How to fix OpenVPN DNS leak
Solution 1
I had this DNS leak issue on Ubuntu 17.10 and now 18.04 LTS. It must have started when I updated from 16.10 a while back and I never thought to check until now, by accident. None of the above (and other things I found and tried) helped, until I ran into this URL below, reading all the way through the bug report. The comment on adding a dns-priority line worked for me.
https://bugs.launchpad.net/network-manager/+bug/1624317 look at comment #103.
Look for your installed NetworkManager VPN connections (the '$' is just my system prompt, to show you're at the command line in a terminal window):
$ ls -la /etc/NetworkManager/system-connections/*
Then choose the one you want to fix and run this command on it (or you can just edit the config file manually, as this command just adds a dns-priority entry under section ipv4):
$ sudo nmcli connection modify <vpn-connection-name> ipv4.dns-priority -42
And restart:
$ sudo service network-manager restart
Note that at least for me, putting it in the OpenVPN .ovpn config file that came from my VPN (ProtonVPN) did not work. For some reason it did not make it into the NetworkManager config when it was installed using the GUI dialog. Only by updating the config after it was installed, and then restarting NetworkManager, did it work. And you need to do this for each installed VPN config you want to use.
Solution 2
Sooo the answer is to carefully follow the always-on-point instructions from the ArchLinux wiki:
https://wiki.archlinux.org/index.php/OpenVPN#Update_systemd-resolved_script
and to append the corresponding lines.
So, in two steps:
sudo apt install openvpn-systemd-resolved
and append the following lines to your .ovpn file:
script-security 2
dhcp-option DNS 208.67.222.222
dhcp-option DNS 208.67.220.220
dhcp-option DNS 8.26.56.26
up /etc/openvpn/update-systemd-resolved
down /etc/openvpn/update-systemd-resolved
If that's not clear, your file should now contain two lines "up" and two lines "down":
# old lines
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
# new lines
script-security 2
dhcp-option DNS 208.67.222.222
dhcp-option DNS 208.67.220.220
dhcp-option DNS 8.26.56.26
up /etc/openvpn/update-systemd-resolved
down /etc/openvpn/update-systemd-resolved
[Edit 1: Actually NOPE, this wasn't the reason it worked]
See Edit 1 in my question.
[Edit 2: I think I got it right this time]
This issue of weird systemd-resolved.service behavior is referenced here.
It seems that the option to put in the client config file is the following:
dhcp-option DOMAIN-ROUTE .
which apparently routes all DNS through the selected connection...
Solution 3
This seems to be a bug due to Ubuntu switching to systemd-resolve before the network-manager-openvpn package was updated to be aware of systemd-resolve. Ubuntu 18.10 seems to have resolved this with network-manager 1.12.2-0ubuntu5. More information here: https://gitlab.gnome.org/GNOME/NetworkManager-openvpn/issues/10.
Until that's released, @Bob Willan's answer worked for me.
Solution 4
I was running into the DNS leak problem also. The modification of my ovpn file didn't help. The reason was a missing package. OpenVPN didn't warn me about that.
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
Having a look into the script (cat /etc/openvpn/update-resolv-conf) I was able to see that it calls another program at /sbin/resolvconf.
Doing an ls /sbin/resolvconf showed me that I was missing that file. A quick search brought me to the missing package.
After installing it with apt install openresolv the modifications in my ovpn script took effect.
PlasmaBinturong
Updated on September 18, 2022
Comments
-
PlasmaBinturong over 1 year
I just subscribed to a VPN provider.
I have Xubuntu 17.10, openvpn 2.4.3. After launching the openvpn command I check the IP (fine) and performed a simple DNS leak test: not fine, it shows my Internet Service Provider!
How to fix this DNS leak?
I have one preliminary interrogation:
- is it "fixable" on my side? Or is the remote server wrongly configured?
On my side, I tried changing some values in the .ovpn config file for openvpn:
-
Originally there were already these lines, that are expected to work, but nope:
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
-
I changed them according to this reddit answer (explicitly specifying DNS addresses):
dhcp-option DNS 208.67.222.222
dhcp-option DNS 208.67.220.220
dhcp-option DNS 8.26.56.26
up "/etc/openvpn/update-resolv-conf foreign_option_1='dhcp-option DNS 208.67.222.222' foreign_option_2='dhcp-option DNS 208.67.220.220' foreign_option_3='dhcp-option DNS 8.26.56.26'"
down "/etc/openvpn/update-resolv-conf foreign_option_1='dhcp-option DNS 208.67.222.222' foreign_option_2='dhcp-option DNS 208.67.220.220' foreign_option_3='dhcp-option DNS 8.26.56.26'"
Doing that seems to do the job, as the content of /etc/resolvconf gets updated by the up/down scripts:
# Dynamic resolv.conf(5) file for glibc resolver(3)
#     generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
# 127.0.0.53 is the systemd-resolved stub resolver.
# run "systemd-resolve --status" to see details about the actual nameservers.
nameserver 208.67.222.222
nameserver 208.67.220.220
nameserver 8.26.56.26
search lan
but DNSleaktest is still showing my ISP.
-
So then I learned of the existence of the ubuntu package openvpn-systemd-resolved, which provides a script similar to update-resolv-conf but makes it work with systemd (here I have no idea what processes use this: network-manager? openvpn?). I installed the package and replaced the script name in my .ovpn file:
up "/etc/openvpn/update-systemd-resolved ..."
down "..."
down-pre
Still no luck. [While writing this I just figured out the solution, see my answer below]
Then I played a lot with the /etc/resolv.conf file. Normally it should not be changed, so I put my DNS server addresses into /etc/resolvconf/resolv.conf.d/base, but issuing resolvconf -u did not appear to work. Chatted with a support person from the VPN company, no solution.
-
I tried various solutions like this one, and subsequent unaccepted answers:
I forgot the other things I tried, then I thought, stackexchange will save me from my misery, and it miraculously did, just by the power of formulating a question.
[Edit 1: Not solved! Actually my first answer is not the reason it works]
I noticed it after more checking. I can remove the systemd-update-resolved lines and it still works, but only on certain conditions: when the openvpn service is running, I get DNS leaks. If I stop it, and then restart only the service for my client:
sudo service openvpn stop
sudo service openvpn@client start
then it works.
Sorry, I suppose I haven't checked the openvpn manual thoroughly, but why is that? Isn't it a security leak? Especially because the openvpn service is activated automatically after installation from apt. How do I make the change permanent? (I tried sudo systemctl disable openvpn, but at next startup I still had the same problem).
[Edit 2: routing tables]
Once I stopped openvpn and started openvpn@client, I don't have DNS leaks and the output of route -n is:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         91.240.65.1     128.0.0.0       UG    0      0        0 tun0
0.0.0.0         192.168.1.254   0.0.0.0         UG    100    0        0 eno1
91.240.64.17    192.168.1.254   255.255.255.255 UGH   0      0        0 eno1
91.240.65.0     0.0.0.0         255.255.255.224 U     0      0        0 tun0
128.0.0.0       91.240.65.1     128.0.0.0       UG    0      0        0 tun0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eno1
192.168.1.0     0.0.0.0         255.255.255.0   U     100    0        0 eno1
After a sudo service openvpn restart:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         91.240.66.1     128.0.0.0       UG    0      0        0 tun0
0.0.0.0         192.168.1.254   0.0.0.0         UG    100    0        0 eno1
91.240.64.16    192.168.1.254   255.255.255.255 UGH   0      0        0 eno1
91.240.66.0     0.0.0.0         255.255.255.224 U     0      0        0 tun0
128.0.0.0       91.240.66.1     128.0.0.0       UG    0      0        0 tun0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eno1
192.168.1.0     0.0.0.0         255.255.255.0   U     100    0        0 eno1
Not working anymore, I get DNS leaks in both cases. I tried installing the package openresolv (which replaces resolvconf), and it seems to work. Here is the new routing table:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         91.240.66.161   128.0.0.0       UG    0      0        0 tun0
0.0.0.0         192.168.1.254   0.0.0.0         UG    100    0        0 eno1
91.240.64.15    192.168.1.254   255.255.255.255 UGH   0      0        0 eno1
91.240.66.160   0.0.0.0         255.255.255.224 U     0      0        0 tun0
128.0.0.0       91.240.66.161   128.0.0.0       UG    0      0        0 tun0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eno1
192.168.1.0     0.0.0.0         255.255.255.0   U     100    0        0 eno1
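As an added example (not part of the question or of any answer on this page), the following Python script automates the check the question's author was doing by hand: it takes a `route -n` table (the first table pasted above, reused verbatim) and a resolv.conf, performs a longest-prefix match for each nameserver, and reports which interface queries to that server would leave through. A nameserver whose egress interface is not tun0 is a leak. The 127.0.0.53 stub is flagged separately rather than judged, because, as the comments below note, systemd-resolved forwards to per-link servers that must be inspected via /run/systemd/resolve/resolv.conf or resolvectl status. The resolv.conf samples are constructed; the VPN interface name tun0 is taken from the tables above.

```python
import ipaddress

# Route table taken from the question's first `route -n` output (openvpn@client running).
ROUTE_TABLE = """Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         91.240.65.1     128.0.0.0       UG    0      0        0 tun0
0.0.0.0         192.168.1.254   0.0.0.0         UG    100    0        0 eno1
91.240.64.17    192.168.1.254   255.255.255.255 UGH   0      0        0 eno1
91.240.65.0     0.0.0.0         255.255.255.224 U     0      0        0 tun0
128.0.0.0       91.240.65.1     128.0.0.0       UG    0      0        0 tun0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eno1
192.168.1.0     0.0.0.0         255.255.255.0   U     100    0        0 eno1
"""

# Constructed resolv.conf samples: router as first nameserver (leaky), VPN-pushed servers only (fixed),
# and the systemd-resolved stub (needs a second look at the per-link servers).
LEAKY_RESOLV = "nameserver 192.168.1.254\nnameserver 208.67.222.222\nsearch lan\n"
FIXED_RESOLV = "nameserver 208.67.222.222\nnameserver 208.67.220.220\nnameserver 8.26.56.26\n"
STUB_RESOLV = "# 127.0.0.53 is the systemd-resolved stub resolver.\nnameserver 127.0.0.53\n"


def parse_routes(route_text):
    """Parse `route -n` output into (network, gateway, metric, iface) tuples; header lines are skipped."""
    routes = []
    for line in route_text.splitlines():
        parts = line.split()
        if len(parts) < 8:
            continue
        try:
            network = ipaddress.ip_network(f"{parts[0]}/{parts[2]}", strict=False)
        except ValueError:
            continue  # "Destination Gateway ..." header row
        routes.append((network, parts[1], int(parts[4]), parts[7]))
    return routes


def parse_nameservers(resolv_text):
    """Return the nameserver addresses listed in a resolv.conf, in order."""
    return [p[1] for p in (l.split() for l in resolv_text.splitlines()) if len(p) >= 2 and p[0] == "nameserver"]


def egress_interface(routes, address):
    """Longest-prefix match with lowest metric as tie-breaker, i.e. the kernel's route selection.
    Loopback addresses are reported as "stub": the real upstream lives in systemd-resolved, not the table."""
    addr = ipaddress.ip_address(address)
    if addr.is_loopback:
        return "stub"
    best = None
    for network, _gateway, metric, iface in routes:
        if addr in network:
            key = (network.prefixlen, -metric)
            if best is None or key > best[0]:
                best = (key, iface)
    return best[1] if best else None


def nameserver_interfaces(route_text, resolv_text):
    """Map each nameserver to the interface its queries would leave through."""
    routes = parse_routes(route_text)
    return {ns: egress_interface(routes, ns) for ns in parse_nameservers(resolv_text)}


def dns_leaks(route_text, resolv_text, vpn_iface="tun0"):
    """Nameservers reached outside the VPN tunnel. Stub entries are excluded (check them separately)."""
    return [ns for ns, iface in nameserver_interfaces(route_text, resolv_text).items()
            if iface not in (vpn_iface, "stub")]


if __name__ == "__main__":
    # On a real box: feed the output of `route -n` and `cat /run/systemd/resolve/resolv.conf`.
    for label, resolv in (("leaky", LEAKY_RESOLV), ("fixed", FIXED_RESOLV), ("stub", STUB_RESOLV)):
        print(label, nameserver_interfaces(ROUTE_TABLE, resolv), "leaks:", dns_leaks(ROUTE_TABLE, resolv))
```

With the question's table, 208.67.222.222 and 8.26.56.26 fall under the two /1 routes via tun0, while 192.168.1.254 matches the /24 via eno1 and is reported as a leak; a 127.0.0.53 entry only tells you that systemd-resolved is in the path, which is why the author ended up looking at /run/systemd/resolve/resolv.conf.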
-
Rui F Ribeiro about 6 years
Please add your routing table while you have the VPN active.
-
PlasmaBinturong about 6 years
Just did! But damned***, I can't make it work anymore, I get DNS leaks even when stopping the openvpn service!
-
Rui F Ribeiro about 6 years
No changes in routing. Are you setting up a client or a server?
-
PlasmaBinturong about 6 years
Yes I saw no changes. I'm setting up a client.
-
PlasmaBinturong about 6 years
Basically nothing works, lastly openresolv neither. What services should I restart after each config edit? network-manager? openvpn? Is my browser caching some data?
-
PlasmaBinturong about 6 years
I uninstalled openresolv. I think I have some hints about systemd-resolved. It uses a file in /run/systemd/resolve/resolv.conf (not the one symlinked from /etc/resolv.conf) where the first "nameserver" is my router... It gets overwritten when I change it, so I need to find out how to configure it.
-
Rui F Ribeiro about 6 years
You can always do systemctl disable systemd-resolved
-
PlasmaBinturong about 6 years
Yes indeed, but then I need to use dnsmasq for example. I just found that /etc/systemd/resolved.conf seems to be the config file, and that man resolved.conf is the corresponding documentation.
-
Finn Joe almost 6 years
You should check if your VPN is working properly or not, here you can check vpninsights.com/ip-leak-test
-
PlasmaBinturong about 6 years
However, when the computer comes out of sleep, I have to restart the openvpn service and then it's leaking again...
-
32r34wgf3e about 5 years
Tested in 18.10 with NetworkManager and works! Hopefully they will fix this in the next LTS release.
-
PlasmaBinturong over 4 years
Thanks for pointing out this issue discussion. Too bad they aren't providing the fix for ubuntu 18.04, but at least @bobwillan's answer indeed worked.
-
iAndroid almost 4 years
Want to confirm that this also worked for the 20.04 LTS version (after upgrading from 19.04 -> 19.10 -> 20.04)
-
Julien B. almost 4 years
Yup, that did it for me, thanks mate
-
Zaid Gharaybeh over 3 years
Did not work for me on Debian Buster