[Tutorial] How to fix DNS leak while using VPN

Write tutorials here
There are more tutorials here http://community.linuxmint.com/tutorial/welcome
Forum rules
Please don't add support questions to tutorials,start your own thread in the appropriate sub-forum instead. Before you post please read this
Post Reply
KaptenKnasboll
Level 1
Level 1
Posts: 2
Joined: Thu May 09, 2019 6:06 pm

[Tutorial] How to fix DNS leak while using VPN

Post by KaptenKnasboll » Thu May 09, 2019 6:21 pm

First of all, I did not write this tutorial but since it is the only working solution that I found after days of googling and frustration.
I use a VPN provider that uses OpenVPN.

If you have a DNS leak as indicated by checking on browserleaks.com or dnsleaktest.com,

Shut off your VPN connection

Attempt to undo any .conf file edits you've wasted time already making. If you've been trying a lot of various suggestions, your best good chance might be to do a fresh install and ensure you've also installed networkmanager-openvpn-gnome as Ubuntu does not have VPN config importing provided by default.

Install dnsmasq

Code: Select all

sudo apt update
sudo apt install dnsmasq  
Disable resolved

Code: Select all

sudo systemctl disable systemd-resolved.service
sudo systemctl stop systemd-resolved.service 
Remove /etc/resolv.conf and create a new one:

Code: Select all

sudo rm /etc/resolv.conf
sudo nano /etc/resolv.conf  
Enter into your empty .conf file:

Code: Select all

nameserver 127.0.0.1
Press Ctrl+x to exit the editor. Enter y to save and then press Enter to overwrite your new resolv.conf file.

Edit your NetworkManager.conf file

Code: Select all

sudo nano /etc/NetworkManager/NetworkManager.conf 
and add the following:

Code: Select all

dns=dnsmasq 
beneath the lines (navigate using arrow keys), [main] and plugins=ifupdown, keyfile exactly like this with the new line added.

Code: Select all

[main]
plugins=ifupdown, keyfile
dns=dnsmasq
Press Ctrl+x to exit the editor. Enter y to save and then press Enter to overwrite the file.

Restart networking (Or reboot system)

Code: Select all

sudo service network-manager restart
Back out of the terminal, and reboot the system and check your dnsleak test site for results.

With thanks to the Ubuntu Forums whose solutions for Leaks on Ubuntu/Network Manager seem well researched and successful. THEY WORK and when no other solutions worked for me, these did. The above shown solution works for Ubuntu 17.x and 18.04 LTS. See his other solution for 16.04 LTS, and therefore on Linux MInt too!

User avatar
catweazel
Level 19
Level 19
Posts: 9184
Joined: Fri Oct 12, 2012 9:44 pm
Location: Australian Antarctic Territory

Re: [Tutorial] How to fix DNS leak while using VPN

Post by catweazel » Fri May 10, 2019 1:42 am

KaptenKnasboll wrote:
Thu May 09, 2019 6:21 pm
If you have a DNS leak as indicated by checking on browserleaks.com or dnsleaktest.com,
Or alternatively, and in one sentence or less:

Make sure these lines appear in the .ovpn before importing it:


block-outside-dns
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
down-pre
Last edited by catweazel on Sun May 19, 2019 1:23 am, edited 1 time in total.
¡uʍop ǝpısdn sı buıɥʇʎɹǝʌǝ os ɐıןɐɹʇsnɐ ɯoɹɟ ɯ,ı

User avatar
d00101
Level 1
Level 1
Posts: 4
Joined: Fri May 10, 2019 3:16 pm

Re: [Tutorial] How to fix DNS leak while using VPN

Post by d00101 » Fri May 10, 2019 3:57 pm

It seems there are a number of ways of going about this. First off, putting block-outside-dns in the conf files does not work on non-Windows systems, so don't trust in it:
This option is considered unknown on non-Windows platforms and unsupported on Windows XP, resulting in fatal error.
Refer to: https://community.openvpn.net/openvpn/w ... n23ManPage
What worked for me is dnscrypt-proxy and a custom kill switch. Here's how to do it:

First, enable IPv4 packet forwarding in sysctl.conf:

sudo nano /etc/sysctl.conf
Uncomment (remove the #) on the line: net.ipv4.ip_forward=1
Ctrl-S
Ctrl-X


Second, install dnscrypt-proxy:

sudo apt-get purge dnscrypt-proxy
sudo add-apt-repository ppa:shevchuk/dnscrypt-proxy
sudo apt update
sudo apt install dnscrypt-proxy


Third, restart these services:

sudo systemctl restart NetworkManager
sudo systemctl restart dnscrypt-proxy


Fourth, install and configure resolvconf:

sudo apt install resolvconf
sudo nano /etc/NetworkManager/NetworkManager.conf


Add dns=default under [main] on its own line:
[main]
dns=default

plugins=ifupdown,keyfile

[ifupdown]
managed=false

[device]
wifi.scan-rand-mac-address=no
Fifth, restart these services:

sudo systemctl stop systemd-resolved
sudo systemctl disable systemd-resolved
sudo systemctl restart network-manager
sudo systemctl restart dnscrypt-proxy


