Hello,
I’m trying to set up a vpn using openvpn and wireguard. I’m using Network Manager with the configuration files from my vpn provider’s website. While the connection is working, I’m getting dns leaks. Such a thing doesn’t happen on android with the wireguard app, so it’s not the vpn’s fault but a configuration issue. I want to use only the dns servers provided by the vpn. Looking at /etc/resolv.conf after connecting to the vpn I see two lines, of which the first line is the vpn nameserver’s ip address. The second line is the router’s ip address, which uses the isp’s dns servers. Checking on ipleak.net, I get most dns requests going through the vpn but still some through the isp’s dns servers. What should I change to fix the dns leak? If somebody knows the solution then I think it should be set as default in tumbleweed to avoid dns leaks for vpn users.
Thanks for helping
@piotrus3g does the vpn provider have a second dns ip address you can add? Check the vpn profile either via looking at the connection in /etc/NetworkManager/system-connections/ and check the dns= entry for the local router, edit as required. Or use nmtui or nm-connection-editor to tweak…
The vpn dns is probably the same as on my android phone. I understand that by local router you mean the router, not the vpn connection. If yes, then the router has only [ipv4] method=auto; it doesn’t have anything about dns, so I guess it’s automatic for the router.
The vpn connection however has these fields for ipv4:
address1=x.x.x.x/x
dns=x.x.x.x;
dns-search=~;
method=manual
@piotrus3g Is there a semi-colon at the end of the dns address? if not add one. Do you have a second to add from the VPN provider?
Edited so it looks the same as the config now
This server works, that’s from the vpn provider’s config file. I just want to use it as my only dns server when the vpn is active.
@piotrus3g I think if you add ignore-auto-dns in the ipv4 section it should get rid of the router one from that connection.
Set dns-priority in the VPN connection to a negative value. It will exclude all other DNS servers from other still active connections. See man nm-settings, search for dns-priority.
ignore-auto-dns=true doesn’t seem to fix the issue
All connections seem to default to dns-priority=0 in tumbleweed, but setting dns-priority to -1 on the vpn connection itself doesn’t solve the issue.
@malcolmlewis @arvidjaar I think I found a solution on the arch wiki. This is an article for my vpn provider https://wiki.archlinux.org/title/Mullvad. I only had to install dnsmasq and create a file /etc/NetworkManager/conf.d/dns.conf containing:
[main]
dns=dnsmasq
I’m not sure if it’s the optimal solution but for now I’m not getting leaks. So the options discussed before don’t fix the issue.
But I have another question. I don’t know if it works the other way around, but I can’t do dns lookups with ipv6 only: drill -6 example.com. They say that it won’t work properly https://wiki.archlinux.org/title/NetworkManager#IPv6, but is ipv6 dns used at all?
Another question is about DNSSEC. The configuration instructions mention something about breaking queries to servers that don’t use DNSSEC https://wiki.archlinux.org/title/NetworkManager#DNSSEC. But is it actually used at all by default, or is it an additional security feature that isn’t necessary?
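A small audit script, added here as an illustration (not from this thread, from NetworkManager, or from the vpn provider), that checks the two conditions discussed above: whether /etc/resolv.conf lists a nameserver that is not in the VPN connection’s dns= entry, and whether the VPN connection’s dns-priority is negative as man nm-settings describes. The keyfile and resolv.conf contents are constructed samples with placeholder addresses.

```python
import configparser

# Constructed sample inputs (placeholder addresses, not from any real provider):
# a VPN keyfile with the [ipv4] fields quoted in the thread, and a resolv.conf
# with the two nameserver lines the poster saw (VPN resolver, then the router).
VPN_KEYFILE = """[connection]
id=vpn-example
type=wireguard

[ipv4]
address1=10.64.0.2/32
dns=10.64.0.1;
dns-search=~;
method=manual
"""
RESOLV_CONF = "nameserver 10.64.0.1\nnameserver 192.168.1.1\n"


def parse_ipv4_section(keyfile_text):
    """Return the [ipv4] section of a NetworkManager keyfile as a dict."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(keyfile_text)
    return dict(cp["ipv4"]) if cp.has_section("ipv4") else {}


def resolv_nameservers(resolv_text):
    """Extract the addresses of all 'nameserver' lines in resolv.conf content."""
    servers = []
    for line in resolv_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def audit_dns_leak(keyfile_text, resolv_text):
    """Return a list of findings; an empty list means no leak condition was seen."""
    ipv4 = parse_ipv4_section(keyfile_text)
    vpn_dns = {s for s in ipv4.get("dns", "").split(";") if s}
    findings = []
    # Any resolver outside the VPN's dns= list is a candidate for leaking queries.
    foreign = [ns for ns in resolv_nameservers(resolv_text) if ns not in vpn_dns]
    if foreign:
        findings.append("non-VPN nameservers in resolv.conf: " + ", ".join(foreign))
    # man nm-settings: a negative dns-priority excludes DNS servers of connections
    # with a greater priority value, so the default of 0 keeps the router's servers.
    if int(ipv4.get("dns-priority", "0")) >= 0:
        findings.append("dns-priority on the VPN connection is not negative")
    return findings


if __name__ == "__main__":
    for finding in audit_dns_leak(VPN_KEYFILE, RESOLV_CONF):
        print("FINDING:", finding)
```

On a real system, feed it the VPN file from /etc/NetworkManager/system-connections/ and the live /etc/resolv.conf; a clean result still only means the static configuration looks right, so confirm with a leak test while connected.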
If security for you is necessary, you better go with something like Tails OS.
Yes, I also find it fun to understand how things can be done better, but in the end what is way more important is that the government sets rules so privacy is preserved, so I also support an organization that is campaigning for that.
For DNS security you might want to have a look at dnscrypt-proxy, according to zypper “A tool for securing communications between a client and a DNS resolver”, I have that running.