how to configure openvpn client to stop dns leak
Peter Colton
home.colton at gmail.com
Wed Aug 24 11:50:59 UTC 2022
Hello All,
The desktop machine I am running is Ubuntu 22.04.
I have installed the packages below on the desktop machine to use the
openvpn client:
sudo apt install network-manager-openvpn-gnome
sudo apt install openvpn-systemd-resolved
sudo apt install resolvconf
At the end of the openvpn client config file *.ovpn I have added the lines:
---
script-security 2
up /etc/openvpn/update-systemd-resolved
down /etc/openvpn/update-systemd-resolved
down-pre
#
dhcp-option DOMAIN-ROUTE .
---
I have been trying to configure the ubuntu openvpn client to stop
leaking dns info and up to now I have had no luck.
So any help is welcome. Regards: peter
Below there is some copy and paste info to help:
The remote machine that runs the openvpn server is Debian 11 - Freedombox - VPS.
I have edited the file:
nano /etc/sysctl.conf
---
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
---
Below is the read out from starting openvpn client from the command line:
---
$ sudo openvpn --verb 1 --config Desktop-openvpn.ovpn
2022-08-24 11:49:46 DEPRECATED OPTION: --cipher set to 'AES-256-CBC'
but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future
OpenVPN version will ignore --cipher for cipher negotiations. Add
'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to
--data-ciphers-fallback 'AES-256-CBC' to silence this warning.
2022-08-24 11:49:46 OpenVPN 2.5.5 x86_64-pc-linux-gnu [SSL (OpenSSL)]
[LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022
2022-08-24 11:49:46 library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
2022-08-24 11:49:46 NOTE: the current --script-security setting may
allow this configuration to call user-defined scripts
2022-08-24 11:49:46 TCP/UDP: Preserving recently used remote address:
[AF_INET]216.238.71.62:1194
2022-08-24 11:49:46 Socket Buffers: R=[212992->212992] S=[212992->212992]
2022-08-24 11:49:46 UDP link local: (not bound)
2022-08-24 11:49:46 UDP link remote: [AF_INET]216.238.71.62:1194
2022-08-24 11:49:47 TLS: Initial packet from
[AF_INET]216.238.71.62:1194, sid=dad9c9d1 dcb0db86
2022-08-24 11:49:47 VERIFY OK: depth=1, CN=ChangeMe
2022-08-24 11:49:47 VERIFY KU OK
2022-08-24 11:49:47 Validating certificate extended key usage
2022-08-24 11:49:47 ++ Certificate has EKU (str) TLS Web Server
Authentication, expects TLS Web Server Authentication
2022-08-24 11:49:47 VERIFY EKU OK
2022-08-24 11:49:47 VERIFY OK: depth=0, CN=ChangeMe
2022-08-24 11:49:47 Control Channel: TLSv1.3, cipher TLSv1.3
TLS_AES_256_GCM_SHA384, peer certificate: 384 bit EC, curve secp384r1,
signature: ecdsa-with-SHA512
2022-08-24 11:49:47 [ChangeMe] Peer Connection Initiated with
[AF_INET]216.238.71.62:1194
2022-08-24 11:49:47 PUSH: Received control message: 'PUSH_REPLY,route
10.91.0.0 255.255.255.0,topology net30,ping 10,ping-restart
120,ifconfig 10.91.0.6 10.91.0.5,peer-id 0,cipher AES-256-GCM'
2022-08-24 11:49:47 OPTIONS IMPORT: timers and/or timeouts modified
2022-08-24 11:49:47 OPTIONS IMPORT: --ifconfig/up options modified
2022-08-24 11:49:47 OPTIONS IMPORT: route options modified
2022-08-24 11:49:47 OPTIONS IMPORT: peer-id set
2022-08-24 11:49:47 OPTIONS IMPORT: adjusting link_mtu to 1624
2022-08-24 11:49:47 OPTIONS IMPORT: data channel crypto options modified
2022-08-24 11:49:47 Data Channel: using negotiated cipher 'AES-256-GCM'
2022-08-24 11:49:47 Outgoing Data Channel: Cipher 'AES-256-GCM'
initialized with 256 bit key
2022-08-24 11:49:47 Incoming Data Channel: Cipher 'AES-256-GCM'
initialized with 256 bit key
2022-08-24 11:49:47 net_route_v4_best_gw query: dst 0.0.0.0
2022-08-24 11:49:47 net_route_v4_best_gw result: via 192.168.1.1 dev wlp2s0
2022-08-24 11:49:47 ROUTE_GATEWAY 192.168.1.1/255.255.255.0
IFACE=wlp2s0 HWADDR=00:24:d2:ff:e6:98
2022-08-24 11:49:47 TUN/TAP device tun0 opened
2022-08-24 11:49:47 net_iface_mtu_set: mtu 1500 for tun0
2022-08-24 11:49:47 net_iface_up: set tun0 up
2022-08-24 11:49:47 net_addr_ptp_v4_add: 10.91.0.6 peer 10.91.0.5 dev tun0
2022-08-24 11:49:47 /etc/openvpn/update-systemd-resolved tun0 1500
1552 10.91.0.6 10.91.0.5 init
<14>Aug 24 11:49:47 update-systemd-resolved: Link 'tun0' coming up
<14>Aug 24 11:49:47 update-systemd-resolved: Adding DNS Routed Domain .
<14>Aug 24 11:49:47 update-systemd-resolved: SetLinkDomains(35 1 . true)
2022-08-24 11:49:47 net_route_v4_add: 216.238.71.62/32 via 192.168.1.1
dev [NULL] table 0 metric -1
2022-08-24 11:49:47 net_route_v4_del: 0.0.0.0/0 via 192.168.1.1 dev
[NULL] table 0 metric -1
2022-08-24 11:49:47 net_route_v4_add: 0.0.0.0/0 via 10.91.0.5 dev
[NULL] table 0 metric -1
2022-08-24 11:49:47 net_route_v4_add: 10.91.0.0/24 via 10.91.0.5 dev
[NULL] table 0 metric -1
2022-08-24 11:49:47 WARNING: this configuration may cache passwords in
memory -- use the auth-nocache option to prevent this
2022-08-24 11:49:47 Initialization Sequence Completed
----------------
Below is the output from the command:
$ resolvectl
Global
Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: foreign
DNS Domain: lan
Link 2 (enp4s0)
Current Scopes: none
Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Link 3 (wlp2s0)
Current Scopes: DNS
Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.1.1
DNS Servers: 192.168.1.1
DNS Domain: lan
Link 35 (tun0)
Current Scopes: none
Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
DNS Domain: ~.
---
cat /etc/resolv.conf
nameserver 127.0.0.53
search lan
---
$ nmcli device show tun0
GENERAL.DEVICE: tun0
GENERAL.TYPE: tun
GENERAL.HWADDR: (unknown)
GENERAL.MTU: 1500
GENERAL.STATE: 100 (connected (externally))
GENERAL.CONNECTION: tun0
GENERAL.CON-PATH:
/org/freedesktop/NetworkManager/ActiveConnection/45
IP4.ADDRESS[1]: 10.91.0.6/32
IP4.GATEWAY: 10.91.0.5
IP4.ROUTE[1]: dst = 10.91.0.5/32, nh = 0.0.0.0, mt = 0
IP4.ROUTE[2]: dst = 0.0.0.0/0, nh = 10.91.0.5, mt = 0
IP4.ROUTE[3]: dst = 10.91.0.0/24, nh = 10.91.0.5, mt = 0
IP6.ADDRESS[1]: fe80::56d9:efe:ad8e:77bd/64
IP6.GATEWAY: --
IP6.ROUTE[1]: dst = fe80::/64, nh = ::, mt = 256
---
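The resolvectl output in the post shows why queries still leave over Wi-Fi: tun0 carries the catch-all routing domain "~." (from `dhcp-option DOMAIN-ROUTE .`) but no "DNS Servers:" line, because the PUSH_REPLY in the log contains no `dhcp-option DNS`, so systemd-resolved keeps using 192.168.1.1 on wlp2s0. The script below is an added example, not code from the post or from Ubuntu; it parses `resolvectl` output and reports whether a tunnel link is actually able to answer queries. The sample inputs are constructed from the post's output, and the resolver address 10.91.0.1 in the "fixed" sample is a placeholder, not a value from the post.

```shell
#!/bin/sh
# Added example (not from the original post): inspect `resolvectl` output and
# report whether DNS queries can go out through a VPN tunnel link.
# systemd-resolved only sends a query over a link that has at least one DNS
# server; a routing domain of "~." on its own does not add one.

# Print the lines belonging to one "Link N (iface)" section of resolvectl output.
# $1 = interface name (e.g. tun0); resolvectl text on stdin.
link_block() {
  awk -v iface="$1" '
    /^[ \t]*Link [0-9]+ \(/ { inblock = (index($0, "(" iface ")") > 0); next }
    /^[ \t]*Global/         { inblock = 0 }
    inblock                 { print }
  '
}

# Classify one link. Prints exactly one of:
#   ok            - link has a DNS server and the "~." domain or +DefaultRoute
#   no-link       - no section for that interface in the output
#   no-dns-server - link has no "DNS Servers:" entry, so queries go elsewhere
#   not-default   - link has a server but is used for split DNS only
# Exit status is 0 only for "ok".
vpn_dns_status() {
  block=$(link_block "$1")
  if [ -z "$block" ]; then
    echo no-link; return 1
  fi
  case "$block" in
    *"DNS Servers:"*) ;;
    *) echo no-dns-server; return 1 ;;
  esac
  case "$block" in
    *"DNS Domain: ~."*|*"+DefaultRoute"*) echo ok; return 0 ;;
    *) echo not-default; return 1 ;;
  esac
}

# Constructed sample: the resolvectl output from the post, with the indentation
# resolvectl really prints (the mail archive stripped it).
SAMPLE_LEAKING='Global
  Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
  resolv.conf mode: foreign
  DNS Domain: lan
Link 2 (enp4s0)
  Current Scopes: none
  Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Link 3 (wlp2s0)
  Current Scopes: DNS
  Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
  Current DNS Server: 192.168.1.1
  DNS Servers: 192.168.1.1
  DNS Domain: lan
Link 35 (tun0)
  Current Scopes: none
  Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
  DNS Domain: ~.'

# Constructed sample of the same link once the server pushes
# `dhcp-option DNS <resolver>`; 10.91.0.1 is a placeholder address.
SAMPLE_FIXED='Link 35 (tun0)
  Current Scopes: DNS
  Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
  Current DNS Server: 10.91.0.1
  DNS Servers: 10.91.0.1
  DNS Domain: ~.'

# Demo on the constructed samples.
printf '%s\n' "$SAMPLE_LEAKING" | vpn_dns_status tun0   # no-dns-server
printf '%s\n' "$SAMPLE_FIXED"   | vpn_dns_status tun0   # ok
```

On a live machine, source the file and run `resolvectl | vpn_dns_status tun0` after the tunnel is up. A result of `no-dns-server` means update-systemd-resolved never received a `dhcp-option DNS` value to pass to SetLinkDNS; that value has to come from a `push "dhcp-option DNS <resolver-ip>"` line in the server config or a `dhcp-option DNS <resolver-ip>` line in the client .ovpn, with the resolver reachable through the tunnel.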