smegma 0 Posted ... I want to run openvpn directly because Eddie is too cpu intensive on my machine but I keep getting dns leaks. I am on manjaro linux 17.01 and have tried a number of methods: update-systemd-resolved scripts, adding 10.4.0.1 directly to the resolv.conf, etc. I've tried to read the arch wiki but I just end up frustrated and confused every single time.
nick75 25 Posted ... Hi, Can you tell us what ipleak.net tells you?
smegma 0 Posted ... It shows airvpn as my ip but both my isp's dns servers in the dns section appear.
nick75 25 Posted ... OK then try this

Add this to your ovpn file:

    script-security 2
    up /etc/openvpn/add_rule.sh
    down /etc/openvpn/del_rule.sh

Create the file /etc/openvpn/add_rule.sh with:

    #!/bin/sh
    iptables -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to-destination 10.4.0.1:53
    iptables -t nat -A OUTPUT -p tcp --dport 53 -j DNAT --to-destination 10.4.0.1:53

And create the file /etc/openvpn/del_rule.sh with:

    #!/bin/sh
    iptables -t nat -D OUTPUT -p udp --dport 53 -j DNAT --to-destination 10.4.0.1:53
    iptables -t nat -D OUTPUT -p tcp --dport 53 -j DNAT --to-destination 10.4.0.1:53

Type these in a terminal window:

    sudo chmod +x /etc/openvpn/add_rule.sh
    sudo chmod +x /etc/openvpn/del_rule.sh

Re-try with ipleak.net, it should work now.
smegma 0 Posted ... I tried and it's not resolving dns now. Do I need to open ports for the dns? I was just doing generic UDP 443 for the config
nick75 25 Posted ... Have you modified your DNS setup? Does your system check for DNSSEC or anything specifically? Otherwise that must work
smegma 0 Posted ... No I haven't. I got your method working by prepending 10.4.0.1 to my resolv.conf file so far. I didn't realise it wasn't doing that automatically. How do I go about automating the overwrite?
gmask 0 Posted ...
> I tried and its not resolving dns now. Do I need to open ports for the dns? I was just doing generic UDP 443 for the config

Same problem here. Using Parabola Arch 4.10.3
nick75 25 Posted ... There seems to be a problem with OpenVPN and DNS in Arch/Manjaro. See here. I don't use Arch so I can't be of any help! Unless someone else here knows how Arch works you're more likely to get help from Arch users in its forums, they surely know how it handles DNS when using OpenVPN.
smegma 0 Posted ... My method of manually prepending 10.4.0.1 to the resolv.conf after adding your solution seems to have been working all day, I have tested on ipleak multiple times and haven't seen any dns leaks
nick75 25 Posted ... Very surprising but I'm glad you carried it off! As I said, I don't know how Arch works but in most distributions there's a process (generally network-manager) that regularly overwrites changes in resolv.conf. So be careful.
smegma 0 Posted ... https://wiki.archlinux.org/index.php/Resolv.conf covers some methods to prevent it depending on what network manager people are running.
gmask 0 Posted ...
> My method of manually prepending 10.4.0.1 to the resolv.conf after adding your solution seems to have been working all day, I have tested on ipleak multiple times and haven't seen any dns leaks

This solved it also for me thank you! Basically prepending the dns server seems to work. However what happens when I am not connected to the vpn? Does the system not find the dns server of airvpn?
smegma 0 Posted ... I assume it just skips over the 10.4.0.1 and uses whatever default dns you had set up under that. When you reset you may have to prepend again or use chattr +i or one of the other methods in arch wiki
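
One way to automate the resolv.conf prepend discussed above, as an added example that is not part of the original thread: a single script used for both OpenVPN's `up` and `down` hooks, which makes 10.4.0.1 the first nameserver on connect and removes it on disconnect. The function names and the `VPN_DNS` and `RESOLV` override variables are assumptions made for this example; `script_type` is the variable OpenVPN exports to its hook scripts.

```shell
#!/bin/sh
# Added example (not from the thread): OpenVPN up/down hook that keeps the
# VPN DNS server first in resolv.conf while the tunnel is up.
# Assumptions: VPN_DNS is the 10.4.0.1 address used in the thread; RESOLV can
# be overridden for testing; OpenVPN exports script_type=up|down to hooks.

VPN_DNS="${VPN_DNS:-10.4.0.1}"
RESOLV="${RESOLV:-/etc/resolv.conf}"

# Print the address of the first nameserver entry in file $1.
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }' "$1"
}

# Make "nameserver $2" the first nameserver in file $1. Idempotent: a second
# call changes nothing, and a stale copy further down the file is dropped.
prepend_dns() {
    file=$1 dns=$2
    [ "$(first_nameserver "$file")" = "$dns" ] && return 0
    tmp=$(mktemp "${file}.XXXXXX") || return 1
    {
        printf 'nameserver %s\n' "$dns"
        awk -v d="$dns" '!($1 == "nameserver" && $2 == d)' "$file"
    } > "$tmp" && cat "$tmp" > "$file"   # cat keeps a symlinked resolv.conf intact
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Remove every "nameserver $2" entry from file $1, leaving the rest untouched.
remove_dns() {
    file=$1 dns=$2
    tmp=$(mktemp "${file}.XXXXXX") || return 1
    awk -v d="$dns" '!($1 == "nameserver" && $2 == d)' "$file" > "$tmp" \
        && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Dispatch on the hook type; does nothing when run outside OpenVPN.
case "${script_type:-}" in
    up)   prepend_dns "$RESOLV" "$VPN_DNS" ;;
    down) remove_dns  "$RESOLV" "$VPN_DNS" ;;
esac
```

OpenVPN honours only one `up` and one `down` script, so the iptables lines from add_rule.sh and del_rule.sh would go into the matching branches of the `case` to keep both. If a network manager rewrites resolv.conf mid-session, as nick75 warns, the entry is gone until the next `up`; `first_nameserver /etc/resolv.conf` is a quick check.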
b51 0 Posted ... I'm using Arch and Airvpn with no problems. I use eddie-cli