Lastly, IPv6 will still leak DNS information even if DNS leak testers are showing everything to be fine on IPv4. https://ipleak.net will exploit this flaw. The way to secure this is to create a custom kill switch using ufw to deny all network traffic except through the VPN tunnel (tun0):

sudo apt install ufw

To restrict all traffic to tun0:
sudo ufw reset
sudo ufw default deny incoming
sudo ufw default deny outgoing
sudo ufw allow out on tun0 from any to any
sudo ufw enable


And if you want to re-enable all traffic through every network interface:
sudo ufw reset
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw enable


I like to make these into aliases in ~./bash_aliases, for instance:

alias firewallup='sudo ufw reset && sudo ufw default deny incoming && sudo ufw default deny outgoing && sudo ufw allow out on tun0 from any to any && sudo ufw enable'
alias firewalldown='sudo ufw reset && sudo ufw default deny incoming && sudo ufw default allow outgoing && sudo ufw enable'


Basically, I have to un-restrict the traffic to connect to my VPN and then immediately restrict the traffic after successfully connecting. This will prevent IPv6 from leaking. And in case the VPN connection is lost and the ufw restrictions are up, then it functions as a perfect kill switch.

Hope this helps. FYI, it works for me on Mint 19.1 Tessa with ProtonVPN servers.

KaptenKnasboll
Level 1
Level 1
Posts: 2
Joined: Thu May 09, 2019 6:06 pm

Re: [Tutorial] How to fix DNS leak while using VPN

Post by KaptenKnasboll » Sun May 19, 2019 12:12 am

d00101 wrote:
Fri May 10, 2019 3:57 pm
It seems there are a number of ways of going about this. First off, putting block-outside-dns in the conf files does not work on non-Windows systems, so don't trust in it:
This option is considered unknown on non-Windows platforms and unsupported on Windows XP, resulting in fatal error.
Refer to: https://community.openvpn.net/openvpn/w ... n23ManPage
What worked for me is dnscrypt-proxy and a custom kill switch. Here's how to do it:

First, enable IPv4 packet forwarding in sysctl.conf:

sudo nano /etc/sysctl.conf
Uncomment (remove the #) on the line: net.ipv4.ip_forward=1
Ctrl-S
Ctrl-X


Second, install dnscrypt-proxy:

sudo apt-get purge dnscrypt-proxy
sudo add-apt-repository ppa:shevchuk/dnscrypt-proxy
sudo apt update
sudo apt install dnscrypt-proxy


Third, restart these services:

sudo systemctl restart NetworkManager
sudo systemctl restart dnscrypt-proxy


Fourth, install and configure resolvconf:

sudo apt install resolvconf
sudo nano /etc/NetworkManager/NetworkManager.conf


Add dns=default under [main] on its own line:
[main]
dns=default

plugins=ifupdown,keyfile

[ifupdown]
managed=false

[device]
wifi.scan-rand-mac-address=no
Fifth, restart these services:

sudo systemctl stop systemd-resolved
sudo systemctl disable systemd-resolved
sudo systemctl restart network-manager
sudo systemctl restart dnscrypt-proxy


Lastly, IPv6 will still leak DNS information even if DNS leak testers are showing everything to be fine on IPv4. https://ipleak.net will exploit this flaw. The way to secure this is to create a custom kill switch using ufw to deny all network traffic except through the VPN tunnel (tun0):

sudo apt install ufw

To restrict all traffic to tun0:
sudo ufw reset
sudo ufw default deny incoming
sudo ufw default deny outgoing
sudo ufw allow out on tun0 from any to any
sudo ufw enable


And if you want to re-enable all traffic through every network interface:
sudo ufw reset
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw enable


I like to make these into aliases in ~./bash_aliases, for instance:

alias firewallup='sudo ufw reset && sudo ufw default deny incoming && sudo ufw default deny outgoing && sudo ufw allow out on tun0 from any to any && sudo ufw enable'
alias firewalldown='sudo ufw reset && sudo ufw default deny incoming && sudo ufw default allow outgoing && sudo ufw enable'


Basically, I have to un-restrict the traffic to connect to my VPN and then immediately restrict the traffic after successfully connecting. This will prevent IPv6 from leaking. And in case the VPN connection is lost and the ufw restrictions are up, then it functions as a perfect kill switch.

Hope this helps. FYI, it works for me on Mint 19.1 Tessa with ProtonVPN servers.

Thank you for some new ideas and insights!
My VPN service providers solution for even using IPv6 was to Permanently disable it sysctl.conf lol.
So your killswitch is something I'll implement straight away!
Thank you my good man!

And as you said in the begining, you can't block outside DNS anymore since Ubuntu just overrides the OpenVPN resolved conf no matter what.

It's always good with more input. I hope our combined posts can help some people out.

