Knighthammer Posted ...
Can someone please help me understand how to read the ipleak.net results? I don't know how to determine if a leak exists.
OpenSourcerer Posted ...
Your IP address shows the IP you opened ipleak.net with. If you are connected to a VPN server, this should show the server's IP. If not, you've got an IP address leak. Check if OpenVPN really is connected.

Your IP address - WebRTC detection tries to get your IP by using the WebRTC functionality of your browser. If Your IP address shows the one of the server you connected to, but you see your real IP here, you've got an IP address leak. Generally this is a useful feature, but it completely "ignores" OpenVPN's settings and connection. It's therefore a good idea to disable it in your browser when you use a VPN service like AirVPN. Scroll down to the bottom of the site to see some brief How-Tos.

DNS address detection tries to detect which DNS servers are used to resolve ipleak.net. Seeing only one server - the IP you see in Your IP address - is the best result. If you see more, or if you don't see it at all, you've probably got a DNS leak. Probably, because real leaks are technically possible only on Windows. On Linux and Mac, seeing more than one DNS server might just be a misconfiguration thing.

Torrent address detection is there to check what data your torrent client sends to ipleak.net. This test is used by torrent client users (uTorrent, Transmission, qBittorrent and the like) and is of no use to those who don't use one. That's why you need to activate it manually by clicking on the button. You should see the same IP as in Your IP address. If not, your client has got an IP address leak: it either uses a proxy or is misconfigured.

Geolocation detection tries to determine your current location regardless of your OpenVPN connection. It uses some features of your browser's HTML5 functionality to discover it. Generally, the result should not be too close to your real location, or should even tell you geolocation is not supported by your browser. If you see your location, you've got a location leak. This feature can be disabled in some browsers, too.

The other outputs are details of Your IP address, geolocation of Your IP address and some geek info about your browser. They are not important, unless you're paranoid and would like to make your browser fingerprint as common as possible to mitigate correlation "attacks". You can find many many many many guides on this on the forums (have I already said there are many?). If you want me to help, just ask. And also ask if something is unclear.

NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT. LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too! Want to contact me directly? All relevant methods are on my About me page.
starkerphoenix Posted ...
Thank you for that information. I am using OpenVPN on my OpenWRT router, but on the router I use a manual OpenDNS server config. ipleak.net reports the DNS servers of my ISP, so I am doing something wrong. Should I not use the OpenDNS manual config on my OpenWRT box? How can I make sure the ISP cannot see DNS requests in this case?
dj77 Posted ...
Can you post a screenshot of the DNS configuration page (OpenWrt)?
starkerphoenix Posted ...
Wow, I just finished some battle to fix my DNS leak. I hope this info can help other OpenWRT users. I connect to AirVPN on port 80 or 443 UDP, so my DNS servers had to be 10.4.0.1 or 10.6.0.1 for my internal VLAN, br-lan (this is br0 for DD-WRT users, I think).

On the command line of your OpenWRT box, edit /etc/config/dhcp and add the following two lines to the top "config dnsmasq" section:

    list server '10.4.0.1'
    list server '10.6.0.1'

Then add this line to the config dhcp 'lan' section:

    list dhcp_option '6,10.4.0.1,10.6.0.1'

According to tests at ipleak.net and dnsleaktest.com, this fixed my DNS leaks. Again, change your DNS server IP based on which ports you connect to AirVPN on, according to the info at https://airvpn.org/specs at the bottom of the page.

If you want to configure this via the LuCI web interface, go to Network --> Interfaces --> LAN and scroll to the bottom where it says DHCP Server, then click on the Advanced Settings tab. What you need to edit is the DHCP-Options field (I added 6,10.4.0.1,10.6.0.1).

Also, I denied all traffic to/from my LAN if the VPN is not enabled by creating a new file /etc/firewall.user:

    # LAN <-> tunnel forwarding is allowed; LAN -> WAN (eth0.2) is dropped so
    # nothing bypasses the VPN when tun0 is down
    iptables -I FORWARD -i br-lan -o tun0 -j ACCEPT
    iptables -I FORWARD -i tun0 -o br-lan -j ACCEPT
    iptables -I FORWARD -i br-lan -o eth0.2 -j DROP
    # Refuse unsolicited connections arriving from the tunnel side
    iptables -I INPUT -i tun0 -j REJECT
    # Hide LAN clients behind the tunnel address
    iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
    # nat OUTPUT matches only the router's own DNS queries (e.g. dnsmasq upstream lookups)
    iptables -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to 10.4.0.1:53
    iptables -t nat -A OUTPUT -p tcp --dport 53 -j DNAT --to 10.4.0.1:53
    # Queries from LAN clients are forwarded, not generated, and traverse nat PREROUTING;
    # these redirect them as well, whatever resolver the client has configured
    iptables -t nat -A PREROUTING -i br-lan -p udp --dport 53 -j DNAT --to 10.4.0.1:53
    iptables -t nat -A PREROUTING -i br-lan -p tcp --dport 53 -j DNAT --to 10.4.0.1:53

(The port-53 DNAT lines are credit of user zhang888, who suggested them to force clients to use AirVPN DNS servers even if their local config is different.) Again, if you just want to do this with the LuCI web UI, you can go to Network --> Firewall --> Custom Rules and paste your iptables lines there. They will be applied every time the firewall restarts, making sure your computers do not leak if the VPN is not active.

I hope this helps another OpenWRT user who wants to run OpenVPN on their router!
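An added audit (example code, not from the thread or from AirVPN/OpenWrt) that applies the rule above to an /etc/config/dhcp fragment: it derives the resolver for the /16 that tun0 landed in (10.N.0.1), collects every server dnsmasq forwards to or hands out via DHCP option 6, and sorts them into on-link, other VPN-internal (routed into the tunnel only by the pushed default route) and external. The 10.0.0.0/8 range, the sample fragment and the 203.0.113.53 entry are constructed assumptions.

```python
"""Audit an OpenWrt dnsmasq config against the AirVPN resolver of the tunnel's /16."""
import ipaddress
import re

VPN_INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed AirVPN tunnel range

# Constructed /etc/config/dhcp fragment: the thread's two servers plus one made-up
# external resolver (203.0.113.53) so the audit has something to flag.
DHCP_CONFIG = """
config dnsmasq
\tlist server '10.4.0.1'
\tlist server '10.6.0.1'
\tlist server '203.0.113.53'

config dhcp 'lan'
\tlist dhcp_option '6,10.4.0.1,10.6.0.1'
"""

def expected_resolver(tun_cidr):
    """AirVPN's DNS is the gateway of the /16 the tunnel landed in: 10.N.0.1."""
    return str(ipaddress.ip_interface(tun_cidr).network.network_address + 1)

def uci_resolvers(config_text):
    """Every resolver dnsmasq forwards to (list server) or hands out (DHCP option 6)."""
    servers = set(re.findall(r"list server '([^']+)'", config_text))
    for opt in re.findall(r"list dhcp_option '6,([^']+)'", config_text):
        servers.update(opt.split(","))
    return servers

def classify(tun_cidr, config_text):
    """Sort configured resolvers by how a query to them leaves the router.

    on_link:    gateway of tun0's own /16, always reachable inside the tunnel
    via_tunnel: other 10.x gateways, reached only because the pushed default
                route points into tun0 (so they stop answering when the VPN is down)
    external:   public/ISP resolvers; ipleak.net shows these instead of the VPN
                server, and with the tunnel down they go straight to the ISP
    """
    tun = ipaddress.ip_interface(tun_cidr)
    result = {"on_link": [], "via_tunnel": [], "external": []}
    for server in sorted(uci_resolvers(config_text), key=ipaddress.ip_address):
        addr = ipaddress.ip_address(server)
        if addr in tun.network:
            result["on_link"].append(server)
        elif addr in VPN_INTERNAL:
            result["via_tunnel"].append(server)
        else:
            result["external"].append(server)
    return result
```

Run `classify("10.6.23.45/16", DHCP_CONFIG)` against the address `ip -4 addr show tun0` reports; anything under `external` is what the ISP-resolver result on ipleak.net comes from.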
OpenSourcerer Posted ...
DNS server is always reachable on 10.4.0.1. Don't know if there's a daemon listening on 10.6.0.1, but you should edit out this one.

(Sent via Tapatalk - this generally means I'm not sitting in front of my PC)
starkerphoenix Posted ...
> DNS server is always reachable on 10.4.0.1. Don't know if there's a daemon listening on 10.6.0.1, but you should edit out this one.

Some of the "remote" lines in my OpenVPN config connect to AirVPN servers on port 80 UDP. If you connect on port 80 UDP, then tun0 is assigned a 10.6.x.x/16 address, meaning the DNS server should be 10.6.0.1. All of my remote lines are either port 80 or 443 on UDP, which is why I chose those two DNS servers. If you connect to AirVPN on different ports (or TCP) then yes indeed, you must change the DNS server to match your setup.

Also, if you add a firewall zone in OpenWRT's /etc/config/firewall file for the VPN tunnel, be SURE to enable Masquerading, like this section here:

    config zone
        option name 'vpn'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option output 'ACCEPT'
        option network 'vpn'
        option masq '1'

Without Masquerading enabled, none of my client machines connected to the br-lan VLAN could access the Internet. This section above in the firewall config assumes you have a corresponding section in /etc/config/network that defines an interface called 'vpn', like this:

    config interface 'vpn'
        option ifname 'tun0'
        option proto 'none'
OpenSourcerer Posted ...
> the DNS server should be 10.6.0.1

Well, you're right. I can also query 10.5.0.1, 6.0.1, 7.0.1, ... I think they're all pointing to the same daemon. Well then, config it the way you want, I'm fine with 10.4.0.1.
zhang888 Posted ...
Just a small note, if you want all users to use -only- your configured DNS, and not be able to bypass that by a static DNS that was previously set in the network adapter or whatsoever, a simple iptables rule will work for you:

    iptables -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to 10.4.0.1:53
    iptables -t nat -A OUTPUT -p tcp --dport 53 -j DNAT --to 10.4.0.1:53

Then, if someone had 8.8.8.8 hardcoded in his network adapter, this request will be intercepted and sent to the 10.4.0.1 resolver, and the response will be forwarded back just like it came from the original (i.e. 8.8.8.8) server. This way users cannot bypass your global leak-proof policy.

Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.
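A check a router admin would want before trusting the policy above (added example, not from the thread): it reads an `iptables -t nat -S` listing and reports which (chain, protocol) slots lack a port-53 DNAT to the VPN resolver. The nat OUTPUT chain only sees packets the router itself generates; queries forwarded from LAN clients traverse PREROUTING, so both chains are checked. The listing, the br-lan name and the 10.4.0.1 target are constructed to match the posted rules.

```python
"""Check `iptables -t nat -S` output for a DNS redirect that covers LAN clients too."""
import re

# Constructed `iptables -t nat -S` listing: the two OUTPUT rules as posted in the
# thread, plus a PREROUTING rule for UDP only, so the missing TCP slot shows up.
NAT_RULES = """\
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A PREROUTING -i br-lan -p udp -m udp --dport 53 -j DNAT --to-destination 10.4.0.1:53
-A OUTPUT -p udp -m udp --dport 53 -j DNAT --to-destination 10.4.0.1:53
-A OUTPUT -p tcp -m tcp --dport 53 -j DNAT --to-destination 10.4.0.1:53
-A POSTROUTING -o tun0 -j MASQUERADE
"""

# One port-53 DNAT rule as iptables-save prints it (optional -i <iface> in PREROUTING).
DNAT_RULE = re.compile(
    r"^-A (?P<chain>PREROUTING|OUTPUT)"
    r"(?: -i (?P<iface>\S+))?"
    r" -p (?P<proto>udp|tcp) -m (?P=proto) --dport 53"
    r" -j DNAT --to-destination (?P<target>[\d.]+):53$"
)

def dns_redirects(rules_text):
    """Map (chain, proto) -> resolver the matching DNAT rule points at."""
    found = {}
    for line in rules_text.splitlines():
        m = DNAT_RULE.match(line.strip())
        if m:
            found[(m["chain"], m["proto"])] = m["target"]
    return found

def missing_coverage(rules_text, resolver):
    """Return the (chain, proto) slots that do not redirect port 53 to `resolver`.

    nat OUTPUT only sees packets the router itself generates (e.g. dnsmasq's
    upstream lookups). Queries from LAN clients with a hardcoded resolver are
    forwarded, not generated, and traverse PREROUTING, so a leak-proof policy
    needs both chains for both UDP and TCP.
    """
    have = dns_redirects(rules_text)
    return [(chain, proto)
            for chain in ("PREROUTING", "OUTPUT")
            for proto in ("udp", "tcp")
            if have.get((chain, proto)) != resolver]
```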
starkerphoenix Posted ...
> Well, you're right. I can also query 10.5.0.1, 6.0.1, 7.0.1, ... I think they're all pointing to the same daemon. Well then, config it the way you want, I'm fine with 10.4.0.1.

You seem to be correct, because I can also ping those IP addresses regardless of which IP address & gateway my tun0 device is connected to. The reason I thought it would not work is because on the https://airvpn.org/specs/ page at the very bottom, they specify a Subnet Mask of 255.255.0.0. This led me to believe that the gateways were on different subnets, for example 10.4.0.1/16 and 10.6.0.1/16, and therefore could not access one when connected to the other. Does this mean the specs page is wrong, or is there something I do not understand about IP addressing that can allow pings & DNS requests to traverse a subnet like this?

> Just a small note, if you want all users to use -only- your configured DNS, and not be able to bypass that by a static DNS that was previously set in the network adapter or whatsoever, a simple iptables rule will work for you:
>
>     iptables -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to 10.4.0.1:53
>     iptables -t nat -A OUTPUT -p tcp --dport 53 -j DNAT --to 10.4.0.1:53

Wow, thank you for that tip! That is extremely useful; I will edit my post above to add those lines for easy copying. When I had OpenNIC DNS servers manually configured in /etc/resolv.conf on my client computers behind my NAT, I was failing the DNS leak tests. This is a great way to keep the OpenNIC configuration on the clients but have all requests go through the VPN anyway. OpenNIC is better than Google/NSA DNS servers logging all of my DNS traffic, but I still did not want my ISP and my country's federal spy service to log my DNS traffic either. These iptables rules forcibly stop the DNS leaks I was having originally, so thank you!
OpenSourcerer Posted ...
> Does this mean the specs page is wrong, or is there something I do not understand about IP addressing that can allow pings & DNS requests to traverse a subnet like this?

No, it's not wrong, I get those settings via PUSH_REPLY. I don't know what causes this.