NetworkManager + OpenVPN + PIA DNS Leaking

SirMyztiq · 2015-04-11 07:34:19

Hello,

I've configured PIA and OpenVPN and I'm able to connect to my VPN clients. However, it keeps the IPs DNS even though the update-resolv-conf.sh DOES change the etc/resolv.conf file. It adds PIA's DNS server names. I've disabled dhcpd from running so it doesn't clash with NetworkManager as well.

One detail is that although the update-resolv-conf.sh script DOES change my resolv.conf file, it still leaves my IP provider's DNS address in there at the bottom of the list.

I'm at a loss here, I've searched Google and multiple past posts extensively but have not found a solution.

jal · 2015-04-23 14:15:34

Hi
I got my dns leak fixed (I also use pia) with this link:

https://wiki.archlinux.org/index.php/OpenVPN#DNS

in update-resolv-conf.sh I use
foreign_option_1='dhcp-option DNS 4.2.2.1'
foreign_option_2='dhcp-option DNS 4.2.2.2'

(you can try with 8.8.8.8 & 8.8.4.4 to see if it's faster)

Now the extended test on https://www.dnsleaktest.com/ does not return my ISP IP.

SirMyztiq · 2015-05-17 07:49:11

jal wrote:

Hi
I got my dns leak fixed (I also use pia) with this link:
https://wiki.archlinux.org/index.php/OpenVPN#DNS
in update-resolv-conf.sh I use
foreign_option_1='dhcp-option DNS 4.2.2.1'
foreign_option_2='dhcp-option DNS 4.2.2.2'
(you can try with 8.8.8.8 & 8.8.4.4 to see if it's faster)
Now the extended test on https://www.dnsleaktest.com/ does not return my ISP IP.

I tried this and it did not work.

After spending some time figuring out what is happening, I see that PIA's DNS IPs ARE being added to the resolv.conf:

This is before connecting to VPN:

search fios-home.router
nameserver [myip]

and after

search fios-home.router
nameserver [PIA's DNS IP]
nameserver [PIA's DNS IP]
nameserver [myip]

So basically it keeps these "search fios-home.router" as the initial option which causes a dns leak. Any ideas as to why this could be happening?

ncar8923 · 2015-05-20 10:54:30

This exact thing is happening to me too.

My initial thought was that the 'update-resolv-conf' script PIA provides has a bug in it. I'm new to linux scripting and am not the best person to check for bugs though.

Here is the modified update-resolv-conf script that PIA provide:

#!/bin/bash
# 
# Parses DHCP options from openvpn to update resolv.conf
# To use set as 'up' and 'down' script in your openvpn *.conf:
# up /etc/openvpn/update-resolv-conf
# down /etc/openvpn/update-resolv-conf
#
# Used snippets of resolvconf script by Thomas Hood and Chris Hanson.
# Licensed under the GNU GPL.  See /usr/share/common-licenses/GPL. 
# 
# Example envs set from openvpn:
#
     foreign_option_1='dhcp-option DNS 209.222.18.218'
     foreign_option_2='dhcp-option DNS 209.222.18.222'
#     foreign_option_3='dhcp-option DOMAIN be.bnc.ch'
#

[ -x /sbin/resolvconf ] || exit 0
[ "$script_type" ] || exit 0
[ "$dev" ] || exit 0

split_into_parts()
{
	part1="$1"
	part2="$2"
	part3="$3"
}

case "$script_type" in
  up)
	NMSRVRS=""
	SRCHS=""
	for optionvarname in ${!foreign_option_*} ; do
		option="${!optionvarname}"
		echo "$option"
		split_into_parts $option
		if [ "$part1" = "dhcp-option" ] ; then
			if [ "$part2" = "DNS" ] ; then
				NMSRVRS="${NMSRVRS:+$NMSRVRS }$part3"
			elif [ "$part2" = "DOMAIN" ] ; then
				SRCHS="${SRCHS:+$SRCHS }$part3"
			fi
		fi
	done
	R=""
	[ "$SRCHS" ] && R="search $SRCHS
"
	for NS in $NMSRVRS ; do
        	R="${R}nameserver $NS
"
	done
	echo -n "$R" | /sbin/resolvconf -a "${dev}.openvpn"
	;;
  down)
	/sbin/resolvconf -d "${dev}.openvpn"
	;;
esac

SirMyztiq · 2015-05-20 13:37:15

ncar8923 wrote:

This exact thing is happening to me too.

