VPN internet killswitch leaks

deepwater · February 6, 2021, 1:14pm

Hi, I realized that the internet killswitch in my GL-MT300N-V2 Mango leaks. At least I can clearly diagnose a DNS leak. How? From the logs of my DNS server I can clearly show that DNS requests from the routers LAN are forwarded to WAN so they are not blocked by the killswitch. When does it occure? Everytime the router boots and when you disconnect from the VPN server via the web UI (the GL iNet not luci). I did not perform actual network sniffing to check if there are also further leaks but for me no leak at all is accetable. As soon as you are connected to the VPN server there are no more DNS leaks.
For me it turns out that the killswitch is not working at all. The only purpose of an internet killswitch is to block internet access when there is no VPN tunnel active, right?
I would appreciate it if you could fix that. Thanks!
I am using v3.105

Edit: I can clearly see in the DNS servers log that it forwards the DNS requests from LAN to WAN before it establishes the VPN tunnel because requests for the VPN servers hostname are shown later in the log.

alzhao · February 10, 2021, 4:06am

So the idea is to block all dns when vpn is not enabled?

In that case, all browser will display dns not found

deepwater · February 10, 2021, 7:33am

My idea of the killswitch is that not one bit is forwarded from LAN to WAN as soon as the VPN tunnel is not working. This includes DNS requests, yes. It’s ok if the browser will display DNS not found. When there is not internet access (I think thats what the killswitch is designed for) a DNS access doesn’t have any advantage in my understanding because you won’t be able to reach the IP adress which is servered by the DNS server. I would clearly name it a leak because it means that you are “vunerable” as the DNS server operator can simply tell which hostnames you are requesting.
I didn’t check the actual data traffic of the WAN port for IP communication besides DNS requests with a sniffer. But I don’t even want DNS requests to leak in the internet thats why I didn’t sniff the WAN port yet. If it possible to block DNS requests with the killswitch I will probably check that as well.
Feel free to correct my if my understanding or estimations are wrong regarding the killswitch functionallity.

alzhao · February 10, 2021, 8:18am

OK. I just filed a bug internally.