The officially official Devuan Forum!


#1 2024-08-05 19:52:48

lynch9
Member
Registered: 2024-07-17
Posts: 11  

Fixing DNS Leaks with OpenVPN on Devuan: Workaround

Hey,

Yet another VPN adventure gone awry I guess. I was connecting through OpenVPN to Mullvad’s servers. Mullvad provides a custom `.config` file according to your needs, so it was no big deal (although you need to edit it a bit for further security and privacy). Some notify-send problems aside, everything seemed okay and all until I ran into an annoying DNS leakage issue.

Despite having OpenVPN configured, a nice and stable connection, DNS leakage was still a problem. While the Mullvad VPN app does a great job preventing this, I prefer using OpenVPN directly or even WireGuard as a last resort since getting mullvad-vpn to work properly on any non-systemd distro is near impossible (I tried it hard). But you probably shouldn't be using any software like that anyways. So, I was left high and dry with DNS leaks.

What I Tried (And failed):
1. `resolv.conf` Tweaks:
   - Directly editing `/etc/resolv.conf` didn’t solve the leakage.

2. NetworkManager Settings:
   - I tinkered with NetworkManager settings, manually setting DNS servers, but still faced DNS leaks.

3. Mullvad custom .config file:
   - Even with Mullvad’s custom .config file, using "dhcp-option", with no results :p

Not sure what was failing, logs showed nothing relevant, I would restart the service multiple times, the VPN always resorted to the same unwanted DNS server.
After struggling with the most obvious solutions, I gave in to a simple one: DNS over HTTPS in every applicable software. Instead of dealing with messy system settings, I set up DoH in my browsers and so on to use custom DNS servers. Mullvad also has some promising-looking ones in terms of privacy (https://mullvad.net/pt/help/dns-over-ht … s-over-tls). It's very trivial to do it in most browsers.

By using DNS over HTTPS in your browser, you encrypt your DNS queries, preventing them from leaking outside your VPN tunnel. Surely you may want to turn it off if not using a VPN, and it might make the connection slightly slower. Still it’s a neat, although not ideal, way to bypass the complicated system-wide configuration issues, especially when working with Devuan and SysVinit. It’s a simple fix that doesn’t really require much knowledge and work.

Has someone run into this problem? Would love suggestions :P

Note: dnsmasq for DNS management could be a viable system-wide solution to handle this but I haven't tried it.


Hey, it's lynchian9.
Feel free to reach out via email.

Offline

#2 2024-08-05 23:18:33

GlennW
Member
From: Brisbane, Australia
Registered: 2019-07-18
Posts: 646  

Re: Fixing DNS Leaks with OpenVPN on Devuan: Workaround

Hi.

I don't know too much about DNS leakage, but...
I wanted to try and use an alternative to Alphabet (Google) DNS servers...
I tried editing resolv.conf, a few different ways without complete success.

I have found a way of setting DNS servers with OpenVPN.

Near the top of the text file...

/etc/openvpn/update-resolv-conf

```
# Example envs set from openvpn:
#
#     foreign_option_1='dhcp-option DNS 193.43.27.132'
#     foreign_option_2='dhcp-option DNS 193.43.27.133'
#     foreign_option_3='dhcp-option DOMAIN be.bnc.ch'
#
foreign_option_1='dhcp-option DNS 1.1.1.1'
foreign_option_2='dhcp-option DNS 198.101.242.72'
```

These are for Cloudflare servers, the 198.... address is the most local to my physical location although the VPN takes me to another continent.

I'm not promoting Cloudflare, just saying you may set DNS here and it will survive reboots.

My motivation is privacy, not secrecy.

I hope this helps.


pic from 1993, new guitar day.

Offline

#3 2024-08-06 01:28:06

Micronaut
Member
Registered: 2019-07-04
Posts: 228  

Re: Fixing DNS Leaks with OpenVPN on Devuan: Workaround

The Proton Mail / VPN people suggest you install OpenResolv when you configure a Linux system to use their VPN. Of course, they recommend that you use their app first. But that requires the Gnome desktop environment, which is now in the death-grip of you-know-what eldritch abomination from the depths of Red Hat. So, if you configure manually, they say you should install both OpenVPN and OpenResolv -- specifically to prevent problems of the sort you are describing.

Offline

#4 2024-08-06 19:36:55

lynch9
Member
Registered: 2024-07-17
Posts: 11  

Re: Fixing DNS Leaks with OpenVPN on Devuan: Workaround

[GlennW]

Great insight! I tried it just now with no success though. It is possible that the VPN client is (somehow) already configured to use a different DNS server or maybe there are conflicts in DNS settings between the VPN and my system's network configuration, so the pushed DNS server might be ignored or something. My suspicion is that either resolv.conf or NetworkManager is overriding my VPN DNS settings.
I tried querying DNS records too and confirmed I was still not using the expected server, so the DNS leakage problem persisted.

And yeah, I'm staying away from Cloudflare. Still looks to me like a major data collection and profiling entity, despite their privacy promises. No relevant evidence though, just pure paranoia aha

[Micronaut]

Never looked into Proton since it's generally not highly regarded and has privacy issues... Not surprised I wasn't aware of that recommendation aha.
Yeah openresolv did it for me. Had some struggles in avoiding conflicts with NetworkManager, but after implementing the package and doing some fixes, DNS settings were (finally) getting updated properly when the network changed (i.e. when I connected to the VPN). Which means, no DNS leakage! Thank you for the tip!

Still using DoT and DoH in the majority of my software, but now the VPN makes a more comprehensive protection against leaks at least.

Thank you guys :P

Last edited by lynch9 (2024-08-06 19:38:18)



Offline

#5 2024-08-07 01:28:43

Micronaut
Member
Registered: 2019-07-04
Posts: 228  

Re: Fixing DNS Leaks with OpenVPN on Devuan: Workaround

Please post what tweaks you made here? I've tried setting up Proton VPN according to their directions, but I'm not sure how 'generically' useful their setup might be.

Offline

#6 2024-08-07 04:13:16

GlennW
Member
From: Brisbane, Australia
Registered: 2019-07-18
Posts: 646  

Re: Fixing DNS Leaks with OpenVPN on Devuan: Workaround

Hi, I must have been using openresolv as well, but I had forgotten. Sorry about that.



Offline

#7 2024-08-12 14:31:19

lynch9
Member
Registered: 2024-07-17
Posts: 11  

Re: Fixing DNS Leaks with OpenVPN on Devuan: Workaround

[Micronaut]

I'm not sure what tweaks you are (specifically) referring to, but I'll send some additional options I use on my Client.conf file, plus some justifications ;P

```
#My default "extra" options
auth-nocache            # Stops saving authentication info, so it’s more secure
auth SHA256             # Uses SHA-256 for checking data integrity
cipher AES-256-GCM      # Applies strong AES-256 encryption for protecting data
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384  # Chooses a solid encryption method for secure connections
proto udp               # Uses UDP, which is usually faster and can be more secure than TCP
persist-key             # Keeps the encryption key around after restarts
persist-tun             # Keeps the VPN tunnel up and running after restarts
dh dh2048.pem           # Uses 2048-bit DH parameters for secure key exchange
# ecdh-curve prime256v1  # (Alternative) Uses Elliptic Curve for faster key exchange
user nobody             # Runs the VPN service with minimal permissions
group nobody            # Ensures the VPN service runs in a low-privilege group
```

If using Proton with OpenVPN, I would check this guide on hardening: https://openvpn.net/community-resources … -security/

I might have some other configurations done, but that's what I remember now, hope it's useful



Offline

#8 2024-08-21 12:24:35

Magnus
Member
From: Stockholm, Sweden
Registered: 2020-03-14
Posts: 54  

Re: Fixing DNS Leaks with OpenVPN on Devuan: Workaround

I don't use OpenVPN anymore but in my saved config files I find the lines:

```
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
```

at the end of all VPN server config files. I think I added them, and installed openresolv, to prevent DNS leak. Like this:

```
client
dev tun
proto udp
remote sweden.privateinternetaccess.com 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
auth-user-pass filename.txt
comp-lzo
verb 1
reneg-sec 0
crl-verify crl.rsa.2048.pem
ca ca.rsa.2048.crt
disable-occ
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
```

Offline
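
The `foreign_option_N` variables from posts #2 and #8 and the resolver check described in post #4, as an added example that is not part of any post in this thread and is not OpenVPN's own update-resolv-conf script: it lists the DNS servers handed to an up script and flags any `nameserver` entry in a resolv.conf-format file that the VPN did not push. The function names and the sample addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example; not the update-resolv-conf script shipped with OpenVPN.

# Print the DNS servers OpenVPN hands to an up script through the
# foreign_option_1, foreign_option_2, ... environment variables.
pushed_dns() {
    i=1
    while eval "opt=\${foreign_option_$i:-}" && [ -n "$opt" ]; do
        case $opt in
            "dhcp-option DNS "*) printf '%s\n' "${opt#dhcp-option DNS }" ;;
        esac
        i=$((i + 1))
    done
}

# Print every nameserver in the resolv.conf-format file $1 that the VPN
# did not push. Any output means lookups can reach a resolver the VPN
# did not supply.
unexpected_nameservers() {
    allowed=$(pushed_dns)
    awk '$1 == "nameserver" { print $2 }' "$1" | while read -r ns; do
        printf '%s\n' "$allowed" | grep -qxF -- "$ns" || printf '%s\n' "$ns"
    done
}

# Return 0 when only pushed resolvers are configured, 1 otherwise.
check_resolv_conf() {
    extra=$(unexpected_nameservers "$1")
    [ -z "$extra" ] && return 0
    printf '%s\n' "$extra" | sed 's/^/resolver not pushed by VPN: /' >&2
    return 1
}

# Constructed sample: the VPN pushed 10.8.0.1, but the LAN router
# 192.168.1.1 is still listed first in the resolver file.
sample=$(mktemp)
printf 'nameserver 192.168.1.1\nnameserver 10.8.0.1\n' > "$sample"
foreign_option_1='dhcp-option DNS 10.8.0.1'
foreign_option_2='dhcp-option DOMAIN example.net'
check_resolv_conf "$sample" || echo "possible DNS leak"
rm -f "$sample"
```

Run `check_resolv_conf /etc/resolv.conf` after the tunnel is up; it only inspects the system resolver file, so software with its own DoH or DoT settings is outside what it checks.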
