#1 2016-12-02 19:31:39

blue_justice
Member
Registered: 2013-05-23
Posts: 18

[SOLVED] DNS Leak with BlackVPN

Hello All,

I recently switched VPN providers to BlackVPN and like many others am experiencing DNS leaks.

The most commonly suggested solution to this appears to be the implementation of the update-resolv-conf script (as described on this wiki page). Unfortunately, however, whilst /etc/resolv.conf states “Generated by resolvconf” I am still experiencing DNS leaks.

I am currently making use of the openvpn-update-resolv-conf AUR package.

Additionally, in some of my server .conf files I attempted using the scripts from /usr/share/openvpn/contrib/pull-resolv-conf/client.{up,down} instead of update-resolv-conf

up /etc/openvpn/client.up
down /etc/openvpn/client.down 

but, I experience no difference.

At the bottom of this post is a sample of one of the .conf files.  As BlackVPN has no IPv6 support at present I disabled IPv6 on my system for the time being using this.

Is there anything that I am missing here, or will I have to go the firewall route as described in this article?

Thank you!

Sample config file

auth-user-pass /etc/openvpn/blackvpnlogin
remote vpn.blackvpn.lu 443 udp
nobind
client
dev tun
fast-io
persist-key
persist-tun
cipher AES-256-CBC
txqueuelen 486
sndbuf size 1655368
rcvbuf size 1655368
auth SHA512
pull
comp-lzo
tls-client
key-method 2
tls-remote lu
ns-cert-type server
ca /etc/openvpn/ssl/ca.crt
tls-auth /etc/openvpn/ssl/ta.key 1
verb 3
mute 10
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

Last edited by blue_justice (2016-12-09 11:47:26)

#2 2016-12-05 14:49:53

Painless
Member
Registered: 2006-02-06
Posts: 233

Re: [SOLVED] DNS Leak with BlackVPN

I imagine you're using a web browser to test for DNS leaks.  Have you shut down and restarted your browser to clear its internal DNS cache?

#3 2016-12-05 20:58:41

blue_justice
Member
Registered: 2013-05-23
Posts: 18

Re: [SOLVED] DNS Leak with BlackVPN

Painless wrote:

I imagine you're using a web browser to test for DNS leaks.  Have you shut down and restarted your browser to clear its internal DNS cache?

Yes, I had. Thanks for the response.

I posted on the Arch subreddit here. Users thoseurban and du5tball helped me solve this problem.

It would seem that the primary issue was with the /etc/resolv.conf file, as even though I had the open-resolv-conf installed the /etc/resolv.conf file was resetting back to my local address soon after connecting. du5tball presented a solution to this problem by noting that the /etc/resolv.conf file is apparently generated by /etc/resolv.conf.head and /etc/resolv.conf.tail, with the former appending its listed nameservers at the top of /etc/resolv.conf and the latter at the bottom (these .{head,tail} are not present by default).

We were thus able to solve the problem by first creating the /etc/resolv.conf.head file with the server information

#172.31.0.1 is blackvpn's DNS as a reddit user pointed out
nameserver 172.31.0.1

Then with

up /etc/openvpn/update-resolv-conf                            
down-pre /etc/openvpn/update-resolv-conf 

at the end of my VPN's .conf file, I rebooted and ran my openvpn script again, and I had no leaks.

#4 2016-12-06 15:05:35

blue_justice
Member
Registered: 2013-05-23
Posts: 18

Re: [SOLVED] DNS Leak with BlackVPN

Yesterday I marked this thread solved, but unfortunately it appears as though this configuration leads to a timeout

Tue Dec  6 16:09:16 2016 Initialization Sequence Completed
Tue Dec  6 16:25:31 2016 [lux] Inactivity timeout (--ping-restart), restarting
Tue Dec  6 16:25:31 2016 SIGUSR1[soft,ping-restart] received, process restarting
Tue Dec  6 16:25:31 2016 Restart pause, 2 second(s)
Tue Dec  6 16:25:33 2016 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Tue Dec  6 16:25:33 2016 Socket Buffers: R=[212992->212992] S=[212992->212992]
Tue Dec  6 16:29:17 2016 RESOLVE: Cannot resolve host address: vpn.blackvpn.lu: Name or service not known

The main cause for this problem appears to be too large an encryption key size, but I used the values given in the OpenVPN wiki entry as far as I can recall.

#5 2016-12-06 19:53:00

Painless
Member
Registered: 2006-02-06
Posts: 233

Re: [SOLVED] DNS Leak with BlackVPN

Since you were forced to use a hard entry in /etc/resolv.conf.head, then perhaps this might be sorted by putting an entry in /etc/hosts for vpn.blackvpn.lu?

#6 2016-12-07 10:39:36

blue_justice
Member
Registered: 2013-05-23
Posts: 18

Re: [SOLVED] DNS Leak with BlackVPN

Painless wrote:

Since you were forced to use a hard entry in /etc/resolv.conf.head, then perhaps this might be sorted by putting an entry in /etc/hosts for vpn.blackvpn.lu?

I added

212.117.188.12  vpn.blackvpn.lu         localhost

to my /etc/hosts file and my connection seemed to remain uninterrupted for most of the night -- it has been connected for 10 or so hours at this point. When I check the log I do see quite a few

TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Authenticate/Decrypt packet error: packet HMAC authentication failed

But, as far as I can tell the connection was more or less stable throughout the night. Is this something to be concerned about?

I believe that this could be due to my resolv.conf.tail file containing two name servers, the Danish server recommended by blackvpn and my local address. I will try again with only my local address in that file and see if that resolves the issue.

Thank you for your help!

#7 2016-12-07 20:07:03

Painless
Member
Registered: 2006-02-06
Posts: 233

Re: [SOLVED] DNS Leak with BlackVPN

I don't think I would fully trust a VPN if it gave those error messages.

https://openvpn.net/index.php/open-sour … ivity.html

#8 2016-12-09 11:46:00

blue_justice
Member
Registered: 2013-05-23
Posts: 18

Re: [SOLVED] DNS Leak with BlackVPN

Painless wrote:

I don't think I would fully trust a VPN if it gave those error messages.

https://openvpn.net/index.php/open-sour … ivity.html

Okay, I seem to have found the "winning combination" so to speak.

/etc/hosts has the following added to the bottom

212.117.188.12	vpn.blackvpn.lu		localhost

/etc/resolv.conf.head is only

nameserver 173.31.0.1

/etc/resolv.conf.tail is only

nameserver 89.233.43.71
nameserver 192.168.1.1

With this I am able to get a single DNS (the actual DNS is that of the lux server, but we require the secondary DNS to connect to it for whatever reason). If I use the 173.31.0.1 address on its own in the tail file then when I exit the VPN my connection malfunctions. So this seems to be the working configuration.

Thank you so much for your help!

Last edited by blue_justice (2016-12-09 11:47:02)
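
Added example, not part of the original thread: a check for the resolv.conf states described in posts #3 and #8, showing that nameservers left in place by resolv.conf.tail remain usable as fallbacks while the tunnel is up. The function and sample names are hypothetical, the sample files are constructed, and the VPN resolver address is a parameter (the samples use the one written in post #8).

```shell
#!/bin/sh
# Added example: audit a resolv.conf-style file for resolvers outside the VPN.
# glibc tries nameserver lines in file order (at most three) and moves to the
# next one on timeout, so entries after the VPN resolver are still reachable.

# audit_resolv_conf FILE VPN_DNS
#   returns 0: VPN_DNS is the only resolver listed
#           1: VPN_DNS is first, but other resolvers follow as fallbacks
#           2: VPN_DNS is absent or not first
audit_resolv_conf() {
    file=$1
    vpn_dns=$2
    # Active nameserver lines only; commented-out lines do not match.
    servers=$(awk '$1 == "nameserver" && $2 != "" { print $2 }' "$file")
    first=$(printf '%s\n' "$servers" | head -n 1)
    others=$(printf '%s\n' "$servers" | grep -vxF -e "$vpn_dns" | tr '\n' ' ')
    if [ "$first" != "$vpn_dns" ]; then
        echo "LEAK: first resolver is '${first:-none}', expected $vpn_dns"
        return 2
    fi
    if [ -n "$others" ]; then
        echo "FALLBACK: queries can still reach: ${others% }"
        return 1
    fi
    echo "OK: only $vpn_dns is configured"
    return 0
}

# Constructed samples (not captured from a real system).
write_tunnel_up_sample() {   # what the head and tail files in post #8 would yield
    printf 'nameserver %s\n' 173.31.0.1 89.233.43.71 192.168.1.1 > "$1"
}
write_reset_sample() {       # the "reset back to my local address" state in post #3
    printf '# Generated by resolvconf\nnameserver 192.168.1.1\n' > "$1"
}

tmp=$(mktemp)
write_tunnel_up_sample "$tmp"
audit_resolv_conf "$tmp" 173.31.0.1 || echo "exit status: $?"
write_reset_sample "$tmp"
audit_resolv_conf "$tmp" 173.31.0.1 || echo "exit status: $?"
rm -f "$tmp"
```

On a live system, point the function at /etc/resolv.conf with the tunnel up and pass the resolver address the provider assigns.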
