How to fix DNS leak on linux ?

Posted: Mon Aug 07, 2017 8:16 pm
by nullstrike
I got the OpenVPN config from GitHub and I followed the indications to disable IPv6 and to add those 3 lines in the .ovpn config file.
After a visit to https://ipleak.net I saw that I still have a DNS leak with the IP from my ISP.

How to fix this major issue?

I'm using Linux Mint 18.1 Serena, and I tried it through NetworkManager and directly from the terminal; in both cases I have the same issue.

Thanks!

Re: How to fix DNS leak on linux ?

Posted: Mon Aug 07, 2017 8:52 pm
by parityboy
@OP

Try this.

sudo apt-get install iptables-persistent


Then edit /etc/iptables/rules.v6 to look like this:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
COMMIT


Now edit /etc/iptables/rules.v4. The idea is to permit traffic over eth0 to the exit nodes, but everything else goes over the tunnel.

*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]

# Permit/accept traffic from localhost
-A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
-A OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
-A INPUT -s 127.0.1.1/32 -d 127.0.1.1/32 -j ACCEPT
-A OUTPUT -s 127.0.1.1/32 -d 127.0.1.1/32 -j ACCEPT

# Permit/accept traffic to NL exit node
-A INPUT -i eth0 -s 213.163.64.209/32 -p udp --sport 443 -j ACCEPT
-A OUTPUT -o eth0 -d 213.163.64.209/32 -p udp --dport 443 -j ACCEPT
-A INPUT -i eth0 -s 185.107.80.85/32 -p udp --sport 443 -j ACCEPT
-A OUTPUT -o eth0 -d 185.107.80.85/32 -p udp --dport 443 -j ACCEPT

# Only permit/accept other traffic if it's going/coming over the VPN tunnel
-A INPUT -i tun0 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
COMMIT


Now do "sudo iptables-restore /etc/iptables/rules.v4" and the firewall will be active. This method means that you'll need to make sure that the IP addresses of all current nodes are in your firewall rules.
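Because the ruleset above has to be kept in step with the current exit-node list, here is an added example (not from this thread or from the provider's GitHub repo) that regenerates a rules.v4 file in the same shape from a list of node IPs, refusing malformed addresses so a typo cannot blackhole the VPN handshake. It assumes the same layout as the post: WAN interface eth0, tunnel tun0, OpenVPN on UDP/443.

```shell
#!/bin/sh
# Added example: rebuild /etc/iptables/rules.v4 from the current exit-node list
# instead of hand-editing it. Assumptions: eth0 is the WAN interface, tun0 is
# the OpenVPN tunnel, the nodes listen on UDP/443 (all as in the post above).

# is_ipv4 ADDR -> exit 0 only if ADDR is a dotted quad with octets 0-255
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for oct in $(printf '%s' "$1" | tr '.' ' '); do
        [ "$oct" -le 255 ] || return 1
    done
}

# gen_rules_v4 WAN_IF TUN_IF UDP_PORT NODE_IP... -> prints an iptables-restore file
# Returns 1 and prints nothing if any node address is malformed or none is given,
# so the default-DROP policy is never installed without a reachable exit node.
gen_rules_v4() {
    wan="$1"; tun="$2"; port="$3"; shift 3
    [ $# -ge 1 ] || return 1
    for ip in "$@"; do is_ipv4 "$ip" || return 1; done
    printf '*filter\n:FORWARD DROP [0:0]\n:INPUT DROP [0:0]\n:OUTPUT DROP [0:0]\n\n'
    printf '%s\n' '# Permit/accept traffic from localhost'
    for lo in 127.0.0.1 127.0.1.1; do
        printf '%s\n' "-A INPUT -s $lo/32 -d $lo/32 -j ACCEPT"
        printf '%s\n' "-A OUTPUT -s $lo/32 -d $lo/32 -j ACCEPT"
    done
    printf '\n%s\n' '# Permit/accept traffic to the exit nodes on the WAN interface only'
    for ip in "$@"; do
        printf '%s\n' "-A INPUT -i $wan -s $ip/32 -p udp --sport $port -j ACCEPT"
        printf '%s\n' "-A OUTPUT -o $wan -d $ip/32 -p udp --dport $port -j ACCEPT"
    done
    printf '\n%s\n' '# Everything else, DNS included, only over the VPN tunnel'
    printf '%s\n' "-A INPUT -i $tun -j ACCEPT" "-A OUTPUT -o $tun -j ACCEPT" 'COMMIT'
}

# Usage: review the output, then install it with iptables-restore, e.g.
#   gen_rules_v4 eth0 tun0 443 213.163.64.209 185.107.80.85 > /tmp/rules.v4
#   sudo cp /tmp/rules.v4 /etc/iptables/rules.v4
#   sudo iptables-restore /etc/iptables/rules.v4
```

After loading the rules, a resolver check against https://ipleak.net should show only the provider's DNS, since no port-53 traffic can leave over eth0 any more.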

Re: How to fix DNS leak on linux ?

Posted: Wed Aug 30, 2017 5:42 am
by LazyAss
Nice information. Compared to messing around with up/down scripts and openvpn settings, this is a more bulletproof method.

Would it be possible to add a "Rules.v4" to the Linux section on GitHub populated (and updated) with all the current CS exit node IPs? Maybe add a small readme with the basics of this thread as well. Job done.

Re: How to fix DNS leak on linux ?

Posted: Fri Sep 01, 2017 8:50 pm
by parityboy
LazyAss wrote: Nice information. Compared to messing around with up/down scripts and openvpn settings, this is a more bulletproof method.

Would it be possible to add a "Rules.v4" to the Linux section on GitHub populated (and updated) with all the current CS exit node IPs? Maybe add a small readme with the basics of this thread as well. Job done.


That sounds like a good idea. :)