Cheers! :D

User avatar
catweazel
Level 19
Level 19
Posts: 9184
Joined: Fri Oct 12, 2012 9:44 pm
Location: Australian Antarctic Territory

Re: [Tutorial] How to fix DNS leak while using VPN

Post by catweazel » Sun May 19, 2019 1:18 am

d00101 wrote:
Fri May 10, 2019 3:57 pm
It seems there are a number of ways of going about this. First off, putting block-outside-dns in the conf files does not work on non-Windows systems, so don't trust in it:
AAAARRRGGGHHH!
This option is considered unknown on non-Windows platforms and unsupported on Windows XP, resulting in fatal error. You may want to use –setenv opt or –ignore-unknown-option (not suitable for Windows XP) to ignore said error. Note that pushing unknown options from server does not trigger fatal errors.
¡uʍop ǝpısdn sı buıɥʇʎɹǝʌǝ os ɐıןɐɹʇsnɐ ɯoɹɟ ɯ,ı

kypec
Level 1
Level 1
Posts: 5
Joined: Sun Jan 21, 2018 1:45 pm
Location: Poprad (SK)
Contact:

Re: [Tutorial] How to fix DNS leak while using VPN

Post by kypec » Wed May 29, 2019 3:34 pm

Thank you very much for this tutorial. I have wasted 2 days while trying to fix my problems with VPN provided DNS not being honored. I use openconnect (Cisco AnyConnect protocol) and nothing worked. I have read discussions on systemd-resolved about this issue https://github.com/systemd/systemd/issues/6076 and https://github.com/systemd/systemd/pull/11050 but it looks like Mint has only older version of systemd 237 available at the moment and I didn't dare to update it above version 240 (which should have some fixes on domain routing implemented) on my own.
Your approach is simple and uses old but reliable utilities that have been working for ages. Now I'm starting to understand why so many users frown upon systemd :x

sunshine299
Level 1
Level 1
Posts: 10
Joined: Mon Apr 01, 2019 5:46 am

Re: [Tutorial] How to fix DNS leak while using VPN

Post by sunshine299 » Tue Jul 23, 2019 9:43 am

Not sure what’s gone wrong with mine but now I don’t have internet access at all, even with the settings to re_allow or with firewall disabled.


I attempt to connect the the ProtonVPN but no success

I followed the commands exactly.

Anyone have ideas on how to fix?

maxue
Level 1
Level 1
Posts: 4
Joined: Fri Jul 26, 2019 1:50 pm

Re: [Tutorial] How to fix DNS leak while using VPN

Post by maxue » Sat Jul 27, 2019 4:21 pm

Hello!

KaptenKnasboll tutorial perfectly worked for me, I'm using protonVPN as well.
Thank you !

sunshine299
Level 1
Level 1
Posts: 10
Joined: Mon Apr 01, 2019 5:46 am

Re: [Tutorial] How to fix DNS leak while using VPN

Post by sunshine299 » Tue Jul 30, 2019 7:54 am

As soon as I stop systemd, all internet stops. The only thing that allows any internet access, even connection the the PtotonVPN is by starting systemd again.

Tested on a virtual Mint and still the same.

sudo systemctl stop systemd-resolved
sudo systemctl disable systemd-resolved


Restarting network manager and dnscrypt proxy does nothing.

sudo systemctl restart network-manager
sudo systemctl restart dnscrypt-proxy

sunshine299
Level 1
Level 1
Posts: 10
Joined: Mon Apr 01, 2019 5:46 am

Re: [Tutorial] How to fix DNS leak while using VPN

Post by sunshine299 » Tue Aug 27, 2019 10:51 am

Solution found.

I found that lots of people are having the same problem as me. When systemd is disabled, it disables all internet access on the system. The only was I got it back on was a timeshift restore.

Then found ProtonVPN have a way round but you have to execute every time from the Terminal, then I use the "kill switch" commands with Firewall to only allow tunnel0 (VPN) connection. Every resource I can find only displays IP addresses & DNS details from the VPN.

* ProtonVPN's solution (Use Option B): https://protonvpn.com/support/linux-vpn-setup/
* Activating/Deactivating the firewall with regards to tunnel0 (as quoted in earlier post by d00101
Lastly, IPv6 will still leak DNS information even if DNS leak testers are showing everything to be fine on IPv4. https://ipleak.net will exploit this flaw. The way to secure this is to create a custom kill switch using ufw to deny all network traffic except through the VPN tunnel (tun0):

sudo apt install ufw

To restrict all traffic to tun0:
sudo ufw reset
sudo ufw default deny incoming
sudo ufw default deny outgoing
sudo ufw allow out on tun0 from any to any
sudo ufw enable

And if you want to re-enable all traffic through every network interface:
sudo ufw reset
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw enable

NOTE: Once the VPN is connected, if you close the terminal window it will end the VPN session. To connect next time you must allow all traffic from the firewall commands (or turn off firewall), then only allow traffic from tunnel0 again.

TO CHECK FOR DNS LEAKS:
https://whoer.net/
https://www.dnsleaktest.com/ (use extended test)

Post Reply

Return to “Tutorials”