DNS leaking with systemd-resolved and openvpn

Updated to 18.04 and realized that now you’re using systemd-resolved instead of the old dnsmasq. DNS requests are going through the main link rather than the VPN link. I am currently using a separate namespace for the VPN tunnel, and this script [1], in order to have a main connection and a VPN connection simultaneously.

[1] https://github.com/crasm/vpnshift.sh

I have not upgraded to 18.04 yet. I am familiar with the 16.04 DNS leak challenges and needing to comment out the “dns=dnsmasq” in the /etc/NetworkManager/NetworkManager.conf to fix its last leak.

So if I understand correctly, 18.04 has a DNS leak when using OpenVPN and there is no simple configuration fix without running a script?

systemd-resolved in 18.04 - I believe dnsmasq is no longer included by default. If you’re upgrading you will still have it on your system, but systemd-resolved is probably configured as your default. I deleted dnsmasq; probably delete it (I don’t have dnsmasq on my system anymore). In 18.04 the NetworkManager service is configured to not overwrite /etc/resolv.conf. Instead that’s statically set to 127.0.0.53 (which is a socket that systemd-resolved opens) OR symlinked to /lib/systemd/resolv.conf, which is controlled by systemd-resolved.

The challenge I’m facing is that you may want to have some applications go through the VPN whilst others go through your regular network interface. You used to be able to do this with a new namespace (I can give you instructions if you like), and you can still do this, EXCEPT that the DNS leaks.

I am simply looking for a method to plug the DNS leak in 18.04 for when I upgrade. So if I understand correctly, worst case I can edit /lib/systemd/resolv.conf to contain the servers of my choice.

No, don’t edit anything in /lib.

Edit /etc/systemd/resolved.conf. You’ll see the structure is very different. You set up your primary and fallback from there.

No guarantee that there are no leaks, but that’s how you set the DNS server to use.

You can also set a static file in /etc/resolv.conf and make sure it’s immutable (sudo chattr) or NetworkManager will overwrite it.

Again, no guarantee of no leaks.

Thanks. I need to do the upgrade first. After that I will report back my results.

Hey gents, any progress here? I’m wrestling with an OpenVPN DNS leak as well. Any pointers would be grand.

One thing you can try.

In the VPN file in /etc/NetworkManager/system-connections, try adding a line in the [ipv4] section to say:

dns-priority=-42

See this long bug report, especially from comment #103 onwards: https://bugs.launchpad.net/network-manager/+bug/1624317
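As an added example (not from the thread or from NetworkManager itself): a small POSIX shell check that reads the [ipv4] section of a NetworkManager keyfile and reports whether the dns-priority line suggested above is present and negative (NetworkManager documents a negative dns-priority as making that connection's DNS servers exclusive). The sample keyfile is constructed for the demo, not a real connection.

```shell
#!/bin/sh
# Added example: verify the dns-priority fix in a NetworkManager keyfile.

# vpn_dns_priority FILE SECTION
# Prints the dns-priority value found in [SECTION] of FILE, or "unset".
vpn_dns_priority() {
    file=$1; section=$2
    awk -v want="[$section]" '
        /^\[/ { insec = ($0 == want); next }          # track which section we are in
        insec && /^dns-priority[ \t]*=/ {             # key inside the wanted section
            sub(/^[^=]*=[ \t]*/, ""); print; found = 1; exit
        }
        END { if (!found) print "unset" }
    ' "$file"
}

# vpn_dns_wins FILE
# Returns 0 when [ipv4] dns-priority is negative (VPN DNS servers take
# precedence over the main link), 1 when it is unset or non-negative.
vpn_dns_wins() {
    p=$(vpn_dns_priority "$1" ipv4)
    case "$p" in
        -[0-9]*) return 0 ;;
        *)       return 1 ;;
    esac
}

# make_sample_keyfile
# Writes a constructed (not real) VPN keyfile to a temp file and prints its path.
make_sample_keyfile() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
[connection]
id=example-vpn
type=vpn

[ipv4]
method=auto
dns-priority=-42

[ipv6]
method=auto
EOF
    printf '%s\n' "$f"
}
```

Run it against your own connection file (as root, since the keyfiles are not world-readable) with `vpn_dns_wins /etc/NetworkManager/system-connections/<your-vpn>` and check the exit status.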

For what it might be worth, I went through this battle a while back. ProtonVPN provided detailed instructions for Ubuntu 16.04 which did NOT prevent DNS leakage. I applied my typical BIG HAMMER approach and ended up with the solution I documented here. Perhaps some of this might be useful in 18.04. I have not tried it yet. I am currently running Ubuntu 16.04 on a Raspberry Pi 3B as my firewall, router, DNS, VPN etc. box.

Ken