OpenVPN Access Server on AWS and DNS leak

Business solution to host your own OpenVPN server with web management interface and bundled clients.
encryptoid
OpenVpn Newbie
Posts: 4
Joined: Sun Feb 19, 2017 10:58 pm

OpenVPN Access Server on AWS and DNS leak

Post by encryptoid » Sun Feb 19, 2017 11:00 pm

I have a question regarding OpenVPN and a DNS leak.

There are a few parts to this question. I am using an OpenVPN server and a router together, so I'll talk about the OpenVPN setup first.

I have an OpenVPN Access Server running on AWS. This is the exact instance:
https://aws.amazon.com/marketplace/pp/B ... duct_title

I configured the instance according to this guide:
https://docs.openvpn.net/how-to-tutoria ... art-guide/

I used all of the default configuration options except one. That option was: "Should client Internet traffic be routed through the VPN?"

I chose yes instead of the default no, because I do want all client traffic to route through the VPN instead of my home ISP.

Other than that, the configuration is default.

The VPN works perfectly through the OpenVPN client on Windows and through the OpenVPN network configuration in Ubuntu. When I connect to the VPN all of my client traffic routes through the VPN, my IP address shows the IP of the VPN, and my DNS leak test shows the DNS requests coming from IP addresses at AWS.

So all of my traffic and DNS requests are routed through the VPN, but I have a few questions.

1.) Are DNS requests actually encrypted and then sent to the VPN to be resolved or is my computer simply retrieving the DNS from my OpenVPN server via DHCP and then using them like it would any other DNS address through my ISP. Basically, does my home ISP see my DNS requests going out to AWS or are they all encrypted and sent over the VPN to AWS and then resolved?

Next, the router.

I have this exact router, it is a GL-AR150 from GLI:
https://www.gl-inet.com/ar150/

I have the router connected to my home internet via ethernet cable into the WAN port of the router and it pulls in its IP address and DNS via DHCP from my ISP's modem. My computer connects to the router via Wi-Fi and functions normally, getting its IP and DNS via DHCP from the router. The router gets its IP from the ISP's modem, my computer gets its private IP address from the router, and everything works as expected. My IP and DNS leak test both show my home ISP's information unless I enable the VPN via the OpenVPN client on my computer and then the IP and DNS display the information for AWS.

So the router works fine and the VPN software client works fine on my computer with the VPN at AWS. The OpenVPN Access Server I'm running seems to be configured correctly to allow the client to send its DNS through the VPN.

However, I encounter a few problems when I try to configure the router to use the VPN for all traffic via its OpenVPN option instead of having my computer's OpenVPN client make the connection.

I disconnect my computer from the VPN and exit the OpenVPN software to make sure the computer is connecting to the router via normal DHCP and not using the VPN.

Then I upload the exact same .ovpn configuration file to my GL-AR150 router via the web-based administration interface. I provide the username and password for the VPN and click the "enable" checkbox. The router then connects to the VPN as AWS and shows me the following in the status section of the OpenVPN administration area in the router:

OpenVpn is connected
IP Address: 172.27.232.14

The 172.27.232.14 IP address is a private address assigned to the router from the OpenVPN server.

When I use the web browser on my computer I am able to access the internet and my IP address test correctly shows the IP of the VPN at AWS, but the DNS test shows the information for my home ISP, not the VPN at AWS as it should.

If I SSH into the router and check /etc/resolv.conf.auto I see:
# Interface wan
nameserver 68.0.0.1
nameserver 68.0.0.2

So I still see the nameservers for my home ISP, not the VPN.

If I SSH into the VPN at AWS and check the /etc/resolv.conf file I see:
nameserver 172.31.0.2

This IP address is a private IP address accessible only to the VPN, not to my home computer. This is the IP address the VPN server uses to resolve its DNS. This IP points to the internal IP of DNS servers at AWS.

If I go to the router's web admin and click the DHCP settings area I have an option for custom DNS. If I set both custom DNS servers to 172.31.0.2 and then enable the VPN through OpenVPN on the router I see correct behavior.

My internet works and the IP address test correctly show the IP address of the VPN at AWS. The DNS test also shows the IP address information for AWS.

So, setting custom DNS to a private IP seems to make my IP and DNS both work through the VPN.

Since the custom DNS I used is private that means it will only work once the router connects to the VPN, making the private IP available for DNS request to be sent to.

However, if I disable the VPN on the router the custom DNS is still set to the private IP address at AWS, so the DNS becomes inaccessible. My computer can still access the internet via the router and it shows the IP address of my home ISP, but the DNS requests do not work because the DNS is set to the private server that is no longer accessible since the VPN on the router is disconnected.

So this is question three...

3.) Since I am using the private IP address for DNS when connecting to the VPN, are the DNS requests sent encrypted via the VPN? Once the VPN is connected, does all traffic to private IP addresses on the VPN, such as the 172.31.0.2 for DNS, get encrypted? Is using this private IP for DNS in the router actually making sure my ISP doesn't see my DNS requests?

Next, the configuration of the OpenVPN server.

I have tried using block-outside-dns in my .ovpn file, but it doesn't seem to fix anything.

I have seen a number of suggestions for solutions to this problem that indicate it could be on the server side. Many of them suggest modifying the OpenVPN Access Server to allow pushing of the DNS to the client using a variety of options such as:
push "redirect-gateway"
push "dhcp-option DNS x.x.x.x"

I've tried to find the server.conf file for my OpenVPN server, but it appears that the OpenVPN Access Server I'm using doesn't have a server.conf, but rather I think some kind of .json file that it builds the configuration from.

I don't know how to make changes like adding push "dhcp-option DNS x.x.x.x" to my OpenVPN server because I don't have the .conf file you're supposed to add it to and I don't know the openvpnas way of pushing these options.

I've also read that Linux doesn't support the push dhcp-option without an --up script.

But these kinds of changes are probably not the solution to the problem because I assume that the server is already correctly configured because the OpenVPN clients on Windows and Ubuntu use the proper DNS from the VPN when they are connected. It seems like the issue is probably in the way the router connects since the OpenVPN software client on Windows and Ubuntu works as expected but the OpenVPN option on the router does not properly use the DNS pushed by the server.

I've also seen suggestions to use:
script-security 2

Although I don't know if I'm supposed to modify the way the router connects to the VPN using the .ovpn file by adding --script-security 2 as a flag when running it or if I'm supposed to put that in some sort of configuration file for the client or for the server as a simple variable.

I probably don't need to change my OpenVPN Access Server at all, but I'm not sure. Since the software clients work properly that makes me think the server is sending and allowing the proper configuration for both IP and DNS to be routed through it.

I have tried an endless amount of configurations and the only thing that seems to allow the router to connect to the VPN and use the DNS from the VPN at AWS is using the private IP address 172.31.0.2 for the DNS.

This works, but if I disconnect the VPN on the router and want to use my regular ISP internet connection I have to delete the private IP from the DNS servers or else DNS won't resolve since the private IP is no longer accessible. Then I have to add it back in whenever I enable the VPN again.

I don't know where the problem actually is, but I think it's something about the router not pulling the DNS that the VPN is pushing.

I have been looking into using a script like this to use the external hardware switch on the router to enable/disable the VPN:
https://www.gl-inet.com/forums/topic/gl ... sable-vpn/

I was thinking perhaps I could add something into the script that would set the DNS to the private IP when the VPN connects and then restore it default when not connected to the VPN.

So, my basic goal is to have the VPN installed on the router using the .ovpn file through the router's OpenVPN admin area. Then my computer connects to the router and the IP and DNS tests show the IP from the VPN at AWS, not my ISP. I can make this work using the private IP for DNS, but I need a better solution that doesn't require me to manually set the DNS whenever I connect / disconnect from the VPN. I'm pretty sure the VPN itself is set up correctly since the computer's OpenVPN client works perfectly, so the problem is most likely something I need to change in the router.

Any suggestions to these issues? Thanks!

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN Access Server on AWS and DNS leak

Post by TinCanTech » Sun Feb 19, 2017 11:41 pm

That's a long post .. I am only going to offer one action you can test.
encryptoid wrote:When I use the web browser on my computer I am able to access the internet and my IP address test correctly shows the IP of the VPN at AWS, but the DNS test shows the information for my home ISP, not the VPN at AWS as it should.

Your computer is not connected to any VPN therefore it has not had its DNS changed by the VPN software .. try, for testing, setting the DNS server to the one you want to use over the VPN.

encryptoid
OpenVpn Newbie
Posts: 4
Joined: Sun Feb 19, 2017 10:58 pm

Re: OpenVPN Access Server on AWS and DNS leak

Post by encryptoid » Sun Feb 19, 2017 11:47 pm

TinCanTech wrote:That's a long post .. I am only going to offer one action you can test.
encryptoid wrote:When I use the web browser on my computer I am able to access the internet and my IP address test correctly shows the IP of the VPN at AWS, but the DNS test shows the information for my home ISP, not the VPN at AWS as it should.
Your computer is not connected to any VPN therefore it has not had its DNS changed by the VPN software .. try, for testing, setting the DNS server to the one you want to use over the VPN.

Thanks! But please read again, I say "my IP address test correctly shows the IP of the VPN at AWS" so you're right, the computer isn't connected to a VPN, but the router is. Since the computer uses DHCP, its IP and DNS come from the router. It is the router that has the wrong DNS. I know this because if I go into the router into /etc/resolv.conf.auto and change the nameserver to the private IP of the VPN I don't need to make any modifications to the computer for it to work. Giving the router the right DNS makes the computer use that one via the router.

So just changing the router's DNS works, because if I log into the router I see the DNS of my home ISP unless I change it. So the leak is coming from the router because my computer doesn't leak if the router has the custom DNS set but it leaks if the router DNS isn't manually changed.

As my post said, I think it's more about the router than anything. Thanks for your suggestion!

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN Access Server on AWS and DNS leak

Post by TinCanTech » Mon Feb 20, 2017 1:49 am

If you read the documentation you would understand that pushing DNS servers only works on Windows not any version of Linux.

You require extra client side scripting to install any pushed DNS to Linux ..

encryptoid
OpenVpn Newbie
Posts: 4
Joined: Sun Feb 19, 2017 10:58 pm

Re: OpenVPN Access Server on AWS and DNS leak

Post by encryptoid » Mon Feb 20, 2017 2:03 am

TinCanTech wrote:If you read the documentation you would understand that pushing DNS servers only works on Windows not any version of Linux.

You require extra client side scripting to install any pushed DNS to Linux ..

I did see that. I mentioned it in my post: "I've also read that Linux doesn't support the push dhcp-option without an --up script."

The VPN configuration in network manager in Ubuntu uses the pushed DNS and it is Linux. I was just wondering if there was a way to make it work on my router.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN Access Server on AWS and DNS leak

Post by TinCanTech » Mon Feb 20, 2017 9:56 am

In ubuntu, if you have installed openvpn from a standard repo, you should find a script
called /etc/openvpn/update-resolve-conf .. run that with --up and --down script hooks.

encryptoid
OpenVpn Newbie
Posts: 4
Joined: Sun Feb 19, 2017 10:58 pm

Re: OpenVPN Access Server on AWS and DNS leak

Post by encryptoid » Mon Feb 20, 2017 1:02 pm

TinCanTech wrote:In ubuntu, if you have installed openvpn from a standard repo, you should find a script
called /etc/openvpn/update-resolve-conf .. run that with --up and --down script hooks.

I don't have any problems in Ubuntu. The default VPN client used by network manager properly connects and resolves the DNS.

I don't have anything to change on Ubuntu. My Ubuntu setup works perfectly, it is the example of how I want the router to work.

Again, my question is how to make the router do the same thing as Ubuntu which is already working.

novaflash
OpenVPN Inc.
Posts: 1073
Joined: Fri Apr 13, 2012 8:43 pm

Re: OpenVPN Access Server on AWS and DNS leak

Post by novaflash » Mon Feb 20, 2017 1:07 pm

> Again, my question is how to make the router do the same thing as Ubuntu which is already working.

Presumably this router runs a variety of Linux, so in theory with resolvconf or openresolv on it, the information given should do the trick; you need that script that changes the DNS servers using resolvconf or openresolv. It's available on github as well if you look for it, but it comes with most Linux distributions automatically when you install the 'openvpn' package, like what you have seen on Ubuntu.

If that script doesn't work on this router, then you need to contact whoever made that router, to find out how to implement DNS servers there, and get things fixed up.
I'm still alive, just posting under the openvpn_inc alias now as part of a larger group.
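The --up/--down hook the replies point at, as an added example that is not code from the thread, the router vendor or the openvpn package: it reads the "dhcp-option DNS" values the Access Server pushes (OpenVPN exports them to hooks as foreign_option_1, foreign_option_2, ...), writes them to the router's resolver file on connect, and restores the ISP resolvers on disconnect, which removes the manual custom-DNS step the original post describes. The resolver path /etc/resolv.conf.auto is taken from the post and the backup path is an assumption; the client config needs "script-security 2" plus "up" and "down" lines pointing at this script.

```shell
#!/bin/sh
# OpenVPN up/down hook (added example, not from the thread).
# OpenVPN sets script_type=up|down and foreign_option_N for each pushed option.
RESOLV="${RESOLV:-/etc/resolv.conf.auto}"          # resolver file named in the post
BACKUP="${BACKUP:-/tmp/resolv.conf.vpn-backup}"    # assumed location for the ISP copy

# Print every pushed DNS server (from "dhcp-option DNS a.b.c.d"), one per line.
pushed_dns() {
    i=1
    while true; do
        eval "opt=\${foreign_option_$i:-}"
        [ -n "$opt" ] || break
        case "$opt" in
            "dhcp-option DNS "*) echo "${opt#dhcp-option DNS }" ;;
        esac
        i=$((i + 1))
    done
}

# On connect: back up the ISP resolvers once, then point the router at the
# pushed servers. Those are private tunnel addresses, so queries follow the
# tunnel route and the ISP no longer sees them.
apply_dns() {
    servers=$(pushed_dns)
    if [ -z "$servers" ]; then
        echo "no DNS pushed by server; resolvers unchanged" >&2
        return 1
    fi
    [ -f "$BACKUP" ] || cp "$RESOLV" "$BACKUP"
    {
        echo "# Interface tun (written by openvpn up hook)"
        for s in $servers; do echo "nameserver $s"; done
    } > "$RESOLV"
}

# On disconnect: put the ISP resolvers back so DNS keeps working off-VPN.
restore_dns() {
    [ -f "$BACKUP" ] && mv "$BACKUP" "$RESOLV"
    return 0
}

case "${script_type:-}" in
    up)   apply_dns ;;
    down) restore_dns ;;
esac
```

If the "down" hook is skipped (for example the tunnel dies without a clean shutdown), the backup file is still there and the next "down" restores it; a watchdog that runs restore_dns when the tunnel interface disappears is a reasonable addition on the router.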
