Asus AX3000 new router OpenVPN DNS leak question

[BobbyTee 0]

Hi guys

Just setup a new router for use with Airvpn. Followed their website instructions and all seems well. All devices report back vpn ip. 

I did wonder though how likely is a DNS and ip leak? How best prevent these from happening? Do router settings needs configuring and if so which settings and what should they be?

Also is it worth using Eddie client using another VPN  as well as having it setup on the router for the extra layer of protection?

Thanks

[OpenSourcerer 1435]

37 minutes ago, BobbyTee said:

I did wonder though how likely is a DNS and ip leak?

It's not about probability, it's either "yes, there is" or "no, there isn't". Did you check IPLeak to see if there are leaks?
 

38 minutes ago, BobbyTee said:

Also is it worth using Eddie client using another VPN  as well as having it setup on the router for the extra layer of protection?

Nope. First, because it's just feeding your felling of security without actually providing it, second, Tor is a better software for that, third, the CPU in your router likely won't be able to handle two such connections if you aim for throughput.

[BobbyTee 0]

Thanks for getting back. I have attached to the msg here a screenshot of the ipleak test. Does that look ok to you? I don't need to add any additional entries to the router configuration at all then no? No 10.1 DNS addresses or anything?

I did wonder if I may suddenly get a DNS leak though if maybe the VPN would cut out suddenly would expose my normal ip? Just wondered the best way to prevent that but still using the router method.

Thanks again😊

Edited ... by BobbyTee

[OpenSourcerer 1435]

50 minutes ago, BobbyTee said:

Does that look ok to you?

IPLeak tells you if it's okay or not:

Quote

If you are now connected to a VPN and between the detected DNS you see your ISP DNS, then your system is leaking […].

So, your IP address above is 217 in Austria, the only DNS server is 217 in Austria. Question: Are you leaking DNS requests?

What you are leaking is your ISP IP in the browser via WebRTC. Click on the link there for possible solutions.

Have some faith in what you do, and don't panic about trifles. Even if you accidentally leak one or two DNS requests, it's not the end of your freedom or something. You're not living in North Korea. Besides, an IP address leak does far more harm, so look into the WebRTC leak you have when browsing while being connected.
 

55 minutes ago, BobbyTee said:

No 10.1 DNS addresses or anything?

OpenVPN pulls the appropriate 10.x.x.x DNS server itself. You can set the v4 and v6 DNS servers written on the Specs page explicitly, but then you lose all DNS functionality if you're not connected.
 

1 hour ago, BobbyTee said:

I did wonder if I may suddenly get a DNS leak though if maybe the VPN would cut out suddenly would expose my normal ip?

I don't quite understand the question. You want to know if it's possible that DNS leaks can cause IP address leaks?

[go558a83nk 362]

https://www.asuswrt-merlin.net/about
I strongly encourage you to use Merlin firmware on an Asus router.  With that you'll get actual options in your openvpn client setup, including an option to use the VPN DNS exclusively.  That should prevent leaks.  Even better is the policy routing capability. 

[Staff 9972]

5 hours ago, OpenSourcerer said:

What you are leaking is your ISP IP in the browser via WebRTC. Click on the link there for possible solutions.
 

Probably not, the screenshot is not extremely clear but it seems WebRTC test displays the private IP address of @BobbyTee system network interface (192.168.50.61). @BobbyTee - the ipleak test thus seems completely fine but please check the above anyway

Kind regards
 

[OpenSourcerer 1435]

Well, I'm concerned because it's showing the local address of the physical NIC. If it would've been the tun address, all good.
By the way, if I do this test, I'm shown the private v4, too, alongside the v6 UGA. Are you expecting this to show people's public v4?

[BobbyTee 0]

Sorry for late response people. I have since upgraded to Merlin. Thank you for your recommendations there guys. I was having trouble with activating the config file on OpenVPN Client. However after removing these 2 lines of text from the config file (push-peer-info
setenv UV_IPV6 yes) the setting of the VPN was successfully enabled.

I have since then done a test on a Swedish VPN. Here are the results. Do these look ok? Are there any leaks? If there are how do i stop them? Thanks again!

Clearer pic here: https://i.imgur.com/2xuXdvu.png

Edited ... by BobbyTee

[Staff 9972]

17 hours ago, OpenSourcerer said:

By the way, if I do this test, I'm shown the private v4, too, alongside the v6 UGA. Are you expecting this to show people's public v4?

Hello!

Of course. That's the risk with WebRTC: the disclosure of the "real" IP address when you don't want that. The "noble" purpose is allowing two or more peers to connect directly with each other for video chats and so on. Each peer must know the public IP address of the other ones to accomplish the task. WebRTC (when it is active) provides developers with an API which can disclose it. See
https://webrtc.org/getting-started/peer-connections
and following docs.

https://webrtc.org/getting-started/peer-connections

Quote

Well, I'm concerned because it's showing the local address of the physical NIC.

As long as the local address is private and assigned by your home router, that's the only case of no concern.
 

Quote

If it would've been the tun address, all good.

With OpenVPN, disclosure of the tun address is not a concern, right, because we are unable to correlate a VPN IP address to a user when the connection is over.

But it's not all good in general, unfortunately: with Wireguard, disclosure of the tun address (the VPN IP address) is risky too, because of the bijection between client keys and static VPN IP addresses which Wireguard also mandates to replicate in a file on every server. Under this respect we can only mitigate the problem by randomizing IP addresses assigned to keys and deleting periodically the file entries when we suppose a client is no more connected (Wireguard lacks even the disconnection notification feature by explicit design). But in the whole time between deletions, we know who is who, and we must provide this information for example after a court order, which could also include prohibition to delete relevant data whereas it is an ACTIVE action that we (and not some third-party app) perform in spite of lack of technical necessity.

Kind regards
 

[Social_House 0]

Hi,

Sorry to bump up this old thread. I've got an issue with DNS leak here and would like some help. This is the most relevant thread I found.

I'm based in China and using ASUS Merlin with OpenVPN. The China Great Firewall blocks us from accessing google/youtube/twitter etc. AirVPN has been a tremendous help for us to access the internet freely. However, sometimes I found myself losing access to these websites. When I try ipleak.net, it usually shows my local ISPs. So I suspect that's the reason.

What would be the best practice to avoid this? If I specify an open DNS server, it usually massively reduce my internet speed accessing local websites. I tried to change the OpenVPN DNS config to "Exclusive" and sometimes it works, but I'd love to know what's the best solution here. 

Thanks in advance!

[go558a83nk 362]

Set it to exclusive, of course.  But also check that your browser isn't using some built in "secure dns" which would be encrypted and thus bypass AirVPN's DNS.