For this you need to run a VPN + DNS over TLS.
Both are available on the v3 firmware that is coming to the AR150 shortly.
You can run just the VPN on the v2 firmware, but without DNS over TLS the ISP will still see what domains you are trying to access, though not the data sent.
So you mean in v2 using a VPN like IPVanish, ExpressVPN, etc.? I’ve changed the DNS according to what my VPN (NordVPN) suggested. The ISP can read domains, but it is encrypted so it can’t be seen. It seems like using the usual GL-iNet simple settings, right?
Is v3 a new beta firmware from GL-iNet? Can I use it on v2 using advanced settings, or must I use the v3 version?
DNS leaks only happen if you have implemented split VPN.
If your default route is your VPN provider, all your traffic goes through to the VPN tunnel.
If your DNS forwarder is your ISP, they will see the request comes from the VPN provider IP.
Unless you have a unique VPN IP or you are the only one making the DNS request from the VPN IP towards your ISP, your ISP cannot correlate the data.
Actually no. We talked about this in a thread a few months back. Unless you specifically tell OpenVPN to use your VPN’s DNS using scripts or set the DNS manually, the default OpenVPN action is to only tunnel the data.
When you request a URL, say google.com, the domain name is looked up at the DNS to get an IP, and a connection is made via the VPN, hiding the data, but not the request. If you are using the default, which is your ISP’s, then they can see you have gone into google.com, but can’t see what you did there.
So DNS leaking protection happens when you either use the scripts, or set your DNS to either Cloudflare, Google, or DNS over TLS.
Here are the scripts to set the DNS from the VPN provider:
a connection is made via the VPN, hiding the data, but not the request.
So what’s the source IP address of the DNS request? Would that be the VPN provider IP as it tunnels through that? So they don’t know who made the request other than that it came from the VPN provider.
When you run https://www.whatismyip.com/ does it report your ISP IP or VPN Provider IP when all traffic goes through the tunnel?
The issue is that yes, OpenVPN does tunnel DNS, but it does not enforce it. It is up to the client to enforce it.
By default the router/PC, whatever you are using, will use its cached DNS as primary.
If you take a look at the scripts I sent you, you will see how they are enforcing the change of DNS on VPN connection.
If i remember correctly, this has been added to the v3 firmware, but not 100% sure. Someone has to test it.
For the v2 firmware the scripts are required, or it will be using the VPN but sending DNS requests via your ISP, unless you set a DNS server in the UI manually.
If your default route is your VPN provider, all your traffic goes through to the VPN tunnel.
If your DNS forwarder is your ISP, they will see the request comes from the VPN provider IP.
And the forced action happens here; these 2 routes short-circuit your main default routes:
openvpn[2911]: /sbin/ip route add 0.0.0.0/1 via 10.8.8.1
openvpn[2911]: /sbin/ip route add 128.0.0.0/1 via 10.8.8.1
If your default route is your VPN provider, where is all your traffic (UDP/TCP/ICMP) going to go?
DNS traffic is IP. There is nothing special about DNS traffic.
When the router turns on and connects to the network, the first thing it does is get the local DNS, either from your ISP or from your upstream router, which will still be the ISP unless you manage your own DNS server. Even if you have a kill switch on the router until the VPN is up, this has already happened in the background in Linux. Now, your VPN is up, and you go to google.com. Well guess what, sure, the connection to the DNS is being routed into the tunnel but, surprise, you are connecting to your ISP DNS anyway. Depending on their software they can track you in many ways, as they do in Egypt, even send you to sites that look like the ones you are trying to access, injecting malware and other things.
Again, unless you explicitly set the DNS in Linux, you are still using the one that it has cached, which is the ISP’s. OpenVPN cannot change the DNS routes in Linux; you have to do that via scripts on connection. Changing routes is not enough!
If you don’t understand this and you check whatsmyip and think everything is fine, that is your problem.
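The two points made above (the /1 routes from the OpenVPN log push every destination, the resolver included, into the tunnel, but nothing changes which resolver the box asks) can be turned into a check that runs on the router. The following is an added example written for this thread, not one of the scripts the poster shared and not GL-iNet code. It assumes the tunnel interface is tun0, that a copy of the pre-VPN resolv.conf was saved at /etc/resolv.conf.pre-vpn, and that the iproute2 `ip` tool is present; the sample `ip route get` lines and resolv.conf contents used for the offline functions are constructed.

```shell
#!/bin/sh
# Added example (not from the forum thread): does the resolver this host will
# actually use leave through the VPN, and is it still the pre-VPN (ISP) one?

VPN_DEV="${VPN_DEV:-tun0}"                       # assumption: OpenVPN tunnel interface
PRE_VPN_RESOLV="${PRE_VPN_RESOLV:-/etc/resolv.conf.pre-vpn}"   # assumption: saved copy

# First "nameserver" entry of a resolv.conf-style file.
primary_resolver() {
    awk '$1 == "nameserver" { print $2; exit }' "$1"
}

# Outgoing device named in one line of "ip route get" output, e.g.
#   1.1.1.1 via 10.8.8.1 dev tun0 src 10.8.8.2 uid 0
route_dev() {
    printf '%s\n' "$1" | sed -n 's/.* dev \([^ ]*\).*/\1/p'
}

# 0 when the route line goes through the tunnel device, 1 otherwise.
resolver_via_vpn() {
    [ "$(route_dev "$1")" = "$VPN_DEV" ]
}

# 0 when the resolver in file $1 is the same one that was configured in file $2
# before the tunnel came up: queries go *through* the VPN but still *to* the ISP.
resolver_unchanged() {
    [ -f "$2" ] && [ "$(primary_resolver "$1")" = "$(primary_resolver "$2")" ]
}

# Live check on the router: route lookup for the active resolver plus the
# "same resolver as before the VPN" comparison. Exit 0 only if both look right.
check_live() {
    ns=$(primary_resolver /etc/resolv.conf)
    [ -n "$ns" ] || { echo "no nameserver configured"; return 2; }
    line=$(ip route get "$ns" 2>/dev/null | head -n 1)
    rc=0
    if resolver_via_vpn "$line"; then
        echo "resolver $ns is routed via $VPN_DEV"
    else
        echo "resolver $ns leaves via '$(route_dev "$line")', outside the tunnel"
        rc=1
    fi
    if resolver_unchanged /etc/resolv.conf "$PRE_VPN_RESOLV"; then
        echo "resolver $ns is the same one configured before the VPN came up (ISP DNS)"
        rc=1
    fi
    return $rc
}

if [ "${1:-}" = "--live" ]; then
    check_live
fi
```

Run it as `sh dns-leak-check.sh --live` after the tunnel is up; the first message answers the "where does the packet go" question, the second answers the "which resolver is being asked" question that the routes alone do not settle.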
Sure, I never said that VPN is the way to be safe on the net. You are still connecting to a remote server directly, and not making hops like Tor. As PureVPN did, they can tell anyone who is connected to their servers at any time. It offers a “mainstream” level of security. For people that don’t understand how it all works, it offers a false sense of security. The VPN provider can be compromised and you are maybe even reducing your security by connecting to them, vs. being just one of the millions of connections at your ISP (unless you are in a country like China, Egypt etc. where all ISPs are monitored).
I would recommend something like Riffle or HORNET for browsing, and something like Tribler for torrenting.
Using a VPN + Tor combined with a large list of anonymous proxies would be best.
Qubes OS with Whonix as the base of the containers is also secure (uses Tor).
The scripts have a flaw. What if the VPN provider doesn’t push DNS? All your $foreign_option_X are empty and you have an empty file. You need some backup DNS address if they don’t advertise the DNS.
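The scripts the thread refers to were not quoted, so here is an added example of the kind of OpenVPN `up`/`down` hook being discussed, written for this thread and not taken from the poster or from GL-iNet. It covers the flaw raised in the last post: OpenVPN exports each pushed option it does not handle itself as `foreign_option_1`, `foreign_option_2`, ... (for a pushed resolver the value is `dhcp-option DNS <address>`), and if the provider pushes no DNS at all the hook falls back to a configured resolver instead of writing an empty file. The fallback addresses, the hook path and writing /etc/resolv.conf directly (on an OpenWrt router the DNS is normally handed to dnsmasq instead) are assumptions; the `foreign_option_N` values in the comments are constructed.

```shell
#!/bin/sh
# Added example (not the forum's script): OpenVPN hook that switches the
# router's resolver to the one pushed by the VPN provider, with a fallback.
# OpenVPN sets e.g.  foreign_option_1="dhcp-option DNS 10.8.0.1"  (constructed value)
# and script_type="up" or "down" when it calls this script.

FALLBACK_DNS="${FALLBACK_DNS:-1.1.1.1 8.8.8.8}"   # assumption: resolvers you trust
SAVED_RESOLV="/etc/resolv.conf.pre-vpn"           # assumption: where the old file is kept

# Walk foreign_option_1.. until the first unset one; keep only DNS addresses.
collect_pushed_dns() {
    i=1
    found=""
    while :; do
        eval "opt=\${foreign_option_$i}"
        [ -n "$opt" ] || break
        case "$opt" in
            "dhcp-option DNS "*) found="$found ${opt#dhcp-option DNS }" ;;
        esac
        i=$((i + 1))
    done
    printf '%s\n' "${found# }"
}

# Pushed resolvers if there are any, otherwise the fallback list; never empty.
resolve_dns_list() {
    pushed=$(collect_pushed_dns)
    if [ -n "$pushed" ]; then
        printf '%s\n' "$pushed"
    else
        printf '%s\n' "$FALLBACK_DNS"
    fi
}

# Write one "nameserver" line per address to the file given as $1.
write_resolv_conf() {
    : > "$1"
    for s in $2; do
        echo "nameserver $s" >> "$1"
    done
}

# Hook entry points. Client config needs:
#   script-security 2
#   up   /etc/openvpn/update-dns.sh
#   down /etc/openvpn/update-dns.sh
case "${script_type:-}" in
    up)
        cp /etc/resolv.conf "$SAVED_RESOLV" 2>/dev/null
        write_resolv_conf /etc/resolv.conf "$(resolve_dns_list)"
        ;;
    down)
        [ -f "$SAVED_RESOLV" ] && mv "$SAVED_RESOLV" /etc/resolv.conf
        ;;
esac
```

The `down` branch restores the previous file so the router is not left pointing at a resolver that is only reachable inside a tunnel that no longer exists, which is the other way an "empty" or dead DNS configuration shows up after a VPN drop.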