DNS leak on Openwrt (OpenVPN, Unbound)

Cabrese · October 29, 2020, 4:33pm

Hello everybody

I've recently installed an autoritative DNS server (Unbound) and OpenVPN server on my VPS and wanted to use them with OpenWrt. After exporting my .ovpn to the router, the VPN tunnel is working fine... my IP changed, but I'm still using my ISP's DNS.

I've made a few research, but I have trouble to determine if the problem come from the server or the router's configuration and how to solve it (the DNS server is working fine)

Here are the different configuration files :

Server.conf (OpenVPN)

local xxx.xxx.xxx
port xxx
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
topology subnet
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 127.0.0.1"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 0
crl-verify crl.pem
explicit-exit-notify

Openvpn client (.ovpn)

client
dev tun
proto udp
remote xxx.xxx.xxx.xxx xxx
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
ignore-unknown-option block-outside-dns
block-outside-dns
verb 0

-----BEGIN CERTIFICATE-----
xxxxxxx

Unbound.conf server (partial)

interface: 127.0.0.1
interface: ::1

access-control: 10.0.0.0/8 allow
access-control: 127.0.0.0/8 allow
access-control: 192.168.0.0/16 allow
access-control: ::1 allow

private-address: 192.168.0.0/16
private-address: 172.16.0.0/12
private-address: 10.0.0.0/8

And the little tutorial I've followed to setup OpenVPN on Openwrt

What can I do to avoid DNS leak ? If you need more information from me (or running some tests), don't hesitate to ask !

Thanks in advance for you help, and have a nice day

Protopale · October 29, 2020, 5:41pm

Did you find out what the cause for the leak was?

Cabrese · October 29, 2020, 6:12pm

I haven't find yet But since DNS request directly made on the VPS are working fine, I believe that there are probably options in OpenWRT to forward the DNS request through the VPN tunnel...

devnrand · October 29, 2020, 6:18pm

Don't leave it up to to your vpn client to set dns. Just use iptables rules, like:

iptables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to $addr
iptables -t nat -A PREROUTING -p tcp --dport 53 -j DNAT --to $addr

ray308 · October 29, 2020, 8:02pm

I'm following this thread, having the same problem. small question;
How do you define $addr ? i'm getting an error that $addr is not defined.

(i'm using a script to change outgoing dns, when vpn is up. But with a dnsleak check the one I use for vpn is on top, but the other is still in the list, so something is leaking)

vgaetera · October 29, 2020, 9:38pm

Disable peer DNS and configure a VPN-routed upstream DNS provider:
https://openwrt.org/docs/guide-user/base-system/dhcp_configuration#upstream_dns_provider

If the issue persists, set up DNS hijacking:
https://openwrt.org/docs/guide-user/firewall/fw3_configurations/intercept_dns

dyha · October 31, 2020, 5:51pm

Hi,

you should set the IP of DNS servers from your VPN provider for your lan. See attached picture.

EricLuehrsen · January 23, 2021, 9:33pm

If Unbound is performing all of your exit recursion, then you can add a forward-zone: either conf or by UCI. Require that you intranet domain is forwarded to the VPN servers and UCI fallback is disabled or conf forward-first: no (won't try the universe on fail). Rare case, but if your VPN servers are actually authoritative servers (NSD, bind, active directory), then it is a stub-zone:.