All is OK; the only problem is that my expressvpn_vpn network interface uses the default DNS (from wwan) and not the ExpressVPN one. Via: https://www.dnsleaktest.com
When I connect to the VPN server via the Windows client, the DNS servers are the ExpressVPN ones.
I have a wwan interface to connect to LTE, wan to connect to ADSL and expressvpn_vpn to connect to the VPN server.
My /etc/config/network:
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd4d:fce4:95b5::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option ifname 'eth0'
	option proto 'dhcp'
	option peerdns '0'
	list dns '208.67.222.222'
	list dns '208.67.220.220'
	list dns '8.8.8.8'
	list dns '8.8.4.4'
	option metric '30'

config interface 'wan6'
	option ifname 'eth0'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 3 4 5 0'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 6'

config interface 'wwan'
	option proto 'ncm'
	option device '/dev/ttyUSB0'
	option ifname 'wwan0'
	option apn 'xxxx'
	option pincode '0000'
	option mode 'preferlte'
	option delay '30'
	option ipv6 '0'
	list dns '208.67.222.222'
	list dns '208.67.220.220'
	list dns '8.8.8.8'
	list dns '8.8.4.4'
	option peerdns '0'
	option metric '20'

config interface 'expressvpn_vpn'
	option proto 'dhcp'
	option ifname 'tun0'
	option metric '10'
script-security 2 system
up "/etc/openvpn/updns"
down "/etc/openvpn/downdns"
Pretty ugly...
I understand that the /etc/openvpn/updns script updates the DNS in the file /tmp/resolv.conf.auto, but what are $foreign_option_1, $foreign_option_2 and $foreign_option_3?
Your dnsmasq configuration points to /tmp/resolv.conf.auto, which is populated from the DNS settings in DHCP when your wan connection gets established.
If you want dnsmasq to use your VPN DNS servers without having to explicitly replace that file, you need to put them in there.
For example, remove the resolvfile option and add the following ones instead:
option noresolv '1'  # this tells dnsmasq not to read a resolv.conf file
list server 'DNS_IP_1'
list server 'DNS_IP_2'
Also, in your dhcp-options you're pushing OpenDNS servers and Google servers to your devices; this is not needed if their traffic ends up going to your dnsmasq implementation. So you should remove these lines.
Hope that helps.
I see... when the VPN comes up, it modifies the routing on your device and uses DHCP to give the tun0 interface an IP, but it keeps the original DNS resolution going for the wan traffic (even though the DNS requests will now go through the VPN).
"Why" is harder to answer.
Here are some elements that I believe are relevant (which unfortunately mostly look like questions, considering I don't know the definitive answer):
It may be linked to this type of answer: https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/691723
i.e. which package is in charge of which files. If dnsmasq "owns" the resolv.conf files, should we have OpenVPN modify them? What happens on restart of dnsmasq or in case of DHCP lease renewal?
Also what if there is traffic that still needs to go out through the normal wan with the existing DNS settings?
The file /tmp/resolv.conf.auto is created by the WAN DHCP client; your OpenVPN configuration does not affect this. As mentioned, you can set the dnsmasq "noresolv" parameter to not use it and instead set your own DNS forwarders. This is not automated by any means; you should learn how and where DNS options are set if you want to prevent DNS leaks.
Hi, after a lot of troubleshooting I finally found the DNS leak solution here.
I was wondering how the OpenVPN client was leaking DNS on my router for every host in the LAN.
It was leaking because /etc/resolv.conf.auto had my ISP DNS server IP and the dnsmasq daemon was forwarding DNS packets directly to it.
The solution (not perfect but works) is:
Modify /etc/config/dhcp
Remove:
option resolvfile '/tmp/resolv.conf.auto'
Add:
option noresolv '1'
list server '8.8.8.8'
list server '8.8.4.4'
The perfect solution would be to allow OpenVPN to modify /etc/resolv.conf.auto to replace its IP with the one provided by the OpenVPN server's pushed dhcp-option, and then disallow dnsmasq from modifying it again if a DHCP lease renewal is issued on the WAN interface. But this will need some hard coding by developers.
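To show what the $foreign_option_N variables asked about earlier actually carry, and how the "let OpenVPN hand its pushed DNS to dnsmasq" idea above could look, here is an added example (not code from the thread or from OpenWrt). It assumes OpenVPN runs the script with script-security 2 and exports each pushed "dhcp-option" it does not consume itself as foreign_option_1, foreign_option_2, ...; the output file path and the dnsmasq fragment layout are assumptions.

```sh
#!/bin/sh
# Added example: read the DNS servers an OpenVPN server pushes via
# "dhcp-option DNS a.b.c.d" and turn them into a dnsmasq fragment that
# uses only those resolvers, so the WAN-populated /tmp/resolv.conf.auto
# is no longer consulted. OpenVPN exposes unhandled pushed options as
# foreign_option_1, foreign_option_2, ... in the up-script environment.

# Print one IPv4 address per line for every "dhcp-option DNS x.x.x.x"
# found in foreign_option_1..N; stops at the first unset variable.
pushed_dns_servers() {
    i=1
    while :; do
        eval "opt=\${foreign_option_$i:-}"
        [ -n "$opt" ] || break
        case "$opt" in
            "dhcp-option DNS "*)
                ip="${opt#dhcp-option DNS }"
                # accept only well-formed dotted quads; anything else is ignored
                if printf '%s' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
                    printf '%s\n' "$ip"
                fi
                ;;
        esac
        i=$((i + 1))
    done
}

# Write a dnsmasq fragment (assumed to be included from dnsmasq's conf-dir)
# containing "no-resolv" plus one "server=" line per pushed resolver.
# $1 = output file. Returns 1 and writes nothing if the VPN pushed no DNS,
# so a missing push does not silently leave dnsmasq with an empty upstream.
write_dnsmasq_vpn_conf() {
    out="$1"
    servers=$(pushed_dns_servers)
    if [ -z "$servers" ]; then
        echo "no DNS pushed by the VPN server; leaving dnsmasq untouched" >&2
        return 1
    fi
    {
        echo "no-resolv"
        printf '%s\n' "$servers" | sed 's/^/server=/'
    } > "$out"
}
```

On OpenWrt the same two values would normally go into /etc/config/dhcp as option noresolv '1' and list server entries, followed by a dnsmasq restart; a matching down script should restore the previous upstreams.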
Using your idea of removing /resolv.conf.auto (I added a # in front of that) and adding the list server lines, upon reboot and surfing to https://ipleak.net I have leaks.
Should I have entirely deleted the resolv.conf.auto?
Hi, you are wrong in removing the file /resolv.conf.auto.
You need to edit the text in this file: /etc/config/dhcp
You will see a text line: option resolvfile '/tmp/resolv.conf.auto'
Delete this line and then write:
option noresolv '1'
list server '8.8.8.8'
list server '8.8.4.4'
Save changes, reboot the router, check for DNS leaks, enjoy.
Shouldn't the DNS servers of the VPN provider be used in list server, or were you providing Google's DNS servers as a non-specific example?
If I put Google's DNS servers there (per your example) and I check for a leak, Google's DNS servers show up. Don't I want my VPN's DNS servers to be the only thing anyone would see in a trace?
If I list both:
list server '209.222.18.222'
list server '209.222.18.218'
list server '8.8.8.8'
list server '8.8.4.4'
Google shows up some of the time along with the DNS server from PIA.
I also have this issue. Not only in OpenWrt, but also in desktop Linux like Ubuntu (and some other Debian-based OSes), and also in Arch Linux. I thought it was related to systemd (systemd-resolved), but I'm not really sure since OpenWrt doesn't use this.
Thanks. I'm new to this so I'm trying to get used to the commands.
It looks like the solution for desktop/laptop is making the ISP DNS priority low. Looks like a nice and simple workaround.
For the router one, are those Google DNS servers going through the VPN or the normal connection?
Pretty old thread, but I have the same problem.
ExpressVPN too; note that ExpressVPN has their own DNS servers and they are private, we can have it..
About your solution, I'm looking for your solution in /etc/config/dhcp, but I don't have the file you gave us: