11

I just subscribed to a VPN provider.

I have Xubuntu 17.10, openvpn 2.4.3. After launching the openvpn command I checked the IP (fine) and performed a simple DNS leak test: not fine, it shows my Internet Service Provider!

How to fix this DNS leak?

I have one preliminary question:

  • is it "fixable" on my side? Or is the remote server wrongly configured?

On my side, I tried changing some values in the .ovpn config file for openvpn:

  1. Originally there were already these lines, that are expected to work, but nope:

    script-security 2
    up /etc/openvpn/update-resolv-conf
    down /etc/openvpn/update-resolv-conf
    
  2. I changed them according to this reddit answer (explicitly specifying DNS addresses):

    dhcp-option DNS 208.67.222.222
    dhcp-option DNS 208.67.220.220
    dhcp-option DNS 8.26.56.26
    up "/etc/openvpn/update-resolv-conf foreign_option_1='dhcp-option DNS 208.67.222.222' foreign_option_2='dhcp-option DNS 208.67.220.220' foreign_option_3='dhcp-option DNS 8.26.56.26'"
    down "/etc/openvpn/update-resolv-conf foreign_option_1='dhcp-option DNS 208.67.222.222' foreign_option_2='dhcp-option DNS 208.67.220.220' foreign_option_3='dhcp-option DNS 8.26.56.26'"
    

    Doing that seems to do the job, as the content of /etc/resolvconf gets updated by the up/down scripts:

    # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
    #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
    # 127.0.0.53 is the systemd-resolved stub resolver.
    # run "systemd-resolve --status" to see details about the actual nameservers.
    
    nameserver 208.67.222.222
    nameserver 208.67.220.220
    nameserver 8.26.56.26
    search lan
    

    but DNSleaktest is still showing my ISP.

  3. So then I learned of the existence of the ubuntu package openvpn-systemd-resolved which provides a script similar to update-resolv-conf but makes it work with systemd (here I have no idea what processes use this: network-manager? openvpn?). I installed the package and replaced the script name in my .ovpn file:

    up "/etc/openvpn/update-systemd-resolved ..."
    down "..."
    down-pre
    

    Still no luck. [While writing this I just figured out the solution, see my answer below]

  4. Then I played a lot with the /etc/resolv.conf file. Normally it should not be changed, so I put my DNS server addresses into /etc/resolvconf/resolv.conf.d/base, but issuing resolvconf -u did not appear to work.

  5. Chatted with a support person from the VPN company, no solution.

  6. I tried various solutions like this one, and subsequent unaccepted answers:

    • installing dnsmasq and putting server=... into /etc/dnsmasq.conf;
    • putting a "supersede" line in the /etc/dhcp/dhclient.conf (details);
    • the chattr-based hack.

  7. I forgot the other things I tried, then I thought, stackexchange will save me from my misery, and it miraculously did, just by the power of formulating a question.

[Edit 1: Not solved! Actually my first answer is not the reason it works]

I noticed it after more checking. I can remove the update-systemd-resolved lines and it still works, but only on certain conditions:

When the openvpn service is running, I get DNS leaks. If I stop it, and then restart only the service for my client:

sudo service openvpn stop
sudo service openvpn@client start

then it works.

Sorry, I suppose I haven't checked the openvpn manual thoroughly, but why is that? Isn't it a security leak? Especially because the openvpn service is activated automatically after installation from apt. How to make the change permanent? (I tried sudo systemctl disable openvpn, but at next startup I still had the same problem).

[Edit 2: routing tables]

Once I stopped openvpn and started openvpn@client, I don't have DNS leaks and the output of route -n is:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         91.240.65.1     128.0.0.0       UG    0      0        0 tun0
0.0.0.0         192.168.1.254   0.0.0.0         UG    100    0        0 eno1
91.240.64.17    192.168.1.254   255.255.255.255 UGH   0      0        0 eno1
91.240.65.0     0.0.0.0         255.255.255.224 U     0      0        0 tun0
128.0.0.0       91.240.65.1     128.0.0.0       UG    0      0        0 tun0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eno1
192.168.1.0     0.0.0.0         255.255.255.0   U     100    0        0 eno1

After a sudo service openvpn restart:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         91.240.66.1     128.0.0.0       UG    0      0        0 tun0
0.0.0.0         192.168.1.254   0.0.0.0         UG    100    0        0 eno1
91.240.64.16    192.168.1.254   255.255.255.255 UGH   0      0        0 eno1
91.240.66.0     0.0.0.0         255.255.255.224 U     0      0        0 tun0
128.0.0.0       91.240.66.1     128.0.0.0       UG    0      0        0 tun0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eno1
192.168.1.0     0.0.0.0         255.255.255.0   U     100    0        0 eno1

Not working anymore, I get DNS leaks in both cases. I tried installing the package openresolv (which replaces resolvconf), and it seems to work. Here is the new routing table:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         91.240.66.161   128.0.0.0       UG    0      0        0 tun0
0.0.0.0         192.168.1.254   0.0.0.0         UG    100    0        0 eno1
91.240.64.15    192.168.1.254   255.255.255.255 UGH   0      0        0 eno1
91.240.66.160   0.0.0.0         255.255.255.224 U     0      0        0 tun0
128.0.0.0       91.240.66.161   128.0.0.0       UG    0      0        0 tun0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eno1
192.168.1.0     0.0.0.0         255.255.255.0   U     100    0        0 eno1
terdon
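The three routing tables in the question agree on the part that matters: the 0.0.0.0/1 and 128.0.0.0/1 routes on tun0 beat the 0.0.0.0/0 default on eno1, so any public nameserver is reached through the tunnel. What route -n cannot show is which resolver the system actually queries: a LAN address such as 192.168.1.254 still matches the more specific 192.168.1.0/24 route on eno1, and the systemd-resolved stub at 127.0.0.53 forwards according to its own per-link settings. The check below is an added example, not code from the question or any answer; it parses the route -n listing from the question (embedded as a constructed sample) and classifies each nameserver the way the kernel would route it.

```python
import ipaddress

# Constructed sample: the second `route -n` listing from the question.
ROUTE_N = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         91.240.66.1     128.0.0.0       UG    0      0        0 tun0
0.0.0.0         192.168.1.254   0.0.0.0         UG    100    0        0 eno1
91.240.64.16    192.168.1.254   255.255.255.255 UGH   0      0        0 eno1
91.240.66.0     0.0.0.0         255.255.255.224 U     0      0        0 tun0
128.0.0.0       91.240.66.1     128.0.0.0       UG    0      0        0 tun0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eno1
192.168.1.0     0.0.0.0         255.255.255.0   U     100    0        0 eno1
"""

def parse_routes(text):
    """Turn `route -n` output into (network, metric, iface) tuples."""
    routes = []
    for line in text.splitlines()[2:]:          # skip the two header lines
        if not line.strip():
            continue
        dest, _gw, mask, _flags, metric, _ref, _use, iface = line.split()
        routes.append((ipaddress.ip_network(f"{dest}/{mask}"), int(metric), iface))
    return routes

def egress_iface(routes, addr):
    """Pick the route the kernel would use: longest prefix, then lowest metric."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, metric, iface in routes:
        if ip not in net:
            continue
        if best is None or (net.prefixlen, -metric) > (best[0].prefixlen, -best[1]):
            best = (net, metric, iface)
    return best[2] if best else None

def check_nameservers(routes, nameservers, vpn_iface="tun0"):
    """Classify each resolver: 'tunnel', 'LEAK', or 'stub' (127.0.0.53: see systemd-resolve --status)."""
    verdict = {}
    for ns in nameservers:
        if ipaddress.ip_address(ns).is_loopback:
            verdict[ns] = "stub"
        else:
            verdict[ns] = "tunnel" if egress_iface(routes, ns) == vpn_iface else "LEAK"
    return verdict

if __name__ == "__main__":
    # Constructed resolver list: two pushed servers, the LAN router, the stub.
    ns_list = ["208.67.222.222", "8.26.56.26", "192.168.1.254", "127.0.0.53"]
    print(check_nameservers(parse_routes(ROUTE_N), ns_list))
```

On a live system, feed it the output of route -n and the nameserver lines of /etc/resolv.conf; a "stub" verdict means the answer lies in systemd-resolve --status, not in the routing table.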

6 Answers

8

Sooo the answer is to carefully follow the always-on-point instructions from the ArchLinux wiki:

https://wiki.archlinux.org/index.php/OpenVPN#Update_systemd-resolved_script

and to append the corresponding lines.

So, in two steps:

sudo apt install openvpn-systemd-resolved

and append the following lines to your .ovpn file:

script-security 2
dhcp-option DNS 208.67.222.222
dhcp-option DNS 208.67.220.220
dhcp-option DNS 8.26.56.26
up /etc/openvpn/update-systemd-resolved
down /etc/openvpn/update-systemd-resolved

If that's not clear, your file should now contain two lines "up" and two lines "down":

# old lines
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
# new lines
script-security 2
dhcp-option DNS 208.67.222.222
dhcp-option DNS 208.67.220.220
dhcp-option DNS 8.26.56.26
up /etc/openvpn/update-systemd-resolved
down /etc/openvpn/update-systemd-resolved

[Edit 1: Actually NOPE, this wasn't the reason it worked]

See Edit 1 in my question.

[Edit 2: I think I got it right this time]

This issue of weird systemd-resolved.service behavior is referenced here.

It seems that the option to put in the client config file is the following:

dhcp-option DOMAIN-ROUTE .

which apparently routes all DNS through the selected connection...

Rui F Ribeiro
5

I had this DNS leak issue on Ubuntu 17.10 and now 18.04 LTS. It must have started when I updated from 16.10 a while back and I never thought to check until now, by accident. None of the above (and other things I found and tried) helped, until I ran into this URL below, reading all the way through the bug report. The comment on adding a dns-priority line worked for me.

https://bugs.launchpad.net/network-manager/+bug/1624317 look at comment #103.

Look for your installed NetworkManager VPN connections (the '$' is just my system prompt, to show you're at the command line in a terminal window):

$ ls -la /etc/NetworkManager/system-connections/*

Then choose the one you want to fix and run this command on it (or you can just edit the config file manually, as this command just adds a dns-priority entry under section ipv4):

$ sudo nmcli connection modify <vpn-connection-name> ipv4.dns-priority -42

And restart:

$ sudo service network-manager restart

Note that at least for me, putting it in the OpenVPN .ovpn config file that came from my VPN (ProtonVPN) did not work. For some reason it did not make it into the NetworkManager config when it was installed using the GUI dialog. Only by updating the config after it was installed, and then restarting NetworkManager, did it work. And you need to do this for each installed VPN config you want to use.

  • This works, but actually NOT really as desired. I monitor both my physical interface and tun0, DNS query for every domain actually gets sent, thus can be observed from both interfaces. – 32r34wgf3e Mar 09 '19 at 14:22
  • want to confirm that this also worked for 20.04 LTS version (after upgrading from 19.04 -> 19.10 -> 20.04) – bakytn May 16 '20 at 13:03
  • Did not work for me on Debian Buster – WalksB Oct 18 '20 at 00:46
2

This seems to be a bug due to Ubuntu switching to systemd-resolve before the network-manager-openvpn package was updated to be aware of systemd-resolve. Ubuntu 18.10 seems to have resolved this with network-manager 1.12.2-0ubuntu5. More information here: https://gitlab.gnome.org/GNOME/NetworkManager-openvpn/issues/10.

Until that's released, @Bob Willan's answer worked for me.

chizou
2

I was running into the DNS leak problem also. The modification of my ovpn file didn't help. The reason was a missing package. OpenVPN didn't warn me about that.

    script-security 2
    up /etc/openvpn/update-resolv-conf
    down /etc/openvpn/update-resolv-conf

Having a look into the script with cat /etc/openvpn/update-resolv-conf I was able to see that it calls another program at /sbin/resolvconf. Doing an ls /sbin/resolvconf showed me that I was missing that file. A quick search brought me to the missing package.

After installing it with apt install openresolv the modifications in my ovpn script took effect.

0

I managed to solve this issue by adding these lines to my OpenVPN config file:

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

from @ How To Fix OpenVPN DNS Leak in Linux

And for Windows users (OpenVPN 2.3.9+):

block-outside-dns

Soren
0

If, like me, you don't have the resolvconf package installed and don't want to, you can use the script below to update the resolv.conf file.

#!/bin/bash
# ------------------------------------------------------------------------------
# Update resolv.conf to use the DNS servers defined by the VPN
# ------------------------------------------------------------------------------

# ------------------------------------------------------------------------------
# Get DNS defined by the VPN service (OpenVPN exports every pushed option to
# the up/down script as an environment variable named foreign_option_N)
# Exit with error if the DNS array is empty
# ------------------------------------------------------------------------------
function getVpnDns() {
    for frgn_optn in ${!foreign_option_*} ; do
        for fo in "${!frgn_optn}" ; do
            DNSARRAY+=( $(echo $fo | awk '/dhcp-option DNS/{print $3}') )
        done
    done
    [ -z "$DNSARRAY" ] && exit 1
}

# ------------------------------------------------------------------------------
# Write DNS to resolv.conf (one "nameserver" line per pushed server)
# ------------------------------------------------------------------------------
function writeResolvConf() {
    getVpnDns
    for DNS in ${DNSARRAY[@]} ; do
        echo "nameserver $DNS"
    done | tee /etc/resolv.conf
}

# ------------------------------------------------------------------------------
# Switch between resolv.conf configs on 'up' and 'down' events
# ($script_type is set by OpenVPN; the original file is kept as resolv.conf.rag)
# ------------------------------------------------------------------------------
case "$script_type" in
    up)   mv -v /etc/resolv.conf /etc/resolv.conf.rag && writeResolvConf ;;
    down) mv -fv /etc/resolv.conf.rag /etc/resolv.conf ;;
esac

RASG