DNS Leak On SUSE Tumbleweed 64bit; NetworkManager, VyprVPN, WireGuard, OpenVPN, vpn.crt

Hello,

I’ve determined that I have a DNS leak with my NetworkManager. I need to solve this since I do sensitive work on my machine.

I saw in another thread someone posted a possible solution here, https://forums.opensuse.org/showthread.php/536471-DNS-leak-NetworkManager-openVPN post #2 specifically.

The author from post #2 wrote this:

“You need to set ipv{4,6}.dns-priority connection property to negative value on VPN connection. Default makes VPN DNS servers preferred but leaves both in resolv.conf. If this option is not exposed by your GUI, you may use nmcli:”

Code:

$ nmcli --fields ipv4.dns-priority,ipv6.dns-priority connection show vpngate_vpn484800360.opengw.net_tcp_1781 
ipv4.dns-priority:                      0
ipv6.dns-priority:                      0
$ nmcli  connection modify vpngate_vpn484800360.opengw.net_tcp_1781 ipv4.dns-priority -1
$ nmcli  connection modify vpngate_vpn484800360.opengw.net_tcp_1781 ipv6.dns-priority -1
$ nmcli --fields ipv4.dns-priority,ipv6.dns-priority connection show vpngate_vpn484800360.opengw.net_tcp_1781 
ipv4.dns-priority:                      -1
ipv6.dns-priority:                      -1

Now, in that output I can see that they are using vpngate; however, I’m not using vpngate but VyprVPN. I don’t even know how to run or implement that code. I’ve asked the folks at VyprVPN for support, but they don’t really deal with GNU/Linux so they couldn’t help me. I am also not so good with things like this in GNU/Linux, but I use SUSE since it’s very secure. Perhaps the above solution doesn’t apply anymore since it’s old, so if there is a new solution I would be very grateful for some help.

Here are a few links from VyprVPN/GoldenFrog that may be of use:

https://support.vyprvpn.com/hc/en-us/articles/360037721812-VyprVPN-OpenVPN-Setup-for-Linux-Ubuntu-
https://support.vyprvpn.com/hc/en-us/articles/360037728912

My system info:
Operating System: openSUSE Tumbleweed 20210803
KDE Plasma Version: 5.22.4
KDE Frameworks Version: 5.84.0
Qt Version: 5.15.2
Kernel Version: 5.13.6-1-default (64-bit)
Graphics Platform: X11
Processors: 4 × Intel® Core™ i5-2400 CPU @ 3.10GHz
Memory: 7.7 GiB of RAM
Graphics Processor: AMD OLAND
Thank you so much if you can help.
Regards.

How do you establish your VPN connection? Are you using NetworkManager or some third-party program?

I’m using the default network manager that comes with Tumbleweed. With a username, password, gateway url, and .crt file.

So you created a connection in NetworkManager for your VPN. Then just use the commands you found, replacing the connection name “vpngate_vpn484800360.opengw.net_tcp_1781” with the connection name that you have created. As you preferred to hide the actual connection name (for reasons I do not understand, but it is up to you), nobody can give you the exact commands to use.

Okay, here is the output from the terminal. At first I did the actual home network name with nmcli, but I realized that might prefer ISP DNS over VPN DNS, so I set that one back to zero from negative one. Then I ran nmcli for the VPN connection name and set it to negative one for both IPv4 and IPv6.

name@localhost:~> nmcli --fields ipv4.dns-priority,ipv6.dns-priority connection show NetworkName
ipv4.dns-priority:                      0
ipv6.dns-priority:                      0
name@localhost:~> nmcli connection modify NetworkName ipv4.dns-priority -1
name@localhost:~> nmcli connection modify NetworkName ipv6.dns-priority -1
name@localhost:~> nmcli --fields ipv4.dns-priority,ipv6.dns-priority connection show NetworkName
ipv4.dns-priority:                      -1
ipv6.dns-priority:                      -1
name@localhost:~> nmcli connection modify NetworkName ipv6.dns-priority 0
name@localhost:~> nmcli connection modify NetworkName ipv4.dns-priority 0
name@localhost:~> nmcli --fields ipv4.dns-priority,ipv6.dns-priority connection show NetworkName
ipv4.dns-priority:                      0
ipv6.dns-priority:                      0
name@localhost:~> nmcli --fields ipv4.dns-priority,ipv6.dns-priority connection show VyprVPNSanFrancisco
ipv4.dns-priority:                      0
ipv6.dns-priority:                      0
name@localhost:~> nmcli connection modify VyprVPNSanFrancisco ipv4.dns-priority -1
name@localhost:~> nmcli connection modify VyprVPNSanFrancisco ipv6.dns-priority -1
name@localhost:~> nmcli --fields ipv4.dns-priority,ipv6.dns-priority connection show VyprVPNSanFrancisco
ipv4.dns-priority:                      -1
ipv6.dns-priority:                      -1

Do I need to leave my home network set at 0 and the vpn network profile set at -1? Not -1 and -1 for former and latter?

(Note: If someone knows the name of a WiFi network that is connected to the web, they can look up that network name on public WiFi maps even if it’s a home network. Kind of scary, eh?)

Okay, I tested the connection with a DNS leak test, and the first test was good. After I disconnected and reconnected to test again, it was leaking again. The first test showed only 3 servers, all of which were from the VPN service. On the second test there were over 20 IP addresses from my ISP. So it is still leaking. I don’t know what could have caused the change between the first DNS leak test and the second DNS leak test.

Edit: Checked with nmcli. Dns-priority is back at 0. So it seems that the dns-priority resets to 0 after a disconnect. Is there a way to save the configuration after disconnect?
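The nmcli procedure from the reply above (set ipv4.dns-priority and ipv6.dns-priority on the VPN profile to a negative value), wrapped in a script that checks the saved value, applies it, and re-reads it after a disconnect/reconnect so that a reset like the one reported above shows up immediately. This is an added example and not part of the original thread; the connection name VyprVPNSanFrancisco and the check/fix subcommands are assumed, and the `nmcli --terse` output format ("field:value" per line) is what nmcli prints for `connection show`.

```shell
#!/bin/sh
# Check, set and re-verify dns-priority on a NetworkManager VPN profile.
# Added example, not from the thread. Usage:
#   ./vpn-dns-priority.sh check VyprVPNSanFrancisco
#   ./vpn-dns-priority.sh fix   VyprVPNSanFrancisco
# The profile name is whatever `nmcli connection show` lists for your VPN.

# Read terse `nmcli -t -f ipv4.dns-priority,ipv6.dns-priority connection show NAME`
# output ("field:value" per line) on stdin and print the value of one field.
priority_of() {
    awk -F: -v f="$1" '$1 == f { print $2 }'
}

# Return 0 when both address families have a negative priority in the terse
# output on stdin, i.e. the profile's DNS servers replace the base connection's
# servers in /etc/resolv.conf instead of being listed next to them.
priorities_ok() {
    out=$(cat)
    v4=$(printf '%s\n' "$out" | priority_of ipv4.dns-priority)
    v6=$(printf '%s\n' "$out" | priority_of ipv6.dns-priority)
    [ -n "$v4" ] && [ -n "$v6" ] && [ "$v4" -lt 0 ] && [ "$v6" -lt 0 ]
}

# Query the saved profile (not the active connection) for both priorities.
show_priorities() {
    nmcli --terse --fields ipv4.dns-priority,ipv6.dns-priority connection show "$1"
}

# Persist -1 for both families in one modify call.
fix_priorities() {
    nmcli connection modify "$1" ipv4.dns-priority -1 ipv6.dns-priority -1
}

main() {
    action="$1"; name="$2"
    case "$action" in
        check)
            if show_priorities "$name" | priorities_ok; then
                echo "$name: VPN DNS replaces base DNS (dns-priority negative)"
            else
                echo "$name: dns-priority not negative; base resolvers stay in /etc/resolv.conf"
                exit 1
            fi ;;
        fix)
            fix_priorities "$name"
            show_priorities "$name" | priorities_ok \
                || { echo "$name: modify did not persist"; exit 1; }
            # Reactivate the profile and re-read, so a value that does not
            # survive a disconnect is caught here rather than by a leak test.
            nmcli connection down "$name" >/dev/null 2>&1 || true
            nmcli connection up "$name"
            show_priorities "$name" | priorities_ok \
                || { echo "$name: dns-priority reset after reactivation"; exit 1; }
            echo "$name: dns-priority -1 for IPv4 and IPv6, verified after reconnect" ;;
        *)
            echo "usage: $0 check|fix CONNECTION_NAME" >&2; exit 2 ;;
    esac
}

# Only act when called with arguments, so the functions can be sourced on their own.
if [ $# -gt 0 ]; then main "$@"; fi
```

`nmcli connection up` on a VPN profile whose password is not stored will prompt for it (or fail without a terminal); run the fix step interactively. The check step only reads the saved profile, so it is safe to run at any time, including while the VPN is down.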

I would say “yes”, although it is something that you need to decide. It is important only if you may have multiple connections active at the same time (e.g. wireless and wired). A negative dns-priority for a connection replaces all DNS servers in /etc/resolv.conf with the DNS servers for this connection. A non-negative value adds DNS servers but leaves the existing ones. VPN always means at least two simultaneous connections: the “base” one (to reach the VPN server) and the VPN connection. So you need to tell NetworkManager to replace the DNS servers from the “base” connection with the DNS servers from the VPN connection.

In general if you are not sure you need to change something better not to change.

If someone knows the name of a WiFi network

I was not interested in your WiFi connection. We are talking about VPN here.

Show content of /etc/resolv.conf before and after VPN connection is established.

I briefly tested GNOME and KDE TW in default settings, and although the base DNS server is retained, VPN servers by default have a higher priority, so checks with https://ipleak.net/ do not show “my ISP servers”. This is expected, as by default the Linux resolver tries the first server listed in /etc/resolv.conf.

Applications can modify resolver behavior, in particular request server rotation, but setting ipv4.dns-priority to -1 leaves only the VPN DNS servers.
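The request a few posts up to compare /etc/resolv.conf before and after the VPN comes up, and the point just made about the resolver trying the first listed server unless rotation is requested, can be turned into a check that runs offline. This is an added example and not part of the thread; the three resolv.conf snapshots and the addresses in them (10.8.0.1 as the VPN's resolver, 192.168.1.1 as the home router) are constructed for illustration. The classification follows glibc's documented behavior: servers are tried in file order, and `options rotate` spreads queries across all of them.

```shell
#!/bin/sh
# Classify a resolv.conf against the VPN's DNS servers. Added example, not from the thread.
# Usage:  ./dns-leak-check.sh "10.8.0.1"      (space-separated VPN DNS servers)
# reads /etc/resolv.conf and prints ok / fallback / leak / none.

# Print the nameserver addresses from a resolv.conf read on stdin, in file order.
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }'
}

# Return 0 if the resolv.conf on stdin contains "options rotate"; with rotation
# enabled every listed server, not just the first, receives queries.
resolv_rotates() {
    awk 'BEGIN { r = 1 }
         $1 == "options" { for (i = 2; i <= NF; i++) if ($i == "rotate") r = 0 }
         END { exit r }'
}

# classify_resolv "VPN_SERVERS" "RESOLV_CONF_TEXT" prints one of:
#   ok        every nameserver belongs to the VPN
#   fallback  VPN server is first, but non-VPN servers remain (used on timeout)
#   leak      a non-VPN server is first, or rotate is on with non-VPN servers listed
#   none      no nameserver lines at all
classify_resolv() {
    vpn="$1"; conf="$2"
    total=0; foreign=0; first_foreign=0
    for ns in $(printf '%s\n' "$conf" | resolv_nameservers); do
        total=$((total + 1))
        case " $vpn " in
            *" $ns "*) ;;                                  # belongs to the VPN
            *) foreign=$((foreign + 1))
               if [ "$total" -eq 1 ]; then first_foreign=1; fi ;;
        esac
    done
    if [ "$total" -eq 0 ]; then echo none
    elif [ "$foreign" -eq 0 ]; then echo ok
    elif [ "$first_foreign" -eq 1 ]; then echo leak
    elif printf '%s\n' "$conf" | resolv_rotates; then echo leak
    else echo fallback
    fi
}

# Constructed snapshots (not captured from any real system):
# before the VPN, after the VPN with the default dns-priority 0, and after the
# VPN with dns-priority -1 on the VPN profile.
BEFORE_VPN='# Generated by NetworkManager
nameserver 192.168.1.1'
AFTER_VPN_DEFAULT='# Generated by NetworkManager
nameserver 10.8.0.1
nameserver 192.168.1.1'
AFTER_VPN_NEGATIVE='# Generated by NetworkManager
nameserver 10.8.0.1'
AFTER_VPN_ROTATE="$AFTER_VPN_DEFAULT
options rotate"

# With an argument, classify the live file against the given VPN servers.
if [ $# -gt 0 ]; then
    classify_resolv "$1" "$(cat /etc/resolv.conf)"
fi
```

Run it once before and once after `nmcli connection up` on the VPN profile: "fallback" is the default NetworkManager result described above (VPN first, ISP resolver still listed), and "ok" is what a negative dns-priority should give. If the only nameserver is a loopback stub such as 127.0.0.53 (systemd-resolved), the real upstreams are not in this file at all and `resolvectl status` has to be checked instead.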