I have a question regarding OpenVPN and a DNS leak

encryptoid · 2017-02-20T06:35:24.000Z

I have a question regarding OpenVPN and a DNS leak.

There are a few parts to this question. I am using an OpenVPN server and a router together, so I’ll talk about the OpenVPN setup first.

I have an OpenVPN Access Server running on AWS. This is the exact instance:

https://aws.amazon.com/marketplace/pp/B00MI40CAE?qid=1487535544926&sr=0-1&ref_=srh_res_product_title

I configured the instance according to this guide:

https://docs.openvpn.net/how-to-tutorialsguides/virtual-platforms/amazon-ec2-appliance-ami-quick-start-guide/

I used all of the default configuration options except one. That option was: “Should client Internet traffic be routed through the VPN?”

I chose yes instead of the default no, because I do want all client traffic to route through the VPN instead of my home ISP.

Other than that, the configuration is default.

The VPN works perfectly through the OpenVPN client on Windows and through the OpenVPN network configuration in Ubuntu. When I connect to the VPN all of my client traffic routes through the VPN, my IP address shows the IP of the VPN, and my DNS leak test shows the DNS requests coming from IP addresses at AWS.

So all of my traffic and DNS requests are routed through the VPN, but I have a few questions.

1.) Are DNS requests actually encrypted and then sent to the VPN to be resolved or is my computer simply retrieving the DNS from my OpenVPN server via DHCP and then using them like it would any other DNS address through my ISP. Basically, does my home ISP see my DNS requests going out to AWS or are they all encrypted and sent over the VPN to AWS and then resolved?

Next, the router.

I have this exact router, it is a GL-AR150 from GLI:

https://www.gl-inet.com/ar150/

I have the router connected to my home internet via ethernet cable into the WAN port of the router and it pulls in it’s IP address and DNS via DHCP from my ISP’s modem. My computer connects to the router via Wi-Fi and functions normally, getting its IP and DNS via DHCP from the router. The router gets its IP from the ISP’s modem, my computer gets its private IP address from the router, and everything works as expected. My IP and DNS leak test both show my home ISP’s information unless I enable the VPN via the OpenVPN client on my computer and then the IP and DNS display the information for AWS.

So the router works fine and the VPN software client works fine on my computer with the VPN at AWS. The OpenVPN Access Server I’m running seems to be configured correctly to allow the client to send its DNS through the VPN.

However, I encounter a few problems when I try to configure the router to use the VPN for all traffic via its OpenVPN option instead of having my computer’s OpenVPN client make the connection.

I disconnect my computer from the VPN and exit the OpenVPN software to make sure the computer is connecting to the router via normal DHCP and not using the VPN.

Then I upload the exact same .ovpn configuration file to my GL-AR150 router via the web-based administration interface. I provide the username and password for the VPN and click the “enable” checkbox. The router then connects to the VPN as AWS and shows me the following in the status section of the OpenVPN administration area in the router:

OpenVpn is connected

IP Address: 172.27.232.14

The 172.27.232.14 IP address is a private address assigned to the router from the OpenVPN server.

When I use the web browser on my computer I am able to access the internet and my IP address test correctly shows the IP of the VPN at AWS, but the DNS test shows the information for my home ISP, not the VPN at AWS as it should.

If I SSH into the router and check /etc/resolv.conf.auto I see:

Interface wan

nameserver 68.0.0.1

nameserver 68.0.0.2

So I still see the nameservers for my home ISP, not the VPN.

If I SSH into the VPN at AWS and check the etc/resolv.conf file I see:

nameserver 172.31.0.2

This IP address is a private IP address accessible only to the VPN, not to my home computer. This is the IP address the VPN server uses to resolve its DNS. This IP points to the internal IP of DNS servers at AWS.

If I go to the router’s web admin and click the DHCP settings area I have an option for custom DNS. If I set both custom DNS servers to 172.31.0.2 and then enable the VPN through OpenVPN on the router I see correct behavior.

