Fix ipv6 and DNS leaks connected to the Access Server


Post by axvpn » Mon Aug 15, 2022 8:34 am

Hello.
I have successfully installed the OpenVPN Access Server on a Linode instance with Ubuntu 20.04.
I connect to it using the downloaded .ovpn profile with my Linux laptop client with no issues.
The configuration on the OpenVPN server is pretty much vanilla, except I changed the port to 443 for the tunnel, disabled UDP, and added the users I needed to connect. (Please let me know if there is a way to export the current configuration settings with a private switch for easier reading.)

Now, running some checks for IP and DNS leaks on this site while connected to the server, I can see my ISP is leaking IPv6 and DNS all over the place.

I got around the ISP's DNS leak by configuring OpenDNS in my web browser, which is not ideal.
I see a section under Configuration > VPN settings > DNS settings and I have the "Have clients use the same DNS servers as the Access Server host" switch ON, but it is not helping to prevent the DNS leak.

For the IPv6 leak issue, I am reading some workarounds online, and found this:

> Editing our current OpenVPN config
>
> You will simply have to add two lines to your OpenVPN server config, which is usually found at /etc/openvpn/server.conf or /etc/openvpn/server/server.conf or similar. Simply edit using nano or vim or your favorite editor:
>
>     nano /etc/openvpn/server/server.conf
>
> And add the following two lines:
>
>     server-ipv6 2001:db8:0:123::/64
>     push "route-ipv6 2000::/3"
>
> This will assign the network address of 2001:db8:0:123::/64 to your OpenVPN server, and then push a route so that all IPv6-internet addresses on the client side will be connected to through the VPN server.

I added the 2 lines to my /usr/local/openvpn_as/as.conf file and restarted the server, but it is not doing anything; my IPv6 still leaks.

The router I am currently using is from my ISP, and it does NOT have an option to disable IPv6. Meanwhile I am waiting for another router to replace it.

Is there a way to configure some settings in the OpenVPN AS to make the tunnel only show the IPv4 address on it and not leak the DNS/IPv6 from my ISP regardless of which device / location I use to connect to it?

Thank you guys for any tips.


Post by openvpn_inc » Tue Aug 23, 2022 1:54 pm

Hi,

A bunch of things here, and I don't have time to go into detail on all, sorry.

First, why would you disable UDP? Did you not know that is the recommended protocol? The only reason we have TCP as an option is for users behind web proxies or broken firewalls. Bad idea to disable UDP. Access Server by default listens on both.

Second, what Linux client are you using? If it's the open source 2.x, it doesn't have magical ways to change your resolv.conf file to fix "leaks". You have to do that manually. It's a solved problem, but the open source client won't hold your hand through it the way we do for Windows and Mac users with OpenVPN Connect.

The newer openvpn3-linux client will integrate better with systemd-resolved, and handle this automagically on the right distros.

Your web search found stuff completely irrelevant to Access Server. Please stick with the documentation on our web site. Access Server is not configured in the same way as community version openvpn servers. The "as.conf" file only handles a few settings; it is not an openvpn(8) "--config" file. Access Server does not have one you can directly edit. (The --config is generated in the Python code and fed to the openvpn daemons at run time.)

Re: the ipv6 "leak" you're again up against the Linux issue. Users of Windows and Mac do not have this issue, because Access Server (yuck) disables their ipv6 routes. You can do the same on Linux, manually or with a script.

Like I said, not much detail here, but I hope it is enough to get you pointed in the right direction.

regards, rob0
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
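
An added example, not part of rob0's post and not OpenVPN tooling: a shell check for the Linux-client situation described above, which reads `ip -6 route show` and `resolvectl dns` output and reports whether IPv6 still has a default route outside the tunnel and which resolvers remain configured on non-tunnel links. The sample output, interface names and addresses are constructed, and tunnel interfaces are assumed to be named tun*.

```shell
#!/bin/sh
# Added example. Assumption: tunnel interfaces are named tun*.

# Reads `ip -6 route show` text on stdin. Prints "leak <dev>" when an IPv6
# default route leaves via a non-tunnel interface and no tunnel route covers
# global unicast space (default, ::/0 or 2000::/3); prints "ok" otherwise.
ipv6_route_status() {
    awk '
    {
        dev = ""
        for (i = 1; i < NF; i++) if ($i == "dev") dev = $(i + 1)
        wide = ($1 == "default" || $1 == "::/0")
        if (dev ~ /^tun/) {
            if (wide || $1 == "2000::/3") covered = 1
        } else if (wide) {
            phys = dev
        }
    }
    END {
        if (phys != "" && !covered) print "leak " phys
        else print "ok"
    }'
}

# Reads `resolvectl dns` text on stdin. Prints "<link> <server>" for every
# resolver attached to a non-tunnel link; systemd-resolved may keep sending
# queries to these, so each one is a DNS-leak candidate.
non_tunnel_dns() {
    awk '$1 == "Link" {
        link = $3
        gsub(/[():]/, "", link)
        if (link !~ /^tun/) for (i = 4; i <= NF; i++) print link, $i
    }'
}

# Constructed sample: the tunnel carries IPv4 only while the ISP router
# still advertises an IPv6 default route and hands out its own resolvers.
SAMPLE_ROUTES='2001:db8:1:2::/64 dev wlp3s0 proto ra metric 600 pref medium
fe80::/64 dev wlp3s0 proto kernel metric 600 pref medium
default via fe80::1 dev wlp3s0 proto ra metric 600 pref medium'
SAMPLE_DNS='Global:
Link 2 (wlp3s0): 192.168.1.1 2001:db8:1:2::1
Link 5 (tun0): 172.27.232.1'

printf 'IPv6 routing: %s\n' "$(printf '%s\n' "$SAMPLE_ROUTES" | ipv6_route_status)"
printf '%s\n' "$SAMPLE_DNS" | non_tunnel_dns | sed 's/^/resolver outside tunnel: /'
```

On a live client, feed the functions real output: `ip -6 route show | ipv6_route_status` and `resolvectl dns | non_tunnel_dns`. A `leak` result is the case where the client's IPv6 routes have to be disabled or redirected by hand, as the post says.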


Post by axvpn » Thu Sep 01, 2022 8:41 am

openvpn_inc wrote:
Tue Aug 23, 2022 1:54 pm
> First, why would you disable UDP? Did you not know that is the recommended protocol? The only reason we have TCP as an option is for users behind web proxies or broken firewalls. Bad idea to disable UDP. Access Server by default listens on both.

TCP 443 only, as I need to hide the fact that I am using a VPN, although after a bit more reading, I see I should actually implement an SSL tunnel, as the OpenVPN server alone is not enough.

openvpn_inc wrote:
Tue Aug 23, 2022 1:54 pm
> Second, what Linux client are you using?

OpenVPN 3/Linux v18_beta (openvpn3)
OpenVPN core 3.git:HEAD:c4fa5a69 linux x86_64 64-bit
Copyright (C) 2012-2020 OpenVPN Inc. All rights reserved.

I tried a bunch of things, disabling IPv6 from my client computer and other settings, and ended up unable to connect to my wifi network, so I had to revert back some things. I'll keep experimenting.

openvpn_inc wrote:
Tue Aug 23, 2022 1:54 pm
> The newer openvpn3-linux client will integrate better with systemd-resolved, and handle this automagically on the right distros.

Linux Mint 20.3 here. No luck so far.

openvpn_inc wrote:
Tue Aug 23, 2022 1:54 pm
> Your web search found stuff completely irrelevant to Access Server. Please stick with the documentation on our web site.

I checked the documentation first, nothing related to my problem, that's why I went looking somewhere else. Thanks for the clarification.

openvpn_inc wrote:
Tue Aug 23, 2022 1:54 pm
> Re: the ipv6 "leak" you're again up against the Linux issue. Users of Windows and Mac do not have this issue, because Access Server (yuck) disables their ipv6 routes. You can do the same on Linux, manually or with a script.

I messed around with the graphical network tools.
I'll try disabling from the command line and configuration files next time. I am able to use the VPN with my Android phone and have no leaks connecting from the same network as my laptop, so I'm sure I just need to tweak something in my system.

openvpn_inc wrote:
Tue Aug 23, 2022 1:54 pm
> Like I said, not much detail here, but I hope it is enough to get you pointed in the right direction.
>
> regards, rob0

Thanks for the tips rob0. :D
