DNS Leaking with OpenVPN

headystick · September 8, 2016, 5:51am

I’ve set up my router with a vpn using OpenVPN, everything connects fine and my IP is that of the VPN’s. Yet I notice on website such as dnsleaktest.com my ISP’s DNS servers are visible. Has anyone else found out how to stop their DNS leaking? I have a MT300N

alzhao · September 8, 2016, 11:36pm

Can you set your custom DNS and have another try? You can set up in WAN section. For example you can set to 8.8.8.8

headystick · September 9, 2016, 4:57am

Yep, so I tried using google as my DNS but that didn’t work, my ISP’s DNS are still being used. Surely OpenVPN should be using my VPN’s DNS?

alzhao · September 13, 2016, 9:36am

Are you using a public VPN service? I tried Astrill and there is no DNS leaks.

headystick · September 15, 2016, 5:19am

I’m using NordVPN To make sure itsn’t Nord, I tried VPNBook and VPN Gate - all of them leaked my DNS. Could there be a problem with my router? I’ve also tried different firmware versions (2.20 and 2.22).

musquetaire · September 17, 2016, 4:25pm

Same problem here. My ar-300m is behind another router. I get the US VPN IP adrass with my local DNS.

https://dnsleaktest.com sees my real local DNS. According to them(DNS leak test), it woul be enough to add the line “block-outside-dns” in my ovpn configuration, for openvpn 2.3.9 or newer.

I addded the line, connection won’t work. No wonder, since your openvpn package is 2.3.6:

“Downloading 404 Page not found - GL.iNet”

To make it short: if you upgrade to openvpn 2.3.9 we should have a fix. Please respond.

alzhao · September 17, 2016, 4:36pm

I am testing in my side right now. I don’t have dns leaks for several vpn services I am using.

I will try more to find out the problem.

https://downloads.openwrt.org/snapshots/trunk/ar71xx/generic/packages/base/

Here you can find openVPN 2.3.11 for OpenWrt. You can just download the ipk to your router, then install using opkg

opkg install openvpn-openssl_2.3.11-1_ar71xx.ipk

After reboot your router it will use t he new version. Please add that line to your ovpn manually and try again.

Thanks.

musquetaire · September 17, 2016, 11:03pm

Thanky, but it stopped working. Now it doesn’t connect any more. Had to reset.

I reinstalled with upgrade, still the same, 2.3.11 won’t work.

Ideas?

wifird · September 19, 2016, 4:58am

[Deleted as solution no longer appears to work]

ghackett · September 20, 2016, 12:05am

I am also running into this issue on a new GL-AR300M connecting to my personal OpenVPN server (vpn’s dns does not get used, and even setting it explicitly in the custom dns section has no effect). I’m unable to connect to other machines on the vpn network via hostname, and can only do so via ip address.

wifird · September 20, 2016, 7:53pm

Has anyone tried the solution method on DNS Leak Test off adding <strong> lock-outside-dns</strong> <code> directly in the .opvn file?

Only works on OpenVPN 2.3.9 onwards and haven’t tried it yet so can’t confirm what GLI is running.

Read more about it here

rangerz · September 20, 2016, 8:53pm

@ghackett, I run an OpenVPN server at home (CC 15.0 RC2) on TAP as opposed to TUN. I do not use the GLi VPN tools.

I have never been able to get connecting thru Windows Explorer working, which is not really the same as “network via hostname” and always had to use IP. I only have a few I need to access so I created shortcuts, but agree it’s frustrating.

I tried unsuccessfully to resolve this a year ago. The first post below covers my findings on the topic beginning at about post 6, but starts off addressing the basic DNS (not leak) configuration which also may be relevant.

Regarding browsing there is discussion of WINS server and use of the domain suffix (OpenWrt default is lan) so you may need something like mypc.lan as the hostname. I also did something with the hosts file (look for other posts with my name on it from the same time frame). I never got this working reliably. It seems like after being connected for a while I might be able to use Explorer to browse, but testing was tedious as I could not be at both ends of the tunnel at the same time. I got to a good enough state. I also lost most of my work during an upgrade, which is why I still run RC2. It works, mostly. Sorry, but not really qualified to help much more.

Regarding DNS, it appears that DNS can be set at 2 places, the network file and dhcp (for dnsmasq). I am setting it at the interface in the network file and in Luci you can see this in the Status page for the network. Setting it in DHCP is once for all the connections, so it’s easier for a device with multiple WANs (ie each interface needs config if it will be connected), but I did not see this values in Status. Maybe you would like (anyone) to test if setting this in the network file for the WWAN helps with leaks. In Luci, Network Interfaces =[Interface] Edit, Advanced Settings Tab, uncheck the “Use DNS Servers Advertised by peer” and then use the new Use Custom DNS Server field.

https://forum.openwrt.org/viewtopic.php?id=60498
https://forum.openwrt.org/viewtopic.php?pid=338427#p338427
If you have a TUN setup working with GLI tools (client end) it would make a nice post for the community on how you configured both the server and client under TUN with file sharing (I think there are some ip table rules you need)

musquetaire · September 21, 2016, 4:51am

Ok here’s the crazy thing:

using it on different clients I get different results in the same wifi net done by the AR router:

Netflix on Apple TV: doesn’t work
Netflix on Amazion Fore: doesn’t work
Netflix on Os X Mac: works without a problem

=> DNS leaks only on the ATV and FireTV

Apple TV showed an IPV6 DNS. So could this be a problem, that the two boxes somehow get the IPV6 DNS of my ISP, and the Mac gets the IPV4?

Sorry, I’m not a pro as you can tell, thought I wil give you my findings.

musquetaire · September 21, 2016, 2:03pm

Checked again: it is a DNS leak that affects only some devices. Different devices show different DNS in the same wifi.

Crazy.

What I have done so far: I have switched off IPv6 with no effect.

unimployed · September 23, 2016, 1:08am

Subscribing to this thread. Would be interested in purchasing and distributing this product if the issue gets resolved with an easy firmware fix. I have seen in other router firmware (DD-WRT) the option to force the router or VPN DNS in place of whatever the end device may be trying to use (Forced DNS Redirection). Not sure if this might be in GLi or OpenWRT at all. Also I wonder if this is an issue with OpenWRT in general. Does flashing a build of OpenWRT resolve the problem?

musquetaire · September 23, 2016, 7:37pm

I tried the solution from paulxx: OpenWrt Forum Archive

Didn’t work for me.

watanabe · October 25, 2016, 7:54am

Anyone got DNS Leak protection working? MT300A (firmware 2.23-6) still using openvpn 2.3.6 so “block-outside-dns” config won’t work.

alzhao · October 25, 2016, 10:57pm

if you setup custom DNS in 2.23-6, that could fix the DNS leak problem. But still there is not “block-outside-dns” in ovpn file. How does that work?

madmad · October 26, 2016, 6:46am

This is a real problem. These modems are advertised as OPEN VPN capable and they dont work as intended. I wasted 6 hours trying to make it work only to find out that its the router to blame mt300a and mt300n both useless. This is unaceptable.

alzhao · October 26, 2016, 9:00am

I don’t know why you saying this because you actually supplies no information. We have the compatible vpn service provider and provided the DNS leak fix by continuously development.

Maybe we can just remove all these functions and let these models work as a mini router as they should be. Other people sell these functions more than 100 dollars.