DNS leak, NetworkManager, openVPN

bryga · June 19, 2019, 5:18am

Hi all,
I am having a problem with openVPM + NetworkManager - DNS leak. I launch an openVPN connection either from Network Manager applet or using nmcli. To verify that there is (or there are no) DNS leak I use https://ipleak.net/.

I noticed that while there is no VPN connection , /etc/resolv.conf file has only one nameserver entry, 192.168.1.1 (my router). When an openVPN connection is up there are 2 entries for nameservers, one is 192.168.1.1 and the other one supplied by VPN server. Am I right to conclude that the fact that local router’s IP (192.168.1.1) stays in resolv.conf is what causing the DNS leak?
When I manually edit the file and leave only nameserver provided by VPN provider, the DNS leak does not go away. Do I need to restart any services for that to take an effect?

Ultimately I want to have no DNS leaks. How do I fix this ?

Will be greatful for any suggestions or links.

arvidjaar · June 19, 2019, 5:58am

You need to set ipv{4,6}.dns-priority connection property to negative value on VPN connection. Default makes VPN DNS servers preferred but leaves both in resolv.conf. If this option is not exposed by your GUI, you may use nmcli:

$ nmcli --fields ipv4.dns-priority,ipv6.dns-priority connection show vpngate_vpn484800360.opengw.net_tcp_1781 
ipv4.dns-priority:                      0
ipv6.dns-priority:                      0
$ nmcli  connection modify vpngate_vpn484800360.opengw.net_tcp_1781 ipv4.dns-priority -1
$ nmcli  connection modify vpngate_vpn484800360.opengw.net_tcp_1781 ipv6.dns-priority -1
$ nmcli --fields ipv4.dns-priority,ipv6.dns-priority connection show vpngate_vpn484800360.opengw.net_tcp_1781 
ipv4.dns-priority:                      -1
ipv6.dns-priority:                      -1

See man nm-settings and https://bugzilla.gnome.org/show_bug.cgi?id=758772 for background.

There are some suggestions that using internal NM dnsmasq supports split DNS, but it is up to you to evaluate whether this fits your requiremenrs.

bryga · June 19, 2019, 5:07pm

Hi,
thank you for the help. I set up priorities as you recommended, the corresponding files in /etc/NetworkManager/system-connections got entries dns-priority=-1 in ipv{4,6} sections. But when I start/restart connection the DNS seems to be still leaking.
For example, when I connect to a VPN server located in Switzerland ipleak.net detects two IP addresses for DNS servers - one is same as my VPN “exit” address and the other one is an US address, 68.237.161.{231,173, …}. One of the DNS server addresses that are configured in my router is 68.237.161.14. So the detected DNS server address sits on my ISP network.
I tested vpn connections to other servers belonging to different VPN providers. And result is the same - at least one of the detected DNS servers sit on my ISP network.

tsu2 · June 19, 2019, 5:21pm

I hadn’t looked at this in quite awhile personally, so decided to look up the documentation.
Surprisingly, I found that the ifconfig command is required in the latest/current openvpn configuration, else the DHCP option that specifies DNS servers won’t work (!!).
I’m unclear why this is a requirement (still musing about this), but it seems to be mentioned in a few articles, so is likely a real requirement.
May need verification that someone hasn’t implemented a custom fix outside of openvpn (eg either Network Manager or openSUSE), but openvpn by itself may require installing the legacy net tools package.

OpenVPN documentation
https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/
https://linux.die.net/man/8/openvpn

Else, if you’re using the VPN strictly as a way to access Internet resources without revealing your location and aren’t using the VPN to access a private network (eg corporate LAN), then I highly recommend allowing the DNS leak but encrypting your DNS traffic using dnscrypt-proxy (package available in openSUSE software search). The bottom line for this solution is the same as using DNS within the OpenVPN tunnel… your DNS traffic is encrypted and cannot be read by 3rd parties. of course the additional benefit of this solution is that your DNS is always encrypted whether you’re using a VPN or not.

TSU

bryga · June 19, 2019, 6:30pm

Hi, thank you for pointing to dnscrypt.

ifconfig is present in the system (package net-tools installed).

I will take a look at dnscrypt and see if I able to set it up. The corporate VPN is a different story, I only need an encrypted channel in that case. Often SSH is available and is a much better option for that purpose.

7syntax.error · July 28, 2021, 8:04am

Can someone help me with this? I am having a dns leak. How do I configure:

You need to set ipv{4,6}.dns-priority connection property to negative value on VPN connection. Default makes VPN DNS servers preferred but leaves both in resolv.conf. If this option is not exposed by your GUI, you may use nmcli:
How do I do this? ^^^^^

My System
Operating System: openSUSE Tumbleweed 20210724
KDE Plasma Version: 5.22.3
KDE Frameworks Version: 5.84.0
Qt Version: 5.15.2
Kernel Version: 5.13.4-1-default (64-bit)
Graphics Platform: X11
Processors: 4 × Intel® Core™ i5-2400 CPU @ 3.10GHz
Memory: 7.7 GiB of RAM
Graphics Processor: AMD OLAND

hcvv · July 28, 2021, 10:29am

This thread is two years old and Tumbleweed has gone a long way since.
Also a new thread will probably draw the attention of people that look for new subjects much better then the end of an old thread where almost nobody looks.

So, please start a new thread, with a good title. That is the way to advertise your problem.

This thread is closed.