DNS Leak

17 replies [Last post]
catfishes

I am a member!

Offline
Joined: 07/24/2013

Hi all
I recently got an openvpn service. I'd like to use the DNS provided by the VPN rather than my ISP. The advice on the VPN's forum is to edit /etc/resolv.conf but Trisquel says this file will be overwritten.
Any advice much appreciated.

GNUser
Offline
Joined: 07/17/2013

Unfortunately I am not capable of answering your question.
However, your question actually made me think, if Trisquel overwrites files concerning DNS, does that mean that when using Tor in Trisquel I could actually be spied on? (My ISP knowing what websites I visit).
If someone could answer BOTH our questions, I would be very thankful =)

f00bar
Offline
Joined: 08/03/2013

Is your DNS leaking? Connect to your VPN then check here http://www.dnsleaktest.com/ , if it shows your ISP's DNS then you're in trouble.

catfishes

I am a member!

Offline
Joined: 07/24/2013

Yes that is the trouble ;) Any idea how to fix it?

GNUser
Offline
Joined: 07/17/2013

That was a good suggestion f00bar. THANKS!

andrew
Offline
Joined: 04/19/2012

On 06/08/13 09:37, catfishagain wrote:
> Hi all I recently got an openvpn service. I'd like to use the DNS
> provided by the VPN rather than my ISP. The advice on the VPNs forun
> is to edit /etc/resolv.conf but Trisquel says this file will be
> overwritten. Any advice much appreciated.

I am not really familiar with using a VPN. However, in order to route my
domain queries over Tor for web browsing I use Polipo (a HTTP proxy).

You could try searching the internet for connecting SOCKS to a VPN
(Polipo can easily connect to SOCKS).

Andrew.

G4JC
Offline
Joined: 03/11/2012

This site has some good information on how to force and randomize the DNS servers you want -
http://www.ab9il.net/crypto/

I personally prefer OpenNIC servers:
http://wiki.opennicproject.org/ClosestT2Servers

f00bar
Offline
Joined: 08/03/2013

If you don't mind me asking, who is the VPN provider? Also, are you connecting through the network manager or the command line? I had this problem before but not with Trisquel!

lembas
Offline
Joined: 05/13/2010

The comment in /etc/resolv.conf says

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)

so the answer might be to uninstall resolvconf? Its manual page was not particularly useful.

catfishes

I am a member!

Offline
Joined: 07/24/2013

Hmmm, sussed it. IPv4 settings, Method: Automatic (DHCP) addresses only, put the DNS servers in, then.....

Turn off the connection and turn it on again!
Should have really watched an episode of the IT Crowd for the answer!

Liberty
Offline
Joined: 08/05/2013

The most typical setup people want on a PC with OpenVPN is to:

1) Force ALL outgoing traffic to the OpenVPN server
2) Have the firewall block ALL outgoing traffic if the VPN suddenly breaks (prevents leakage of your IP)

You can achieve this and prevent all leaks by installing UFW (and GUFW if you like) and configuring the below in /etc/ufw/before.rules.

Note: This is only an EXAMPLE configuration for a PC with an internet connection on eth0, so you may have to adjust it to your OpenVPN server's network (the 10.x.y.z one) - and whatever other requirements you may have.

- START -

# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
# ufw-before-input
# ufw-before-output
# ufw-before-forward
#

# rules for NAT Table of iptables
# required line for ufw
*nat
:POSTROUTING ACCEPT [0:0]

# Forward traffic from OpenVPN through eth0.
-A POSTROUTING -s 10.3.0.0/24 -o eth0 -j MASQUERADE

# tell ufw to process the lines
COMMIT

# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
# End required lines

# Allow OpenVPN
-A ufw-before-input -i tun+ -j ACCEPT
-A ufw-before-output -o tun+ -j ACCEPT

-A ufw-before-forward -s 10.3.0.0/24 -j ACCEPT
-A ufw-before-forward -d 10.3.0.0/24 -j ACCEPT

# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT

# quickly process packets for which we already have a connection
-A ufw-before-input -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -m state --state RELATED,ESTABLISHED -j ACCEPT

# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw-before-input -m state --state INVALID -j ufw-logging-deny
-A ufw-before-input -m state --state INVALID -j DROP

# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

# allow dhcp client to work
-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT

#
# ufw-not-local
#
-A ufw-before-input -j ufw-not-local

# if LOCAL, RETURN
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN

# if MULTICAST, RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN

# if BROADCAST, RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN

# all other non-local packets are dropped
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP

# allow MULTICAST mDNS for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT

# allow MULTICAST UPnP for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT

# don't delete the 'COMMIT' line or these rules won't be processed

COMMIT

- END -

After this you start UFW and configure the following in the GUI (or by command line):

1) Default Deny all incoming and all outgoing traffic.
2) Add a rule that allows outgoing traffic to the IP, port and protocol of your OpenVPN server.

Now you can only access the internet when your OpenVPN is up, and when it is down you can only access the OpenVPN server.

If you want to access the internet without OpenVPN, you can just disable UFW in the GUI.

I hope this solves all your problems :)

catfishes

I am a member!

Offline
Joined: 07/24/2013

That sounds like exactly the kind of thing I want Liberty ;)

Just could do with a little help finding my OpenVPN server's network (the 10.x.y.z one)

Thanks for any help.

Liberty
Offline
Joined: 08/05/2013

Your provider should be able to tell you the network class they use. Else you can run ifconfig in a terminal when the tunnel is up. Look under tun+/inet addr.

You are welcome.

Dannermax
Offline
Joined: 10/27/2013

Can it be this simple?....

I am running openvpn on a system running Debian (squeeze) and connected to my vpn service-provider. I have been looking everywhere to find a solution that can prevent leakage of my DNS and block all outgoing internet activity if the connection to the VPN provider fails.

If I understand all this correctly, would this then be able to run on my system? And are UFW and GUFW Linux programs?

I really hope to get a response.. :)

Thanks a bunch! :)

lembas
Offline
Joined: 05/13/2010

>And are UFW and GUFW Linux programs?
Yes (and in Trisquel repos)

trisq

I am a member!

Offline
Joined: 09/03/2013
Dannermax
Offline
Joined: 10/27/2013

Thanks for the quick response..

I have been looking at this link here:

https://airvpn.org/topic/5586-prevent-leaks-with-linux-firestarter-also-stop-traffic-when-vpn-drops/#entry5642

and I will try to set it up.. even though, getting a GUI on a headless server proves challenging for someone who doesn't have a lot of experience.. it's like, if something goes wrong, I have no idea how to fix it or what made it break..

But if I follow these instructions, will I then have a completely safe vpn connection? And how am I able to check whether UFW is working as it should?
I mean, is there a log where I can literally see the outbound connections, and that they are going through the vpn...?
Again, thanks for this link! :)
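
Dannermax's question about checking that outbound DNS really goes through the VPN can be answered offline from two things the thread already mentions: /etc/resolv.conf and the routing table. The following Python is an added example, not code from the thread or from any VPN provider; the interface names tun0/eth0, the 10.3.0.0/24 tunnel network (taken from Liberty's example) and the sample `ip route show` output are constructed assumptions. It flags any nameserver whose longest-prefix route would leave on a non-tun interface.

```python
import ipaddress
import re

# Constructed sample /etc/resolv.conf (not from the thread): the router's
# resolver is still listed beside the VPN's resolver and a public one.
RESOLV_CONF = """\
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
nameserver 192.168.1.1
nameserver 10.3.0.1
nameserver 8.8.8.8
"""

# Constructed `ip route show` output with the tunnel up. OpenVPN's
# redirect-gateway def1 adds 0.0.0.0/1 and 128.0.0.0/1 via the tunnel; they
# beat the old default route but not the more specific LAN route.
IP_ROUTE = """\
default via 192.168.1.1 dev eth0
0.0.0.0/1 via 10.3.0.5 dev tun0
128.0.0.0/1 via 10.3.0.5 dev tun0
10.3.0.0/24 dev tun0 proto kernel scope link src 10.3.0.6
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20
"""

def parse_nameservers(text):
    """Return the nameserver addresses listed in a resolv.conf."""
    return [ipaddress.ip_address(p[1]) for p in
            (line.split() for line in text.splitlines())
            if len(p) >= 2 and p[0] == "nameserver"]

def parse_routes(text):
    """Return (destination network, device) pairs from `ip route show`."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        dev = re.search(r"\bdev (\S+)", line)
        if parts and dev:
            dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
            routes.append((ipaddress.ip_network(dst, strict=False), dev.group(1)))
    return routes

def egress_device(addr, routes):
    """Longest-prefix match: the interface the kernel would use for addr."""
    hits = [(net.prefixlen, dev) for net, dev in routes if addr in net]
    return max(hits)[1] if hits else None

def find_dns_leaks(resolv_conf, ip_route, vpn_prefix="tun"):
    """Nameservers whose queries would leave on a non-VPN interface."""
    routes = parse_routes(ip_route)
    return [str(ns) for ns in parse_nameservers(resolv_conf)
            if not (egress_device(ns, routes) or "").startswith(vpn_prefix)]
```

On a live system, call `find_dns_leaks` with the contents of /etc/resolv.conf and the output of `ip route show`; with the sample data it reports 192.168.1.1 as leaking, because the LAN route to the router's resolver is more specific than the 0.0.0.0/1 tunnel route, while 8.8.8.8 is not a leak as long as the tunnel is up.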

Dannermax
Offline
Joined: 10/27/2013

Never mind my above post.. I ask too many questions..! :)

But i think i have the wrong version of gufw. My version looks like this:

[IMG]http://imageshack.us/a/img21/9837/g6cl.jpg[/IMG]

My version is: 9.10.2
But I cannot deny all outgoing traffic by default, only incoming.

In this thread, he must have a newer version, because he has both the incoming and outgoing buttons:

https://airvpn.org/topic/5586-prevent-leaks-with-linux-firestarter-also-stop-traffic-when-vpn-drops/#entry5642

Seems like that feature is missing... So does it even matter, or what can I do? If I want a newer version of GUFW I need to install a wheezy package, but I'm using squeeze.. what can I do if I want to set it up, just like in the post?

Thanks a lot for your time guys, and sorry for all the text!!