My initial thought was that the 'update-resolv-conf' script PIA provides has a bug in it. I'm new to linux scripting and am not the best person to check for bugs though.

Here is the modified update-resolv-conf script that PIA provide:

#!/bin/bash
# 
# Parses DHCP options from openvpn to update resolv.conf
# To use set as 'up' and 'down' script in your openvpn *.conf:
# up /etc/openvpn/update-resolv-conf
# down /etc/openvpn/update-resolv-conf
#
# Used snippets of resolvconf script by Thomas Hood and Chris Hanson.
# Licensed under the GNU GPL.  See /usr/share/common-licenses/GPL. 
# 
# Example envs set from openvpn:
#
     foreign_option_1='dhcp-option DNS 209.222.18.218'
     foreign_option_2='dhcp-option DNS 209.222.18.222'
#     foreign_option_3='dhcp-option DOMAIN be.bnc.ch'
#

[ -x /sbin/resolvconf ] || exit 0
[ "$script_type" ] || exit 0
[ "$dev" ] || exit 0

split_into_parts()
{
	part1="$1"
	part2="$2"
	part3="$3"
}

case "$script_type" in
  up)
	NMSRVRS=""
	SRCHS=""
	for optionvarname in ${!foreign_option_*} ; do
		option="${!optionvarname}"
		echo "$option"
		split_into_parts $option
		if [ "$part1" = "dhcp-option" ] ; then
			if [ "$part2" = "DNS" ] ; then
				NMSRVRS="${NMSRVRS:+$NMSRVRS }$part3"
			elif [ "$part2" = "DOMAIN" ] ; then
				SRCHS="${SRCHS:+$SRCHS }$part3"
			fi
		fi
	done
	R=""
	[ "$SRCHS" ] && R="search $SRCHS
"
	for NS in $NMSRVRS ; do
        	R="${R}nameserver $NS
"
	done
	echo -n "$R" | /sbin/resolvconf -a "${dev}.openvpn"
	;;
  down)
	/sbin/resolvconf -d "${dev}.openvpn"
	;;
esac

Interesting. I don't remember whether I got the script for PIA or the the one linked to in the wiki. I'll diff them in a bit to see what's different.

ncar8923 · 2015-05-20 13:45:14

PIA provides the script in the openvpn.zip that has all the configs and certs.

I was just looking at the script because I had a hunch about a bug - looking at what gets output in the $R variable I noticed an extra newline character at the end.
I tried removing this to see if it was the problem but it didn't change anything in resolv.conf - still got one default IP at the bottom.

firecat53 · 2015-05-20 15:17:59

If I missed something in your posts, forgive me and ignore this...am I hearing you all say that you are trying to use the PIA VPN with NetworkManager? I'm using that right now without jumping through all the hoops you linked in your posts and have zero DNS leaks and a correctly updated /etc/resolv.conf. FYI, my /etc/openvpn/pia_us_west.conf looks like:

client
dev tun
proto udp
remote us-west.privateinternetaccess.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca pia.crt
tls-client
remote-cert-tls server
auth-user-pass pia.cred
comp-lzo
verb 1
reneg-sec 0
redirect-gateway def1

/etc/resolv.conf (auto-generated by NetworkManager, didn't use the update-resolv-conf.sh script):

# Generated by NetworkManager
nameserver 209.222.18.222
nameserver 209.222.18.218
nameserver 8.8.8.8
# NOTE: the libc resolver may not support more than 3 nameservers.
# The nameservers listed below may not be recognized.
nameserver 8.8.4.4

/etc/NetworkManager/system-connections/pia_us_west:

[connection]
id=pia_us_west
uuid=<uid>
type=vpn

[vpn]
service-type=org.freedesktop.NetworkManager.openvpn
connection-type=password
password-flags=0
remote=us-west.privateinternetaccess.com
comp-lzo=yes
reneg-seconds=0
username=<vpn username>
remote-cert-tls=server
ca=/etc/openvpn/pia.crt

[vpn-secrets]
password=<vpn secret password>

[ipv4]
method=auto

After making sure the openvpn configuration file was correct, I just setup my VPN connection using the NetworkManager gui, making sure to add the Google DNS servers to the connections I use the VPN with. Now the VPN auto-starts on certain networks, or I can manually toggle it...no DNS leaks when it's running. One server found on the DNS extended leak test and it belonged to PIA.

