
Thread: DNS leak, NetworkManager, openVPN

  1. #1

    DNS leak, NetworkManager, openVPN

    Hi all,
    I am having a problem with openVPN + NetworkManager: a DNS leak. I launch an openVPN connection either from the Network Manager applet or using nmcli. To verify whether there is a DNS leak I use https://ipleak.net/.

    I noticed that while there is no VPN connection, the /etc/resolv.conf file has only one nameserver entry, 192.168.1.1 (my router). When an openVPN connection is up there are 2 nameserver entries, one is 192.168.1.1 and the other one is supplied by the VPN server. Am I right to conclude that the fact that the local router's IP (192.168.1.1) stays in resolv.conf is what is causing the DNS leak?
    When I manually edit the file and leave only the nameserver provided by the VPN provider, the DNS leak does not go away. Do I need to restart any services for that to take effect?

    Ultimately I want to have no DNS leaks. How do I fix this?

    Will be grateful for any suggestions or links.

  2. #2

    Re: DNS leak, NetworkManager, openVPN

    You need to set the ipv{4,6}.dns-priority connection property to a negative value on the VPN connection. The default makes the VPN DNS servers preferred but leaves both in resolv.conf. If this option is not exposed by your GUI, you may use nmcli:
    Code:
    $ nmcli --fields ipv4.dns-priority,ipv6.dns-priority connection show vpngate_vpn484800360.opengw.net_tcp_1781
    ipv4.dns-priority:                      0
    ipv6.dns-priority:                      0
    $ nmcli connection modify vpngate_vpn484800360.opengw.net_tcp_1781 ipv4.dns-priority -1
    $ nmcli connection modify vpngate_vpn484800360.opengw.net_tcp_1781 ipv6.dns-priority -1
    $ nmcli --fields ipv4.dns-priority,ipv6.dns-priority connection show vpngate_vpn484800360.opengw.net_tcp_1781
    ipv4.dns-priority:                      -1
    ipv6.dns-priority:                      -1
    See man nm-settings and https://bugzilla.gnome.org/show_bug.cgi?id=758772 for background.

    There are some suggestions that using the internal NM dnsmasq supports split DNS, but it is up to you to evaluate whether this fits your requirements.
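
The following is an added example, not arvidjaar's code or anything shipped by NetworkManager. It wraps the nmcli procedure above in a small POSIX shell script that audits a VPN connection's dns-priority values, checks a resolv.conf for nameservers other than the VPN's (the symptom the original poster described), and applies the -1 fix. The connection name `my-vpn`, the VPN resolver `10.8.0.1` and the resolv.conf sample are constructed for illustration; `nmcli -t` is terse mode, which prints `ipv4.dns-priority:0` style lines.

```shell
#!/bin/sh
# Added example (not from the thread): audit and fix NetworkManager dns-priority
# for a VPN connection so that only the VPN's resolvers end up in resolv.conf.

# Return 0 when both ipv4 and ipv6 dns-priority are negative, 1 otherwise.
# $1: output of  nmcli -t -f ipv4.dns-priority,ipv6.dns-priority connection show "$con"
dns_priority_ok() {
    printf '%s\n' "$1" | awk -F: '
        /^ipv[46]\.dns-priority:/ { n++; if ($2 + 0 >= 0) bad++ }
        END { if (n == 2 && bad == 0) exit 0; exit 1 }'
}

# Print nameservers from resolv.conf text ($1) that are NOT in the
# space-separated allow list ($2, i.e. the resolvers pushed by the VPN).
# Anything printed here is a resolver that can still see your queries.
leaked_nameservers() {
    printf '%s\n' "$1" | awk -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^nameserver[ \t]/ && !($2 in ok) { print $2 }'
}

# Apply the fix from the thread: set both families to -1 and re-activate the
# connection so NetworkManager rewrites resolv.conf.  $1: connection name.
fix_vpn_dns_priority() {
    con="$1"
    nmcli connection modify "$con" ipv4.dns-priority -1 ipv6.dns-priority -1 || return 1
    nmcli connection down "$con" && nmcli connection up "$con"
}

# Constructed sample resembling the original poster's resolv.conf while the
# VPN is up: the router (192.168.1.1) is still listed next to the VPN resolver.
RESOLV_SAMPLE='# Generated by NetworkManager
nameserver 192.168.1.1
nameserver 10.8.0.1'

# Assumed VPN resolver for the sample above.
VPN_DNS="10.8.0.1"

# Stand-alone run against a live system (constructed connection name "my-vpn").
if [ "${1:-}" = "--live" ]; then
    con="${2:-my-vpn}"
    prio=$(nmcli -t -f ipv4.dns-priority,ipv6.dns-priority connection show "$con")
    if dns_priority_ok "$prio"; then
        echo "dns-priority already negative on $con"
    else
        echo "fixing dns-priority on $con"
        fix_vpn_dns_priority "$con"
    fi
    leaked_nameservers "$(cat /etc/resolv.conf)" "$VPN_DNS"
fi
```

Run it with `--live my-vpn` on a real host; without arguments it only defines the functions, which is what makes it usable as a library from other scripts. Note that `leaked_nameservers` only inspects the local resolver configuration; a resolver-side leak, such as the one ipleak.net reports, also depends on which resolver your system actually queries, so the resolv.conf check is a necessary but not a sufficient test.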

  3. #3

    Re: DNS leak, NetworkManager, openVPN

    Quote Originally Posted by arvidjaar:
    You need to set ipv{4,6}.dns-priority connection property to negative value on VPN connection. ...
    Hi,
    thank you for the help. I set up the priorities as you recommended; the corresponding files in /etc/NetworkManager/system-connections got entries dns-priority=-1 in the ipv{4,6} sections. But when I start/restart the connection the DNS seems to be still leaking.
    For example, when I connect to a VPN server located in Switzerland, ipleak.net detects two IP addresses for DNS servers: one is the same as my VPN "exit" address and the other one is a US address, 68.237.161.{231,173, ...}. One of the DNS server addresses configured in my router is 68.237.161.14. So the detected DNS server address sits on my ISP's network.
    I tested VPN connections to other servers belonging to different VPN providers. And the result is the same: at least one of the detected DNS servers sits on my ISP's network.

  4. #4

    Re: DNS leak, NetworkManager, openVPN

    I hadn't looked at this in quite a while personally, so I decided to look up the documentation.
    Surprisingly, I found that the ifconfig command is required in the latest/current openvpn configuration, else the DHCP option that specifies DNS servers won't work (!!).
    I'm unclear why this is a requirement (still musing about this), but it seems to be mentioned in a few articles, so it is likely a real requirement.
    This may need verification that someone hasn't implemented a custom fix outside of openvpn (e.g. either Network Manager or openSUSE), but openvpn by itself may require installing the legacy net-tools package.

    OpenVPN documentation
    https://openvpn.net/community-resour...r-openvpn-2-4/
    https://linux.die.net/man/8/openvpn

    Else, if you're using the VPN strictly as a way to access Internet resources without revealing your location and aren't using the VPN to access a private network (e.g. a corporate LAN), then I highly recommend allowing the DNS leak but encrypting your DNS traffic using dnscrypt-proxy (package available in openSUSE software search). The bottom line for this solution is the same as using DNS within the OpenVPN tunnel: your DNS traffic is encrypted and cannot be read by 3rd parties. Of course, the additional benefit of this solution is that your DNS is always encrypted whether you're using a VPN or not.

    TSU

  5. #5

    Re: DNS leak, NetworkManager, openVPN

    Hi, thank you for pointing to dnscrypt.

    Quote Originally Posted by tsu2:
    I hadn't looked at this in quite awhile personally, so decided to look up the documentation.
    Surprisingly, I found that the ifconfig command is required in the latest/current openvpn configuration, else the DHCP option that specifies DNS servers won't work (!!).
    I'm unclear why this is a requirement (still musing about this), but it seems to be mentioned in a few articles, so is likely a real requirement.
    TSU
    ifconfig is present in the system (package net-tools installed).

    I will take a look at dnscrypt and see if I am able to set it up. The corporate VPN is a different story; I only need an encrypted channel in that case. Often SSH is available and is a much better option for that purpose.
