNS 208.67.222.222
dhcp-option DNS 208.67.220.220
dhcp-option DNS 8.26.56.26
up /etc/openvpn/update-systemd-resolved
down /etc/openvpn/update-systemd-resolved

[Edit 1: Actually NOPE, this wasn't the reason it worked]

See Edit 1 in my question.

[Edit 2: I think I got it right this time]

This issue of weird systemd-resolved.service behavior is referenced here.

It seems that the option to put in the client config file is the following:

dhcp-option DOMAIN-ROUTE .

which apparently routes all DNS through the selected connection...

However, when the computer goes out of sleep, I have to restart the openvpn service and then it's leaking again... — PlasmaBinturong, Apr 02 '18 at 19:02

score 5 · Accepted Answer · edited Sep 23 '18 at 21:29

I had this DNS leak issue on Ubuntu 17.10 and now 18.04 LTS. It must have started when I updated from 16.10 a while back and I never thought to check until now, by accident. None of the above (and other things I found and tried) helped, until I ran into this URL below, reading all the way through the bug report. The comment on adding a dns-priority line worked for me.

https://bugs.launchpad.net/network-manager/+bug/1624317 look at comment #103.

Look for your installed NetworkManager VPN connections (the '$' is just my system prompt, to show you're at the command line in a terminal window):

$ ls -la /etc/NetworkManager/system-connections/*

Then choose the one you want to fix and run this command on it (or you can just edit the config file manually, as this command just adds a dns-priority entry under section ipv4):

$ sudo nmcli connection modify <vpn-connection-name> ipv4.dns-priority -42

And restart:

$ sudo service network-manager restart

Note that at least for me, putting it in the OpenVPN .ovpn config file that came from my VPN (ProtonVPN) did not work. For some reason it did not make it into the NetworkManager config when it was installed using the GUI dialog. Only by updating the config after it was installed, and then restarting NetworkManager, did it work. And you need to do this for each installed VPN config you want to use.

This works, but actually NOT really as desired. I monitor both my physical interface and tun0, DNS query for every domain actually gets sent, thus can be observed from both interfaces. — 32r34wgf3e, Mar 09 '19 at 14:22
want to confirm that this also worked for 20.04 LTS version (after upgrading from 19.04 -> 19.10 -> 20.04) — bakytn, May 16 '20 at 13:03

score 2 · Answer 3 · answered Feb 08 '19 at 18:25

2

This seems to be a bug due to Ubuntu switching to systemd-resolve before the network-manager-openvpn package was updated to be aware of systemd-resolve. Ubuntu 18.10 seems to have resolved this with network-manager 1.12.2-0ubuntu5. More information here: https://gitlab.gnome.org/GNOME/NetworkManager-openvpn/issues/10.

Until that's released, @Bob Willan's answer worked for me.

answered Feb 08 '19 at 18:25

chizou

131

Tested in 18.10 with NetworkManager and works! Hopefully they will fix this in the next LTS release. – 32r34wgf3e Mar 09 '19 at 14:23
Thanks for pointing out this issue discussion. Too bad they aren't providing the fix for ubuntu 18.04, but at least @bobwillan's answer indeed worked. – PlasmaBinturong Nov 18 '19 at 20:23

score 2 · Answer 4 · answered Nov 18 '19 at 19:51

I was running into the DNS-LeakProblem also. The modification of my ovpn file didn't help. Reason was a missing package. OpenVPN didn't warn me about that.

    script-security 2
    up /etc/openvpn/update-resolv-conf
    down /etc/openvpn/update-resolv-conf

Having a look into the script cat /etc/openvpn/update-resolv-conf i was able to see that it calls another programm at /sbin/resolvconf. Doing an ls /sbin/resolvconf showed me that i was missing that file. A quick search brought me to the missing package.

After installing it with apt install openresolv the modifications in my ovpn script took effect.

yup, that did it for me, thanks mate – Julien B. May 20 '20 at 22:33 — Julien B., May 20 '20 at 22:33

score 0 · Answer 5 · edited Jun 11 '20 at 14:16

0

I managed to solve this issue by adding these lines to my OpenVPN config file :

script-security 2

up /etc/openvpn/update-resolv-conf

down /etc/openvpn/update-resolv-conf

from @ How To Fix OpenVPN DNS Leak in Linux

And for Windows users (OpenVPN +2.3.9) :

block-outside-dns

edited Jun 11 '20 at 14:16

Community

1

answered Mar 09 '19 at 20:29

Soren

101

score 0 · Answer 6 · answered Aug 11 '20 at 04:00

if - like me - you dont have the resolvconf package installed and dont want to, you can use the script below to update the resolv.conf file.

#!/bin/bash
------------------------------------------------------------------------------
EN: Update resolv.conf to use the DNS defined by the VPN
PT: Atualiza os DNS do resolv.conf para usar os definidos pela VPN
------------------------------------------------------------------------------
------------------------------------------------------------------------------
Get DNS defined by the VPN service
Exit with error if the DNS array is empty
------------------------------------------------------------------------------
function getVpnDns() {
    for frgn_optn in ${!foreign_option_*} ; do
        for fo in "${!frgn_optn}" ; do
            DNSARRAY+=( $(echo $fo | awk '/dhcp-option DNS/{print $3}') )
        done
    done
    [ -z "$DNSARRAY" ] && exit 1
}
------------------------------------------------------------------------------
Write DNS to resolv.conf
------------------------------------------------------------------------------
function writeResolvConf() {
    getVpnDns
    for DNS in ${DNSARRAY[@]} ; do
        echo "nameserver $DNS"
    done | tee /etc/resolv.conf
}
------------------------------------------------------------------------------
Switch between resolv.conf configs on 'up' and 'down' events
------------------------------------------------------------------------------
case "$script_type" in
    up)
        mv -v /etc/resolv.conf /etc/resolv.conf.rag && writeResolvConf
    ;;
    down)
        mv -fv /etc/resolv.conf.rag /etc/resolv.conf
    ;;
esac

How to fix OpenVPN DNS leak

How to fix this DNS leak?

[Edit 1: Not solved! Actually my first answer is not the reason it works]

[Edit 2: routing tables]

6 Answers6

[Edit 1: Actually NOPE, this wasn't the reason it worked]

[Edit 2: I think I got it right this time]

------------------------------------------------------------------------------

EN: Update resolv.conf to use the DNS defined by the VPN

PT: Atualiza os DNS do resolv.conf para usar os definidos pela VPN

------------------------------------------------------------------------------

------------------------------------------------------------------------------

Get DNS defined by the VPN service

Exit with error if the DNS array is empty

------------------------------------------------------------------------------

------------------------------------------------------------------------------

Write DNS to resolv.conf

------------------------------------------------------------------------------

------------------------------------------------------------------------------

Switch between resolv.conf configs on 'up' and 'down' events

------------------------------------------------------------------------------