Hope that helps...if I'm understanding the question correctly

Scott

Last edited by firecat53 (2015-05-20 15:20:43)

brebs · 2015-05-20 15:36:35

firecat53 wrote:

have zero DNS leaks

Wrong - you just did one little test, I bet. And glibc happened to use the right DNS nameserver by *luck* rather than skill.

Your /etc/resolv.conf is set up for failure, because glibc works very simply.

See Unbound for an example of a local DNS server that *sensibly* knows the difference between the Internet, and your VPN IP range & name.

Edit: Also please note that, to confuse us, browsers perform their own DNS caching.

Last edited by brebs (2015-05-20 15:51:35)

firecat53 · 2015-05-20 16:39:13

brebs wrote:

Wrong - you just did one little test, I bet. And glibc happened to use the right DNS nameserver by *luck* rather than skill.

Thanks for the info...I'm certainly no network guru!! I'm not paranoid enough to worry about passing more than the linked DNS leak checker, but I would be interested how to check more fully.

I would assume (incorrectly?) that NetworkManager won't use a DNS nameserver that's not in resolv.conf, so is the main issue the browser DNS caching or that NetworkManager could potentially use a nameserver that's _not_ in resolv.conf?

Thanks,
Scott

SirMyztiq · 2015-05-20 16:53:58

firecat53 wrote:

brebs wrote:
Wrong - you just did one little test, I bet. And glibc happened to use the right DNS nameserver by *luck* rather than skill.
Thanks for the info...I'm certainly no network guru!! I'm not paranoid enough to worry about passing more than the linked DNS leak checker, but I would be interested how to check more fully.
I would assume (incorrectly?) that NetworkManager won't use a DNS nameserver that's not in resolv.conf, so is the main issue the browser DNS caching or that NetworkManager could potentially use a nameserver that's _not_ in resolv.conf?
Thanks,
Scott

I'm with you. This is totally out of my scope. I used two separate tests:

https://www.dnsleaktest.com/

This guy would tell me everything is a-ok. The extended test showed only one DNS server servicing and it was the PIA one. However, my resolv.conf still showed my "fios_network" or whatever as the top of the list with the VPN activated. Even when I added Google's DNS IPs to the NM settings, they were like fourth and fifth on the list.

http://dnsleak.com/

This guy is the DNS test that PIA user's use and shows me all of the Verizon's FiOS DNS servers which I feel is more accurate just based on what is in my resolv.conf.

I'm not at my PC right now, but when I do I will take a closer look at those scripts because something is definitely not getting set right. I know it's usually not a big deal but I do enjoy eating popcorn every once in a while...from the internet...if you know what I mean? I also like pirates, I like their eye patches. And their ships.

brebs · 2015-05-20 17:43:37

DNS starts with glibc which uses e.g. /etc/resolv.conf

Forget NetworkManager - look in /etc/resolv.conf instead, to see the reality.

A browser-based test is a really bad test of DNS, because the major browsers *cache* DNS themselves, which is not what you want when you're trying to test the system DNS
To make the test a bit less bad, completely close the browser (to flush its DNS cache), before opening the browser again and going straight to the test website.

Look at /etc/resolv.conf - it lists nameservers, which glibc treats as *equals* - there is *no distinction* of which nameserver is to be used solely for in-VPN DNS. Hence you rely on luck rather than skill.

To specify the distinction, use a local nameserver - Unbound is currently one of the best, and its configuration file allows you to "categorize" (just using a vague term here, to aid understanding) the DNS servers appropriately.

