    HowTo: Route part of your LAN via TorGuard or PIA.

    45 Posts 15 Posters 28.5k Views
pfsensory:

      The key might be in section (above) - "Add a rule to block vpnclients from making DNS queries to the LAN IP.  This prevents vpnclients from using the DNS Resolver and prevents DNS leaks if you forget to override DNS settings when adding static DHCP mappings for vpnclients."

      Has this rule been set up?

chebyshev:

        Yes, I set up that rule.

Pippin:

          Is your client Windows 8 or up?
          Then it could be this:
          https://forum.pfsense.org/index.php?topic=110910.msg617899#msg617899

          I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
          Halton Arp

chebyshev:

            I just tried that, but got the following in my OpenVPN log:

            May 6 20:54:13	openvpn	84233	SIGTERM[hard,] received, process exiting
            May 6 20:54:13	openvpn	30195	Options error: Unrecognized option or missing parameter(s) in /var/etc/openvpn/client2.conf:31: block-outside-dns (2.3.9)
            May 6 20:54:13	openvpn	30195	Use --help for more information.
            

This seems weird to me because the documentation for OpenVPN 2.3.9 seems to indicate that the --block-outside-dns option is available.

morreale:

              @chebyshev:

              I just tried that, but got the following in my OpenVPN log:

              May 6 20:54:13	openvpn	84233	SIGTERM[hard,] received, process exiting
              May 6 20:54:13	openvpn	30195	Options error: Unrecognized option or missing parameter(s) in /var/etc/openvpn/client2.conf:31: block-outside-dns (2.3.9)
              May 6 20:54:13	openvpn	30195	Use --help for more information.
              

This seems weird to me because the documentation for OpenVPN 2.3.9 seems to indicate that the --block-outside-dns option is available.

I had to use "push block-outside-dns" which someone recommended. Not sure if that is actually working or not. Don't see anything in the log.

I am still having the issue where any of the leak test sites are showing my DNS server as my IP from the ISP (not my ISP's DNS servers).

I have done all the different rules for blocking DNS and forcing certain servers. It just seems like it was working at first and now it always displays the ISP IP even when connected to VPN.

              I am using DNS Resolver (no forwarding and no DNS servers configured on general setup…using 127.0.0.1)

              Release: pfSense 2.3.4 p1(amd64)
              M/B: Supermicro A1SRi-2758F-O
              SSD: 128GB
              RAM: 2x8Gb Kingston 1600MHz DDR3L PC3-12800 ECC
              AP: Cisco

chebyshev:

                The "push block-outside-dns" seems to allow the client to start at least, but it didn't change anything in terms of the leak tests. You're right - they are showing my IP, not my ISP's DNS server. Strange and pretty much the opposite of what I'm looking for out of a VPN.

Derelict (Netgate):

@chebyshev On the host you are performing the DNS leak tests from, what are the configured name servers? Precisely what firewall rules did you create (a screenshot would be best)?

                  Chattanooga, Tennessee, USA
                  A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                  DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                  Do Not Chat For Help! NO_WAN_EGRESS(TM)

chebyshev:

                    The host doing the leak tests gets a static IP assigned via DHCP from the pfSense box - it is assigned the Google DNS servers (8.8.8.8 and 8.8.4.4). Those are the ones that show up if I do 'ipconfig /all'. It is running Windows 10.

                    Screenshots of my firewall rules are attached.

[attachments: lan_rules.PNG, floating_rules.PNG]

Derelict (Netgate):

Do you have name servers set up in System > General Setup? What are they?

morreale:

                        @morreale:

                        @chebyshev:

                        I just tried that, but got the following in my OpenVPN log:

                        May 6 20:54:13	openvpn	84233	SIGTERM[hard,] received, process exiting
                        May 6 20:54:13	openvpn	30195	Options error: Unrecognized option or missing parameter(s) in /var/etc/openvpn/client2.conf:31: block-outside-dns (2.3.9)
                        May 6 20:54:13	openvpn	30195	Use --help for more information.
                        

This seems weird to me because the documentation for OpenVPN 2.3.9 seems to indicate that the --block-outside-dns option is available.

I had to use "push block-outside-dns" which someone recommended. Not sure if that is actually working or not. Don't see anything in the log.

I am still having the issue where any of the leak test sites are showing my DNS server as my IP from the ISP (not my ISP's DNS servers).

I have done all the different rules for blocking DNS and forcing certain servers. It just seems like it was working at first and now it always displays the ISP IP even when connected to VPN.

                        I am using DNS Resolver (no forwarding and no DNS servers configured on general setup…using 127.0.0.1)

                        Here is my config at the moment…I have the DNS related rules disabled until I figure out the situation

[attachments: 0.JPG, 1.JPG, 2.JPG, 3.JPG, 4.JPG, 5.JPG, 6.JPG]


Derelict (Netgate):

                          Don't know why you have all those rules duplicated. Only the first match is going to have any effect.


morreale:

                            @Derelict:

                            Don't know why you have all those rules duplicated. Only the first match is going to have any effect.

Some of those are due to it being 2 separate images that I should have done a better job of editing before posting :)
The others are due to being auto-created and manually created. Duplicates remain disabled and were left in place only for testing.


chebyshev:

                              @Derelict:

Do you have name servers set up in System > General Setup? What are they?

                              I have the Google DNS servers in there: 8.8.8.8 and 8.8.4.4.

[attachment: dns.png]

Derelict (Netgate):

                                I think that might be the problem. Manually set your DNS server on that host to just 4.2.2.2 and run your DNS leak test again.


chebyshev:

                                  Tried that - same result.

[attachment: host_dns.PNG]

Derelict (Netgate):

                                    And what result is that?


chebyshev:

                                      Sorry - my IP is showing up in the DNS leak test results.

Derelict (Netgate):

Hmm. When I set mine to use Google for DNS, all dnsleaktest.com sees is Google.

                                        You positive you're working from a host that has all traffic forwarded to the VPN?

                                        You sure that host has google and only google set as its DNS servers?


chebyshev:

                                          I'm pretty sure on all counts. Is there a DNS leak test site I can use that doesn't require a browser? Like how I can just wget ipecho.net/plain. That way I could test it on my headless clients that are supposedly behind the VPN.

The only thing I wonder about is whether IPv6 is somehow leaking my IPv4 info, but I don't know enough about IPv6 to know if that is possible.

chebyshev:

                                            Update!

It was in fact IPv6 somehow leaking IPv4 information. I turned off IPv6 in Interfaces/WAN and now all that shows up is Google's DNS information in the leak tests.

So on to the next question: am I losing anything by not having IPv6 enabled, and if so, how can I prevent the leak with it enabled?

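An added example, not code from this thread or from pfSense: a small first-match rule evaluator that models the LAN rules discussed here, covering Derelict's point that only the first matching rule has any effect (duplicates lower down never fire) and the IPv6 leak chebyshev found. The 'vpnclients' alias, the LAN IP and the 2001:db8:: addresses are constructed; as in pf, a rule only matches its own address family, so an IPv4-only rule set never sees IPv6 DNS queries and they fall through to whatever generic IPv6 pass rule the LAN has.

```python
"""Constructed first-match evaluator for pfSense-style LAN rules (not pfSense code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Rule:
    action: str           # "block" or "pass"
    src: str              # CIDR; the HowTo's 'vpnclients' alias is modelled as one subnet
    dst: str              # CIDR
    dport: Optional[int]  # None matches any destination port
    enabled: bool = True

def _contains(net: str, ip: str) -> bool:
    """Address families never mix: an IPv4 rule cannot match an IPv6 packet, as in pf."""
    n = ipaddress.ip_network(net, strict=False)
    a = ipaddress.ip_address(ip)
    return a.version == n.version and a in n

def first_match(rules: List[Rule], src: str, dst: str, dport: int) -> Tuple[Optional[int], str]:
    """(index, action) of the first enabled matching rule, as with pfSense 'quick' rules;
    no match means the packet falls through to the interface's remaining/default policy."""
    for i, r in enumerate(rules):
        if (r.enabled and _contains(r.src, src) and _contains(r.dst, dst)
                and (r.dport is None or r.dport == dport)):
            return i, r.action
    return None, "default"

def shadowed(rules: List[Rule]) -> List[int]:
    """Enabled rules that repeat an earlier enabled rule exactly; they can never fire."""
    seen, dups = set(), []
    for i, r in enumerate(rules):
        if r.enabled:
            key = (r.action, r.src, r.dst, r.dport)
            if key in seen:
                dups.append(i)
            else:
                seen.add(key)
    return dups

# Constructed values: 'vpnclients' alias = 192.168.1.128/25, LAN IP = 192.168.1.1.
VPNCLIENTS, LAN_IP = "192.168.1.128/25", "192.168.1.1/32"
LAN_RULES = [
    Rule("block", VPNCLIENTS, LAN_IP, 53),        # the HowTo's rule: no DNS to the LAN IP
    Rule("pass", VPNCLIENTS, "0.0.0.0/0", None),  # everything else (gateway = VPN, not modelled)
    Rule("block", VPNCLIENTS, LAN_IP, 53),        # duplicate: unreachable, first match wins
    Rule("pass", "192.168.1.0/24", "0.0.0.0/0", None),  # remaining LAN hosts
]
# None of these IPv4 rules match an IPv6 DNS query from a vpnclient, e.g.
# first_match(LAN_RULES, "2001:db8:1::130", "2001:db8:53::1", 53) -> (None, "default")
```

The IPv6 result is the leak in the thread: the VPN policy rules are IPv4-only, so an IPv6-capable host resolves outside the VPN until IPv6 is either disabled on WAN or given its own block/pass rules.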
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.