DNS Leak on Linux

smugcloud
OpenVpn Newbie
Posts: 7
Joined: Sat Jan 22, 2022 11:49 pm

DNS Leak on Linux

Post by smugcloud » Sat Jan 22, 2022 11:53 pm

Hey Folks,

I am running Pop OS 21.10, and appear to have a DNS leak. Here are my configs:

Client

Code:

remote <IP> 1194
persist-key
persist-tun
dev tun
proto udp
cipher AES-256-CBC
reneg-sec 0
resolv-retry infinite
nobind
ifconfig 10.8.0.2 10.8.0.1
comp-lzo
verb 4
tls-client
redirect-gateway
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

Server

Code:

port 1194
proto udp
dev tun
ifconfig 10.8.0.1 10.8.0.2
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
reneg-sec 28800
keepalive 10 120
comp-lzo
persist-tun
status server-tcp.log
verb 4
cipher AES-256-CBC

My public IP is as expected. What am I missing to protect the DNS queries?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: DNS Leak on Linux

Post by TinCanTech » Sun Jan 23, 2022 12:24 am

When you say DNS Leak, what do you mean ?

You have configured your VPN client to use google DNS (8.8.8.8).


Post by smugcloud » Wed Jan 26, 2022 6:04 pm

TinCanTech wrote:
Sun Jan 23, 2022 12:24 am
When you say DNS Leak, what do you mean ?
You have configured your VPN client to use google DNS (8.8.8.8).

I am referring to sites like https://dnsleak.com/ indicating that the DNS queries are leaking my actual IP. I am trying to make all traffic appear as if it originates from the OpenVPN server.


Post by TinCanTech » Wed Jan 26, 2022 6:11 pm

smugcloud wrote:
Wed Jan 26, 2022 6:04 pm
I am trying to make all traffic appear as if it originates from the OpenVPN server.

Use NAT at your server firewall.

https://community.openvpn.net/openvpn/w ... oughtheVPN


Post by smugcloud » Wed Jan 26, 2022 6:27 pm

TinCanTech wrote:
Wed Jan 26, 2022 6:11 pm
smugcloud wrote:
Wed Jan 26, 2022 6:04 pm
I am trying to make all traffic appear as if it originates from the OpenVPN server.
Use NAT at your server firewall.
https://community.openvpn.net/openvpn/w ... oughtheVPN

Thanks @TinCanTech. I have previously tried this, and am curious about this note:

push "dhcp-option DNS 10.8.0.1"
will configure Windows clients (or non-Windows clients with some extra server-side scripting) to use 10.8.0.1 as their DNS server. Any address which is reachable from clients may be used as the DNS server address.

I am using a Linux client as well, so what is the "extra server-side scripting" that is needed for this?


Post by TinCanTech » Wed Jan 26, 2022 6:34 pm

smugcloud wrote:
Wed Jan 26, 2022 6:27 pm
I am using a Linux client as well, so what is the "extra server-side scripting" that is needed for this?

That .. is a bug. It should read "client-side scripting".

Linux requires a script to configure your client DNS resolver, usually one of these:
https://github.com/jonathanio/update-systemd-resolved
https://github.com/alfredopalhares/open ... esolv-conf


Post by smugcloud » Wed Jan 26, 2022 6:54 pm

Thanks @TinCanTech.

So I have the OpenVPN update-resolv-conf on the client machine

Code:

$ file /etc/openvpn/update-resolv-conf 
/etc/openvpn/update-resolv-conf: Bourne-Again shell script, ASCII text executable

My client is configured to use it

Code:

up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

The server has iptables configured

Code:

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination         
1    MASQUERADE  all  --  10.8.0.0/24          anywhere

and I've reconfigured the server conf to mirror the config guide

Code:

push "redirect-gateway local def1"
push "dhcp-option DNS 10.8.0.1"

The OpenVPN client seems to be using the resolv-conf script correctly

Code:

2022-01-26 10:53:12 us=708461 net_addr_ptp_v4_add: 10.8.0.2 peer 10.8.0.1 dev tun0
2022-01-26 10:53:12 us=709377 /etc/openvpn/update-resolv-conf tun0 1500 1558 10.8.0.2 10.8.0.1 init

Yet I still see the "DNS leaks" on sites like I posted. Is that perhaps a red herring? Is there a better test to validate this?
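
An added example, not part of any post in this thread: two offline checks for where a pushed DNS server can get lost on a Linux client, namely whether the client config requests pushed options at all (`pull`, or `client`, which implies it) and what the resolver file ends up pointing at. The function names and sample files are assumptions of the example; 127.0.0.53 is the systemd-resolved stub address.

```shell
#!/bin/sh
# Added example: offline checks for a pushed DNS server on a Linux client.

# Returns 0 if the client config contains "pull" or "client"
# (client = pull + tls-client). Without one of them the client never
# requests pushed options, so an up script such as update-resolv-conf
# receives no foreign_option_* DNS entries to apply.
client_accepts_push() {
    grep -Eq '^[[:space:]]*(client|pull)([[:space:]]|$)' "$1"
}

# Classify a resolv.conf-style file against the DNS address the server pushes.
# Prints one of:
#   tunnel  only the pushed address is listed
#   stub    systemd-resolved stub; the real upstream servers are per-link,
#           so inspect them with `resolvectl status`
#   other   a resolver other than the pushed one is configured
#   empty   no nameserver lines at all
resolver_state() {
    file=$1
    want=$2
    servers=$(awk '$1 == "nameserver" { print $2 }' "$file")
    [ -n "$servers" ] || { echo empty; return; }
    state=tunnel
    for s in $servers; do
        case $s in
            "$want") ;;
            127.0.0.53) [ "$state" = other ] || state=stub ;;
            *) state=other ;;
        esac
    done
    echo "$state"
}

# Constructed sample: a few directives from the client config posted above
# and a typical systemd-resolved stub resolv.conf.
demo=$(mktemp -d)
printf '%s\n' 'dev tun' 'tls-client' 'redirect-gateway' \
    'up /etc/openvpn/update-resolv-conf' > "$demo/client.conf"
printf 'nameserver 127.0.0.53\noptions edns0 trust-ad\n' > "$demo/resolv.conf"
client_accepts_push "$demo/client.conf" ||
    echo "client config never requests pushed options (no pull/client)"
echo "resolver: $(resolver_state "$demo/resolv.conf" 10.8.0.1)"
rm -rf "$demo"
```

On a live client, pass the real config path and `/etc/resolv.conf`, with the address from the server's `push "dhcp-option DNS ..."` line as the second argument to `resolver_state`.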


Post by TinCanTech » Wed Jan 26, 2022 7:06 pm

Are your server and client located at the same IP address, like your home ?


Post by smugcloud » Wed Jan 26, 2022 7:09 pm

No, the server is in a remote location.

Pippin
Forum Team
Posts: 1201
Joined: Wed Jul 01, 2015 8:03 am
Location: irc://irc.libera.chat:6697/openvpn


Post by Pippin » Wed Jan 26, 2022 7:11 pm

Your browser might "leak"...
I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
Halton Arp


Post by smugcloud » Wed Jan 26, 2022 7:28 pm

Pippin wrote:
Wed Jan 26, 2022 7:11 pm
Your browser might "leak"...

Hmm, is it not possible to force all traffic from the client machine to route through the tunnel/server?


Post by Pippin » Wed Jan 26, 2022 7:41 pm

Not easily.
Look into "browser leaks", which is off topic here...


Post by TinCanTech » Wed Jan 26, 2022 7:42 pm

smugcloud wrote:
Wed Jan 26, 2022 7:28 pm
is it not possible to force all traffic from the client machine to route through the tunnel/server?

If you set up your VPN correctly it is.

I just carefully read your configs .. where did you get that crap from ?


Post by smugcloud » Wed Jan 26, 2022 7:57 pm

TinCanTech wrote:
Wed Jan 26, 2022 7:42 pm
I just carefully read your configs .. where did you get that crap from ?

Ha, some from the OpenVPN docs, and some hacked together. I'm all ears if there is a simpler/better config to use.


Post by TinCanTech » Wed Jan 26, 2022 8:41 pm

