Jump to content
Not connected, Your IP: 3.14.135.82
Sign in to follow this  
lightleptonparticle

How to force everything through the tunnel?

Recommended Posts

How can I force all data through the tunnel? That would include all DNS requests, ICMP, TCP, UDP, but also anything else like raw sockets. In particular it seems that DNS requests are not routed through the tunnel.

Share this post


Link to post

Sorry I misread your post. Let me try to make up for it. About DNS:

 

https://airvpn.org/topic/9289-dns-leaks-and-how-to-fix-them/

 

and

 

https://airvpn.org/topic/9608-how-to-accept-dns-push-on-linux-systems-with-resolvconf/

 

There must be some discussion of AirVPN's DNS servers by staff somewhere, but I could not find it just now.

 

You can also of course run your own DNS resolver, which should use the default gateway. But this may interfere with the stuff AirVPN had to reroute network traffic to allow access to major geo-restricted services from any server. (which also must be documented somewhere by staff, but I can not find it right now).

Share this post


Link to post

Maybe I chould phrase this in another way.

 

I'm assuming that the reason why some data does not go through the tunnel is due to the routing table. So, in Linux, what does the routing table need to look like to prevent this? I can see that openvpn issues some route commands as it starts up, but does it take into account what the routing table may look like prior to its modifications? If it doesn't then I assume I need to ensure that myself, hence why I'm asking.

Share this post


Link to post

Hello,

 

you don't need to do anything like that (BUT: *). OpenVPN takes care of everything. Compare your routing table before, during and after a connection to an OpenVPN server. See also the routes pushed by our servers, look at the OpenVPN logs.

 

(*)

See here for some clarifications on DNS push in Linux: https://airvpn.org/topic/9608-how-to-accept-dns-push-on-linux-systems-with-resolvconf/

Also, it is assumed that you do not configure your client to actively reject OpenVPN servers routes push. If you do (directive route-nopull) for some very specific need, you can build your own routing table. Make sure that you know what you do in this case and proceed with caution (mistakes might crumble the anonymity layer).

 

Kind regards

Share this post


Link to post

Maybe I chould phrase this in another way.

 

I'm assuming that the reason why some data does not go through the tunnel is due to the routing table. So, in Linux, what does the routing table need to look like to prevent this? I can see that openvpn issues some route commands as it starts up, but does it take into account what the routing table may look like prior to its modifications? If it doesn't then I assume I need to ensure that myself, hence why I'm asking.

 

I wrote a long guide for setting up OpenVPN on Windows which talks about the sort of changes the OpenVPN client will want to make to the routing table (for Linux too I am sure):

 

https://airvpn.org/topic/9549-guide-to-setting-up-vpn-just-for-torrenting-on-windows-thanks-to-nadre/

 

In general, it will only add additional entries. The default gateway is changed by adding two entries with net mask 128.0.0.0, so that the original gateway entry is suppressed, but not removed from the routing table.

 

If you need to make additonal changes you can certainly do that. You can do this by adding additional directives to the OpenVPN client configuration files too, which can be a very elegant way to do it. The additional entries will get inserted and removed automatically.

Share this post


Link to post

Hello,

 

you don't need to do anything like that (BUT: *). OpenVPN takes care of everything. Compare your routing table before, during and after a connection to an OpenVPN server. See also the routes pushed by our servers, look at the OpenVPN logs.

 

(*)

See here for some clarifications on DNS push in Linux: https://airvpn.org/topic/9608-how-to-accept-dns-push-on-linux-systems-with-resolvconf/

Also, it is assumed that you do not configure your client to actively reject OpenVPN servers routes push. If you do (directive route-nopull) for some very specific need, you can build your own routing table. Make sure that you know what you do in this case and proceed with caution (mistakes might crumble the anonymity layer).

 

Kind regards

 

Ok, thank you.

 

However what are the results on http://ipleak.net/ supposed to be when the connection does not leak anything? Am I supposed to see anything under "Detected DNS addresses"? It shows one OpenDNS server in my case, although strangely not either of the ones I have in my resolv.conf file.

Share this post


Link to post

Ok, thank you.

 

However what are the results on http://ipleak.net/ supposed to be when the connection does not leak anything? Am I supposed to see anything under "Detected DNS addresses"? It shows one OpenDNS server in my case, although strangely not either of the ones I have in my resolv.conf file.

 

Hello,

 

the results show that you're tunneling DNS queries to OpenDNS (Linux has no DNS leaks). If you wish to use our DNS and you don't have resolvconf or openresolv packages installed, add 10.4.0.1 as first nameserver in your /etc/resolv.conf:

 

nameserver 10.4.0.1

 

If you have one of them installed just follow the previously mentioned How-To.

 

When you use our DNS you will get, in the DNS test of ipleak, the same VPN server exit-IP address (there's a very rare exception to this, in case of VPN server DNS failure you might get an Irish IP address, it's just a backup DNS for emergencies operated by us).

 

Kind regards

Share this post


Link to post

 

Ok, thank you.

 

However what are the results on http://ipleak.net/ supposed to be when the connection does not leak anything? Am I supposed to see anything under "Detected DNS addresses"? It shows one OpenDNS server in my case, although strangely not either of the ones I have in my resolv.conf file.

 

Hello,

 

the results show that you're tunneling DNS queries to OpenDNS (Linux has no DNS leaks). If you wish to use our DNS and you don't have resolvconf or openresolv packages installed, add 10.4.0.1 as first nameserver in your /etc/resolv.conf:

 

nameserver 10.4.0.1

 

If you have one of them installed just follow the previously mentioned How-To.

 

When you use our DNS you will get, in the DNS test of ipleak, the same VPN server exit-IP address (there's a very rare exception to this, in case of VPN server DNS failure you might get an Irish IP address, it's just a backup DNS for emergencies operated by us).

 

Kind regards

 

Thank you, again.

This is probably because I don't know how ipleak.net is implemented, but if there are no DNS leaks in Linux, how does ipleak.net know I am using the opendns servers?

Share this post


Link to post

Hello,

 

simply because your system IS sending DNS queries to OpenDNS servers.

 

Kind regards

 

I think I understand now.

 

So even though I see queries going to whatever DNS server (on ipleaks), they will always go through the VPN tunnel?

Share this post


Link to post

 

Hello,

 

simply because your system IS sending DNS queries to OpenDNS servers.

 

Kind regards

 

I think I understand now.

 

So even though I see queries going to whatever DNS server (on ipleaks), they will always go through the VPN tunnel?

 

Yes, the only exception is when DNS queries are sent to a destination inside your local network or to the entry-IP address of the OpenVPN server the system is connected to, in this case they will not be encrypted (see your routing table while connected to the VPN to understand why). This opens up the option (or the risk) to send out unencrypted DNS queries, for example when DNS queries are sent to your router which in turn forwards them to some other DNS server. However technically this is not a DNS leak, because the system complies to the settings (contrarily to Windows, where real DNS leaks can occur).

 

Kind regards

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image
Sign in to follow this  

×
×
  • Create New...