DNS Leaking when using VPN

Posted: Mon Jan 29, 2018 2:48 am
by anotheri
So I just got started using a VPN, Mint 18.2 x64 is my OS,

I'm using VyprVPN, using the OpenVPN "protocol" if that's what it's called on Mint.

I set it up using this page on their website, following exactly to a T what they said.

https://support.goldenfrog.com/hc/en-us ... ux-Ubuntu-

It was meant for Ubuntu but seeing as Mint is based on Ubuntu and the features are all pretty much the same down to the menu, it was relatively easy. Easier in some ways as ALL the openvpn packages were already installed by default in Mint 18.2.

Works perfectly, speedtest.net, and whatever what is my IP websites would read my IP as whatever I would set it EXCEPT when I would go on the various DNS Leak checker websites my VPN's server would show up as well as my local ISP's. Sometimes even with the VPN connected, I would get 4 or more of my local ISP's servers/addresses showing up.

I used these two DNS checkers.

https://www.dnsleaktest.com/
http://ipleak.com/

So I freaked out a bit, and started digging around the net. Most of the solutions were for Windows, and what few solutions there were for Linux seemed to be based around Ubuntu, which while similar was confusing for me when trying to implement the solutions.

Two things I did, one seemed to do nothing and the other seemed to work...

I updated the stock update-resolv-conf file in /etc/openvpn
with this little line of code at the end

script-security 2

Code:

up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

This was based on this guy's post on this site

http://www.ubuntubuzz.com/2015/09/how-t ... linux.html

I could not understand what he meant in his final step #2 by

Code:

2. Run The .ovpn File

sudo openvpn --config name_of_your_file.ovpn

So I couldn't do it, and hence nothing happened.

Second solution that seemed to work was this youtube video where some guy basically showed himself in Ubuntu

Doing

sudo apt-get install openresolv nscd


I did that, installed "openresolv nscd", it created a file called "update-resolv-conf.save" in my home directory and that's it.

I wasn't expecting anything but after that every DNS leak checker website I looked at could not expose my local ISP, it seemed my VPN was working fully and only its address was being displayed. Good right?

So what is the proper way to go about this? Did I actually end up fixing the problem? I'm worried I might have just done some kind of band aid fix and I am not actually anonymous when using my VPN.

If this did somehow fix the issue it would be helpful to understand what exactly happened and what changed what.

If this is not the correct solution, and somebody knows how to stop the DNS leaks please help.


Really the goal here is using the VPN to the fullest extent for protection. Which seems a lot easier on Win/OSX, as most VPN providers all hand out proprietary software applets that allow you to control everything through a nice GUI, whereas in Linux I'm stuck editing text files and messing around with OpenVPN.

Re: DNS Leaking when using VPN

Posted: Mon Jan 29, 2018 3:05 am
by catweazel
anotheri wrote:If this is not the correct solution, and somebody knows how to stop the DNS leaks please help.
From one of the links you posted above...

https://www.dnsleaktest.com/how-to-fix-a-dns-leak.html

Try the openvpn solution.

Re: DNS Leaking when using VPN

Posted: Mon Jan 29, 2018 9:42 am
by sammiev
Here is a read you may be interested in, been using it for years without any DNS leak.

viewtopic.php?f=90&t=260970

Re: DNS Leaking when using VPN

Posted: Wed Jan 31, 2018 4:58 am
by anotheri
catweazel wrote:
anotheri wrote:If this is not the correct solution, and somebody knows how to stop the DNS leaks please help.
From one of the links you posted above...

https://www.dnsleaktest.com/how-to-fix-a-dns-leak.html

Try the openvpn solution.
What exactly is the "openvpn" solution, I am using openvpn as it came installed in Mint.

That page says that as of version 2.3.9 you can prevent DNS leaks by opening the .conf (or .ovpn) file for the server that I am connecting to and adding "block-outside-dns" to it.

I am using OpenVPN version 2.3.10 as per what's listed in my Software Manager as installed.

I never set up my VPN using a .ovpn file, as I said in the OP I set it up using exactly this tutorial my VPN provider had.
https://support.goldenfrog.com/hc/en-us ... ux-Ubuntu-

This method involves using ca.vyprvpn.com.crt file for the key. I do not have a .ovpn file.


I was able to find VyprVPN's .ovpn file download page
https://support.goldenfrog.com/hc/en-us ... VPN-files-

I figured the .ovpn files are some kind of config file, like a bookmark file for a web browser (correct me if I am wrong here please), since when setting up OpenVPN you can pick your config by "importing" the file and it sets everything up for you.

I picked the 256bit config, imported the file. Opened the file later, and added the "block-outside-dns" to it.


I have not gotten around to testing it yet. I will report back soon.



With all of that being said. The whole thing that sketches me out in all of this is the repeatability.

The way I first set my VPN up using the instructions in the first link in this post, with the extra resolve-conf update file downloaded... My VPN does not seem to leak 90% of the time, out of all the sites I test it on.


Then all of a sudden I'll test it, and it'll show my local ISP servers 6 in a row, with my 1 VPN server as well. So the DNS is leaking, didn't change anything

It especially likes to leak if I disconnect for whatever reason and then re-connect, or change the location/servers for my VPN. It'll leak like hell, and then somehow "settle in" and stop leaking. Or so the test websites show anyway.

Re: DNS Leaking when using VPN

Posted: Wed Jan 31, 2018 6:28 am
by catweazel
anotheri wrote:
catweazel wrote:
anotheri wrote:If this is not the correct solution, and somebody knows how to stop the DNS leaks please help.
From one of the links you posted above...

https://www.dnsleaktest.com/how-to-fix-a-dns-leak.html

Try the openvpn solution.
What exactly is the "openvpn" solution
It's documented right there on the page.
As of OpenVPN version 2.3.9 you can now prevent DNS leaks by specifying a new OpenVPN option. Simply open the .conf (or .ovpn) file for the server that you are connecting to and add the following on a new line. For more information see the OpenVPN manual.

Code:

block-outside-dns

If for any reason you are unable to use the solution above continue reading.
I have not gotten around to testing it yet.
I have. It works. Simply edit the config file you import to create a connection.

Re: DNS Leaking when using VPN

Posted: Wed Feb 07, 2018 4:41 am
by anotheri
Okay so I added block-outside-dns to my .ovpn, it sort of seemed to work but after connecting/disconnecting quickly and then testing my DNS using a few websites I did manage to get my DNS to leak.

I did the steps outlined in the thread sammiev linked to.

viewtopic.php?f=90&t=260970

I added the following to my .ovpn file

Code:

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

I also edited

/etc/NetworkManager/NetworkManager.conf

to

#dns=dnsmasq

I had to go even further though...

I had to disable IPV6 on my router/modem in the network manager, the "wired" connection showed in the network manager, as well as on the VPN.

I had to edit the IPV4 settings for the listed router, "wired" connection and VPN in the network manager to Address = Automatic DHCP AND change the DNS server address to 127.0.0.1 for all of them.

My /etc/resolv.conf file is already as such.

Code:

# Generated by resolvconf
search home
nameserver 127.0.0.1

The only thing I did not do is install "bind9", no idea what it is.

It would appear that after all of that my DNS is no longer leaking after doing about 50 tests over the course of a few days. I will keep an eye though.



One thing that worries me though is if I look at my network configurations with the command ifconfig
it shows my tun0 as this...

Code:

  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.3.34.118  P-t-P:10.3.34.118  Mask:255.255.255.0
          inet6 addr: fe80::578e:6633:9b37:e121/64 Scope:Link
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:4288 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4301 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:3249945 (3.2 MB)  TX bytes:382626 (382.6 KB) 

I have no idea what any of that means except for "POINTTOPOINT", as in POINT TO POINT TUNNELING PROTOCOL.

My VPN is supposed to offer OpenVPN 256bit encryption and I'm pretty sure that's the way I set it up but I know they do have a PPTP option.


Does this mean I am using PPTP and not OpenVPN 256bit encryption?
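
Added example, not part of any post in this thread: a small Python check for the .ovpn directives tried above (block-outside-dns, script-security, up/down). It relies on the OpenVPN manual, which describes block-outside-dns as a Windows Filtering Platform option and script-security as defaulting to 1; the function names and the sample configs are constructed for illustration.

```python
import shlex

def parse_directives(text):
    """Map directive name -> list of argument lists from .ovpn text."""
    directives, closing = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if closing:                       # inside an inline block such as <ca> ... </ca>
            if line == closing:
                closing = None
            continue
        if not line or line[0] in "#;":   # blank line or comment
            continue
        if line.startswith("<") and line.endswith(">"):
            closing = "</" + line[1:]     # remember the matching close tag
            continue
        parts = shlex.split(line, comments=True)
        directives.setdefault(parts[0], []).append(parts[1:])
    return directives

def audit_ovpn(text, platform="linux"):
    """Return findings about the DNS-related directives (hypothetical helper)."""
    d, findings = parse_directives(text), []
    if "block-outside-dns" in d and platform != "windows":
        findings.append("block-outside-dns is Windows-only (WFP); it filters nothing on " + platform)
    level = int(d["script-security"][-1][0]) if "script-security" in d else 1
    hooks = [h for h in ("up", "down") if h in d]
    if hooks and level < 2:
        findings.append("script-security %d: %s script will not be executed" % (level, "/".join(hooks)))
    if "up" in d and "down" not in d:
        findings.append("up without down: resolver is not restored on disconnect")
    return findings

# Constructed sample configs, not a provider's real file.
LEAKY = """client
<ca>
(constructed placeholder, not a real certificate)
</ca>
block-outside-dns
up /etc/openvpn/update-resolv-conf
"""
FIXED = """client
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
"""
if __name__ == "__main__":
    for name, cfg in (("LEAKY", LEAKY), ("FIXED", FIXED)):
        print(name, audit_ovpn(cfg))
```

An empty result only means these three directives are consistent; whether queries actually stay inside the tunnel still has to be confirmed with a leak test after each reconnect.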

Re: DNS Leaking when using VPN

Posted: Wed Feb 07, 2018 1:12 pm
by sammiev
The idea of bind9 is to stop the dns leak by using bind9 and 127.0.0.1

This will stop dns leaking without even using a VPN.

After installing the VPN there should be no leaks there as well and if there is, it's your vpn provider that has a leaking dns.

Included are a few pics.

Image
pic of no vpn and no dns leak

Image
pic of vpn and no dns leak

Image

Image
pics of connection

Re: DNS Leaking when using VPN

Posted: Wed Feb 07, 2018 5:23 pm
by majpooper
Install dnscrypt from the software manager - I use dnscrypt and no DNS leak whether I use my VPN or not.

Re: DNS Leaking when using VPN

Posted: Fri Feb 09, 2018 10:02 am
by sammiev
Charlie wrote: Fri Feb 09, 2018 8:31 am
majpooper wrote: Wed Feb 07, 2018 5:23 pm Install dnscrypt from the software manager - I use dnscrypt and no DNS leak whether I use my VPN or not.
Is it possible to use dnscrypt and Bind9 together? I am happily using Bind9 alone at the moment.
Nope, bind9 will not work with dnscrypt.

Dnscrypt uses their own type of bind9.

It's like using Dnscrypt and a VPN, the VPN runs alongside Dnscrypt, not inside.

I had a test machine on Dnscrypt for months and it worked very well, a few times there was a dns leak ( usually in the evening ) but it's free.

Use Dnscrypt or a VPN, whatever works best for you. :wink:

Re: DNS Leaking when using VPN

Posted: Fri Feb 09, 2018 10:36 am
by trytip
do you have a .ovpn certificate? if so, open file manager where it is, right-click an empty space in the file manager where your .ovpn is, open terminal here and then sudo openvpn --config FreeVPN.me-TCP80.ovpn (replace FreeVPN.me-TCP80.ovpn with your certificate name)

Re: DNS Leaking when using VPN

Posted: Mon Dec 24, 2018 3:01 am
by troubador
Hi.
I struggled with this for a while.
It is not a bug, just a not so well documented feature.
In the Network Manager interface, after importing an OpenVPN config file,
go into the IPv4 section
and specify a default search domain.
The wild card for ALL is a tilde ~
Then all searches will go through that interface and no leaks.
This works with systemd-resolve.
Or you can add the following line to each config file in the /etc/NetworkManager/system-connections/ directory:
dns-search=~;

There should already be a dns-search key there but it will be blank.
Adding the tilde makes it the default search interface.
If there are no defaults specified it will go to the first interface or all of them...

No more DNS leaks.
There has been much flaming and debate on GitHub and Reddit. The developers are correct, it is not a bug.
However it should be better documented.

Troub
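
Added example, not part of the post above: a Python check over NetworkManager connection keyfiles that reports VPN profiles whose dns-search lacks the tilde described in the post, and non-VPN profiles that carry it. The function names and keyfile contents are constructed; it assumes VPN profiles are marked type=vpn in their [connection] section.

```python
import configparser

CATCH_ALL = "~"   # the wildcard search domain given in the post above

def read_keyfile(text):
    """Parse NetworkManager keyfile text (an INI-style format)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str              # keep key names case-sensitive
    cp.read_string(text)
    return cp

def dns_search(cp, family="ipv4"):
    """Return the dns-search entries of one address family as a list."""
    raw = cp.get(family, "dns-search", fallback="")
    return [d.strip() for d in raw.split(";") if d.strip()]

def audit_profiles(profiles):
    """profiles: {name: keyfile text}. Return (vpn_missing, non_vpn_claiming)."""
    vpn_missing, non_vpn_claiming = [], []
    for name, text in sorted(profiles.items()):
        cp = read_keyfile(text)
        is_vpn = cp.get("connection", "type", fallback="") == "vpn"
        has_tilde = CATCH_ALL in dns_search(cp)
        if is_vpn and not has_tilde:
            vpn_missing.append(name)        # VPN is not the default DNS route
        elif not is_vpn and has_tilde:
            non_vpn_claiming.append(name)   # physical link competes for default DNS
    return vpn_missing, non_vpn_claiming

# Constructed keyfiles; real ones live in /etc/NetworkManager/system-connections/.
SAMPLES = {
    "vpn-imported": "[connection]\nid=vpn-imported\ntype=vpn\n\n[ipv4]\ndns-search=\nmethod=auto\n",
    "vpn-fixed": "[connection]\nid=vpn-fixed\ntype=vpn\n\n[ipv4]\ndns-search=~;\nmethod=auto\n",
    "wired": "[connection]\nid=wired\ntype=ethernet\n\n[ipv4]\ndns-search=home;\nmethod=auto\n",
}

if __name__ == "__main__":
    missing, claiming = audit_profiles(SAMPLES)
    print("VPN profiles without the tilde:", missing)
    print("non-VPN profiles with the tilde:", claiming)
```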

Re: DNS Leaking when using VPN

Posted: Mon Dec 24, 2018 11:29 am
by trytip
sammiev wrote: Wed Feb 07, 2018 1:12 pm
if you read this there are two things wrong with your last post in this thread. first DON'T use Ghostery if you already use ublock origin and second if you use this privacy measure why do you use your ISP DNS?

oh, and third we can all see your Home IP address, i would delete these pictures