How to fix OpenVPN DNS leak

Solution 1

I had this DNS leak issue on Ubuntu 17.10 and now 18.04 LTS. It must have started when I updated from 16.10 a while back and I never thought to check until now, by accident. None of the above (and other things I found and tried) helped, until I ran into this URL below, reading all the way through the bug report. The comment on adding a dns-priority line worked for me.

https://bugs.launchpad.net/network-manager/+bug/1624317 look at comment #103.

Look for your installed NetworkManager VPN connections (the '$' is just my system prompt, to show you're at the command line in a terminal window):

$ ls -la /etc/NetworkManager/system-connections/*

Then choose the one you want to fix and run this command on it (or you can just edit the config file manually, as this command just adds a dns-priority entry under section ipv4):

$ sudo nmcli connection modify <vpn-connection-name> ipv4.dns-priority -42

And restart:

$ sudo service network-manager restart

Note that at least for me, putting it in the OpenVPN .ovpn config file that came from my VPN (ProtonVPN) did not work. For some reason it did not make it into the NetworkManager config when it was installed using the GUI dialog. Only by updating the config after it was installed, and then restarting NetworkManager, did it work. And you need to do this for each installed VPN config you want to use.
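
The nmcli steps above, as an added example that is not part of the original answer: a POSIX shell script that audits every NetworkManager VPN connection for its ipv4.dns-priority and, with --fix, applies the same modification to all of them. The connection names, the sample priorities and the LEAK_RISK label are constructed for the offline demo; only --live and --fix call the real nmcli.

```sh
#!/bin/sh
# Added example, not part of the original answer: audit NetworkManager VPN
# connections for the ipv4.dns-priority value that Solution 1 sets.
# NetworkManager merges the DNS servers of all active connections unless one
# has a negative dns-priority, which makes that connection's servers
# exclusive; 0 means "default" (50 for VPNs, 100 for other connections).
# The parsing/decision functions take text so they run offline.

# Constructed sample in the shape of `nmcli -t -f NAME,TYPE connection show`
# (nmcli -t separates fields with ':' and backslash-escapes ':' in values).
SAMPLE_CONNECTIONS='Wired connection 1:802-3-ethernet
ProtonVPN US-1:vpn
ProtonVPN CH-3:vpn
Home WiFi:802-11-wireless'

# Constructed priorities, in the shape of
#   nmcli -g ipv4.dns-priority connection show "<name>"
sample_priority() {
  case "$1" in
    "ProtonVPN CH-3") printf '%s\n' "-42" ;;   # already fixed
    *)                printf '%s\n' "0" ;;     # default: servers get merged
  esac
}

# Names of VPN-type connections, from nmcli -t output on stdin.
vpn_names() {
  awk -F: '$2 == "vpn" { print $1 }'
}

# True when the priority is negative, i.e. this connection's DNS servers
# are used exclusively while it is up.
priority_is_exclusive() {
  case "$1" in
    -[0-9]*) return 0 ;;
    *)       return 1 ;;
  esac
}

# Read VPN names on stdin, look up each priority with the function named
# in $1, and print "name<TAB>priority<TAB>ok|LEAK_RISK".
audit() {
  lookup="$1"
  while IFS= read -r name; do
    [ -n "$name" ] || continue
    prio=$("$lookup" "$name")
    if priority_is_exclusive "$prio"; then
      printf '%s\t%s\tok\n' "$name" "$prio"
    else
      printf '%s\t%s\tLEAK_RISK\n' "$name" "$prio"
    fi
  done
}

# Count audit lines flagged LEAK_RISK (prints 0 instead of failing when none).
count_leak_risk() {
  awk -F'\t' '$3 == "LEAK_RISK" { n++ } END { print n + 0 }'
}

# Live helpers: need nmcli, and sudo for the modification.
live_priority() { nmcli -g ipv4.dns-priority connection show "$1"; }
fix_connection() { sudo nmcli connection modify "$1" ipv4.dns-priority -42; }

case "${1:-}" in
  --live)  # audit the real connections
    nmcli -t -f NAME,TYPE connection show | vpn_names | audit live_priority ;;
  --fix)   # apply Solution 1 to every VPN connection, then restart NM
    old_ifs=$IFS; IFS='
'   # newline-only IFS so names containing spaces survive the for loop
    for n in $(nmcli -t -f NAME,TYPE connection show | vpn_names); do
      fix_connection "$n"
    done
    IFS=$old_ifs
    sudo service network-manager restart ;;
  *)       # offline demo on the constructed sample
    printf '%s\n' "$SAMPLE_CONNECTIONS" | vpn_names | audit sample_priority ;;
esac
```

Run it with no arguments to see the audit on the constructed sample, `--live` to audit the real connections, and `--fix` to apply the dns-priority change to every VPN connection and restart NetworkManager.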

Solution 2

Sooo the answer is to carefully follow the always-on-point instructions from the ArchLinux wiki:

https://wiki.archlinux.org/index.php/OpenVPN#Update_systemd-resolved_script

and to append the corresponding lines.

So, in two steps:

sudo apt install openvpn-systemd-resolved

and append the following lines to your .ovpn file:

script-security 2
dhcp-option DNS 208.67.222.222
dhcp-option DNS 208.67.220.220
dhcp-option DNS 8.26.56.26
up /etc/openvpn/update-systemd-resolved
down /etc/openvpn/update-systemd-resolved

If that's not clear, your file should now contain two lines "up" and two lines "down":

# old lines
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
# new lines
script-security 2
dhcp-option DNS 208.67.222.222
dhcp-option DNS 208.67.220.220
dhcp-option DNS 8.26.56.26
up /etc/openvpn/update-systemd-resolved
down /etc/openvpn/update-systemd-resolved

[Edit 1: Actually NOPE, this wasn't the reason it worked]

See Edit 1 in my question.

[Edit 2: I think I got it right this time]

This issue of weird systemd-resolved.service behavior is referenced here.

It seems that the option to put in the client config file is the following:

dhcp-option DOMAIN-ROUTE .

which apparently routes all DNS through the selected connection...
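
To verify that the DOMAIN-ROUTE option actually took effect, here is an added check that is not part of the original answer. It parses the per-link section of systemd-resolve --status (resolvectl status on newer systems) and reports whether the VPN interface alone carries the "~." routing domain, which is how systemd-resolved represents "send every query here"; when no link has it, resolved can still hand queries to the router's resolver on the LAN interface. The two status samples are constructed in that output's layout, and tun0, eno1 and the addresses are assumed names.

```sh
#!/bin/sh
# Added example, not part of the original answer: confirm that the VPN link
# owns systemd-resolved's "~." routing domain. "dhcp-option DOMAIN-ROUTE ."
# is what makes update-systemd-resolved request it; without it resolved can
# still hand queries for names outside any link's search domain to the
# router's resolver on the LAN interface, which is the leak observed above.
# Samples are constructed in the layout of `systemd-resolve --status`
# (`resolvectl status` on newer systems); tun0/eno1 and addresses are assumed.

SAMPLE_OK=$(cat <<'EOF'
Global
         DNS Domain: lan

Link 5 (tun0)
      Current Scopes: DNS
       LLMNR setting: yes
      DNSSEC setting: no
         DNS Servers: 208.67.222.222
                      208.67.220.220
          DNS Domain: ~.

Link 2 (eno1)
      Current Scopes: DNS
       LLMNR setting: yes
      DNSSEC setting: no
         DNS Servers: 192.168.1.254
          DNS Domain: lan
EOF
)

# Same host before the fix: tun0 has servers but no routing domain.
SAMPLE_LEAK=$(cat <<'EOF'
Link 5 (tun0)
      Current Scopes: DNS
         DNS Servers: 208.67.222.222
                      208.67.220.220

Link 2 (eno1)
      Current Scopes: DNS
         DNS Servers: 192.168.1.254
          DNS Domain: lan
EOF
)

# Turn the status text on stdin into one line per link:
#   <iface>TAB<servers,comma,separated>TAB<domains,comma,separated>
# Continuation lines (no "Key: " prefix) extend the previous key; IPv6
# servers are safe because their colons are never followed by a space.
parse_status() {
  awk '
    function emit() {
      if (link != "") printf "%s\t%s\t%s\n", link, servers, domains
    }
    /^Link [0-9]+ \(/ {
      emit()
      link = $0; sub(/^Link [0-9]+ \(/, "", link); sub(/\).*$/, "", link)
      servers = ""; domains = ""; key = ""
      next
    }
    /^Global/ { emit(); link = ""; key = ""; next }
    link == "" { next }
    {
      if (match($0, /^ *[A-Za-z ]+: /)) {
        key = substr($0, 1, RLENGTH); sub(/^ */, "", key); sub(/: $/, "", key)
        val = substr($0, RLENGTH + 1)
      } else {
        val = $0; sub(/^ */, "", val)
      }
      if (val == "") next
      if (key == "DNS Servers") servers = servers (servers == "" ? "" : ",") val
      if (key == "DNS Domain") domains = domains (domains == "" ? "" : ",") val
    }
    END { emit() }
  '
}

# Servers of one link, from parse_status output on stdin.
dns_servers_for() {
  awk -F'\t' -v l="$1" '$1 == l { print $2 }'
}

# Interfaces that carry the "~." routing domain.
route_all_links() {
  awk -F'\t' '{ n = split($3, d, ","); for (i = 1; i <= n; i++) if (d[i] == "~.") print $1 }'
}

# True only when exactly the given interface owns "~.".
vpn_owns_all_dns() {
  [ "$(route_all_links)" = "$1" ]
}

case "${1:-}" in
  --live)  # check the running system: sh resolved-check.sh --live [iface]
    if { resolvectl status 2>/dev/null || systemd-resolve --status; } |
         parse_status | vpn_owns_all_dns "${2:-tun0}"; then
      echo "ok: ${2:-tun0} owns ~."
    else
      echo "LEAK RISK: ~. is not on ${2:-tun0} alone"; exit 1
    fi ;;
  *)       # offline demo on the constructed samples
    printf '%s\n' "$SAMPLE_OK" | parse_status | vpn_owns_all_dns tun0 &&
      echo "OK sample: tun0 owns ~."
    printf '%s\n' "$SAMPLE_LEAK" | parse_status | vpn_owns_all_dns tun0 ||
      echo "LEAK sample: no ~. on tun0, queries can reach eno1's resolver" ;;
esac
```

The check deliberately requires that only the VPN link has "~.": if the LAN link also carries it (for example from a DHCP lease that pushes a routing domain), resolved may still race both sets of servers, so the "ok" verdict would be misleading.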

Solution 3

This seems to be a bug due to Ubuntu switching to systemd-resolve before the network-manager-openvpn package was updated to be aware of systemd-resolve. Ubuntu 18.10 seems to have resolved this with network-manager 1.12.2-0ubuntu5. More information here: https://gitlab.gnome.org/GNOME/NetworkManager-openvpn/issues/10.

Until that's released, @Bob Willan's answer worked for me.

Solution 4

I was running into the DNS leak problem also. The modification of my ovpn file didn't help. The reason was a missing package. OpenVPN didn't warn me about that.

    script-security 2
    up /etc/openvpn/update-resolv-conf
    down /etc/openvpn/update-resolv-conf

Having a look into the script (cat /etc/openvpn/update-resolv-conf) I was able to see that it calls another program at /sbin/resolvconf. Doing an ls /sbin/resolvconf showed me that I was missing that file. A quick search brought me to the missing package.

After installing it with apt install openresolv the modifications in my ovpn script took effect.
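
A preflight check for the kind of problem Solution 4 found by reading the script, added here and not part of the original answer: it lints a client profile for the conditions OpenVPN does not flag clearly, namely up/down scripts named while script-security is below 2, a named script that is missing or not executable, and update-resolv-conf used without the resolvconf binary it calls. The sample profile and its remote host are constructed; the resolvconf locations checked (/sbin/resolvconf, /usr/sbin/resolvconf) are where the Debian and Ubuntu packages install it.

```sh
#!/bin/sh
# Added example, not part of the original answer: preflight an OpenVPN client
# profile the way Solution 4 debugged it by hand. lint_ovpn takes a root
# prefix so the filesystem checks can be exercised against a scratch tree;
# pass "" for the live system.

# Constructed profile fragment; "up" uses the quoted form from the question
# that passes foreign_option_* arguments to the script.
SAMPLE_OVPN=$(cat <<'EOF'
client
dev tun
remote vpn.example.invalid 1194
script-security 2
dhcp-option DNS 208.67.222.222
up "/etc/openvpn/update-resolv-conf foreign_option_1='dhcp-option DNS 208.67.222.222'"
down /etc/openvpn/update-resolv-conf
EOF
)

# script-security level declared in the profile on stdin (0 when absent).
ovpn_script_security() {
  awk '$1 == "script-security" { lvl = $2 } END { print lvl + 0 }'
}

# Unique script paths named by up/down lines on stdin. Handles both
#   up /path/script
#   up "/path/script arg1='...'"
# by taking the first word and stripping double quotes from it.
ovpn_scripts() {
  awk '$1 == "up" || $1 == "down" { p = $2; gsub(/"/, "", p); print p }' | sort -u
}

# Lint the profile on stdin; print one problem per line; exit 0 when clean.
lint_ovpn() {
  root="${1:-}"
  profile=$(cat)
  problems=0
  lvl=$(printf '%s\n' "$profile" | ovpn_script_security)
  scripts=$(printf '%s\n' "$profile" | ovpn_scripts)
  if [ -n "$scripts" ] && [ "$lvl" -lt 2 ]; then
    echo "script-security is $lvl; up/down scripts need at least 2"
    problems=$((problems + 1))
  fi
  for s in $scripts; do
    if [ ! -x "$root$s" ]; then
      echo "script missing or not executable: $s"
      problems=$((problems + 1))
    fi
    case "$s" in
      */update-resolv-conf)
        if [ ! -x "$root/sbin/resolvconf" ] && [ ! -x "$root/usr/sbin/resolvconf" ]; then
          echo "$s calls resolvconf, which is not installed (apt install openresolv)"
          problems=$((problems + 1))
        fi ;;
    esac
  done
  [ "$problems" -eq 0 ]
}

case "${1:-}" in
  --live)  # lint a real profile: sh ovpn-preflight.sh --live client.ovpn
    lint_ovpn "" < "$2" ;;
  *)       # offline demo against the constructed sample
    if printf '%s\n' "$SAMPLE_OVPN" | lint_ovpn "${OVPN_ROOT:-}"; then
      echo "preflight: ok"
    else
      echo "preflight: problems found"
    fi ;;
esac
```

With no arguments the script lints the constructed sample against the real filesystem (set OVPN_ROOT to point the checks at another tree); with `--live client.ovpn` it lints the given profile and exits non-zero if anything is wrong.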

Author: PlasmaBinturong

Updated on September 18, 2022

Comments

  • PlasmaBinturong
    PlasmaBinturong over 1 year

    I just subscribed to a VPN provider.

    I have Xubuntu 17.10, openvpn 2.4.3. After launching the openvpn command I checked the IP (fine) and performed a simple DNS leak test: not fine, it shows my Internet Service Provider!

    How to fix this DNS leak?

    I have one preliminary interrogation:

    • is it "fixable" on my side? Or is the remote server wrongly configured?

    On my side, I tried changing some values in the .ovpn config file for openvpn:

    1. Originally there were already these lines, that are expected to work, but nope:

      script-security 2
      up /etc/openvpn/update-resolv-conf
      down /etc/openvpn/update-resolv-conf
      
    2. I changed them according to this reddit answer (explicitly specifying DNS addresses):

      dhcp-option DNS 208.67.222.222
      dhcp-option DNS 208.67.220.220
      dhcp-option DNS 8.26.56.26
      up "/etc/openvpn/update-resolv-conf foreign_option_1='dhcp-option DNS 208.67.222.222' foreign_option_2='dhcp-option DNS 208.67.220.220' foreign_option_3='dhcp-option DNS 8.26.56.26'"
      down "/etc/openvpn/update-resolv-conf foreign_option_1='dhcp-option DNS 208.67.222.222' foreign_option_2='dhcp-option DNS 208.67.220.220' foreign_option_3='dhcp-option DNS 8.26.56.26'"
      

      Doing that seems to do the job, as the content of /etc/resolvconf gets updated by the up/down scripts:

      # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
      #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
      # 127.0.0.53 is the systemd-resolved stub resolver.
      # run "systemd-resolve --status" to see details about the actual nameservers.
      
      nameserver 208.67.222.222
      nameserver 208.67.220.220
      nameserver 8.26.56.26
      search lan
      

      but DNSleaktest still showing my ISP.

    3. So then I learned the existence of the ubuntu package openvpn-systemd-resolved which provides a script similar to update-resolv-conf but makes it work with systemd (here I have no idea what processes use this: network-manager? openvpn?). I installed the package and replaced the script name in my .ovpn file:

      up "/etc/openvpn/update-systemd-resolved ..."
      down "..."
      down-pre
      

      Still no luck. [While writing this I just figured out the solution, see my answer below]

    4. Then I played a lot with the /etc/resolv.conf file. Normally it should not be changed, so I put my DNS servers addresses into /etc/resolvconf/resolv.conf.d/base, but issuing resolvconf -u did not appear to work.

    5. Chatted with a support person from the VPN company, no solution.

    6. I tried various solutions like this one, and subsequent unaccepted answers:

      • installing dnsmasq and putting server=... into /etc/dnsmasq.conf;
      • putting a "supersede" line in the /etc/dhcp/dhclient.conf (details);
      • the chattr-based hack.
    7. I forgot the other things I tried, then I thought, stackexchange will save me from my misery, and it miraculously did, just by the power of formulating a question.

    [Edit 1: Not solved! Actually my first answer is not the reason it works]

    I noticed it after more checking. I can remove the systemd-update-resolved lines and it still works, but only on certain conditions:

    When the openvpn service is running, I get DNS leaks. If I stop it, and then restart only the service for my client:

    sudo service openvpn stop
    sudo service openvpn@client start
    

    then it works.

    Sorry, I suppose I haven't checked the openvpn manual thoroughly, but why is that? Isn't it a security leak? Especially because the openvpn service is activated automatically after installation from apt. How to make the change permanent? (I tried sudo systemctl disable openvpn, but at next startup I still had the same problem).

    [Edit 2: routing tables]

    Once I stopped openvpn and started openvpn@client, I don't have DNS leaks and the output of route -n is:

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    0.0.0.0         91.240.65.1     128.0.0.0       UG    0      0        0 tun0
    0.0.0.0         192.168.1.254   0.0.0.0         UG    100    0        0 eno1
    91.240.64.17    192.168.1.254   255.255.255.255 UGH   0      0        0 eno1
    91.240.65.0     0.0.0.0         255.255.255.224 U     0      0        0 tun0
    128.0.0.0       91.240.65.1     128.0.0.0       UG    0      0        0 tun0
    169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eno1
    192.168.1.0     0.0.0.0         255.255.255.0   U     100    0        0 eno1
    

    After a sudo service openvpn restart:

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    0.0.0.0         91.240.66.1     128.0.0.0       UG    0      0        0 tun0
    0.0.0.0         192.168.1.254   0.0.0.0         UG    100    0        0 eno1
    91.240.64.16    192.168.1.254   255.255.255.255 UGH   0      0        0 eno1
    91.240.66.0     0.0.0.0         255.255.255.224 U     0      0        0 tun0
    128.0.0.0       91.240.66.1     128.0.0.0       UG    0      0        0 tun0
    169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eno1
    192.168.1.0     0.0.0.0         255.255.255.0   U     100    0        0 eno1
    

    Not working anymore, I get DNS leaks in both cases. I tried installing the package openresolv (which replaces resolvconf), and it seems to work. Here is the new routing table:

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    0.0.0.0         91.240.66.161   128.0.0.0       UG    0      0        0 tun0
    0.0.0.0         192.168.1.254   0.0.0.0         UG    100    0        0 eno1
    91.240.64.15    192.168.1.254   255.255.255.255 UGH   0      0        0 eno1
    91.240.66.160   0.0.0.0         255.255.255.224 U     0      0        0 tun0
    128.0.0.0       91.240.66.161   128.0.0.0       UG    0      0        0 tun0
    169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eno1
    192.168.1.0     0.0.0.0         255.255.255.0   U     100    0        0 eno1
    
    • Rui F Ribeiro
      Rui F Ribeiro about 6 years
      Please add your routing table while you have the VPN active.
    • PlasmaBinturong
      PlasmaBinturong about 6 years
      Just did! But damned***, I can't make it work anymore, I get DNS leaks even when stopping the openvpn service!
    • Rui F Ribeiro
      Rui F Ribeiro about 6 years
      No changes in routing. Are you setting up a client or a server?
    • PlasmaBinturong
      PlasmaBinturong about 6 years
      Yes I saw no changes. I'm setting up a client.
    • PlasmaBinturong
      PlasmaBinturong about 6 years
      Basically nothing works, lastly openresolv neither. What services should I restart after each config edit? network-manager? openvpn? Is my browser caching some data?
    • PlasmaBinturong
      PlasmaBinturong about 6 years
      I uninstalled openresolv. I think I have some hints about systemd-resolved. It uses a file in /run/systemd/resolve/resolv.conf (not the one symlinked from /etc/resolv.conf) where the first "nameserver" is my router... It gets overwritten when I change it, so I need to find out how to configure it.
    • Rui F Ribeiro
      Rui F Ribeiro about 6 years
      you can always do systemctl disable systemd-resolved
    • PlasmaBinturong
      PlasmaBinturong about 6 years
      Yes indeed, but then I need to use dnsmasq for example. I just found that /etc/systemd/resolved.conf seems to be the config file, and that man resolved.conf is the corresponding documentation.
    • Finn Joe
      Finn Joe almost 6 years
      You should need to check if your VPN working properly or not, here you can check vpninsights.com/ip-leak-test
  • PlasmaBinturong
    PlasmaBinturong about 6 years
    However, when the computer goes out of sleep, I have to restart the openvpn service and then it's leaking again...
  • 32r34wgf3e
    32r34wgf3e about 5 years
    Tested in 18.10 with NetworkManager and works! Hopefully they will fix this in the next LTS release.
  • PlasmaBinturong
    PlasmaBinturong over 4 years
    Thanks for pointing out this issue discussion. Too bad they aren't providing the fix for ubuntu 18.04, but at least @bobwillan's answer indeed worked.
  • iAndroid
    iAndroid almost 4 years
    want to confirm that this also worked for 20.04 LTS version (after upgrading from 19.04 -> 19.10 -> 20.04)
  • Julien B.
    Julien B. almost 4 years
    yup, that did it for me, thanks mate
  • Zaid Gharaybeh
    Zaid Gharaybeh over 3 years
    Did not work for me on Debian Buster