To summarize - use Unbound, then you get proper DNS resolution and caching.

firecat53 · 2015-05-20 19:06:15

Ah, I see now, thanks! I was randomly failing the checks on the second link (dnsleak.com) after that was posted. I guess at least it's failing with the Google DNS servers rather than my ISP's...although maybe that's a completely different conversation

It looks like Unbound can be run alongside NetworkManager by setting dns=none in /etc/NetworkManager/NetworkManager.conf so that the 'nameserver=127.0.0.1' line in /etc/resolv.conf will remain undisturbed. Cool! I'll have to give this a try when I get a chance. There's a good Arch Wiki article on Unbound.

Scott

Edit: One more question -- can Unbound easily/automatically switch DNS providers (back to Google DNS or ISP DNS) when OpenVPN connections are stopped?

Last edited by firecat53 (2015-05-20 19:08:01)

brebs · 2015-05-20 19:56:17

firecat53 wrote:

can Unbound easily/automatically switch DNS providers (back to Google DNS or ISP DNS) when OpenVPN connections are stopped?

"Back"? Google isn't going to be of any use for DNS *within* your VPN anyway.

Unbound works sensibly, don't worry.

Unbound's default DNS provider is the Internet DNS, rather than relying on Google or your ISP specifically - this was all designed with reliability through redundancy in mind

You can configure Unbound to specifically use your ISP's DNS (and/or Google's) if you really want to - but that would be a strange step backwards.

firecat53 · 2015-05-20 22:01:12

Ah...so Unbound replaces both my 'normal' non-VPN Google nameservers and the PIA nameservers (209.22.18.xx from my resolv.conf above) that are used while the VPN is active, right? <sigh> I always feel like networking is half black magic It's slowly starting to sink in...thanks for your patience! OP, hopefully this discussion is helping/relevant to your original issue!

Scott

brebs · 2015-05-20 22:23:19

Basically yeah, Unbound does it all:

1. Normal Internet DNS.
2. VPN-specific DNS for the VPN IP addresses & domain - see sample config in which you tell Unbound the domain, IP range and nameserver IP address.

Then, for VPN-specific DNS lookups, Unbound will forward the request to the VPN nameserver you specified.

Which is exactly what you need.

ncar8923 · 2015-05-21 10:07:53

I'll try this out too.

Out of interest, is there a way to check for DNS leaks on a headless GUI-less server? I can't open a browser to check.

brebs · 2015-05-21 10:37:07

ncar8923 wrote:

check for DNS leaks

Run e.g. "tcpdump port 53", then ping xyz.com (just to get a DNS lookup started), and check that the DNS query is going to the appropriate nameserver(s).

SirMyztiq · 2015-05-30 23:20:13

brebs wrote:

ncar8923 wrote:
check for DNS leaks
Run e.g. "tcpdump port 53", then ping xyz.com (just to get a DNS lookup started), and check that the DNS query is going to the appropriate nameserver(s).

Thanks for the guidance. I dumped the script way of doing this and adopted Unbound. I'm green on how to configure the VPN settings to use PIAs 209.222.18.222 and 209.222.18.218.

This is in my unbound.conf

server:
  use-syslog: yes
  username: "unbound"
  directory: "/etc/unbound"
  trust-anchor-file: trusted-key.key
  verbosity: 1
  num-threads: 1
  port: 53

local-zone: "127.in-addr.arpa." nodefault

forward-zone:
    name: "us-texas.privateinternetaccess.com"
    forward-addr: 209.222.18.222 

# Reverse DNS
forward-zone:
    name: "127.in-addr.arpa."
    forward-addr: 127.0.0.1

In the example config, it looks like it takes the name and the forward address. I wasn't positive if doing the local-zone thing was necessary but it sounded like it was. To allow queries to hit the 127.whatever addresses(which is my local server space) on the reverse DNS, I did...well the reverse.

tcpdump isn't giving me any info either. it just sits there. Not sure why.

Edit: Nevermind, I used

tcpdump port 1194

which is the port openvpn uses for PIA and I'm able to see it going on. It's using the same IP for both sets of values. Which I think it's normal since I'm using Unbound.

Last edited by SirMyztiq (2015-05-30 23:23:54)

brebs · 2015-05-31 10:19:45

Hmm, PIA is a bit different to the example I gave, which was for normal Internet connectivity + a VPN.

