leaking DNS requests when using openvpn

I’m new to Tumbleweed and used Mint and similar distributions previously.

I got openvpn working, but I still experience DNS leaks.

Mint etc. use a script called update-resolv-conf to update the nameservers, but that doesn’t seem to work with Tumbleweed.

How do I get this working?

I’m using KDE, but I would like to avoid yast and other GUI stuff.

What do you mean with this? What is a DNS leak?
You seem to think there is somthing wrong with your /etc/resolv.conf. Thus show it:

grep -v '^#' /etc/resolv.conf

YaST is not only available with a GUI, but also on the terminal with an ncurses interface, try (as root):


In any case, one important reason to prefer openSUSE above other distros is the availabliity of a good system management tool: YaST. Thus you better make yourself acqaintanced with it because many advice here will involve it’s usage.

https://en.wikipedia.org/wiki/DNS_leak … i.e. my computer uses my ISP’s DNS servers instead of my VPN provider’s.

grep -v '^#' /etc/resolv.conf


search local

But this is to be expected since openvpn can’t use resolvconf on Tumbleweed to update the DNS servers. (Since there is no resolvconf package.) The question is what Tumbleweed uses instead.

What I tried so far:

  • setting the NETCONFIG_DNS_STATIC_SERVERS variable in /etc/sysconfig/network/config
  • the /usr/share/doc/packages/openvpn/contrib/pull-resolv-conf/client.{up,down} scripts
  • setting the DNS servers in the networkmanager
    The first two actions showed no effect at all after a reboot. Setting the DNS servers had some limited effect. My computer used the DNS server that I provided, but only in addition to my ISP’s DNS servers. It didn’t replace them. Also I would have to do that for each and every one of my connections; cumbersome since the computer is a laptop and uses several wifi networks.

I wasn’t aware that yast can the used via a shell. Nevertheless I would prefer to solve this by editing text files. Unless yast can export my settings so that I can make a backup of them.

Okay, I got it. There is no resolvconf package needed. I try to write down the necessary steps:

  1. Download the VPN conf files etc. from your VPN provider.
    – I’m not going into details and assume that you know how to do this.
  2. Copy this stuff to /etc/openvpn (you must be root or using sudo!).
    In the following I assume that your VPN provider’s configuration file is called vpn1.conf
  3. sudo cp /usr/share/doc/packages/openvpn/contrib/pull-resolv-conf/client.up /etc/vpn1.up
    – Alter the target accordingly if necessary. This is the first script that you need.
  4. sudo cp /usr/share/doc/packages/openvpn/contrib/pull-resolv-conf/client.down /etc/vpn1.down
    – Alter the target accordingly if necessary. This is the second and last script that you need.
  5. Add

script-security 2
up /etc/openvpn/vpn1.up
down /etc/openvpn/vpn1.down

to /etc/openvpn/vpn1.conf.
– See also the “INSTALL NOTES” in /usr/share/doc/packages/openvpn/contrib/pull-resolv-conf/client.{up,down}. Note that they don’t mention “script-security 2”, but without that line openvpn isn’t allowed to call the scripts and therefore they won’t be used.
6) sudo chmod +x /etc/openvpn/vpn1.{up,down}
– Needed to make the scripts executable.

Now you are done and after a reboot everything should work.

Hope this helps!

edit: You might still experience leaking WebRTC request. If so you have to change your browser’s setting, but there are enough guides out there about this (and they work).

Sorry, I started this post about 6 hourse agom, but I my wife got an anaphylactic shoque and I had to call an amulance, etc. etc. All is well now.

I will send this off nevertheless.

Please dot make it difficult for yourself by seperating command and output. You only need to copy/paste onece, including the prompt, the command, the output and the next prompe. Then we see what you saw. The best communication. Example:

henk@boven:~> grep -v '^#' /etc/resolv.conf
search xs4all.nl

And you can of course edit /etc/resolv.conf using any editor you love. YaST does the same.

I see you were able to help yourself. Perfect!

So forget my delayed post above.

Yes and let’s hope it helps others too. After all it took me a while to figure it out.

Thanks for trying to help. I’m glad your wife is well again too.

First, this “DNS Leak” is a common issue for all VPNs (not just OpenVPN) if a DNS setting isn’t configured (defaults to use non-VPN DNS).

I guess the first question should be whether this is a VPN you are creating and managing or a VPN that is set up and provided by someone else? If you’re not managing the VPN, you can’t implement a proper fix, only workarounds.

If you’re managing the VPN
Then you can push your VPN DNS setting pointing to your own DNS using a “push” directive as described in the following OpenVPN documentation

And, found in the following sample Client configuration file

You can manually modify /etc/resolv.conf but of course any edits you make directly to this file will be erased on reboot, and as you’ve discovered your modified settings will apply all the time whether you’re connecting through your VPN or not.


IMHO the overwriting at network startup (at reboot or otherwise) will only happen if you ignore what is written in /etc/resolve.conf:

### Please remove (at least) this line when you modify the file!

The OP seems to want to fall back to old manual configuring. When not, you can of course use the files in /etc/sysconfig/network. In this case /etc/sysconfig/network/config where you will find several parameters:

boven:/etc/sysconfig/network # grep NETCONFIG_DNS  config
boven:/etc/sysconfig/network #

But I assume that that one is better managed by YaST.

However I must admit that I am not sure if the aversion of the OP against YaST is solely against using it’s GUI or againast using any management tools at all.

Note that the above makes changes to your DNS resolution that will affect <all> network connections, if your OpenVPN isn’t connected, you will likely have problems.


I should have stressed that the above does not take VPN into account, just the DNS configuration in the “normal” case.

Actually, the OP’s summation of what was required (for those not using NetworkManager) is nicely detailed in post #4.

This allowed the ‘pushed VPN DNS’ to be handled by the client. (Some distros provide utilities such as resolvconf or openresolv to maintain DNS and handle /etc/resolv.conf management for this kind of thing).

For example, this ArchWiki page