My internet works and the IP address test correctly show the IP address of the VPN at AWS. The DNS test also shows the IP address information for AWS.

So, setting custom DNS to a private IP seems to make my IP and DNS both work through the VPN.

Since the custom DNS I used is private that means it will only work once the router connects to the VPN, making the private IP available for DNS request to be sent to.

However, if I disable the VPN on the router the custom DNS is still set to the private IP address at AWS, so the DNS becomes inaccessible. My computer can still access the internet via the router and it shows the IP address of my home ISP, but the DNS requests do not work because the DNS is set to the private server that is no longer accessible since the VPN on the router is disconnected.

So this is question three…

3.) Since I am using the private IP address for DNS when connecting to the VPN, are the DNS requests sent encrypted via the VPN? Once the VPN is connected, does all traffic to private IP addresses on the VPN, such as the 172.31.0.2 for DNS, get encrypted? Is using this private IP for DNS in the router actually making sure my ISP doesn’t see my DNS requests?

Next, the configuration of the OpenVPN server.

I have tried using block-outside-dns in my .ovpn file, but it doesn’t seem to fix anything.

I have seen a number of suggestions for solutions to this problem that indicate it could be on the server side. Many of them suggest modifying the OpenVPN Access Server to allow pushing of the DNS to the client using a variety of options such as:

push “redirect-gateway”

push “dhcp-option DNS x.x.x.x”

I’ve tried to find the server.conf file for my OpenVPN server, but it appears that the OpenVPN Access Server I’m using doesn’t have a server.conf, but rather I think some kind of .json file that it builds the configuration from.

I don’t know how to make changes like adding push “dhcp-option DNS x.x.x.x” to my OpenVPN server becaues I don’t have the .conf file you’re supposed to add it to and I don’t know the openvpnas way of pushing these options.

I’ve also read that Linux doesn’t support the push dhcp-option without an --up script.

But these kind of changes are probably not the solution to the problem because I assume that the server isalready correctly configured because the OpenVPN clients on Windows and Ubuntu use the proper DNS from the VPN when they are connected. It seems like the issue is probably in the way the router connects since the OpenVPN software client on Windows and Ubuntu works as expected but the OpenVPN option on the router does not properly use the DNS pushed by the server.

I’ve also seen suggestions to use:

script-security 2

Although I don’t know I’m supposed to modify the way the router connects to the VPN using the .ovpn file by adding --script-security 2 as a flag when running it or if I’m supposed to put that in some sort of configuration file for the client or for the server as a simple variable.

I probably don’t need to change my OpenVPN Access Server at all, but I’m not sure. Since the software clients work properly that makes me think the server is sending and allowing the proper configuration for both IP and DNS to be routed through it.

I have tried an endless amount of configurations and the only thing that seems to allow the router to connect to the VPN and use the DNS from the VPN at AWS is using the private IP address 172.31.0.2 for the DNS.

This works, but if I disconnect the VPN on the router and want to use my regular ISP internet connect I have to delete the private IP from the DNS servers or else DNS won’t resolve since the private IP is no longer accessible. Then I have to add it back in whenever I enable the VPN again.

I don’t know where the problem actually is, but I think it’s something about the router not pulling the DNS that the VPN is pushing.

I have been looking into using a script like this to use the external hardware switch on the router to enable/disable the VPN:

https://www.gl-inet.com/forums/topic/gl-ar150-using-gpio-8-switch-to-enabledisable-vpn/

I was thinking perhaps I could add something into the script that would set the DNS to the private IP when the VPN connects and then restore it default when not connected to the VPN.

So, my basic goal is to have the VPN installed on the router using the .ovpn file throug the router’s OpenVPN admin area. Then my computer connects to the router and the IP and DNS tests show the IP from the VPN at AWS, not my ISP. I can make this work using the private IP for DNS, but I need a better solution that doesn’t require me to manually set the DNS whenver I connect / disconnect from the VPN. I’m pretty sure the VPN itself is set up correctly since the computer’s OpenVPN client works perfectly, so the problem is most likely something I need to change in the router.

