I just subscribed to a VPN provider.
I have Xubuntu 17.10, openvpn 2.4.3. After launching the openvpn command I check the IP (fine) and performed a simple DNS leak test: not fine, it shows my Internet Service Provider!
How to fix this DNS leak?
I have one preliminary interrogation:
- is it "fixable" on my side? Or is the remote server wrongly configured?
On my side, I tried changing some values in the .ovpn config file for openvpn:
Originally there were already these lines, which are expected to work, but nope:

    script-security 2
    up /etc/openvpn/update-resolv-conf
    down /etc/openvpn/update-resolv-conf
I changed them according to this reddit answer (explicitly specifying DNS addresses):

    dhcp-option DNS 208.67.222.222
    dhcp-option DNS 208.67.220.220
    dhcp-option DNS 8.26.56.26
    up "/etc/openvpn/update-resolv-conf foreign_option_1='dhcp-option DNS 208.67.222.222' foreign_option_2='dhcp-option DNS 208.67.220.220' foreign_option_3='dhcp-option DNS 8.26.56.26'"
    down "/etc/openvpn/update-resolv-conf foreign_option_1='dhcp-option DNS 208.67.222.222' foreign_option_2='dhcp-option DNS 208.67.220.220' foreign_option_3='dhcp-option DNS 8.26.56.26'"
Doing that seems to do the job, as the content of /etc/resolvconf gets updated by the up/down scripts:

    # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
    #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
    # 127.0.0.53 is the systemd-resolved stub resolver.
    # run "systemd-resolve --status" to see details about the actual nameservers.
    nameserver 208.67.222.222
    nameserver 208.67.220.220
    nameserver 8.26.56.26
    search lan

but DNSleaktest is still showing my ISP.
So then I learned of the existence of the ubuntu package openvpn-systemd-resolved, which provides a script similar to update-resolv-conf but makes it work with systemd (here I have no idea what processes use this: network-manager? openvpn?). I installed the package and replaced the script name in my .ovpn file:

    up "/etc/openvpn/update-systemd-resolved ..."
    down "..."
    down-pre
Still no luck. [While writing this I just figured out the solution, see my answer below]
Then I played a lot with the /etc/resolv.conf file. Normally it should not be changed, so I put my DNS servers' addresses into /etc/resolvconf/resolv.conf.d/base, but issuing resolvconf -u did not appear to work. Chatted with a support person from the VPN company, no solution.
I tried various solutions like this one, and subsequent unaccepted answers:
I forgot the other things I tried, then I thought, stackexchange will save me from my misery, and it miraculously did, just by the power of formulating a question.
[Edit 1: Not solved! Actually my first answer is not the reason it works]
I noticed it after more checking. I can remove the update-systemd-resolved lines and it still works, but only under certain conditions:
When the openvpn service is running, I get DNS leaks. If I stop it, and then restart only the service for my client:

    sudo service openvpn stop
    sudo service openvpn@client start

then it works.
Sorry, I suppose I haven't checked the openvpn manual thoroughly, but why is that? Isn't it a security leak? Especially because the openvpn service is activated automatically after installation from apt. How do I make the change permanent? (I tried sudo systemctl disable openvpn, but at the next startup I still had the same problem.)
[Edit 2: routing tables]
Once I stopped openvpn and started openvpn@client, I don't have DNS leaks and the output of route -n is:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 91.240.65.1 128.0.0.0 UG 0 0 0 tun0
0.0.0.0 192.168.1.254 0.0.0.0 UG 100 0 0 eno1
91.240.64.17 192.168.1.254 255.255.255.255 UGH 0 0 0 eno1
91.240.65.0 0.0.0.0 255.255.255.224 U 0 0 0 tun0
128.0.0.0 91.240.65.1 128.0.0.0 UG 0 0 0 tun0
169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 eno1
192.168.1.0 0.0.0.0 255.255.255.0 U 100 0 0 eno1
After a sudo service openvpn restart:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 91.240.66.1 128.0.0.0 UG 0 0 0 tun0
0.0.0.0 192.168.1.254 0.0.0.0 UG 100 0 0 eno1
91.240.64.16 192.168.1.254 255.255.255.255 UGH 0 0 0 eno1
91.240.66.0 0.0.0.0 255.255.255.224 U 0 0 0 tun0
128.0.0.0 91.240.66.1 128.0.0.0 UG 0 0 0 tun0
169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 eno1
192.168.1.0 0.0.0.0 255.255.255.0 U 100 0 0 eno1
Not working anymore, I get DNS leaks in both cases. I tried installing the package openresolv (which replaces resolvconf), and it seems to work. Here is the new routing table:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 91.240.66.161 128.0.0.0 UG 0 0 0 tun0
0.0.0.0 192.168.1.254 0.0.0.0 UG 100 0 0 eno1
91.240.64.15 192.168.1.254 255.255.255.255 UGH 0 0 0 eno1
91.240.66.160 0.0.0.0 255.255.255.224 U 0 0 0 tun0
128.0.0.0 91.240.66.161 128.0.0.0 UG 0 0 0 tun0
169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 eno1
192.168.1.0 0.0.0.0 255.255.255.0 U 100 0 0 eno1
openresolv neither. What services should I restart after each config edit? network-manager? openvpn? Is my browser caching some data? – PlasmaBinturong Apr 02 '18 at 11:06

systemd-resolved. It uses a file in /run/systemd/resolve/resolv.conf (not the one symlinked from /etc/resolv.conf) where the first "nameserver" is my router... It gets overwritten when I change it, so I need to find out how to configure it. – PlasmaBinturong Apr 02 '18 at 13:47

systemctl disable systemd-resolved – Rui F Ribeiro Apr 02 '18 at 14:18

/etc/systemd/resolved.conf seems to be the config file, and man resolved.conf is the corresponding documentation. – PlasmaBinturong Apr 02 '18 at 14:32