[Tutorial] How to fix DNS leak while using VPN

KaptenKnasboll

[Tutorial] How to fix DNS leak while using VPN

Post by KaptenKnasboll »

First of all, I did not write this tutorial, but I am posting it since it is the only working solution that I found after days of googling and frustration.
I use a VPN provider that uses OpenVPN.

If you have a DNS leak as indicated by checking on browserleaks.com or dnsleaktest.com:

Shut off your VPN connection.

Attempt to undo any .conf file edits you've already wasted time making. If you've been trying a lot of various suggestions, your best chance might be to do a fresh install and ensure you've also installed network-manager-openvpn-gnome, as Ubuntu does not provide VPN config importing by default.

Install dnsmasq:

    sudo apt update
    sudo apt install dnsmasq

Disable resolved:

    sudo systemctl disable systemd-resolved.service
    sudo systemctl stop systemd-resolved.service

Remove /etc/resolv.conf and create a new one:

    sudo rm /etc/resolv.conf
    sudo nano /etc/resolv.conf

Enter into your empty .conf file:

    nameserver 127.0.0.1

Press Ctrl+x to exit the editor. Enter y to save and then press Enter to overwrite your new resolv.conf file.

Edit your NetworkManager.conf file:

    sudo nano /etc/NetworkManager/NetworkManager.conf

and add the following line:

    dns=dnsmasq

beneath the lines [main] and plugins=ifupdown, keyfile (navigate using the arrow keys), exactly like this with the new line added:

    [main]
    plugins=ifupdown, keyfile
    dns=dnsmasq

Press Ctrl+x to exit the editor. Enter y to save and then press Enter to overwrite the file.

Restart networking (or reboot the system):

    sudo service network-manager restart

Back out of the terminal, reboot the system and check your DNS leak test site for results.

With thanks to the Ubuntu Forums, whose solutions for leaks on Ubuntu/Network Manager seem well researched and successful. THEY WORK, and when no other solutions worked for me, these did. The solution shown above works for Ubuntu 17.x and 18.04 LTS (see his other solution for 16.04 LTS), and therefore on Linux Mint too!
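The tutorial above changes three things (the nameserver in /etc/resolv.conf, the dns= mode in NetworkManager.conf, and the state of systemd-resolved), and a web leak test only tells you the end result. The following script is an added example, not part of the post above and not something its author or the Ubuntu Forums provided: it audits those three settings locally so you can see which step did not take before reaching for a browser. The file paths default to the real system files; the test-only overrides and the DNS_AUDIT_* names are this example's own.

```shell
#!/bin/sh
# Added example: audit the settings changed by the dnsmasq tutorial.
# Every function accepts an optional file path so it can be run against
# copies of the config files; with no argument it reads the live system.

# Print the nameserver entries of a resolv.conf-style file.
resolv_nameservers() {
    _f=${1:-/etc/resolv.conf}
    [ -r "$_f" ] || return 1
    awk '$1 == "nameserver" { print $2 }' "$_f"
}

# Return 0 only if every nameserver is a loopback address other than
# 127.0.0.53, which is the systemd-resolved stub and means the tutorial's
# resolv.conf replacement did not take effect.
resolv_is_local_only() {
    _ns=$(resolv_nameservers "$1") || return 1
    [ -n "$_ns" ] || return 1
    for _n in $_ns; do
        case "$_n" in
            127.0.0.53) return 1 ;;   # still the systemd-resolved stub
            127.*|::1)  ;;            # local dnsmasq, as the tutorial intends
            *)          return 1 ;;   # an upstream resolver: queries bypass the tunnel
        esac
    done
    return 0
}

# Print the value of dns= inside the [main] section of NetworkManager.conf.
# A dns= line under any other section is ignored, which is exactly the
# mistake the tutorial warns about when it says "beneath [main]".
nm_dns_mode() {
    _f=${1:-/etc/NetworkManager/NetworkManager.conf}
    [ -r "$_f" ] || return 0
    awk -F= '
        /^[[:space:]]*\[/ { in_main = ($0 ~ /^[[:space:]]*\[main\][[:space:]]*$/); next }
        in_main && $1 ~ /^[[:space:]]*dns[[:space:]]*$/ {
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", $2); print $2; exit
        }' "$_f"
}

# Report systemd-resolved's state; "unknown" when systemctl is unavailable.
resolved_state() {
    _s=$(systemctl is-active systemd-resolved 2>/dev/null)
    echo "${_s:-unknown}"
}

# Human-readable summary of the three checks.
dns_leak_audit() {
    if resolv_is_local_only "$1"; then
        echo "resolv.conf: OK (only loopback nameservers)"
    else
        echo "resolv.conf: WARNING nameservers are: $(resolv_nameservers "$1" | tr '\n' ' ')"
    fi
    _mode=$(nm_dns_mode "$2")
    if [ "$_mode" = "dnsmasq" ]; then
        echo "NetworkManager: OK (dns=dnsmasq in [main])"
    else
        echo "NetworkManager: WARNING dns=${_mode:-<unset>} (expected dnsmasq under [main])"
    fi
    echo "systemd-resolved: $(resolved_state) (expected inactive)"
}

# Run against the live system when executed directly.
dns_leak_audit
```

Run it once before and once after a reboot: the tutorial expects "OK" on the first two lines and "inactive" on the third. If resolv.conf reports 127.0.0.53, systemd-resolved has regenerated the file and the stop/disable step needs repeating.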
catweazel

Re: [Tutorial] How to fix DNS leak while using VPN

Post by catweazel »

KaptenKnasboll wrote: Thu May 09, 2019 6:21 pm If you have a DNS leak as indicated by checking on browserleaks.com or dnsleaktest.com,
Or alternatively, and in one sentence or less:

Make sure these lines appear in the .ovpn before importing it:

    block-outside-dns
    script-security 2
    up /etc/openvpn/update-resolv-conf
    down /etc/openvpn/update-resolv-conf
    down-pre
Last edited by catweazel on Sun May 19, 2019 1:23 am, edited 1 time in total.
"There is, ultimately, only one truth -- cogito, ergo sum -- everything else is an assumption." - Me, my swansong.
d00101

Re: [Tutorial] How to fix DNS leak while using VPN

Post by d00101 »

It seems there are a number of ways of going about this. First off, putting block-outside-dns in the conf files does not work on non-Windows systems, so don't trust in it:

    This option is considered unknown on non-Windows platforms and unsupported on Windows XP, resulting in fatal error.

Refer to: https://community.openvpn.net/openvpn/w ... n23ManPage

What worked for me is dnscrypt-proxy and a custom kill switch. Here's how to do it:

First, enable IPv4 packet forwarding in sysctl.conf:

    sudo nano /etc/sysctl.conf

Uncomment (remove the #) on the line: net.ipv4.ip_forward=1
Ctrl-S
Ctrl-X

Second, install dnscrypt-proxy:

    sudo apt-get purge dnscrypt-proxy
    sudo add-apt-repository ppa:shevchuk/dnscrypt-proxy
    sudo apt update
    sudo apt install dnscrypt-proxy

Third, restart these services:

    sudo systemctl restart NetworkManager
    sudo systemctl restart dnscrypt-proxy

Fourth, install and configure resolvconf:

    sudo apt install resolvconf
    sudo nano /etc/NetworkManager/NetworkManager.conf

Add dns=default under [main] on its own line:

    [main]
    dns=default

    plugins=ifupdown,keyfile

    [ifupdown]
    managed=false

    [device]
    wifi.scan-rand-mac-address=no

Fifth, restart these services:

    sudo systemctl stop systemd-resolved
    sudo systemctl disable systemd-resolved
    sudo systemctl restart network-manager
    sudo systemctl restart dnscrypt-proxy

Lastly, IPv6 will still leak DNS information even if DNS leak testers are showing everything to be fine on IPv4. https://ipleak.net will exploit this flaw. The way to secure this is to create a custom kill switch using ufw to deny all network traffic except through the VPN tunnel (tun0):

    sudo apt install ufw

To restrict all traffic to tun0:

    sudo ufw reset
    sudo ufw default deny incoming
    sudo ufw default deny outgoing
    sudo ufw allow out on tun0 from any to any
    sudo ufw enable

And if you want to re-enable all traffic through every network interface:

    sudo ufw reset
    sudo ufw default deny incoming
    sudo ufw default allow outgoing
    sudo ufw enable

I like to make these into aliases in ~/.bash_aliases, for instance:

    alias firewallup='sudo ufw reset && sudo ufw default deny incoming && sudo ufw default deny outgoing && sudo ufw allow out on tun0 from any to any && sudo ufw enable'
    alias firewalldown='sudo ufw reset && sudo ufw default deny incoming && sudo ufw default allow outgoing && sudo ufw enable'

Basically, I have to un-restrict the traffic to connect to my VPN and then immediately restrict the traffic after successfully connecting. This will prevent IPv6 from leaking. And in case the VPN connection is lost while the ufw restrictions are up, it functions as a perfect kill switch.

Hope this helps. FYI, it works for me on Mint 19.1 Tessa with ProtonVPN servers.
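The kill switch above has one awkward step: the firewall must be dropped to let the tunnel come up, and during that window nothing is protected. The script below is an added example, not d00101's own aliases, that generates the same ufw rule set but adds one extra rule allowing only the flow that builds the tunnel (the provider's server address and port, taken from the remote line of the .ovpn file), so the firewall can stay up across reconnects. The VPN_SERVER, VPN_PORT, VPN_PROTO and APPLY variable names are this example's own; the server address used in the test is a documentation placeholder, not a real endpoint. Nothing is applied unless APPLY=1 is set; by default the commands are only printed for review.

```shell
#!/bin/sh
# Added example: ufw kill switch that permits only the VPN tunnel plus the
# single connection needed to establish it.  Commands are emitted as text so
# they can be inspected (or piped through run_rules to apply them).

# killswitch_rules TUN_IF [VPN_SERVER_IP VPN_PORT PROTO]
# Emits the ufw commands, one per line.  Without a server address it is the
# same rule set as the aliases in the post above.
killswitch_rules() {
    _tun=${1:-tun0}; _srv=$2; _port=${3:-1194}; _proto=${4:-udp}
    echo "ufw --force reset"
    echo "ufw default deny incoming"
    echo "ufw default deny outgoing"
    # Everything is allowed only inside the tunnel interface...
    echo "ufw allow out on $_tun from any to any"
    # ...plus the one flow that builds the tunnel, so the firewall can stay
    # up while OpenVPN (re)connects.  Omitted when no server is given.
    if [ -n "$_srv" ]; then
        echo "ufw allow out to $_srv port $_port proto $_proto"
    fi
    echo "ufw --force enable"
}

# killswitch_off: restore normal outbound traffic, still denying inbound.
killswitch_off() {
    echo "ufw --force reset"
    echo "ufw default deny incoming"
    echo "ufw default allow outgoing"
    echo "ufw --force enable"
}

# run_rules: print each command; execute it with sudo only when APPLY=1.
run_rules() {
    while IFS= read -r _cmd; do
        echo "+ $_cmd"
        if [ "${APPLY:-0}" = "1" ]; then
            sudo $_cmd
        fi
    done
}

# Stand-alone run: review mode unless APPLY=1.  VPN_SERVER is a placeholder
# to be filled from the "remote" line of the provider's .ovpn file.
killswitch_rules "${TUN_IF:-tun0}" "${VPN_SERVER:-}" "${VPN_PORT:-1194}" "${VPN_PROTO:-udp}" | run_rules
```

Two caveats worth checking on the machine itself. First, ufw only installs the matching ip6tables rules when IPV6=yes is set in /etc/default/ufw (the Ubuntu default); with IPV6=no the deny-outgoing policy would not cover the IPv6 leak the post describes. Second, with default deny outgoing in place, DNS must flow inside tun0 to the provider's resolver, which is exactly what the leak test sites confirm; if name resolution stops working while the VPN is up, that is the firewall doing its job and the resolver configuration, not the rule set, needs attention.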
KaptenKnasboll

Re: [Tutorial] How to fix DNS leak while using VPN

Post by KaptenKnasboll »

d00101 wrote: Fri May 10, 2019 3:57 pm It seems there are a number of ways of going about this. First off, putting block-outside-dns in the conf files does not work on non-Windows systems, so don't trust in it:

Thank you for some new ideas and insights!
My VPN service provider's solution to even using IPv6 was to permanently disable it in sysctl.conf lol.
So your kill switch is something I'll implement straight away!
Thank you my good man!

And as you said in the beginning, you can't block outside DNS anymore since Ubuntu just overrides the OpenVPN resolved conf no matter what.

It's always good with more input. I hope our combined posts can help some people out.

Cheers! :D
catweazel

Re: [Tutorial] How to fix DNS leak while using VPN

Post by catweazel »

d00101 wrote: Fri May 10, 2019 3:57 pm It seems there are a number of ways of going about this. First off, putting block-outside-dns in the conf files does not work on non-Windows systems, so don't trust in it:
AAAARRRGGGHHH!
    This option is considered unknown on non-Windows platforms and unsupported on Windows XP, resulting in fatal error. You may want to use --setenv opt or --ignore-unknown-option (not suitable for Windows XP) to ignore said error. Note that pushing unknown options from server does not trigger fatal errors.
kypec

Re: [Tutorial] How to fix DNS leak while using VPN

Post by kypec »

Thank you very much for this tutorial. I have wasted 2 days trying to fix my problems with the VPN-provided DNS not being honored. I use openconnect (Cisco AnyConnect protocol) and nothing worked. I have read the discussions on systemd-resolved about this issue, https://github.com/systemd/systemd/issues/6076 and https://github.com/systemd/systemd/pull/11050, but it looks like Mint only has the older systemd version 237 available at the moment, and I didn't dare to update it above version 240 (which should have some fixes for domain routing implemented) on my own.
Your approach is simple and uses old but reliable utilities that have been working for ages. Now I'm starting to understand why so many users frown upon systemd :x
sunshine299

Re: [Tutorial] How to fix DNS leak while using VPN

Post by sunshine299 »

Not sure what's gone wrong with mine, but now I don't have internet access at all, even with the settings to re-allow or with the firewall disabled.

I attempt to connect to the ProtonVPN but with no success.

I followed the commands exactly.

Anyone have ideas on how to fix?
maxue

Re: [Tutorial] How to fix DNS leak while using VPN

Post by maxue »

Hello!

KaptenKnasboll's tutorial worked perfectly for me; I'm using ProtonVPN as well.
Thank you!
sunshine299

Re: [Tutorial] How to fix DNS leak while using VPN

Post by sunshine299 »

As soon as I stop systemd, all internet stops. The only thing that allows any internet access, even connecting to the ProtonVPN, is starting systemd again.

Tested on a virtual Mint and still the same.

    sudo systemctl stop systemd-resolved
    sudo systemctl disable systemd-resolved

Restarting network manager and dnscrypt proxy does nothing.

    sudo systemctl restart network-manager
    sudo systemctl restart dnscrypt-proxy
sunshine299

Re: [Tutorial] How to fix DNS leak while using VPN

Post by sunshine299 »

Solution found.

I found that lots of people are having the same problem as me. When systemd is disabled, it disables all internet access on the system. The only way I got it back on was a timeshift restore.

Then I found ProtonVPN have a way around it, but you have to execute it every time from the Terminal; then I use the "kill switch" commands with the firewall to only allow the tunnel0 (VPN) connection. Every resource I can find only displays IP addresses & DNS details from the VPN.

* ProtonVPN's solution (use Option B): https://protonvpn.com/support/linux-vpn-setup/
* Activating/deactivating the firewall with regards to tunnel0 (as quoted in the earlier post by d00101)

NOTE: Once the VPN is connected, if you close the terminal window it will end the VPN session. To connect next time you must allow all traffic from the firewall commands (or turn off firewall), then only allow traffic from tunnel0 again.

TO CHECK FOR DNS LEAKS:
https://whoer.net/
https://www.dnsleaktest.com/ (use extended test)