How to manage the DNS Leak in openvpn?

fstarter · 15 December 2020 10:25

Hi,
what is the possibility to stop openvpn from leaking the DNS outside of the ipfire?
Where should i bring the “block-outside-dns”? The server.conf overwrites by each restarting in the WUI.

So is it the solution and if so, where could the “block-outside-dns” be written?

Regards
fstarter

pmueller · 15 December 2020 13:39

Hi,

OpenVPN has nothing to do with DNS resolution here, as the latter are handled by a different software and are usually not transmitted through an OpenVPN tunnel.

In case you are trying to do something like connecting a branch office to a company’s headquarter, and want internal DNS namespace to be resolved by an internal nameserver, please refer to the documentation on how to do so.

In case you are trying connect IPFire to a VPN provider, please do not do so for reasons mentioned here.

Thanks, and best regards,
Peter Müller

fstarter · 16 December 2020 13:14

hmm… but what is about the “block-outside-dns” option? Where can i set it on the server?

I’m just connecting with the roadwarrior to the openVPN on my ipfire and have the dns leak with the DNS-IP of my mobile provider.

krasnal · 16 December 2020 18:14

Just to clarify, are you using a phone?

fstarter · 16 December 2020 19:05

yes, so called “smart” phone

krasnal · 16 December 2020 20:00

First of all, have you established whether the DNS queries are bypassing the VPN tunnel?

You can add additional configuration options in /var/ipfire/ovpn/scripts/server.conf.local.

I don’t have any experience of using OpenVPN on a phone but, generally, the (IPFire) server can “push” a number of configuration options to the client, which might include DNS (eg push "dhcp-option DNS 11.22.33.44"). The client, in this case your phone, should then act on those instructions.

So, you need to find out if the server is pushing a DNS address and, if so, whether the smartphone is doing anything with the instruction.

fstarter · 16 December 2020 21:23

thanks!
i found the setting in the client config on the server, there you can set the DNS. So i can set there the internal network dns and it works. Very fine!
The push possibility can be find via WUI in the further server settings, i think it could be another workaround.

ummeegge · 17 December 2020 18:38

Hi f starter,
i would suggest then to also use redirect-gateway .

Best,

Erik

fstarter · 17 December 2020 21:00

Redirect-Gateway def1 in the server conf?
Why that?

ummeegge · 17 December 2020 21:19

Good evening,
yes --> to redirect all traffic through the tunnel.

Have a nice evening.

Best,

Erik

fstarter · 17 December 2020 21:32

there is redirect gateway in the client confs on the server and in the server confs. Should i activate both of them?

ummeegge · 17 December 2020 22:03

Please also check the documentation but you can configure it also for specific clients via CCD.

Best,

Eik

fstarter · 17 December 2020 22:05

ok, thanks!

pmueller · 19 December 2020 11:07

Hi Erik,

thanks for mentioning this.

It should be a more straightforward solution to @fstarter’s problem, but slipped my mind as I was assuming redirect-gateway def1 to be set already.

Thanks, and best regards,
Peter Müller