leaking DNS requests when using openvpn

I’m new to Tumbleweed and used Mint and similar distributions previously.

I got openvpn working, but I still experience DNS leaks.

Mint etc. use a script called update-resolv-conf to update the nameservers, but that doesn’t seem to work with Tumbleweed.

How do I get this working?

I’m using KDE, but I would like to avoid yast and other GUI stuff.

What do you mean with this? What is a DNS leak?
You seem to think there is something wrong with your /etc/resolv.conf. Thus show it:

grep -v '^#' /etc/resolv.conf

YaST is not only available with a GUI, but also on the terminal with an ncurses interface, try (as root):

yast

In any case, one important reason to prefer openSUSE over other distros is the availability of a good system management tool: YaST. Thus you had better make yourself acquainted with it, because much advice here will involve its usage.

https://en.wikipedia.org/wiki/DNS_leak … i.e. my computer uses my ISP’s DNS servers instead of my VPN provider’s.

grep -v '^#' /etc/resolv.conf

returns

search local
nameserver 192.168.0.1

But this is to be expected since openvpn can’t use resolvconf on Tumbleweed to update the DNS servers. (Since there is no resolvconf package.) The question is what Tumbleweed uses instead.

What I tried so far:

  • setting the NETCONFIG_DNS_STATIC_SERVERS variable in /etc/sysconfig/network/config
  • the /usr/share/doc/packages/openvpn/contrib/pull-resolv-conf/client.{up,down} scripts
  • setting the DNS servers in the networkmanager

The first two actions showed no effect at all after a reboot. Setting the DNS servers had some limited effect: my computer used the DNS server that I provided, but only in addition to my ISP’s DNS servers. It didn’t replace them. Also I would have to do that for each and every one of my connections; cumbersome since the computer is a laptop and uses several wifi networks.

I wasn’t aware that yast can be used via a shell. Nevertheless I would prefer to solve this by editing text files, unless yast can export my settings so that I can make a backup of them.

Okay, I got it. No resolvconf package is needed. I’ll try to write down the necessary steps:

  1. Download the VPN conf files etc. from your VPN provider.
    – I’m not going into details and assume that you know how to do this.
  2. Copy this stuff to /etc/openvpn (you must be root or using sudo!).
    In the following I assume that your VPN provider’s configuration file is called vpn1.conf
  3. sudo cp /usr/share/doc/packages/openvpn/contrib/pull-resolv-conf/client.up /etc/openvpn/vpn1.up
    – Alter the target accordingly if necessary. This is the first script that you need.
  4. sudo cp /usr/share/doc/packages/openvpn/contrib/pull-resolv-conf/client.down /etc/openvpn/vpn1.down
    – Alter the target accordingly if necessary. This is the second and last script that you need.
  5. Add

script-security 2
up /etc/openvpn/vpn1.up
down /etc/openvpn/vpn1.down

    to /etc/openvpn/vpn1.conf.
    – See also the “INSTALL NOTES” in /usr/share/doc/packages/openvpn/contrib/pull-resolv-conf/client.{up,down}. Note that they don’t mention “script-security 2”, but without that line openvpn isn’t allowed to call the scripts and therefore they won’t be used.
  6. sudo chmod +x /etc/openvpn/vpn1.{up,down}
    – Needed to make the scripts executable.

Now you are done and after a reboot everything should work.

Hope this helps!

edit: You might still experience leaking WebRTC requests. If so, you have to change your browser’s settings, but there are enough guides out there about this (and they work).

Sorry, I started this post about 6 hours ago, but my wife got an anaphylactic shock and I had to call an ambulance, etc. etc. All is well now.

I will send this off nevertheless.
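To make visible what the up/down scripts in the steps above actually work with, here is an added example (my own, not the thread’s and not the pull-resolv-conf script itself). OpenVPN hands every pushed “dhcp-option” to the up script as environment variables foreign_option_1, foreign_option_2, ..., e.g. the result of a server-side push "dhcp-option DNS 10.8.0.1". The first function builds resolv.conf content from those variables only, and fails if the server pushed no DNS server at all (in which case the old file with the ISP resolvers would stay in place, i.e. the leak). The second function is the check a practitioner would run after connecting: every nameserver still listed must be one the VPN pushed. The addresses and domain used in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Mimics what an OpenVPN "up" script sees:
# OpenVPN exports each pushed option as foreign_option_N, e.g.
#   foreign_option_1='dhcp-option DNS 10.8.0.1'
#   foreign_option_2='dhcp-option DOMAIN vpn.example'
# (values here are constructed; script-security 2 is still needed in the
# client config for OpenVPN to call any up/down script at all).

# Print a resolv.conf body built only from the pushed options.
# Returns 1 when no DNS server was pushed, so the caller can refuse to
# leave the ISP resolvers in /etc/resolv.conf silently.
vpn_resolv_conf() {
    i=1
    servers=""
    domains=""
    while :; do
        eval "opt=\${foreign_option_$i:-}"
        [ -n "$opt" ] || break
        case "$opt" in
            "dhcp-option DNS "*)    servers="$servers ${opt#"dhcp-option DNS "}" ;;
            "dhcp-option DOMAIN "*) domains="$domains ${opt#"dhcp-option DOMAIN "}" ;;
        esac
        i=$((i + 1))
    done
    [ -n "$servers" ] || return 1
    printf '# generated by openvpn up script; do not edit by hand\n'
    [ -z "$domains" ] || printf 'search%s\n' "$domains"
    for s in $servers; do
        printf 'nameserver %s\n' "$s"
    done
}

# Leak check: read a resolv.conf body on stdin; $1 is the space-separated
# list of resolvers the VPN pushed. Returns 1 if any other nameserver
# (e.g. the router 192.168.0.1 from the original post) is still listed.
resolv_conf_leak_free() {
    allowed=" $1 "
    leak=0
    while read -r key val _; do
        [ "$key" = nameserver ] || continue
        case "$allowed" in
            *" $val "*) ;;
            *) leak=1 ;;
        esac
    done
    return $leak
}

# Demo with constructed pushed options, run in a subshell so the variables
# do not leak into the caller's environment.
(
    foreign_option_1='dhcp-option DNS 10.8.0.1'
    foreign_option_2='dhcp-option DOMAIN vpn.example'
    foreign_option_3='dhcp-option DNS 10.8.0.2'
    export foreign_option_1 foreign_option_2 foreign_option_3
    vpn_resolv_conf
    if vpn_resolv_conf | resolv_conf_leak_free "10.8.0.1 10.8.0.2"; then
        echo "ok: only VPN resolvers listed"
    fi
    if printf 'search local\nnameserver 192.168.0.1\n' | resolv_conf_leak_free "10.8.0.1 10.8.0.2"; then
        echo "unexpected"
    else
        echo "leak: non-VPN resolver still present"
    fi
)
```

On a real system the check is: after the tunnel is up, run `grep -v '^#' /etc/resolv.conf` and feed it to the second function with the servers your provider pushes (visible in the OpenVPN log as PUSH_REPLY dhcp-option lines); if it fails, the up script did not run, which in this thread always came down to the missing “script-security 2” line or a script that was not executable.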

Please don’t make it difficult for yourself by separating command and output. You only need to copy/paste once, including the prompt, the command, the output and the next prompt. Then we see what you saw. The best communication. Example:

henk@boven:~> grep -v '^#' /etc/resolv.conf
search xs4all.nl
nameserver 194.109.6.66
nameserver 194.109.9.99
nameserver 194.109.104.104
henk@boven:~>

And you can of course edit /etc/resolv.conf using any editor you love. YaST does the same.

I see you were able to help yourself. Perfect!

So forget my delayed post above.

Yes and let’s hope it helps others too. After all it took me a while to figure it out.

Thanks for trying to help. I’m glad your wife is well again too.

First, this “DNS Leak” is a common issue for all VPNs (not just OpenVPN) if a DNS setting isn’t configured (defaults to use non-VPN DNS).

So,
I guess the first question should be whether this is a VPN you are creating and managing or a VPN that is set up and provided by someone else? If you’re not managing the VPN, you can’t implement a proper fix, only workarounds.

If you’re managing the VPN
Then you can push your VPN DNS setting pointing to your own DNS using a “push” directive as described in the following OpenVPN documentation
https://openvpn.net/index.php/open-source/documentation/howto.html#dhcp

And, found in the following sample Client configuration file
https://openvpn.net/index.php/open-source/documentation/howto.html#client

Otherwise,
You can manually modify /etc/resolv.conf but of course any edits you make directly to this file will be erased on reboot, and as you’ve discovered your modified settings will apply all the time whether you’re connecting through your VPN or not.

HTH,
TSU

IMHO the overwriting at network startup (at reboot or otherwise) will only happen if you ignore what is written in /etc/resolv.conf:

### Please remove (at least) this line when you modify the file!

The OP seems to want to fall back to old manual configuring. If not, you can of course use the files in /etc/sysconfig/network. In this case /etc/sysconfig/network/config, where you will find several parameters:

boven:/etc/sysconfig/network # grep NETCONFIG_DNS  config
NETCONFIG_DNS_POLICY="auto"
NETCONFIG_DNS_FORWARDER="resolver"
NETCONFIG_DNS_FORWARDER_FALLBACK="yes"
NETCONFIG_DNS_STATIC_SEARCHLIST="xs4all.nl"
NETCONFIG_DNS_STATIC_SERVERS="194.109.6.66 194.109.9.99 194.109.104.104"
NETCONFIG_DNS_RANKING="auto"
NETCONFIG_DNS_RESOLVER_OPTIONS=""
NETCONFIG_DNS_RESOLVER_SORTLIST=""
boven:/etc/sysconfig/network #

But I assume that that one is better managed by YaST.

However I must admit that I am not sure if the aversion of the OP against YaST is solely against using its GUI or against using any management tools at all.

Note that the above makes changes to your DNS resolution that will affect <all> network connections; if your OpenVPN isn’t connected, you will likely have problems.

TSU

I should have stressed that the above does not take VPN into account, just the DNS configuration in the “normal” case.

Actually, the OP’s summation of what was required (for those not using NetworkManager) is nicely detailed in post #4.

This allowed the ‘pushed VPN DNS’ to be handled by the client. (Some distros provide utilities such as resolvconf or openresolv to maintain DNS and handle /etc/resolv.conf management for this kind of thing).

For example, this ArchWiki page
https://wiki.archlinux.org/index.php/OpenVPN#DNS