With PIA, presumably your *default* route is via "tun0" (i.e. the tunnel that openvpn provides)? To have a look, run "ip route".

With tcpdump, there's probably confusion about which interface it should listen on. Try instead:

tcpdump -i any -vv port 53

SirMyztiq, the two "127" entries in your Unbound config are totally wrong (127 is for localhost, rather than a VPN IP range or even an Internet IP range) - just remove those sections.

Smallville · 2015-06-08 15:16:32

brebs wrote:

Hmm, PIA is a bit different to the example I gave, which was for normal Internet connectivity + a VPN.
With PIA, presumably your *default* route is via "tun0" (i.e. the tunnel that openvpn provides)? To have a look, run "ip route".
With tcpdump, there's probably confusion about which interface it should listen on. Try instead:
tcpdump -i any -vv port 53
SirMyztiq, the two "127" entries in your Unbound config are totally wrong (127 is for localhost, rather than a VPN IP range or even an Internet IP range) - just remove those sections.

How i disable the resolvconf and start using the unbound ? I need to uninstall resolvconf ?

Thx

Last edited by Smallville (2015-06-11 14:22:04)

Smallville · 2015-06-12 17:55:13

I finally understand how disable the resolvconf and enable the unbound. Just need edit the /etc/NetworkManager/NetworkManager.conf and put dns=none
And have to reboot and start the unbound.
Now i only dont understand this:

forward-zone:
name: "us-texas.privateinternetaccess.com"
forward-addr: 209.222.18.222

Here i put the vpn server name and the ip of the vpn server ?

Thx

Strike0 · 2015-06-13 17:11:08

Smallville wrote:

forward-zone:
name: "us-texas.privateinternetaccess.com"
forward-addr: 209.222.18.222
Here i put the vpn server name and the ip of the vpn server ?

No, that is the name and IP of one DNS server of the poster's VPN provider (PIA).

Smallville · 2015-06-13 19:34:45

Strike0 wrote:

Smallville wrote:
forward-zone:
name: "us-texas.privateinternetaccess.com"
forward-addr: 209.222.18.222
Here i put the vpn server name and the ip of the vpn server ?
No, that is the name and IP of one DNS server of the poster's VPN provider (PIA).

Ahh ok, but i want to use unbound for my vpn provider (purevpn) what i need to type in my unbound.conf ?

I only have this:

# Disable default rejection of 192.168/16 range
local-zone: "168.192.in-addr.arpa." nodefault

forward-zone:
name: "blah.mycompany.com"
forward-addr: 192.168.2.1

# Reverse DNS
forward-zone:
name: "2.168.192.in-addr.arpa"
forward-addr: 192.168.2.1

that's enough ? I donth have dns leak on the websites of dns leak test (ipleak,dnsleak,dnsleaktest) , but i dont have dns servers, only show one dns and its the vpn ip.

And another thing what is the 192.168.2.1 ? My router ip or my computer ip ?

Thx 4 the help

Last edited by Smallville (2015-06-13 19:48:48)

SirMyztiq · 2015-06-18 03:49:53

brebs wrote:

Hmm, PIA is a bit different to the example I gave, which was for normal Internet connectivity + a VPN.
With PIA, presumably your *default* route is via "tun0" (i.e. the tunnel that openvpn provides)? To have a look, run "ip route".
With tcpdump, there's probably confusion about which interface it should listen on. Try instead:
tcpdump -i any -vv port 53
SirMyztiq, the two "127" entries in your Unbound config are totally wrong (127 is for localhost, rather than a VPN IP range or even an Internet IP range) - just remove those sections.

Ok, so I believe i got it configured correctly. I took out the two sections that I had no idea what I was doing in and left my unbound.conf looking like

server:
  use-syslog: yes
  username: "unbound"
  directory: "/etc/unbound"
  trust-anchor-file: trusted-key.key
  verbosity: 1
  num-threads: 1
  port: 53

forward-zone:
    name: "us-texas.privateinternetaccess.com"
    forward-addr: 209.222.18.222 

forward-zone:
    name: "us-west.privateinternetaccess.com"
    forward-addr: 209.222.18.222

So now I see the tcpdump using different values. It doesn't show 209.222.18.222 but they change when I'm connected/disconnected. Using the online tools I can see it using different DNS IPs when I'm connected or disconnected as well. Usually the DNS IP and my IP are the same when connected. When they are not, they use my localserver and dnsleak.com is able to identify it as Verizon ISP.

