I have a question regarding OpenVPN and a DNS leak.
There are a few parts to this question. I am using an OpenVPN server and a router together, so I’ll talk about the OpenVPN setup first.
I have an OpenVPN Access Server running on AWS. This is the exact instance:
https://aws.amazon.com/marketplace/pp/B00MI40CAE?qid=1487535544926&sr=0-1&ref_=srh_res_product_title
I configured the instance according to this guide:
I used all of the default configuration options except one. That option was: “Should client Internet traffic be routed through the VPN?”
I chose yes instead of the default no, because I do want all client traffic to route through the VPN instead of my home ISP.
Other than that, the configuration is default.
The VPN works perfectly through the OpenVPN client on Windows and through the OpenVPN network configuration in Ubuntu. When I connect to the VPN all of my client traffic routes through the VPN, my IP address shows the IP of the VPN, and my DNS leak test shows the DNS requests coming from IP addresses at AWS.
So all of my traffic and DNS requests are routed through the VPN, but I have a few questions.
1.) Are DNS requests actually encrypted and then sent to the VPN to be resolved, or is my computer simply retrieving the DNS servers from my OpenVPN server via DHCP and then using them like it would any other DNS address through my ISP? Basically, does my home ISP see my DNS requests going out to AWS, or are they all encrypted and sent over the VPN to AWS and then resolved?
Next, the router.
I have this exact router, it is a GL-AR150 from GLI:
https://www.gl-inet.com/ar150/
I have the router connected to my home internet via ethernet cable into the WAN port of the router and it pulls in its IP address and DNS via DHCP from my ISP’s modem. My computer connects to the router via Wi-Fi and functions normally, getting its IP and DNS via DHCP from the router. The router gets its IP from the ISP’s modem, my computer gets its private IP address from the router, and everything works as expected. My IP and DNS leak test both show my home ISP’s information unless I enable the VPN via the OpenVPN client on my computer, and then the IP and DNS display the information for AWS.
So the router works fine and the VPN software client works fine on my computer with the VPN at AWS. The OpenVPN Access Server I’m running seems to be configured correctly to allow the client to send its DNS through the VPN.
However, I encounter a few problems when I try to configure the router to use the VPN for all traffic via its OpenVPN option instead of having my computer’s OpenVPN client make the connection.
I disconnect my computer from the VPN and exit the OpenVPN software to make sure the computer is connecting to the router via normal DHCP and not using the VPN.
Then I upload the exact same .ovpn configuration file to my GL-AR150 router via the web-based administration interface. I provide the username and password for the VPN and click the “enable” checkbox. The router then connects to the VPN at AWS and shows me the following in the status section of the OpenVPN administration area in the router:
OpenVpn is connected
IP Address: 172.27.232.14
The 172.27.232.14 IP address is a private address assigned to the router from the OpenVPN server.
When I use the web browser on my computer I am able to access the internet and my IP address test correctly shows the IP of the VPN at AWS, but the DNS test shows the information for my home ISP, not the VPN at AWS as it should.
If I SSH into the router and check /etc/resolv.conf.auto I see:
Interface wan
nameserver 68.0.0.1
nameserver 68.0.0.2
So I still see the nameservers for my home ISP, not the VPN.
If I SSH into the VPN at AWS and check the /etc/resolv.conf file I see:
nameserver 172.31.0.2
This IP address is a private IP address accessible only to the VPN, not to my home computer. This is the IP address the VPN server uses to resolve its DNS. This IP points to the internal IP of DNS servers at AWS.
If I go to the router’s web admin and click the DHCP settings area I have an option for custom DNS. If I set both custom DNS servers to 172.31.0.2 and then enable the VPN through OpenVPN on the router I see correct behavior.
My internet works and the IP address test correctly shows the IP address of the VPN at AWS. The DNS test also shows the IP address information for AWS.
So, setting custom DNS to a private IP seems to make my IP and DNS both work through the VPN.
Since the custom DNS I used is private, that means it will only work once the router connects to the VPN, making the private IP available for DNS requests to be sent to.
However, if I disable the VPN on the router the custom DNS is still set to the private IP address at AWS, so the DNS becomes inaccessible. My computer can still access the internet via the router and it shows the IP address of my home ISP, but the DNS requests do not work because the DNS is set to the private server that is no longer accessible since the VPN on the router is disconnected.
So this is question three…
3.) Since I am using the private IP address for DNS when connecting to the VPN, are the DNS requests sent encrypted via the VPN? Once the VPN is connected, does all traffic to private IP addresses on the VPN, such as the 172.31.0.2 for DNS, get encrypted? Is using this private IP for DNS in the router actually making sure my ISP doesn’t see my DNS requests?
Next, the configuration of the OpenVPN server.
I have tried using block-outside-dns in my .ovpn file, but it doesn’t seem to fix anything.
I have seen a number of suggestions for solutions to this problem that indicate it could be on the server side. Many of them suggest modifying the OpenVPN Access Server to allow pushing of the DNS to the client using a variety of options such as:
push “redirect-gateway”
push “dhcp-option DNS x.x.x.x”
I’ve tried to find the server.conf file for my OpenVPN server, but it appears that the OpenVPN Access Server I’m using doesn’t have a server.conf, but rather I think some kind of .json file that it builds the configuration from.
I don’t know how to make changes like adding push “dhcp-option DNS x.x.x.x” to my OpenVPN server because I don’t have the .conf file you’re supposed to add it to and I don’t know the openvpnas way of pushing these options.
I’ve also read that Linux doesn’t support the push dhcp-option without an --up script.
But these kinds of changes are probably not the solution to the problem because I assume that the server is already correctly configured, because the OpenVPN clients on Windows and Ubuntu use the proper DNS from the VPN when they are connected. It seems like the issue is probably in the way the router connects, since the OpenVPN software client on Windows and Ubuntu works as expected but the OpenVPN option on the router does not properly use the DNS pushed by the server.
I’ve also seen suggestions to use:
script-security 2
Although I don’t know if I’m supposed to modify the way the router connects to the VPN using the .ovpn file by adding --script-security 2 as a flag when running it, or if I’m supposed to put that in some sort of configuration file for the client or for the server as a simple variable.
I probably don’t need to change my OpenVPN Access Server at all, but I’m not sure. Since the software clients work properly that makes me think the server is sending and allowing the proper configuration for both IP and DNS to be routed through it.
I have tried an endless amount of configurations and the only thing that seems to allow the router to connect to the VPN and use the DNS from the VPN at AWS is using the private IP address 172.31.0.2 for the DNS.
This works, but if I disconnect the VPN on the router and want to use my regular ISP internet connection I have to delete the private IP from the DNS servers or else DNS won’t resolve, since the private IP is no longer accessible. Then I have to add it back in whenever I enable the VPN again.
I don’t know where the problem actually is, but I think it’s something about the router not pulling the DNS that the VPN is pushing.
I have been looking into using a script like this to use the external hardware switch on the router to enable/disable the VPN:
https://www.gl-inet.com/forums/topic/gl-ar150-using-gpio-8-switch-to-enabledisable-vpn/
I was thinking perhaps I could add something into the script that would set the DNS to the private IP when the VPN connects and then restore it default when not connected to the VPN.
So, my basic goal is to have the VPN installed on the router using the .ovpn file through the router’s OpenVPN admin area. Then my computer connects to the router and the IP and DNS tests show the IP from the VPN at AWS, not my ISP. I can make this work using the private IP for DNS, but I need a better solution that doesn’t require me to manually set the DNS whenever I connect / disconnect from the VPN. I’m pretty sure the VPN itself is set up correctly since the computer’s OpenVPN client works perfectly, so the problem is most likely something I need to change in the router.
Any suggestions to these issues? Thanks!
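The post asks whether the router could be scripted to switch its DNS to the VPN-pushed resolver when the tunnel comes up and restore the ISP resolvers when it goes down, and mentions script-security 2 and --up scripts without knowing how they fit together. The following is an added example, not code from the original post, the GL-iNet forum thread, or OpenVPN itself: a single POSIX sh script used as both the OpenVPN up and down hook. It relies on documented OpenVPN behaviour (each pushed option is exported to the hook as foreign_option_N, and script_type is set to "up" or "down") and on the assumption, not stated in the post, that the router is started with script-security 2, up and down pointing at this script, and that dnsmasq on the OpenWrt-based router can be pointed at the generated resolv file through uci dhcp.@dnsmasq[0].resolvfile. The file paths and the refuse-to-come-up behaviour when no DNS was pushed are design choices made here, not OpenVPN defaults.

```shell
#!/bin/sh
# vpn-dns.sh: added example (not from the post). Apply the DNS servers pushed
# by the OpenVPN server only while the tunnel is up, and restore the WAN
# resolvers when it goes down, so queries never fall back to the ISP while the
# VPN is connected and still resolve when it is not.
#
# Assumed client config lines (not from the post):
#   script-security 2
#   up   /etc/openvpn/vpn-dns.sh
#   down /etc/openvpn/vpn-dns.sh
#
# OpenVPN exports every pushed option as foreign_option_1..N and sets
# script_type to "up" or "down" when it runs this hook.

RESOLV_FILE="${VPN_RESOLV_FILE:-/tmp/resolv.conf.vpn}"   # assumed path
WAN_RESOLV="${WAN_RESOLV_FILE:-/tmp/resolv.conf.auto}"   # OpenWrt WAN resolvers

# Print one pushed DNS server per line, taken from foreign_option_1..N.
# Other pushed options (DOMAIN, etc.) are ignored.
vpn_dns_servers() {
    i=1
    while :; do
        eval "opt=\${foreign_option_$i:-}"
        [ -n "$opt" ] || break
        case "$opt" in
            "dhcp-option DNS "*) echo "${opt#dhcp-option DNS }" ;;
        esac
        i=$((i + 1))
    done
}

# Write the pushed servers to RESOLV_FILE. Returns 1 and writes nothing when
# the server pushed no DNS at all, so the up hook can refuse to bring the
# tunnel up rather than silently leave the ISP resolvers in place.
write_vpn_resolv() {
    servers=$(vpn_dns_servers)
    [ -n "$servers" ] || return 1
    {
        echo "# generated by vpn-dns.sh while ${dev:-tun} is up"
        for s in $servers; do
            echo "nameserver $s"
        done
    } > "$RESOLV_FILE"
}

# Point dnsmasq at the given resolv file (OpenWrt uci layout, assumed).
apply_resolv_file() {
    if command -v uci >/dev/null 2>&1; then
        uci set dhcp.@dnsmasq[0].resolvfile="$1"
        uci commit dhcp
        /etc/init.d/dnsmasq reload
    fi
}

# Dispatch on how OpenVPN invoked us; a no-op when run outside OpenVPN.
case "${script_type:-}" in
    up)
        if ! write_vpn_resolv; then
            echo "vpn-dns.sh: server pushed no DNS, refusing to leave WAN resolvers active" >&2
            exit 1   # a non-zero up script makes OpenVPN abort the connection
        fi
        apply_resolv_file "$RESOLV_FILE"
        ;;
    down)
        rm -f "$RESOLV_FILE"
        apply_resolv_file "$WAN_RESOLV"
        ;;
esac
```

Once installed, the check that matters is on the router's WAN side while the tunnel is up: with the hook applied, no UDP/53 traffic should leave the WAN interface, and the generated file should list only the 172.31.0.2 resolver the server pushes. If the server pushes no DNS at all, the up hook fails on purpose, which surfaces the misconfiguration instead of leaking.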