How to fix DNS leak on linux ?


Topic Author
nullstrike

How to fix DNS leak on linux ?

Postby nullstrike » Mon Aug 07, 2017 8:16 pm

I got the OpenVPN config from GitHub and I followed the indications to disable IPv6 and to add those 3 lines in the .ovpn config file.
After a visit to https://ipleak.net I saw that I still have a DNS leak with the IP from my ISP.

How to fix this major issue?

I'm using Linux Mint 18.1 Serena, and I tried it through NetworkManager and directly from the terminal; in both cases I have the same issue.

Thanks!


parityboy
Site Admin
Posts: 1084
Joined: Wed Feb 05, 2014 3:47 am

Re: How to fix DNS leak on linux ?

Postby parityboy » Mon Aug 07, 2017 8:52 pm

@OP

Try this.

sudo apt-get install iptables-persistent


Then edit /etc/iptables/rules.v6 to look like this:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
COMMIT


Now edit /etc/iptables/rules.v4. The idea is to permit traffic over eth0 to the exit nodes, but everything else goes over the tunnel.

*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]

# Permit/accept traffic from localhost
-A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
-A OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
-A INPUT -s 127.0.1.1/32 -d 127.0.1.1/32 -j ACCEPT
-A OUTPUT -s 127.0.1.1/32 -d 127.0.1.1/32 -j ACCEPT

# Permit/accept traffic to NL exit node
-A INPUT -i eth0 -s 213.163.64.209/32 -p udp --sport 443 -j ACCEPT
-A OUTPUT -o eth0 -d 213.163.64.209/32 -p udp --dport 443 -j ACCEPT
-A INPUT -i eth0 -s 185.107.80.85/32 -p udp --sport 443 -j ACCEPT
-A OUTPUT -o eth0 -d 185.107.80.85/32 -p udp --dport 443 -j ACCEPT

# Only permit/accept other traffic if it's going/coming over the VPN tunnel
-A INPUT -i tun0 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
COMMIT


Now do "sudo iptables-restore /etc/iptables/rules.v4" and the firewall will be active. This method means that you'll need to make sure that the IP addresses of all current nodes are in your firewall rules.
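
One way to keep the node list in a single place so the file can be regenerated whenever nodes change, added here as an example and not parityboy's or cryptostorm's own script. It assumes the same interface names as above (eth0 for the physical link, tun0 for the tunnel); the node addresses in it are constructed placeholders from the RFC 5737 documentation range, not real exit nodes.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset in the rules.v4 layout used
# above from a list of exit-node addresses. The node addresses shown in the
# usage comment at the bottom are CONSTRUCTED placeholders (RFC 5737 range).

# Print a rules.v4 ruleset to stdout.
#   $1 = physical interface, $2 = tunnel interface, $3 = VPN UDP port,
#   remaining arguments = exit-node IPv4 addresses.
# Returns 1 and prints nothing if any address is not a plain dotted quad,
# so a typo cannot silently produce a rule for the wrong host.
gen_rules_v4() {
    wan="$1"; tun="$2"; port="$3"; shift 3
    for ip in "$@"; do
        case "$ip" in
            *[!0-9.]* | "") printf 'bad node address: %s\n' "$ip" >&2; return 1 ;;
        esac
    done
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT DROP [0:0]'
    printf '%s\n' '# Loopback, matched on the interface rather than on 127.x addresses'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT' '-A OUTPUT -o lo -j ACCEPT'
    printf '%s\n' '# Tunnel endpoints: only UDP to the node port, only on the WAN interface'
    for ip in "$@"; do
        printf '%s\n' "-A INPUT -i $wan -s $ip/32 -p udp --sport $port -j ACCEPT" \
                      "-A OUTPUT -o $wan -d $ip/32 -p udp --dport $port -j ACCEPT"
    done
    printf '%s\n' '# Everything else, DNS included, crosses the tunnel or is dropped'
    printf '%s\n' "-A INPUT -i $tun -j ACCEPT" "-A OUTPUT -o $tun -j ACCEPT" 'COMMIT'
}

# Count OUTPUT rules bound to interface $1 in a ruleset read on stdin.
# Compare the result with the length of your node list before loading the file.
count_wan_rules() { grep -c -- "-A OUTPUT -o $1 "; }

# Usage (constructed addresses; substitute the current node list):
# gen_rules_v4 eth0 tun0 443 203.0.113.10 203.0.113.11 \
#     | sudo tee /etc/iptables/rules.v4 >/dev/null
# sudo iptables-restore /etc/iptables/rules.v4
```

Check the count before loading: if it is lower than the number of nodes you passed in, a node was dropped and that node's tunnel would be blocked along with everything else.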


Topic Author
LazyAss

Re: How to fix DNS leak on linux ?

Postby LazyAss » Wed Aug 30, 2017 5:42 am

Nice information. Compared to messing around with up/down scripts and openvpn settings, this is a more bulletproof method.

Would it be possible to add a "Rules.v4" to the Linux section on Github populated (and updated) with all the current CS exit node IP's? Maybe add a small readme with the basics of this thread as well. Job done.


parityboy
Site Admin
Posts: 1084
Joined: Wed Feb 05, 2014 3:47 am

Re: How to fix DNS leak on linux ?

Postby parityboy » Fri Sep 01, 2017 8:50 pm

LazyAss wrote:Nice information. Compared to messing around with up/down scripts and openvpn settings, this is a more bulletproof method.

Would it be possible to add a "Rules.v4" to the Linux section on Github populated (and updated) with all the current CS exit node IP's? Maybe add a small readme with the basics of this thread as well. Job done.


That sounds like a good idea. :)

