The officially official Devuan Forum!

#1 Re: Freedom Hacks » Fixing DNS Leaks with OpenVPN on Devuan: Workaround » 2024-08-12 14:31:19

[Micronaut]

I'm not sure what tweaks you are (specifically) referring to, but I'll send some additional options I use on my Client.conf file, plus some justifications ;P

```
# My default "extra" options
auth-nocache            # Stops saving authentication info, so it’s more secure
auth SHA256             # Uses SHA-256 for checking data integrity
cipher AES-256-GCM      # Applies strong AES-256 encryption for protecting data
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384  # Chooses a solid encryption method for secure connections
proto udp               # Uses UDP, which is usually faster and can be more secure than TCP
persist-key             # Keeps the encryption key around after restarts
persist-tun             # Keeps the VPN tunnel up and running after restarts
dh dh2048.pem           # Uses 2048-bit DH parameters for secure key exchange
# ecdh-curve prime256v1  # (Alternative) Uses Elliptic Curve for faster key exchange
user nobody             # Runs the VPN service with minimal permissions
group nobody            # Ensures the VPN service runs in a low-privilege group
```

If using Proton with OpenVPN, I would check this guide on hardening: https://openvpn.net/community-resources … -security/

I might have some other configurations done, but that's what I remember now, hope it's useful

#2 Re: Freedom Hacks » Fixing DNS Leaks with OpenVPN on Devuan: Workaround » 2024-08-06 19:36:55

[GlennW]

Great insight! I tried it just now with no success though. It is possible that the VPN client is (somehow) already configured to use a different DNS server or maybe there are conflicts in DNS settings between the VPN and my system's network configuration, so the pushed DNS server might be ignored or something. My suspicion is that either resolv.conf or NetworkManager are overriding my VPN DNS settings.
I tried querying DNS records too and confirmed I was still not using the expected server, so the DNS leakage problem persisted.

And yeah, I'm staying away from Cloudflare. Still looks to me like a major data collection and profiling entity, despite their privacy promises. No relevant evidence though, just pure paranoia aha

[Micronaut]

Never looked into Proton since it's generally not highly regarded and has privacy issues... Not surprised I wasn't aware of that recommendation aha.
Yeah, openresolv did it for me. Had some struggles in avoiding conflicts with NetworkManager, but after implementing the package and doing some fixes, DNS settings were (finally) getting updated properly when the network changed (i.e. when I connected to the VPN). Which means, no DNS leakage! Thank you for the tip!

Still using DoT and DoH in the majority of my software, but now the VPN makes a more comprehensive protection against leaks at least.

Thank you guys :P

#3 Freedom Hacks » Fixing DNS Leaks with OpenVPN on Devuan: Workaround » 2024-08-05 19:52:48

lynch9
Replies: 7

Hey,

Yet another VPN adventure gone awry I guess. I was connecting through OpenVPN to Mullvad’s servers. Mullvad provides a custom `.config` file according to your needs, so it was no big deal (although you need to edit it a bit for further security and privacy). Some notify-send problems aside, everything seemed okay and all until I ran into an annoying DNS leakage issue.

Despite having OpenVPN configured and a nice and stable connection, DNS leakage was still a problem. While the Mullvad VPN app does a great job preventing this, I prefer using OpenVPN directly, or even WireGuard as a last resort, since getting mullvad-vpn to work properly on any non-systemd distro is near impossible (I tried hard). But you probably shouldn't be using any software like that anyway. So, I was left high and dry with DNS leaks.

What I Tried (And failed):
1. `resolv.conf` Tweaks:
   - Directly editing `/etc/resolv.conf` didn’t solve the leakage.

2. NetworkManager Settings:
   - I tinkered with NetworkManager settings, manually setting DNS servers, but still faced DNS leaks.

3. Mullvad custom .config file:
   - Even with Mullvad’s custom .config file, using "dhcp-option", with no results :p

Not sure what was failing. Logs showed nothing relevant, and I would restart the service multiple times, but the VPN always resorted to the same unwanted DNS server.
After struggling with the most obvious solutions, I gave in to a simple one: DNS over HTTPS in every applicable software. Instead of dealing with messy system settings, I set up DoH in my browsers and so on to use custom DNS servers. Mullvad also has some promising-looking ones in terms of privacy (https://mullvad.net/pt/help/dns-over-ht … s-over-tls). It's very trivial to do it in most browsers.

By using DNS over HTTPS in your browser, you encrypt your DNS queries, preventing them from leaking outside your VPN tunnel. Surely you may want to turn it off if not using a VPN, and it might make the connection slightly slower. Still it’s a neat, although not ideal, way to bypass the complicated system-wide configuration issues, especially when working with Devuan and SysVinit. It’s a simple fix that doesn’t really require much knowledge and work.

Has someone run into this problem? Would love suggestions :P

Note:  dnsmasq for DNS management could be a viable system-wide solution to handle this but I haven't tried it.
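
A quick way to check the symptom described in this thread, as an added example that is not part of the original posts: the script compares the DNS servers OpenVPN received in its PUSH_REPLY with the nameservers in a resolv.conf-style file. The addresses, file names and log line are constructed sample data.

```shell
#!/bin/sh
# Added example: compare the DNS servers the VPN pushed with the ones
# the system resolver is actually configured to use.

# Print each DNS server from the PUSH_REPLY line of an OpenVPN log ($1).
pushed_dns() {
    grep 'PUSH_REPLY' "$1" | tr ',' '\n' |
        sed -n "s/^dhcp-option DNS \([^' ]*\).*/\1/p" | sort -u
}

# Print each nameserver from a resolv.conf-style file ($1).
resolv_dns() {
    awk '$1 == "nameserver" { print $2 }' "$1" | sort -u
}

# Print resolvers in resolv.conf ($2) that the VPN log ($1) never pushed.
# Returns 0 when there are none, 1 when at least one is found.
leak_candidates() {
    pushed=$(pushed_dns "$1")
    found=0
    for ns in $(resolv_dns "$2"); do
        if ! printf '%s\n' "$pushed" | grep -qxF "$ns"; then
            printf '%s\n' "$ns"
            found=1
        fi
    done
    return "$found"
}

# Constructed sample data (not from the thread): a log in which 10.8.0.1
# was pushed, one resolv.conf still pointing at a LAN router, one updated.
write_samples() {
    cat > "$1/openvpn.log" <<'EOF'
2024-08-05 19:40:01 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.8.0.1,route-gateway 10.8.0.1,topology subnet'
EOF
    printf 'nameserver 192.168.1.1\n' > "$1/resolv.leaky"
    printf 'nameserver 10.8.0.1\n' > "$1/resolv.fixed"
}

tmp=$(mktemp -d)
write_samples "$tmp"
echo "leaky: $(leak_candidates "$tmp/openvpn.log" "$tmp/resolv.leaky")"
echo "fixed: $(leak_candidates "$tmp/openvpn.log" "$tmp/resolv.fixed")"
```

On a real system, pass the OpenVPN log and `/etc/resolv.conf`; if resolv.conf lists only a local stub such as 127.0.0.1 (for example dnsmasq), check the stub's upstream servers instead.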

#4 Re: Off-topic » Secure Boot? Yes, we've heard of it ... » 2024-07-29 15:33:17

@igorzwx
ahaha yeah, often it just ends up causing more headaches (much like other Poettering projects, IMO).
Personally, I just find it tricky to set up and too buggy in practice. It feels like a temporary fix rather than a real solution.. still waiting for something that actually works smoothly :P

#5 Re: Hardware & System Configuration » black screen on boot or splash screen stuck [PSA] » 2024-07-29 15:15:19

Great PSA on BIOS/UEFI issues. Disabling fast boot and Legacy might help a lot. One should consider updating the BIOS/UEFI firmware or kernel too...

Some years ago I had the same problem, but reinstalling GRUB and forcing the machine to boot from UEFI did it for me :P different root causes too I guess

Thanks for sharing the information.

#6 Re: Off-topic » Secure Boot probably not as secure as users would prefer » 2024-07-28 21:44:33

Secure boot just kind of sucks, it can be quite a hassle to manage and update keys, especially if you’re dealing with custom or older hardware like me..

@nahkhiirmees
Running {Core/Libre}boot in a VM sounds like a cool idea, actually. It’s like trying out new firmware without committing to the hardware. Just don’t expect it to be the exact same experience as the real deal I guess aha

@quickfur
Totally agree. Logging into X as root is too risky with all that code running. A single flaw could be a major issue there... best to keep root access limited and avoid unnecessary risks :p

#7 Re: Installation » After installing firmware, runlevel is unknown » 2024-07-28 21:17:49

Heyo, start by checking the runlevel of your runlevel settings and check your init scripts in /etc/init.d/ for any incorrect settings. Might want to check into your boot logs with dmesg and journalctl -xb too. Then check /etc/lxc/auto and check the LXC logs in /var/log/lxc/ to verify that your LXC container's autostart settings are correct. Re-configuring all packages with dpkg-reconfigure -a may also help... If the problem persists, hit up the #devuan IRC channel or something... anyways, good luck

P.S. As a last resort, reinstall the firmware packages one by one to see if any of them are the culprits

#8 Re: Other Issues » Chrome updates again, and ad-block still works » 2024-07-28 20:59:56

ηMatrix is just a superior add-on to your browser. I actually just noticed it's for PaleMoon only, so for Chrome you might want to go with uMatrix. It just overall manages the creepy websites' requests better and targets a wider spectrum of those...

#9 Re: Other Issues » Chrome updates again, and ad-block still works » 2024-07-17 17:52:59

They aim for weekly patches to fix bugs, still sometimes delays happen for bigger changes or stability checks I guess. As for the new extensions platform (Manifest V3) affecting ad-blockers and privacy tools, I don't know about any major delay announcements. If you haven’t seen any changes or warnings, they might be rolling it out gradually to avoid issues or something. It's good news that your extensions are still working fine, though. I would just recommend ηMatrix and not using Chrome maybe

#10 Re: Installation » Some problems after upgrading to Daedalus » 2024-07-17 17:43:37

In regards to the first problem, is pulseaudio installed?

#11 Re: Freedom Hacks » Frustration with Mullvad » 2024-07-17 17:38:07

I think it's pretty straightforward. Just download the Mullvad signing key and save it to /usr/share/keyrings using curl or whatever and then add the Mullvad repository to your APT sources list and reference the signing key.