Am I looking at this correctly? I don't see the forward-addr value being used when i log tcpdump, but the values DO change.

Strike0 · 2015-06-21 11:07:26

It's not surprising you see different IPs. It makes no sense that you have two forward-zone entries to the same IP with different names. Further, the names resolve to different IPs anyway:

$ ping us-texas.privateinternetaccess.com
PING us-texas.privateinternetaccess.com (162.216.46.62) 56(84) bytes of data.
64 bytes from 162.216.46.62: icmp_seq=1 ttl=44 time=204 ms
^C
$ ping us-west.privateinternetaccess.com
PING us-west.privateinternetaccess.com (104.200.151.2) 56(84) bytes of data.
64 bytes from 104.200.151.2: icmp_seq=1 ttl=42 time=306 ms

edit: remove wrong assumption.
Since your localhost unbound is meant to serve the DNS, it makes sense to me that the dns leak tools report the same IP which the machine itself got assigned (just a different IP in both cases: connected to vpn or not).

Last edited by Strike0 (2015-06-21 11:17:12)

Arch Linux

#1 2015-04-11 07:34:19

NetworkManager + OpenVPN + PIA DNS Leaking

#2 2015-04-23 14:15:34

Re: NetworkManager + OpenVPN + PIA DNS Leaking

#3 2015-05-17 07:49:11

Re: NetworkManager + OpenVPN + PIA DNS Leaking

#4 2015-05-20 10:54:30

Re: NetworkManager + OpenVPN + PIA DNS Leaking

#5 2015-05-20 13:37:15

Re: NetworkManager + OpenVPN + PIA DNS Leaking

#6 2015-05-20 13:45:14

Re: NetworkManager + OpenVPN + PIA DNS Leaking

#7 2015-05-20 15:17:59

Re: NetworkManager + OpenVPN + PIA DNS Leaking

#8 2015-05-20 15:36:35

Re: NetworkManager + OpenVPN + PIA DNS Leaking

#9 2015-05-20 16:39:13

Re: NetworkManager + OpenVPN + PIA DNS Leaking

#10 2015-05-20 16:53:58

Re: NetworkManager + OpenVPN + PIA DNS Leaking

#11 2015-05-20 17:43:37

Re: NetworkManager + OpenVPN + PIA DNS Leaking

#12 2015-05-20 19:06:15

Re: NetworkManager + OpenVPN + PIA DNS Leaking

#13 2015-05-20 19:56:17

Re: NetworkManager + OpenVPN + PIA DNS Leaking

#14 2015-05-20 22:01:12

Re: NetworkManager + OpenVPN + PIA DNS Leaking

#15 2015-05-20 22:23:19

Re: NetworkManager + OpenVPN + PIA DNS Leaking

#16 2015-05-21 10:07:53

Re: NetworkManager + OpenVPN + PIA DNS Leaking

#17 2015-05-21 10:37:07

Re: NetworkManager + OpenVPN + PIA DNS Leaking

#18 2015-05-30 23:20:13

Re: NetworkManager + OpenVPN + PIA DNS Leaking

#19 2015-05-31 10:19:45

Re: NetworkManager + OpenVPN + PIA DNS Leaking

#20 2015-06-08 15:16:32

Re: NetworkManager + OpenVPN + PIA DNS Leaking

#21 2015-06-12 17:55:13

Re: NetworkManager + OpenVPN + PIA DNS Leaking

#22 2015-06-13 17:11:08

Re: NetworkManager + OpenVPN + PIA DNS Leaking

#23 2015-06-13 19:34:45

Re: NetworkManager + OpenVPN + PIA DNS Leaking

#24 2015-06-18 03:49:53

Re: NetworkManager + OpenVPN + PIA DNS Leaking

#25 2015-06-21 11:07:26

Re: NetworkManager + OpenVPN + PIA DNS Leaking

Board footer