Kali Linux openVPN does not pass the DNS Leak test
By default, OpenVPN does not reconfigure the DNS on non-Windows. You could use a hook (sorry the explanations are in French) in order to do this:
#!/bin/sh

# Write foreign options to stdout.
# OpenVPN exports pushed options as foreign_option_1, foreign_option_2, ...
foreign_options() {
  local i
  i=1
  while true; do
    local varname=foreign_option_$i
    local value="$(eval echo \$$varname)"
    if [ -z "$value" ]; then
      return
    fi
    echo "$value"
    i=$((i+1))
  done
}

# Get resolvconf configuration:
create_resolvconf() {
  foreign_options | grep "^dhcp-option DNS " | sed "s/^dhcp-option DNS /nameserver /"
}

route_up() {
  # Append nameservers to resolvconf (it would be better to override them).
  # $dev is the tunnel device name exported by OpenVPN:
  create_resolvconf | resolvconf -a "$dev"
}

route_pre_down() {
  # Kill switch: take the physical interface down
  # (adjust with your real network interface):
  sudo ip link set eth0 down
  # Restore the DNS config:
  resolvconf -d "$dev"
}

# script_type is set by OpenVPN to the name of the hook being run:
case "$script_type" in
  route-up) route_up "$@" ;;
  route-pre-down) route_pre_down "$@" ;;
esac
With this OpenVPN configuration snippet:
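# Allow OpenVPN to run user-defined scripts:
script-security 2
# Register the hook for both script types it handles:
route-up my_script
route-pre-down my_script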
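
An added example, not part of the original answer: because the hook appends the pushed nameservers instead of replacing the existing ones, a pre-VPN resolver can stay in use. This check lists the resolvers in a resolv.conf-style file that the VPN did not push; the function names and the sample addresses are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original answer. Function names are hypothetical.

# Print the DNS servers pushed by the VPN server, one per line.
# OpenVPN exports pushed options as foreign_option_1, foreign_option_2, ...
pushed_dns() {
    i=1
    while :; do
        eval "value=\${foreign_option_$i:-}"
        [ -n "$value" ] || break
        case "$value" in
            "dhcp-option DNS "*) echo "${value#dhcp-option DNS }" ;;
        esac
        i=$((i+1))
    done
}

# Print every nameserver in the resolv.conf-style file $1 that the VPN did
# not push. Any output is a resolver that can send queries outside the tunnel.
leaking_resolvers() {
    allowed=" $(pushed_dns | tr '\n' ' ')"
    while read -r key addr rest || [ -n "$key" ]; do
        [ "$key" = "nameserver" ] && [ -n "$addr" ] || continue
        case "$allowed" in
            *" $addr "*) ;;           # pushed by the VPN: fine
            *) echo "$addr" ;;        # not pushed: leak candidate
        esac
    done < "$1"
}

# Constructed sample: two pushed resolvers, and a resolver file that still
# lists the pre-VPN resolver 192.168.1.1 because entries were only appended.
demo() {
    foreign_option_1="dhcp-option DNS 10.8.0.1"
    foreign_option_2="dhcp-option DOMAIN example.test"
    foreign_option_3="dhcp-option DNS 10.8.0.2"
    tmp=$(mktemp)
    printf 'nameserver 10.8.0.1\nnameserver 192.168.1.1\nnameserver 10.8.0.2\n' > "$tmp"
    leaking_resolvers "$tmp"
    rm -f "$tmp"
}
demo   # prints 192.168.1.1
```

Run from the route-up hook, the check would be pointed at /etc/resolv.conf. When that file only lists a local stub such as 127.0.0.53, the stub's upstream servers are what need checking.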
Author: user01230
Updated on September 18, 2022
Comments
-
user01230 over 1 year
I recently installed Kali Linux on VMWare. I was able to successfully install openVPN following these instructions, but it seems that it does not pass the DNS Leak test. Is there anything that can fix that?
Also, how can I stop my internet connection if my VPN fails? I do not want to expose my real IP.
-
casey about 9 years
What is the "DNS test"?
-
user01230 about 9 years
I tried the DNS Leak test, check here: dnsleak.com
-
Overloaded_Operator about 9 years
In addition to @ysdx, man openvpn is always a good place to start. Write a config file too so you can just run openvpn conf.ovpn as root. Basically you want to use the --route-up cmd, --up cmd, --down-pre cmd, etc. to run custom scripts, and --route network/IP [netmask] [gateway] [metric] which will tear down the routes automatically in reverse order when the conn closes. All these cmd-line directives can be put in a config file also once it works. Sounds like you're not routing properly.
-
Overloaded_Operator about 9 years
Also, you can use iptables to block all egress traffic except destined to your VPN provider or proxy. If you're really paranoid, you can try connecting to your VPN from behind a whonix vm. The VPN must be TCP, and it would probably be best to do it from within a VM with Kali configured as a workstation for the whonix gateway. Don't expect any solution to protect you against the NSA or anything like that.