OpenVPN Connected but No Internet

FFS. In my revision, I specifically put the block-outside-dns in a section of its own under Clients \ Prevent DNS Windows Leaks for Windows Clients because the block-outside-dns option can only be used for Windows clients.

I even put in the todo:

(maybe) update the create-ovpn.sh script to create two .ovpn files - one for non-Windows clients, and one for Windows to ensure VPN DNS is used and NOT the client's local/LAN DNS (simply create the non-Windows .ovpn, then copy and add block-outside-dns into the .ovpn file in the first section)

Is it possible to, oh, I don't know, not make changes to scripts on public wiki pages without testing them thoroughly on multiple platforms?

Sorry for being a douche. I'm being a douche.
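The two-profile todo above, as an added example that is not the thread's create-ovpn.sh: a POSIX shell function that derives the Windows .ovpn from a generic one by inserting `block-outside-dns` into the option section, before the first inline `<ca>`/`<cert>`/`<key>` block, and a constructed sample profile (placeholder remote and certificate) to run it against.

```shell
# Added example, not the thread's create-ovpn.sh. Derive the Windows-only
# profile the todo describes by inserting "block-outside-dns" into the option
# section of a generic .ovpn (before the first inline <ca>/<cert>/<key> block,
# since directives inside those blocks are not options). Paths are placeholders.

make_windows_ovpn() {
    in="$1"; out="$2"
    # Idempotent: if the option is already there, just copy the file.
    if grep -q '^block-outside-dns' "$in"; then
        cp "$in" "$out"
        return 0
    fi
    awk '
        # first inline block opens the certificate section: insert before it
        !done && /^<[a-z-]+>$/ { print "block-outside-dns"; done = 1 }
        { print }
        # no inline blocks at all: append at the end of the option list
        END { if (!done) print "block-outside-dns" }
    ' "$in" > "$out"
}

# Constructed sample client profile for a stand-alone run; prints the line
# the option landed on and how many copies a second pass leaves behind.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/client.ovpn" <<'EOF'
client
dev tun
proto udp
remote vpn.example.net 1194
<ca>
-----BEGIN CERTIFICATE-----
MIIB...constructed placeholder...
-----END CERTIFICATE-----
</ca>
EOF
    make_windows_ovpn "$tmp/client.ovpn" "$tmp/client-windows.ovpn"
    line=$(grep -n '^block-outside-dns' "$tmp/client-windows.ovpn" | cut -d: -f1)
    # Running it again on the Windows profile must not duplicate the option.
    make_windows_ovpn "$tmp/client-windows.ovpn" "$tmp/client-windows2.ovpn"
    count=$(grep -c '^block-outside-dns' "$tmp/client-windows2.ovpn")
    rm -rf "$tmp"
    echo "$line $count"
}
```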

Right, but block_outside_dns is not the recommended solution for the DNS leak issue on Windows, as it will result in connection lag on systems with multiple network interfaces.

  • Recommended Solution:
    • Modify the Windows TAP Adapter's IPv4 Settings -> Advanced...
      • Automatic Metric: Uncheck
      • Interface Metric: 1

Simply because an option exists in the OpenVPN man page doesn't mean it should be utilized:

  • The Man Page should always be consulted first, followed by search engine utilization to research the option.
    • This ensures the option is being used in the correct manner, as well as to verify it's the recommended solution for the issue being faced, prior to adding it to a wiki.
      • Had this been done, the above solution would have been found.

I don't see setting the metric as a viable or user friendly solution to the issue of DNS leaking, which the block-outside-dns option is trying to stop. When using the DNS metric method, if the primary DNS server (in this instance, the DNS address provided by the OpenDNS server) becomes unavailable, the Windows OpenVPN client will start using the next metric - the local DNS server - meaning that it will be leaking DNS likely without the user knowing.

That's why I don't use the recommended solution you mentioned, and that's why I wouldn't recommend it for anyone else. It's just plain not secure.

Whether or not you personally find it "user friendly", it is the recommended solution for the DNS leak issue.

  • As I previously mentioned, perhaps a google search is in order.

I'm not sure how changing a network interface's properties is not "user friendly", considering the whole point of a wiki is to walk a user through the steps for completion.

  • By your definition, the entire OpenWrt Wiki site is "not a user friendly solution".

It should be kept in mind wikis are not intended to serve the purposes of a single user or a single user's custom environment, but meant to serve 90% of users 90% of the time.

I'm vague on that, but I believe @stueh added a separate paragraph on the block_outside_dns and it was me who integrated that option into the main instructions.

I don't have a Windows computer, so I personally don't have this option and I have not tested its impact on the non-Windows clients.

Probably the correct way forward would be to remove this option as a default and restore @stueh's paragraph on preventing DNS leaks on Windows indicating that this is one of the options with the link to the comprehensive guide for more options?


Has anyone actually verified a DNS leak occurs in clients over version 2.4.2, as this was patched in 2.4.2... 16 months ago in #605.

  • This is also stated in the Changelog for 2.4.3

Again, a simple google search would have shown this....

  • Perhaps I could suggest:
    1. Ensure one is utilizing the most current stable version of software both server and client side
    2. Review applicable Man Page
      1. Perform a web search to:
        1. Verify the arbitrary config option is the correct option for the issue faced
        2. Verify it's the recommended solution.
          • One should have come across Bug #605; however, if they hadn't, numerous articles, including #605 (prior to the patch issued in 2.4.2), recommended changing the TAP interface's metric, and not specifying the block_outside_dns option in the config due to the issues it will cause on systems having more than one network interface.
