
I've just set up an OpenVPN server. It connects fine and all, but after a check on dnsleaktest.com, I've discovered there is a DNS leak. I've searched for solutions, and could only come up with these few lines:

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

They did not help the situation. Here is my client config file:

client
dev tun
proto udp
remote **SERVER IP ADDRESS CENSORED** 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
remote-cert-tls server
cipher AES-128-CBC
auth SHA256
comp-lzo
verb 3
key-direction 1
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

Here is my resolv.conf files, for both my client and server:

Client:

nameserver 127.0.0.1

Server:

nameserver 8.8.8.8

P.S. I'm not using the GNOME network manager; I'm using the CLI, which confuses me as to why I have a DNS leak.

slm
pharmish
  • Are you trying to have the client change the resolver it uses or just use the same resolver over OpenVPN? What resolver software is running on the client? – Torin Jun 17 '18 at 14:37
  • @TorinCarey I'm trying to get the server to push certain dns settings to the client machine. The client receives instructions for what to change, but it just doesn't. Update-resolv-conf isn't updating resolv.conf. – pharmish Jun 17 '18 at 17:21
  • @HarryJohnston Block-outside-dns is for Windows, my client is on Ubuntu. The results of the test show my client's dns servers, not the pushed ones. – pharmish Jun 17 '18 at 17:21
  • 1
    You may be missing the package `resolvconf`. The `update-resolv-conf` script doesn't directly touch the file. – Torin Jun 17 '18 at 18:07
  • @pharmish, you're right about block-outside-dns, I should have checked the documentation. So I take it that when you run the test on the server you see Google name servers and when you run it on the client you see your ISP's name servers? – Harry Johnston Jun 17 '18 at 21:24
  • @HarryJohnston Yes – pharmish Jun 18 '18 at 02:09
  • @TorinCarey Resolvconf is installed – pharmish Jun 18 '18 at 02:10
  • Are you pushing the DNS config to the client from the server using `push`? – Torin Jun 18 '18 at 09:38
  • @TorinCarey I've tried push, and putting it in the client config manually. Neither work. But like I said, I can see in the console, the client receives the push instructions from the server. – pharmish Jun 18 '18 at 14:39

1 Answer

There is nothing in your configuration that indicates how you are actually directing your client's DNS requests over the VPN connection. You can set the client's nameservers to localhost/127.0.0.1, but whatever resolver is listening on 127.0.0.1:53 is still going to need to forward DNS requests to an outside resolver.

In your client config you could use the combination

--redirect-gateway

--dhcp-option DNS 10.8.0.1 (or whatever the server's address happens to be)

Or, for more granular control, and if you don't want to direct all traffic over the VPN tunnel, you could use the mangle/prerouting chain to mark packets with destination port 53 and then add a rule (ip rule add fwmark (mark value) table VPN_TABLE) that directs marked packets to a routing table that has its default gateway set to your client's tun's peer address.

cburn11