DNS Leak on Linux

Posted: Sat Jan 22, 2022 11:53 pm
by smugcloud
Hey Folks,

I am running Pop OS 21.10, and appear to have a DNS leak. Here are my configs:

Client

Code:

remote <IP> 1194
persist-key
persist-tun
dev tun
proto udp
cipher AES-256-CBC
reneg-sec 0
resolv-retry infinite
nobind
ifconfig 10.8.0.2 10.8.0.1
comp-lzo
verb 4
tls-client
redirect-gateway
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

Server

Code:

port 1194
proto udp
dev tun
ifconfig 10.8.0.1 10.8.0.2
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
reneg-sec 28800
keepalive 10 120
comp-lzo
persist-tun
status server-tcp.log
verb 4
cipher AES-256-CBC

My public IP is as expected. What am I missing to protect the DNS queries?

Re: DNS Leak on Linux

Posted: Sun Jan 23, 2022 12:24 am
by TinCanTech
When you say DNS Leak, what do you mean?

You have configured your VPN client to use google DNS (8.8.8.8).

Re: DNS Leak on Linux

Posted: Wed Jan 26, 2022 6:04 pm
by smugcloud
TinCanTech wrote:
Sun Jan 23, 2022 12:24 am
When you say DNS Leak, what do you mean?

You have configured your VPN client to use google DNS (8.8.8.8).
I am referring to sites like https://dnsleak.com/ indicating that the DNS queries are leaking my actual IP. I am trying to make all traffic appear as if it originates from the OpenVPN server.

Re: DNS Leak on Linux

Posted: Wed Jan 26, 2022 6:11 pm
by TinCanTech
smugcloud wrote:
Wed Jan 26, 2022 6:04 pm
I am trying to make all traffic appear as if it originates from the OpenVPN server.
Use NAT at your server firewall.

https://community.openvpn.net/openvpn/w ... oughtheVPN

Re: DNS Leak on Linux

Posted: Wed Jan 26, 2022 6:27 pm
by smugcloud
TinCanTech wrote:
Wed Jan 26, 2022 6:11 pm
smugcloud wrote:
Wed Jan 26, 2022 6:04 pm
I am trying to make all traffic appear as if it originates from the OpenVPN server.
Use NAT at your server firewall.

https://community.openvpn.net/openvpn/w ... oughtheVPN
Thanks @TinCanTech. I have previously tried this, and am curious about this note:
push "dhcp-option DNS 10.8.0.1"

will configure Windows clients (or non-Windows clients with some extra server-side scripting) to use 10.8.0.1 as their DNS server. Any address which is reachable from clients may be used as the DNS server address.
I am using a Linux client as well, so what is the "extra server-side scripting" that is needed for this?

Re: DNS Leak on Linux

Posted: Wed Jan 26, 2022 6:34 pm
by TinCanTech
smugcloud wrote:
Wed Jan 26, 2022 6:27 pm
I am using a Linux client as well, so what is the "extra server-side scripting" that is needed for this?
That .. is a bug. It should read "client-side scripting".

Linux requires a script to configure your client DNS resolver, usually one of these:
https://github.com/jonathanio/update-systemd-resolved
https://github.com/alfredopalhares/open ... esolv-conf
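To make the "client-side scripting" concrete, here is an added example that is not part of the thread and is neither the update-resolv-conf nor the update-systemd-resolved script linked above. OpenVPN exports every pushed option it does not consume itself into the script environment as foreign_option_1, foreign_option_2, and so on (for the server config in this thread that is foreign_option_1="dhcp-option DNS 10.8.0.1"), and sets script_type to up or down; a client-side script only has to read those variables and apply them to the local resolver. The example assumes the resolver reads a plain /etc/resolv.conf (override with the assumed RESOLV_CONF variable); a host running systemd-resolved needs the resolvectl-based script instead, which is why both links are offered above. The vpn.example search domain in the demo is an invented value.

```shell
#!/bin/sh
# Added example, not the thread's code and not the linked projects' scripts:
# a minimal OpenVPN client "up"/"down" script. OpenVPN exports pushed options
# it does not handle itself as foreign_option_1, foreign_option_2, ... and
# sets script_type to "up" or "down". Assumption: plain /etc/resolv.conf.

RESOLV_CONF="${RESOLV_CONF:-/etc/resolv.conf}"

# Print foreign_option_1, foreign_option_2, ... one per line, stopping at the
# first unset one (OpenVPN numbers them consecutively).
foreign_options() {
    i=1
    while :; do
        val=$(eval "printf '%s' \"\${foreign_option_$i-}\"")
        [ -n "$val" ] || break
        printf '%s\n' "$val"
        i=$((i + 1))
    done
}

# Convert pushed options into resolv.conf lines:
#   "dhcp-option DNS a.b.c.d" -> "nameserver a.b.c.d"
#   "dhcp-option DOMAIN x"    -> "search x"
# Anything else (e.g. WINS options) is ignored.
build_resolv_conf() {
    printf '%s\n' "$1" | awk '
        $1 == "dhcp-option" && $2 == "DNS"    { print "nameserver " $3 }
        $1 == "dhcp-option" && $2 == "DOMAIN" { print "search " $3 }
    '
}

# OpenVPN calls the script as: <script> dev mtu link_mtu local_ip remote_ip init|restart
on_up() {
    content=$(build_resolv_conf "$(foreign_options)")
    if [ -z "$content" ]; then
        return 0            # server pushed no DNS settings; leave the resolver alone
    fi
    cp "$RESOLV_CONF" "$RESOLV_CONF.openvpn-backup"
    printf '# Written by OpenVPN up script for %s\n%s\n' "$1" "$content" > "$RESOLV_CONF"
}

# Restore the pre-VPN resolver configuration when the tunnel goes down.
on_down() {
    if [ -f "$RESOLV_CONF.openvpn-backup" ]; then
        mv "$RESOLV_CONF.openvpn-backup" "$RESOLV_CONF"
    fi
}

# Constructed sample: the environment after the server in this thread pushes
# "dhcp-option DNS 10.8.0.1" plus an invented search domain. Only builds the
# text; nothing is written.
demo_build() {
    foreign_option_1="dhcp-option DNS 10.8.0.1"
    foreign_option_2="dhcp-option DOMAIN vpn.example"
    build_resolv_conf "$(foreign_options)"
}

case "${script_type-}" in
    up)   on_up "$1" ;;
    down) on_down ;;
esac
```

Installed as, for instance, /etc/openvpn/dns-up.sh and referenced with the same `up`, `down` and `script-security 2` lines the client config in this thread already uses, the script rewrites the resolver when the tunnel comes up and restores it when the tunnel drops. Keeping the backup/restore pair together is what prevents a client from being left with an unreachable 10.8.0.1 resolver after a disconnect.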

Re: DNS Leak on Linux

Posted: Wed Jan 26, 2022 6:54 pm
by smugcloud
Thanks @TinCanTech.

So I have the OpenVPN update-resolv-conf on the client machine

Code:

$ file /etc/openvpn/update-resolv-conf 
/etc/openvpn/update-resolv-conf: Bourne-Again shell script, ASCII text executable

My client is configured to use it

Code:

up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

The server has iptables configured

Code:

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    MASQUERADE  all  --  10.8.0.0/24          anywhere

and I've reconfigured the server conf to mirror the config guide

Code:

push "redirect-gateway local def1"
push "dhcp-option DNS 10.8.0.1"

The OpenVPN client seems to be using the resolv-conf script correctly

Code:

2022-01-26 10:53:12 us=708461 net_addr_ptp_v4_add: 10.8.0.2 peer 10.8.0.1 dev tun0
2022-01-26 10:53:12 us=709377 /etc/openvpn/update-resolv-conf tun0 1500 1558 10.8.0.2 10.8.0.1 init

Yet I still see the "DNS leaks" on sites like I posted. Is that perhaps a red herring? Is there a better test to validate this?
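A more direct test than a web page, as an added example that is not part of the thread: for each resolver the client is configured with, ask the kernel which interface a packet to that address would leave on. A resolver routed over the physical uplink rather than the tunnel is exactly the leak the web tests report, and this check does not depend on the browser at all. The script assumes the tunnel device is tun0 (as in the log above; override with the assumed TUN_DEV variable) and a plain /etc/resolv.conf. On Pop!_OS with systemd-resolved, /etc/resolv.conf usually lists only the stub 127.0.0.53; the script flags that case as "stub", and the per-link servers shown by `resolvectl status` have to be inspected instead. The sample resolv.conf and route lines at the bottom are constructed, with the wlp3s0 device and 192.168.1.x addresses invented for the demo.

```shell
#!/bin/sh
# Added example, not part of the forum thread: report whether each configured
# DNS resolver is reached over the VPN tunnel or over the physical uplink.
# Assumptions: tunnel device tun0 (override with TUN_DEV), plain /etc/resolv.conf.

TUN_DEV="${TUN_DEV:-tun0}"

# Print the nameserver addresses from resolv.conf-style text, one per line.
nameservers_from_resolv() {
    printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2 }'
}

# Pull the outgoing device out of one line of `ip route get <addr>` output,
# e.g. "10.8.0.1 dev tun0 src 10.8.0.2 uid 1000" -> "tun0".
dev_from_route_line() {
    printf '%s\n' "$1" | sed -n 's/.* dev \([^ ]*\).*/\1/p'
}

# Classify one resolver given the device it is routed over:
#   tunnel - routed via $TUN_DEV, queries stay inside the VPN
#   stub   - systemd-resolved stub; real servers are per link (resolvectl status)
#   leak   - routed via another device, queries leave on the physical uplink
classify_resolver() {
    ns=$1
    dev=$2
    case "$ns" in
        127.0.0.53) echo "stub"; return 0 ;;
    esac
    if [ "$dev" = "$TUN_DEV" ]; then
        echo "tunnel"
    else
        echo "leak"
    fi
}

# Live check on this host: prints one line per resolver, returns 1 if any leaks.
live_check() {
    status=0
    for ns in $(nameservers_from_resolv "$(cat /etc/resolv.conf)"); do
        route=$(ip route get "$ns" 2>/dev/null | head -n 1)
        dev=$(dev_from_route_line "$route")
        verdict=$(classify_resolver "$ns" "$dev")
        printf '%-16s via %-8s %s\n' "$ns" "${dev:-?}" "$verdict"
        if [ "$verdict" = "leak" ]; then status=1; fi
    done
    return "$status"
}

# Constructed sample data for offline use: a resolv.conf that still lists the
# home router next to the pushed VPN resolver, and the matching route lookups.
SAMPLE_RESOLV='# Generated by update-resolv-conf
nameserver 10.8.0.1
nameserver 192.168.1.1'
SAMPLE_ROUTE_TUN='10.8.0.1 dev tun0 src 10.8.0.2 uid 1000'
SAMPLE_ROUTE_LAN='192.168.1.1 dev wlp3s0 src 192.168.1.50 uid 1000'

if [ "${1-}" = "--live" ]; then
    live_check
fi
```

Run it as `sh dnscheck.sh --live` while the tunnel is up; a second nameserver line pointing at the home router, as in the constructed sample, is the usual cause of a "leak" verdict because the resolver tries both servers. A "tunnel" verdict only proves the route; pushing dhcp-option DNS 10.8.0.1 also requires a resolver actually listening on the server's tun address, which `dig @10.8.0.1 example.com` from the client confirms.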

Re: DNS Leak on Linux

Posted: Wed Jan 26, 2022 7:06 pm
by TinCanTech
Are your server and client located at the same IP address, like your home?

Re: DNS Leak on Linux

Posted: Wed Jan 26, 2022 7:09 pm
by smugcloud
No, the server is in a remote location.

Re: DNS Leak on Linux

Posted: Wed Jan 26, 2022 7:11 pm
by Pippin
Your browser might "leak"...

Re: DNS Leak on Linux

Posted: Wed Jan 26, 2022 7:28 pm
by smugcloud
Pippin wrote:
Wed Jan 26, 2022 7:11 pm
Your browser might "leak"...
Hmm, is it not possible to force all traffic from the client machine to route through the tunnel/server?

Re: DNS Leak on Linux

Posted: Wed Jan 26, 2022 7:41 pm
by Pippin
Not easily.
Look into "browser leaks", which is off topic here...

Re: DNS Leak on Linux

Posted: Wed Jan 26, 2022 7:42 pm
by TinCanTech
smugcloud wrote:
Wed Jan 26, 2022 7:28 pm
is it not possible to force all traffic from the client machine to route through the tunnel/server?
If you setup your VPN correctly it is.

I just carefully read your configs .. where did you get that crap from ?

Re: DNS Leak on Linux

Posted: Wed Jan 26, 2022 7:57 pm
by smugcloud
TinCanTech wrote:
Wed Jan 26, 2022 7:42 pm
I just carefully read your configs .. where did you get that crap from ?
Ha, some from the OpenVPN docs, and some hacked together. I'm all ears if there is a simpler/better config to use.

Re: DNS Leak on Linux

Posted: Wed Jan 26, 2022 8:41 pm
by TinCanTech