#1 2023-11-12 21:50:56

Sbunz
Member
Registered: 2023-11-12
Posts: 3

[SOLVED] Trouble configuring OpenVPN to prevent DNS leak

Hello, I have been daily driving my Arch computer for a few weeks now. I installed it myself according to the wiki so that I could learn more about how Linux works as this is my first distro.

These past few days I have been trying to set up openvpn. I am running networkmanager-openvpn so I downloaded my provider's .ovpn files and imported them using nmcli.
I am able to connect without issue but my ISP's DNS still appears on various DNS leak testing sites.

I have been poring over the DNS section of the OpenVPN page on the ArchWiki for solutions.
Since I am running openresolv, I appended the following to the .ovpn file I am using:

script-security 2
up /usr/share/openvpn/contrib/pull-resolv-conf/client.up
down /usr/share/openvpn/contrib/pull-resolv-conf/client.down

This doesn't seem to make a difference though, since my resolv.conf is changing in the same way whether I have these lines appended or not.
With or without them, /etc/resolv.conf reads:
While connected:

# Generated by NetworkManager
search Home
nameserver 10.2.10.1
nameserver 192.168.0.1

While not connected:

# Generated by NetworkManager
search Home
nameserver 192.168.0.1

I saw on the wiki that openresolv doesn't work out of the box since client.up only creates private connections, so I read the resolvconf manual and added the -p flag to where the command is called in client.up:

if type resolvconf >/dev/null 2>&1; then
  printf "%s\n" "${out}" | resolvconf -a -p "${dev}"
else

But the result is the same as before.

Journal for networkmanager.service:

 Nov 12 14:27:47 SCRUNGUSxOMEGA nm-openvpn[11607]: OpenVPN 2.6.7 [git:makepkg/53c9033317b3b8fd+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO] built on Nov  9 2023
Nov 12 14:27:47 SCRUNGUSxOMEGA nm-openvpn[11607]: library versions: OpenSSL 3.1.4 24 Oct 2023, LZO 2.10
Nov 12 14:27:47 SCRUNGUSxOMEGA nm-openvpn[11607]: DCO version: N/A
Nov 12 14:27:47 SCRUNGUSxOMEGA nm-openvpn[11607]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Nov 12 14:27:48 SCRUNGUSxOMEGA nm-openvpn[11607]: TCP/UDP: Preserving recently used remote address: [AF_INET]128.90.34.21:443
Nov 12 14:27:48 SCRUNGUSxOMEGA nm-openvpn[11607]: UDPv4 link local: (not bound)
Nov 12 14:27:48 SCRUNGUSxOMEGA nm-openvpn[11607]: UDPv4 link remote: [AF_INET]128.90.34.21:443
Nov 12 14:27:48 SCRUNGUSxOMEGA nm-openvpn[11607]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Nov 12 14:27:48 SCRUNGUSxOMEGA nm-openvpn[11607]: [us6.vyprvpn.com] Peer Connection Initiated with [AF_INET]128.90.34.21:443
Nov 12 14:27:49 SCRUNGUSxOMEGA nm-openvpn[11607]: TUN/TAP device tun0 opened
Nov 12 14:27:49 SCRUNGUSxOMEGA nm-openvpn[11607]: /usr/lib/nm-openvpn-service-openvpn-helper --debug 0 11597 --bus-name org.freedesktop.NetworkManager.openvpn.Connection_5 --tun -- tun0 1500 0 10.2.26.195 255.255.255.0 init
Nov 12 14:27:49 SCRUNGUSxOMEGA NetworkManager[10997]: <info>  [1699824469.7143] manager: (tun0): new Tun device (/org/freedesktop/NetworkManager/Devices/6)
Nov 12 14:27:49 SCRUNGUSxOMEGA nm-openvpn[11607]: UID set to nm-openvpn
Nov 12 14:27:49 SCRUNGUSxOMEGA nm-openvpn[11607]: GID set to nm-openvpn
Nov 12 14:27:49 SCRUNGUSxOMEGA nm-openvpn[11607]: Capabilities retained: CAP_NET_ADMIN
Nov 12 14:27:49 SCRUNGUSxOMEGA nm-openvpn[11607]: Initialization Sequence Completed
Nov 12 14:27:49 SCRUNGUSxOMEGA NetworkManager[10997]: <info>  [1699824469.7232] device (tun0): state change: unmanaged -> unavailable (reason 'connection-assumed', sys-iface-state: 'external')
Nov 12 14:27:49 SCRUNGUSxOMEGA NetworkManager[10997]: <info>  [1699824469.7241] device (tun0): state change: unavailable -> disconnected (reason 'connection-assumed', sys-iface-state: 'external')
Nov 12 14:27:49 SCRUNGUSxOMEGA NetworkManager[10997]: <info>  [1699824469.7244] device (tun0): Activation: starting connection 'tun0' (d3509038-20ad-4c30-b2a0-ccbeae447e58)
Nov 12 14:27:49 SCRUNGUSxOMEGA NetworkManager[10997]: <info>  [1699824469.7249] device (tun0): state change: disconnected -> prepare (reason 'none', sys-iface-state: 'external')
Nov 12 14:27:49 SCRUNGUSxOMEGA NetworkManager[10997]: <info>  [1699824469.7251] device (tun0): state change: prepare -> config (reason 'none', sys-iface-state: 'external')
Nov 12 14:27:49 SCRUNGUSxOMEGA NetworkManager[10997]: <info>  [1699824469.7251] device (tun0): state change: config -> ip-config (reason 'none', sys-iface-state: 'external')
Nov 12 14:27:49 SCRUNGUSxOMEGA NetworkManager[10997]: <info>  [1699824469.7252] device (tun0): state change: ip-config -> ip-check (reason 'none', sys-iface-state: 'external')
Nov 12 14:27:49 SCRUNGUSxOMEGA NetworkManager[10997]: <info>  [1699824469.7883] policy: set 'USA - Chicago' (tun0) as default for IPv4 routing and DNS
Nov 12 14:27:49 SCRUNGUSxOMEGA NetworkManager[10997]: <info>  [1699824469.7987] device (tun0): state change: ip-check -> secondaries (reason 'none', sys-iface-state: 'external')
Nov 12 14:27:49 SCRUNGUSxOMEGA NetworkManager[10997]: <info>  [1699824469.7990] device (tun0): state change: secondaries -> activated (reason 'none', sys-iface-state: 'external')
Nov 12 14:27:49 SCRUNGUSxOMEGA NetworkManager[10997]: <info>  [1699824469.8000] device (tun0): Activation: successful, device activated.
Nov 12 14:28:55 SCRUNGUSxOMEGA NetworkManager[10997]: <info>  [1699824535.5257] vpn[0x55d0ea93cde0,4bd0c443-a10c-4df1-982f-1ba2200ea1ed,"USA - Austin"]: starting openvpn
Nov 12 14:28:55 SCRUNGUSxOMEGA NetworkManager[10997]: <info>  [1699824535.5259] audit: op="connection-activate" uuid="4bd0c443-a10c-4df1-982f-1ba2200ea1ed" name="USA - Austin" pid=734 uid=1000 result="success"
Nov 12 14:28:55 SCRUNGUSxOMEGA NetworkManager[11656]: 2023-11-12 14:28:55 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
Nov 12 14:28:55 SCRUNGUSxOMEGA nm-openvpn[11656]: OpenVPN 2.6.7 [git:makepkg/53c9033317b3b8fd+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO] built on Nov  9 2023
Nov 12 14:28:55 SCRUNGUSxOMEGA nm-openvpn[11656]: library versions: OpenSSL 3.1.4 24 Oct 2023, LZO 2.10
Nov 12 14:28:55 SCRUNGUSxOMEGA nm-openvpn[11656]: DCO version: N/A
Nov 12 14:28:55 SCRUNGUSxOMEGA nm-openvpn[11656]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Nov 12 14:28:55 SCRUNGUSxOMEGA nm-openvpn[11656]: TCP/UDP: Preserving recently used remote address: [AF_INET]128.90.34.27:443
Nov 12 14:28:55 SCRUNGUSxOMEGA nm-openvpn[11656]: UDPv4 link local: (not bound)
Nov 12 14:28:55 SCRUNGUSxOMEGA nm-openvpn[11656]: UDPv4 link remote: [AF_INET]128.90.34.27:443
Nov 12 14:28:55 SCRUNGUSxOMEGA nm-openvpn[11656]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Nov 12 14:29:16 SCRUNGUSxOMEGA NetworkManager[10997]: <info>  [1699824556.9593] manager: NetworkManager state is now CONNECTING
Nov 12 14:29:16 SCRUNGUSxOMEGA NetworkManager[10997]: <info>  [1699824556.9610] audit: op="connection-deactivate" uuid="6faf38c2-1607-4851-a473-8c857940c4d8" name="USA - Chicago" pid=734 uid=1000 result="success"
Nov 12 14:29:17 SCRUNGUSxOMEGA NetworkManager[10997]: <info>  [1699824557.0150] manager: NetworkManager state is now CONNECTED_GLOBAL
Nov 12 14:29:17 SCRUNGUSxOMEGA NetworkManager[10997]: <info>  [1699824557.0151] policy: set 'Noosphere' (wlp0s20f3) as default for IPv4 routing and DNS
Nov 12 14:29:17 SCRUNGUSxOMEGA nm-openvpn[11607]: event_wait : Interrupted system call (fd=-1,code=4)
Nov 12 14:29:17 SCRUNGUSxOMEGA nm-openvpn[11607]: SIGTERM received, sending exit notification to peer
Nov 12 14:29:19 SCRUNGUSxOMEGA NetworkManager[10997]: <info>  [1699824559.0295] device (tun0): state change: activated -> unmanaged (reason 'unmanaged', sys-iface-state: 'removed')
Nov 12 14:29:20 SCRUNGUSxOMEGA NetworkManager[10997]: <info>  [1699824560.3999] audit: op="connection-deactivate" uuid="4bd0c443-a10c-4df1-982f-1ba2200ea1ed" name="USA - Austin" pid=734 uid=1000 result="success"
Nov 12 14:29:21 SCRUNGUSxOMEGA nm-openvpn[11656]: SIGTERM received, sending exit notification to peer
Nov 12 14:29:22 SCRUNGUSxOMEGA NetworkManager[10997]: <info>  [1699824562.7596] vpn[0x55d0ea8f9a40,4bd0c443-a10c-4df1-982f-1ba2200ea1ed,"USA - Austin"]: starting openvpn
Nov 12 14:29:22 SCRUNGUSxOMEGA NetworkManager[10997]: <info>  [1699824562.7598] audit: op="connection-activate" uuid="4bd0c443-a10c-4df1-982f-1ba2200ea1ed" name="USA - Austin" pid=734 uid=1000 result="success"
Nov 12 14:29:22 SCRUNGUSxOMEGA NetworkManager[11689]: 2023-11-12 14:29:22 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
Nov 12 14:29:22 SCRUNGUSxOMEGA nm-openvpn[11689]: OpenVPN 2.6.7 [git:makepkg/53c9033317b3b8fd+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO] built on Nov  9 2023
Nov 12 14:29:22 SCRUNGUSxOMEGA nm-openvpn[11689]: library versions: OpenSSL 3.1.4 24 Oct 2023, LZO 2.10
Nov 12 14:29:22 SCRUNGUSxOMEGA nm-openvpn[11689]: DCO version: N/A
Nov 12 14:29:23 SCRUNGUSxOMEGA nm-openvpn[11689]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Nov 12 14:29:23 SCRUNGUSxOMEGA nm-openvpn[11689]: TCP/UDP: Preserving recently used remote address: [AF_INET]128.90.34.27:443
Nov 12 14:29:23 SCRUNGUSxOMEGA nm-openvpn[11689]: UDPv4 link local: (not bound)
Nov 12 14:29:23 SCRUNGUSxOMEGA nm-openvpn[11689]: UDPv4 link remote: [AF_INET]128.90.34.27:443
Nov 12 14:29:23 SCRUNGUSxOMEGA nm-openvpn[11689]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Nov 12 14:29:24 SCRUNGUSxOMEGA nm-openvpn[11689]: [us3.vyprvpn.com] Peer Connection Initiated with [AF_INET]128.90.34.27:443
Nov 12 14:29:31 SCRUNGUSxOMEGA nm-openvpn[11689]: TUN/TAP device tun0 opened
Nov 12 14:29:31 SCRUNGUSxOMEGA nm-openvpn[11689]: /usr/lib/nm-openvpn-service-openvpn-helper --debug 0 11679 --bus-name org.freedesktop.NetworkManager.openvpn.Connection_8 --tun -- tun0 1500 0 10.2.18.248 255.255.255.0 init
Nov 12 14:29:31 SCRUNGUSxOMEGA NetworkManager[10997]: <info>  [1699824571.9311] manager: (tun0): new Tun device (/org/freedesktop/NetworkManager/Devices/7)
Nov 12 14:29:31 SCRUNGUSxOMEGA nm-openvpn[11689]: UID set to nm-openvpn
Nov 12 14:29:31 SCRUNGUSxOMEGA nm-openvpn[11689]: GID set to nm-openvpn
Nov 12 14:29:31 SCRUNGUSxOMEGA nm-openvpn[11689]: Capabilities retained: CAP_NET_ADMIN
Nov 12 14:29:31 SCRUNGUSxOMEGA nm-openvpn[11689]: Initialization Sequence Completed
Nov 12 14:29:31 SCRUNGUSxOMEGA NetworkManager[10997]: <info>  [1699824571.9405] device (tun0): state change: unmanaged -> unavailable (reason 'connection-assumed', sys-iface-state: 'external')
Nov 12 14:29:31 SCRUNGUSxOMEGA NetworkManager[10997]: <info>  [1699824571.9415] device (tun0): state change: unavailable -> disconnected (reason 'connection-assumed', sys-iface-state: 'external')
Nov 12 14:29:31 SCRUNGUSxOMEGA NetworkManager[10997]: <info>  [1699824571.9419] device (tun0): Activation: starting connection 'tun0' (73511146-9965-4e54-9f20-c6bac0d9c8b0)
Nov 12 14:29:31 SCRUNGUSxOMEGA NetworkManager[10997]: <info>  [1699824571.9425] device (tun0): state change: disconnected -> prepare (reason 'none', sys-iface-state: 'external')
Nov 12 14:29:31 SCRUNGUSxOMEGA NetworkManager[10997]: <info>  [1699824571.9426] device (tun0): state change: prepare -> config (reason 'none', sys-iface-state: 'external')
Nov 12 14:29:31 SCRUNGUSxOMEGA NetworkManager[10997]: <info>  [1699824571.9427] device (tun0): state change: config -> ip-config (reason 'none', sys-iface-state: 'external')
Nov 12 14:29:31 SCRUNGUSxOMEGA NetworkManager[10997]: <info>  [1699824571.9429] device (tun0): state change: ip-config -> ip-check (reason 'none', sys-iface-state: 'external')
Nov 12 14:29:31 SCRUNGUSxOMEGA NetworkManager[10997]: <info>  [1699824571.9791] policy: set 'USA - Austin' (tun0) as default for IPv4 routing and DNS
Nov 12 14:29:31 SCRUNGUSxOMEGA NetworkManager[10997]: <info>  [1699824571.9879] device (tun0): state change: ip-check -> secondaries (reason 'none', sys-iface-state: 'external')
Nov 12 14:29:31 SCRUNGUSxOMEGA NetworkManager[10997]: <info>  [1699824571.9880] device (tun0): state change: secondaries -> activated (reason 'none', sys-iface-state: 'external')
Nov 12 14:29:31 SCRUNGUSxOMEGA NetworkManager[10997]: <info>  [1699824571.9885] device (tun0): Activation: successful, device activated.
Nov 12 14:29:48 SCRUNGUSxOMEGA NetworkManager[10997]: <info>  [1699824588.2717] audit: op="connection-deactivate" uuid="4bd0c443-a10c-4df1-982f-1ba2200ea1ed" name="USA - Austin" pid=734 uid=1000 result="success"
Nov 12 14:29:48 SCRUNGUSxOMEGA NetworkManager[10997]: <info>  [1699824588.3036] policy: set 'Noosphere' (wlp0s20f3) as default for IPv4 routing and DNS
Nov 12 14:29:48 SCRUNGUSxOMEGA nm-openvpn[11689]: SIGTERM received, sending exit notification to peer
Nov 12 14:29:50 SCRUNGUSxOMEGA NetworkManager[10997]: <info>  [1699824590.3180] device (tun0): state change: activated -> unmanaged (reason 'unmanaged', sys-iface-state: 'removed')

I have scoured the wiki, the openvpn github, and the Arch forums for solutions, but I am at a loss.

As a side note, this is my first forum post, so if there is anything I missed in documenting the situation, or perhaps a troubleshooting tip, or perhaps a manual I have missed, please let me know.

Last edited by Sbunz (2023-11-15 19:18:08)

#2 2023-11-15 19:17:16

Sbunz
Member
Registered: 2023-11-12
Posts: 3

Re: [SOLVED] Trouble configuring OpenVPN to prevent DNS leak

Solved with apologies, my understanding of how DNS works needed improvement.
Fixed by adding alternative DNS resolvers to openvpn.
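
A check for the symptom shown in the first post, as an added example that is not part of the thread: it compares the two /etc/resolv.conf listings quoted there and reports which resolver from before the VPN is still listed once the tunnel is up. The resolver library queries nameservers in the order listed and moves to the next on timeout, so a surviving entry remains a fallback; the function names are this example's own.

```shell
#!/bin/sh
# Added example: find resolvers that survive VPN activation.
# The two samples are the resolv.conf listings quoted in the first post.

RESOLV_DOWN='# Generated by NetworkManager
search Home
nameserver 192.168.0.1'

RESOLV_UP='# Generated by NetworkManager
search Home
nameserver 10.2.10.1
nameserver 192.168.0.1'

# Print one resolver address per line from resolv.conf text on stdin.
nameservers() {
  awk '$1 == "nameserver" && NF >= 2 { print $2 }'
}

# $1 = resolv.conf text with the VPN down, $2 = text with the VPN up.
# Prints every resolver listed in both, i.e. a pre-VPN resolver that
# the system can still fall back to while the tunnel is up.
leak_candidates() {
  down_list=$(printf '%s\n' "$1" | nameservers)
  printf '%s\n' "$2" | nameservers | while read -r ns; do
    if printf '%s\n' "$down_list" | grep -Fxq -- "$ns"; then
      printf '%s\n' "$ns"
    fi
  done
}

# Prints the first resolver listed, the one that is queried first.
primary_resolver() {
  printf '%s\n' "$1" | nameservers | head -n 1
}

echo "queried first while connected: $(primary_resolver "$RESOLV_UP")"
echo "still listed from before the VPN: $(leak_candidates "$RESOLV_DOWN" "$RESOLV_UP")"
```

On a live system, capture `cat /etc/resolv.conf` before and after connecting and pass the two captures in place of the samples.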
