DNS leak with OpenVPN

Hi!

I followed this guide to set up an OpenVPN client on my router: https://lede-project.org/docs/user-guide/openvpn.client [edit: and this one: https://gist.github.com/braian87b/64440dec125d2b2f0ddc600c490988db]

Everything is OK; the only problem is that my expressvpn_vpn network interface uses the default DNS (from wwan) and not the ExpressVPN one. Checked via: https://www.dnsleaktest.com

When I connect to the VPN server via the Windows client, the DNS servers are the ExpressVPN ones.

I have a wwan interface for LTE, a wan interface for ADSL and expressvpn_vpn to connect to the VPN server.

My /etc/config/network:

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd4d:fce4:95b5::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option ifname 'eth0'
        option proto 'dhcp'
        option peerdns '0'
        list dns '208.67.222.222'
        list dns '208.67.220.220'
        list dns '8.8.8.8'
        list dns '8.8.4.4'
        option metric '30'

config interface 'wan6'
        option ifname 'eth0'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 5 0'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 6'

config interface 'wwan'
        option proto 'ncm'
        option device '/dev/ttyUSB0'
        option ifname 'wwan0'
        option apn 'xxxx'
        option pincode '0000'
        option mode 'preferlte'
        option delay '30'
        option ipv6 '0'
        list dns '208.67.222.222'
        list dns '208.67.220.220'
        list dns '8.8.8.8'
        list dns '8.8.4.4'
        option peerdns '0'
        option metric '20'

config interface 'expressvpn_vpn'
        option proto 'dhcp'
        option ifname 'tun0'
        option metric '10'

My /etc/config/openvpn:

config openvpn 'expressvpn_belgium'
        option config '/etc/openvpn/expressvpn_belgium.ovpn'
        option enabled '1'

My /etc/config/dhcp:

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option localservice '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'
        list dhcp_option '6,208.67.222.222,208.67.220.220'
        list dhcp_option '6,8.8.8.8,8.8.4.4'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'

I tried this with no success:

Thank you very much! :slight_smile:

Hum.... strange...

DNS works only with one .ovpn file, one of 7.

The 7 .ovpn files are exactly the same (downloaded from ExpressVPN), except for the remote, of course.

I have compared the openvpn logs of the working .ovpn file and the non-working .ovpn files, and the logs are the same.

Maybe a coincidence...

I don't know where to look :confused:

I solved the problem but the solution is ugly... :nauseated_face:

Thanks to:

The solution is to create two scripts: /etc/openvpn/updns:

#!/bin/sh
# OpenVPN exports each pushed option it does not handle itself (for example
# "dhcp-option DNS x.x.x.x") to its up/down scripts as the environment
# variables foreign_option_1, foreign_option_2, ...; rewrite them into
# resolv.conf syntax so dnsmasq picks up the VPN resolvers.
mv /tmp/resolv.conf.auto /tmp/resolv.conf.auto.hold
echo "$foreign_option_1" | sed -e 's/dhcp-option DOMAIN/domain/g' -e 's/dhcp-option DNS/nameserver/g' > /tmp/resolv.conf.auto
echo "$foreign_option_2" | sed -e 's/dhcp-option DOMAIN/domain/g' -e 's/dhcp-option DNS/nameserver/g' >> /tmp/resolv.conf.auto
echo "$foreign_option_3" | sed -e 's/dhcp-option DOMAIN/domain/g' -e 's/dhcp-option DNS/nameserver/g' >> /tmp/resolv.conf.auto

and /etc/openvpn/downdns:

#!/bin/sh
# Restore the resolver file that updns saved when the tunnel came up.
mv /tmp/resolv.conf.auto.hold /tmp/resolv.conf.auto

And add them to .ovpn files with this:

script-security 2 system
up "/etc/openvpn/updns"
down "/etc/openvpn/downdns"

Pretty ugly... :sneezing_face:

I understand that the /etc/openvpn/updns script updates the DNS in the file /tmp/resolv.conf.auto, but what are $foreign_option_1, $foreign_option_2 and $foreign_option_3? :face_with_raised_eyebrow:

And why are the DNS servers not updated automatically? :face_with_raised_eyebrow:

If anyone knows... :sweat_smile:

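To answer the question about the variables: OpenVPN sets foreign_option_1, foreign_option_2, ... in the environment of its up/down scripts, one per pushed option it does not consume itself (such as dhcp-option DNS / DOMAIN), and sets script_type to "up" or "down". The script below is an added example, not the poster's script and not code from OpenWrt or OpenVPN: it walks all foreign_option_N variables instead of a fixed three, writes only DNS and DOMAIN entries whose values are well formed (so a malformed or hostile push cannot put arbitrary text into the resolver file), and restores the saved file on down. The RESOLV_FILE path and the .hold suffix are taken from the thread; everything else is assumed for the example.

```sh
#!/bin/sh
# Added example: OpenVPN up/down script that rewrites the dnsmasq resolv
# file from pushed dhcp-option values. Assumes the resolv file path used in
# this thread; foreign_option_N and script_type are set by OpenVPN itself.

RESOLV_FILE="${RESOLV_FILE:-/tmp/resolv.conf.auto}"

# is_ipv4 A.B.C.D: succeed only for a dotted quad with every octet <= 255
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(echo "$1" | tr '.' ' '); do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# render_resolv: read foreign_option_1, foreign_option_2, ... until the
# first unset one and print resolv.conf lines for valid DNS/DOMAIN pushes.
# Anything else (other options, bad addresses, odd domain names) is dropped.
render_resolv() {
    i=1
    while :; do
        eval "opt=\${foreign_option_$i:-}"
        [ -n "$opt" ] || break
        i=$((i + 1))
        set -f; set -- $opt; set +f        # split on whitespace, no globbing
        [ "$1" = "dhcp-option" ] || continue
        case "$2" in
            DNS)    is_ipv4 "$3" && printf 'nameserver %s\n' "$3" ;;
            DOMAIN) printf '%s\n' "$3" | grep -Eq '^[A-Za-z0-9.-]+$' \
                        && printf 'domain %s\n' "$3" ;;
        esac
    done
}

# vpn_dns_up: keep a copy of the current file, then swap in the rendered one
# atomically. If the push contained nothing usable, leave the file alone.
vpn_dns_up() {
    tmp="$RESOLV_FILE.new.$$"
    render_resolv > "$tmp"
    if [ -s "$tmp" ]; then
        [ -e "$RESOLV_FILE" ] && cp "$RESOLV_FILE" "$RESOLV_FILE.hold"
        mv "$tmp" "$RESOLV_FILE"
    else
        rm -f "$tmp"
        return 1
    fi
}

# vpn_dns_down: put the saved copy back when the tunnel goes away.
vpn_dns_down() {
    [ -e "$RESOLV_FILE.hold" ] && mv "$RESOLV_FILE.hold" "$RESOLV_FILE"
}

case "${script_type:-}" in
    up)   vpn_dns_up ;;
    down) vpn_dns_down ;;
esac
```

Install it as both the up and down script (script-security 2 is still required, as in the post above). dnsmasq notices when the resolv file changes, but this does not address the problem raised later in the thread: the WAN DHCP client can rewrite the file on a lease renewal, which is why the noresolv plus list server approach is the cleaner fix.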

Your dnsmasq configuration points to /tmp/resolv.conf.auto, which is populated from the DNS settings in the DHCP lease when your wan connection gets established.
If you want dnsmasq to use your VPN DNS servers without having to explicitly replace that file, you need to put them in there.

For example, remove the resolvfile option and add the following ones instead:

# this tells dnsmasq not to read a resolv.conf file
option noresolv '1'
list server 'DNS_IP_1'
list server 'DNS_IP_2'

Also, in your dhcp-options you're pushing OpenDNS servers and Google servers to your devices; this is not needed if their traffic ends up going to your dnsmasq instance. So you should remove these lines.
Hope that helps.

Thanks for help!

But I don't understand why, after the express_vpn interface connects, this file /tmp/resolv.conf.auto is not updated with the ExpressVPN DNS?

After the wan interface connects, this file is automatically updated with my ISP DNS (when I do not explicitly set OpenDNS/GoogleDNS).

I see... when the VPN comes up, it modifies the routing on your device and uses DHCP to give the tun0 interface an IP, but it keeps the original DNS resolution going for the wan traffic (even though the DNS requests will now go through the VPN).

"Why" is harder to answer.
Here are some elements that I believe are relevant (which unfortunately mostly look like questions, considering I don't know the definitive answer).
It may be linked to this type of answer: https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/691723
i.e. which package is in charge of which files. If dnsmasq "owns" the resolv.conf files, should we have openvpn modify them? What happens on restart of dnsmasq or in case of DHCP lease renewal?
Also, what if there is traffic that still needs to go out through the normal wan with the existing DNS settings?


The file /tmp/resolv.conf.auto is created by the WAN dhcp client, your OpenVPN configuration does not affect this. As mentioned, you can set dnsmasq "noresolv" parameter to not use it and instead set your own DNS forwarders. This is not automated by any means, you should learn how and where DNS options are set if you want to prevent DNS leaks.

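An added example, not from the thread or from OpenWrt: a small audit script that reads the dnsmasq section of /etc/config/dhcp the way the replies above describe and reports where queries will actually be forwarded. It flags the two leak paths discussed here: dnsmasq still consulting a resolv file (noresolv absent or 0), which means the WAN DHCP client's nameservers are used, and dhcp_option 6,... lines in a dhcp section, which hand LAN clients resolvers that bypass the router entirely. It assumes /tmp/resolv.conf.auto as the resolvfile default when the option is absent (the path used in this thread) and only handles option values without embedded spaces; the two sample configs are constructed for the example.

```sh
#!/bin/sh
# Added example: audit the dnsmasq upstream settings in an OpenWrt
# /etc/config/dhcp. Assumption: resolvfile defaults to the path used in
# this thread when the option is absent. Values with spaces are not handled.

DEFAULT_RESOLVFILE=/tmp/resolv.conf.auto

# write_sample leaky|fixed PATH: constructed /etc/config/dhcp excerpts,
# modelled on the configs in this thread (not real device files).
write_sample() {
    case "$1" in
        leaky) cat > "$2" <<'EOF'
config dnsmasq
	option domainneeded '1'
	option rebind_protection '1'
	option resolvfile '/tmp/resolv.conf.auto'

config dhcp 'lan'
	option interface 'lan'
	list dhcp_option '6,8.8.8.8,8.8.4.4'
EOF
        ;;
        fixed) cat > "$2" <<'EOF'
config dnsmasq
	option domainneeded '1'
	option rebind_protection '1'
	option noresolv '1'
	list server '10.8.0.1'
	list server '10.8.0.2'

config dhcp 'lan'
	option interface 'lan'
EOF
        ;;
    esac
}

# uci_dnsmasq_get FILE KEY: value of `option KEY` in the dnsmasq section
# (quotes stripped, empty when absent).
uci_dnsmasq_get() {
    awk -v key="$2" -v q="'" '
        $1 == "config" { in_sec = ($2 == "dnsmasq") }
        in_sec && $1 == "option" && $2 == key {
            v = $3; gsub("[" q "\"]", "", v); print v; exit
        }' "$1"
}

# uci_dnsmasq_servers FILE: each `list server` value, one per line.
uci_dnsmasq_servers() {
    awk -v q="'" '
        $1 == "config" { in_sec = ($2 == "dnsmasq") }
        in_sec && $1 == "list" && $2 == "server" {
            v = $3; gsub("[" q "\"]", "", v); print v
        }' "$1"
}

# dhcp_option6_pushes FILE: dhcp_option values starting with "6," in any
# dhcp section, i.e. resolvers handed straight to LAN clients.
dhcp_option6_pushes() {
    awk -v q="'" '
        $1 == "config" { in_dhcp = ($2 == "dhcp") }
        in_dhcp && $1 == "list" && $2 == "dhcp_option" {
            v = $3; gsub("[" q "\"]", "", v)
            if (v ~ /^6,/) print v
        }' "$1"
}

# report_upstreams FILE: print where queries go; return 1 on a leak path.
report_upstreams() {
    cfg=$1; rc=0
    noresolv=$(uci_dnsmasq_get "$cfg" noresolv)
    resolvfile=$(uci_dnsmasq_get "$cfg" resolvfile)
    [ -n "$resolvfile" ] || resolvfile=$DEFAULT_RESOLVFILE
    if [ "$noresolv" = "1" ]; then
        echo "resolvfile: ignored (noresolv=1)"
    else
        echo "resolvfile: $resolvfile (whatever the WAN DHCP client wrote there)"
        rc=1
    fi
    uci_dnsmasq_servers "$cfg" | while read -r s; do echo "server: $s"; done
    pushes=$(dhcp_option6_pushes "$cfg")
    if [ -n "$pushes" ]; then
        echo "clients bypass the router via dhcp_option: $pushes"
        rc=1
    fi
    return $rc
}

# Run with --demo to see both reports on the constructed samples.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    for kind in leaky fixed; do
        write_sample "$kind" "$d/$kind"
        echo "== $kind =="
        report_upstreams "$d/$kind" || echo "=> leak risk"
    done
    rm -rf "$d"
fi
```

On a real router, run report_upstreams /etc/config/dhcp after changing the options and again after a reboot; the reply above is right that nothing automates this, so the audit is the check that the fix actually took.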

Hi, after a lot of troubleshooting I finally found the DNS leak solution here.

I was wondering how the OpenVPN client was leaking DNS on my router for every host in the LAN.

It was leaking because /etc/resolv.conf.auto had my ISP's DNS server IP and the dnsmasq daemon was forwarding DNS packets directly to it.

The solution (not perfect but works) is:

Modify /etc/config/dhcp

  • Remove:
    option resolvfile '/tmp/resolv.conf.auto'
  • Add:
    option noresolv '1'
    list server '8.8.8.8'
    list server '8.8.4.4'

The perfect solution would be to allow OpenVPN to modify /etc/resolv.conf.auto to set its IP to the one provided by the OpenVPN server's pushed dhcp-option, and then disallow dnsmasq from modifying it again if a DHCP lease renewal is issued on the WAN interface. But this will need some hard-coding by developers.

Using your idea of removing /resolv.conf.auto (I added a # in front of that) and adding the list server, upon reboot and surfing to https://ipleak.net I have leaks.

Should I have entirely deleted the resolv.conf.auto?

Hi, you are wrong to remove the file /resolv.conf.auto.
You need to edit the text in this file: /etc/config/dhcp
You will see a text line: option resolvfile '/tmp/resolv.conf.auto'
Delete this line and then write:
option noresolv '1'
list server '8.8.8.8'
list server '8.8.4.4'
Save changes, reboot the router, check DNS leaks, enjoy.

Shouldn't the DNS servers of the VPN provider be used in list server, or were you providing Google's DNS servers as a non-specific example?

If I put Google's DNS servers there (per your example), and I check for a leak, Google's DNS servers show up. Don't I want my VPN's DNS servers to be the only thing anyone would see in a trace?

If I list both:

	list server '209.222.18.222'
	list server '209.222.18.218'
	list server '8.8.8.8'
	list server '8.8.4.4'

Google shows up some of the time along with the DNS server from PIA.

Google DNS servers show up because, according to your other post, you send them to your local devices with DHCP option 6.

I also have this issue. Not only in OpenWRT, but also in desktop Linux like Ubuntu (and some other Debian-based OSes), and also in Archlinux. I thought it was related to systemd (systemd-resolved), but I'm not really sure, since OpenWRT doesn't use it.

DNS-leak fix for router/server and desktop/laptop:


Thanks. I'm new to this, so I'm trying to get used to the commands.
It looks like the solution for desktop/laptop works by making the ISP DNS priority low. Looks like a nice and simple workaround.

For the router one, are those Google DNS servers going through the VPN or the normal connection?

Make sure the option redirect-gateway is either in the client config or pushed by the server; then it goes via the VPN connection.


Hi,

Pretty old thread, but I have the same problem.
ExpressVPN too; note that ExpressVPN have their own DNS servers and they are private, we can have them..
About your solution: I'm looking for it in /etc/config/dhcp, but I don't have the file you gave us:

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option localservice '1'
	option doh_backup_noresolv '-1'
	list server '127.0.0.1#5053'
	list server '127.0.0.1#5054'
	list doh_backup_server '127.0.0.1#5053'
	list doh_backup_server '127.0.0.1#5054'
	option serversfile '/tmp/adb_list.overall'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'