Any suggestions to these issues? Thanks!

encryptoid · 2017-02-20T06:41:05.000Z

Didn’t mean to post multiple replies, I submitted a new post instead of edit and couldn’t find a way to delete posts.

encryptoid · 2017-02-20T06:41:48.000Z

Didn’t mean to post multiple replies, I submitted a new post instead of edit and couldn’t find a way to delete posts.

alzhao · 2017-02-20T09:44:43.000Z

I think you dns is going via the VPN and is secure as you have tested and there is no dns leak
I do think your dns is secure because you use a private IP address. If not connected using VPN, this IP is not reachable. So it is secure.

I don’t see where is your 2nd question so here is my general comments.

In the router there is no up/down script so it may not works as your PC. So you have to set a DNS server manually. For AWS EC2 you have a public IP address which you can use. You can try to set that IP address as the DNS server rather than your 172.32.0.2, which cannot be reachable. You need also to enable public access of this DHCP server by opening dns port from EC2 console and your EC2 server configuration.

So when VPN is not connected, your Internet is not broken.

encryptoid · 2017-02-20T10:25:48.000Z

Thank you for the response! Yes, I also think it is secure. I just was not sure exactly how it works. I don’t understand if my computer / router just pulls the DNS settings from the OpenVPN server and then uses those IP addresses to send DNS requests over my ISP or if the actual request itself is encrypted and sent to the server to resolve instead of sent through my ISP. Basically, if I have the DNS from my server pushing 8.8.8.8 to the clients and my client connects to the VPN and the DNS test shows servers from 8.8.x.x then I know I am using the DNS from the server, but that doesn’t explain to me if the connection to 8.8.8.8 is made like this:

computer > ISP > 8.8.8.8 > resolve DNS

or like this:

computer > encrypted to VPN > ISP > decrypted by VPN > resolve DNS

In the first scenario the ISP can see that I’m contacting 8.8.8.8, in the second scenario the ISP only sees that I am contact my VPN (which will then contact 8.8.8.8 for me to resolve DNS)

For question 3, you say there is no up script. Can I create one? I put a link to another post in the forums where someone was using the hardware switch to enable/disable the VPN. Would there be a way for me to change the custom DNS settings (or resolv.conf.auto settings) when the VPN is connected and have the settings go back to default if the VPN is not connected?

I don’t want to put the public DNS address of my VPN in the custom DNS because if I am not using the VPN I want the DNS to resolve through whatever DNS the ISP uses, but if I turn on VPN I want the DNS to resolve through my AWS instance.

Which leads to question 2 from earlier that I forgot to put.

2.) If I provide custom DNS servers such as 8.8.8.8 or the public IP of my AWS server to the AR150 through the web administration area and then enable the VPN on the router also, does the router send those DNS requests through the VPN tunnel or does the router just pull down those IP addresses from the VPN and then send DNS over the ISP the router is connected to?

So if the custom DNS is set to 8.8.8.8 and the router connects to the VPN, basically, does it work like this:

Router > ISP > 8.8.8.8

Or like this:

Router > VPN > 8.8.8.8

Does using custom DNS with OpenVPN on the router force DNS requests through the tunnel or does it simply tell the router to talk to 8.8.8.8 to resolve the DNS and do those requests to 8.8.8.8 get tunneled or does the ISP see that I am talking to 8.8.8.8?

Thanks so much! I really appreciate all of the work you do on these routers. This is by far my favorite product line to use for my setups and also to tinker with.

The fact that you put so much help and effort into the OpenVPN stuff is REALLY appreciated. This is one of the main reasons I use GLI.

alzhao · 2017-02-21T10:10:07.000Z

Router > VPN > 8.8.8.8

This should be the case.