Netgate Discussion Forum
    DNS leaks using OpenVPN client tunnel

    69 Posts 7 Posters 23.7k Views
    • NeoDude

      dnsleaktest will show what DNS server is resolving for you. If you are using the resolver in pfSense with default settings (not forwarding), it will show your IP address. If you're using an external DNS server (via forwarding or via the VPN tunnel), it will show the IP of the DNS server.

      Assuming you're using the settings I suggest and have the pfSense resolver set up not to use forwarding, the easiest way to test that your DNS requests are going through the VPN is to run dnsleaktest on a machine that is not a member of your VPN alias (or temporarily remove the one you're using just now). Anything not in the list should show your IP address (assuming Unbound isn't forwarding).

      Home Server "Gandalf": unRAID Pro 6 | MB: ASUS Z9PE-D8 WS | CPU: Dual Xeon E5-2670 | RAM: 64GB Crucial PC-1600 ECC
      • gschmidt

        @NeoDude:

        dnsleaktest will show what DNS server is resolving for you. If you are using the resolver in pfSense with default settings (not forwarding), it will show your IP address. If you're using an external DNS server (via forwarding or via the VPN tunnel), it will show the IP of the DNS server.

        Assuming you're using the settings I suggest and have the pfSense resolver set up not to use forwarding, the easiest way to test that your DNS requests are going through the VPN is to run dnsleaktest on a machine that is not a member of your VPN alias (or temporarily remove the one you're using just now). Anything not in the list should show your IP address (assuming Unbound isn't forwarding).

        I have set up the DNS port 53 forwarding per your suggestion (this is actually pretty much the same as "gcu_greyarea" has).
        It doesn't matter whether I check or uncheck "Disable DNS Forwarder" in System/General Settings (same result in dnsleaktest.com).
        It doesn't matter whether I have specified DNS servers at System/General Settings or not (same result in dnsleaktest.com).
        I don't have DNS servers specified in the DHCP/LAN server.

        With the setup above:
        When I perform a dnsleaktest.com on a machine OUTSIDE the "ExpressVPN_Hosts" alias, it returns my ISP IP address (WAN), as it should!
        When I perform a dnsleaktest.com on a machine INSIDE the "ExpressVPN_Hosts" alias, it returns NOT my ISP IP address and NOT my ExpressVPN IP address but a lot of IP addresses of Google, OpenDNS or Cloudflare DNS servers.

        When I perform an NSLOOKUP (nslookup whoami.akamai.net) on a machine INSIDE the "ExpressVPN_Hosts" alias, the DNS server I specified in the port forward rule is shown, so the port forward rule seems to work; however it returns NOT my ISP IP address and NOT my ExpressVPN IP address but another IP address, probably one of the addresses shown when I perform a dnsleaktest.com.

        So my question is....is this a leak or not?

        • NeoDude

          No, it's not a leak; that all sounds correct. The dnsleaktest isn't supposed to show you where your DNS requests are coming FROM, it shows you what server is actually resolving them. Your non-VPN clients will be using Unbound to resolve, which is why your ISP IP shows up. Your VPN clients will be bypassing Unbound and going out through the tunnel directly to whatever DNS addresses you have set in your alias, hence it is these addresses that show.

          If you take Unbound out of resolver mode (Services/DNS Resolver and tick "Enable Forwarding Mode") you should see that your non-VPN clients will also start showing Google/CloudFlare or whatever you have set up under General.

          The surefire way to check is to do a packet capture on port 53 on your VPN interface with level of detail set to high. Load up a web page on a VPN client. Stop the packet capture and you should be able to confirm, by matching the website, that your client did indeed send its DNS request over the tunnel.

          • gschmidt

            @NeoDude:

            The surefire way to check is to do a packet capture on port 53 on your VPN interface with level of detail set to high. Load up a web page on a VPN client. Stop the packet capture and you should be able to confirm, by matching the website, that your client did indeed send its DNS request over the tunnel.

            Diagnostics/Packet Capture seems not to work; View Capture is empty. I have the settings attached.
            The host address field is one of the machines going through the EXPRESSVPN interface.
            Do I have to turn on something else in System or so?

            ![Packet Capture.JPG](/public/imported_attachments/1/Packet Capture.JPG)

            • NeoDude

              That's not going to work because NAT has already taken place by that point. Leave everything as default except the interface set to your VPN gateway, the port set to 53 and detail set to high. That's why I said to use a specific web page and then you can match that page in the packet capture.

              • gcu_greyarea

                I would test the following:

                Test 1: Packet Capture on WAN IF, Proto Any, Port 53
                Start Capture
                Run DNS Leak Test
                Stop Capture
                What do you see? Any DNS servers other than what you have specified in pfSense General/DNS Port Forward Rule (used for the tunnel)?
                No. Then that's great, no leaks.
                Yes. There's a client using DNS servers other than what you have specified.

                Test 2: Packet Capture on LAN IF, Proto Any, Port 53, Source: IP of your tunnel client
                Start Capture
                Run DNS Leak Test
                Stop Capture
                Which server does your client contact?
                Only the one you have specified via DHCP. Good.
                Other DNS servers? Strange, but check if the requests are forwarded through the tunnel (Test 3).

                Test 3: Packet Capture on ExpressVPN IF, Proto Any, Port 53, Source: ANY
                Start Capture
                Run DNS Leak Test
                Stop Capture
                Which destination servers do you see?
                Only the one you specified in the forwarding rule. Good. No DNS leak.
                Others. Block them via floating outgoing rules.

                What does this test show you ?
                https://www.expressvpn.com/dns-leak-test

                Bottom of this page explains various types of leaks:

                https://www.expressvpn.com/internet-privacy/expressvpn-leak-testing-tools/

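As an added example (not code from the thread, from pfSense or from any of the posters): a small Python checker that applies the three capture tests above and NeoDude's "match the page name" method to the text pfSense's Diagnostics > Packet Capture (tcpdump) shows for port 53 traffic. It assumes tcpdump's text line format; the sample captures and all addresses in it are constructed, and it also tallies query types so AAAA lookups stand out.

```python
"""Added example (not from the thread): run gcu_greyarea's capture checks and
NeoDude's "match the page name" check over the text that pfSense
Diagnostics > Packet Capture (tcpdump) shows for port-53 traffic.
Constructed addresses: 192.168.1.20 LAN client, 10.8.0.6 tunnel address,
203.0.113.5 WAN, 1.1.1.1 port-forward target, 9.9.9.9 General Setup DNS."""
import re
from collections import Counter

# One query as tcpdump prints it, with or without the "IP" header on the
# same line and with or without the "[udp sum ok]" / "[1au]" annotations.
QUERY = re.compile(
    r"(?P<src>[0-9a-fA-F.:]+)\.(?P<sport>\d+) > (?P<dst>[0-9a-fA-F.:]+)\.53: "
    r"(?:\[[^\]]*\]\s*)?\d+\+?\s*(?:\[[^\]]*\]\s*)?(?P<qtype>[A-Z]+)\? (?P<qname>\S+)"
)


def parse_queries(capture_text):
    """Return one dict (src, sport, dst, qtype, qname) per outbound query."""
    return [m.groupdict() for m in map(QUERY.search, capture_text.splitlines()) if m]


def check_interface(capture_text, allowed_servers):
    """Tests 1 and 3: any destination outside allowed_servers is a leak.
    Query types are tallied too, so stray AAAA lookups are visible."""
    queries = parse_queries(capture_text)
    dests = Counter(q["dst"] for q in queries)
    leaks = {d: n for d, n in dests.items() if d not in allowed_servers}
    return {"destinations": dict(dests),
            "qtypes": dict(Counter(q["qtype"] for q in queries)),
            "leaks": leaks}


def interfaces_seeing(captures, name_suffix):
    """The tunnel-side capture is post-NAT, so filtering by the client's LAN
    address finds nothing; instead look for the page the VPN client loaded
    and report every interface that carried a query for that name."""
    return sorted(iface for iface, text in captures.items()
                  if any(q["qname"].rstrip(".").endswith(name_suffix)
                         for q in parse_queries(text)))


# Constructed captures (Proto Any, Port 53) taken while a VPN client loaded
# www.netgate.com; the WAN line is the resolver's own forwarded query.
CAPTURES = {
    "LAN": "12:00:01.000001 IP 192.168.1.20.51000 > 192.168.1.1.53: 41001+ A? www.netgate.com. (33)\n",
    "EXPRESSVPN": (
        "12:00:01.000002 IP 10.8.0.6.40001 > 1.1.1.1.53: 41001+ A? www.netgate.com. (33)\n"
        "12:00:01.000003 IP (tos 0x0, ttl 64, id 7, offset 0, flags [none], proto UDP (17), length 61)\n"
        "    10.8.0.6.40002 > 1.1.1.1.53: [udp sum ok] 41002+ AAAA? www.netgate.com. (33)\n"
        "12:00:01.000004 IP 10.8.0.6.40003 > 8.8.8.8.53: 41003+ A? dnsleaktest.com. (33)\n"
    ),
    "WAN": "12:00:01.000005 IP 203.0.113.5.50001 > 9.9.9.9.53: 41004+ A? example.org. (29)\n",
}

if __name__ == "__main__":
    print("Test 1 (WAN):", check_interface(CAPTURES["WAN"], {"9.9.9.9"}))
    print("Test 3 (VPN):", check_interface(CAPTURES["EXPRESSVPN"], {"1.1.1.1"}))
    print("www.netgate.com seen on:", interfaces_seeing(CAPTURES, "netgate.com"))
```

With the constructed captures, the WAN test is clean, the tunnel test flags 8.8.8.8 as a destination outside the forwarding target, and the page name shows up on LAN and on the tunnel interface but not on WAN.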
                • gschmidt

                  I already figured it out. I did 2 tests, on the LAN and the EXPRESSVPN interfaces.
                  During both tests I started a website in the browser with a machine from the ExpressVPN_Hosts alias.
                  For the packet capture on the LAN I typed the IP address of the machine.

                  The results are attached. I wiped the local IP address of the machine and the virtual IP address of the ExpressVPN connection. To me it looks OK.

                  But I find it still strange that with the port forwarding 53 rule all those Google, OpenDNS and Cloudflare IPs are shown during a leak test,
                  and when I use the DNS Resolver (only EXPRESSVPN as outgoing interface, and no DNS servers specified anywhere in pfSense) the leak test only shows my ExpressVPN IP address (which is the only config, according to the "ExpressVPN DNS leak check page", without any DNS leak = showing the VPN IP address).

                  ![CAP-LAN Interface-01.JPG](/public/imported_attachments/1/CAP-LAN Interface-01.JPG)
                  ![CAP-ExpressVPN Interface-01.JPG](/public/imported_attachments/1/CAP-ExpressVPN Interface-01.JPG)

                  • gschmidt

                    Here the leak test on the ExpressVPN site. (Looks like a Vanilla Leak)

                    DNS requests go through the VPN tunnel AND go to a third party DNS server
                    This type of leak is the least severe. The DNS requests will be encrypted all the way to the VPN server, preventing any MitM from eavesdropping and seeing the DNS requests. This makes it effectively impossible to determine which individual sent a given DNS request. However, in a very targeted attack there may be complex methods an attacker could employ to use this to determine information about the sender.

                    (Note that these descriptions assume that the DNS servers run by the VPN providers are both logless and secure. This is an important aspect of protecting of any VPN provider, but is beyond the scope of this leak case study.)

                    I also tested on the same Windows 10 PC the WebRTC leak on their site. This gave an IPv6 leak on this machine.
                    But this machine I only use for testing. The laptop I am typing on now (when I added it to the VPN_Host alias) did not have this IPv6 WebRTC leak.
                    The Windows 10 PC has a hidden "Teredo Tunneling Pseudo Interface" which is probably causing the IPv6 WebRTC leak.

                    ![ExpressVPN Leak Test.JPG](/public/imported_attachments/1/ExpressVPN Leak Test.JPG)

                    • gcu_greyarea

                      One thing I noticed in your packet capture is that there are AAAA DNS Requests. Could this be the problem ?

                      https://en.wikipedia.org/wiki/Teredo_tunneling

                      In System -> Advanced -> Firewall ->

                      Do you have this enabled ?  "IPv6 over IPv4 Tunneling"

                      What happens when you block all IPv6 traffic?

                      Honestly - I'm fishing in the dark :)

                      • gschmidt

                        What does AAAA mean then?

                        You mean in System/Advanced/Networking - IPv6 Options?
                        Nothing checked there…

                        Maybe the teredo tunneling device is installed because I have setup 2 VPN client software (ExpressVPN and PureVPN) on that machine?

                        • gcu_greyarea

                          AAAA is an IPv6 DNS Request. Perhaps these AAAA Requests are sent through the tunnel or out the WAN Interface…

                          The way I understand it is that Windows 10 could send IPv6 DNS Requests via the Teredo Tunnel (which tunnels IPv6 over IPv4), hence causing the DNS Leaks.

                          The firewall rules and port forward rules in pfSense may not catch that traffic and fail to policy route it via the tunnel...

                          You mentioned ExpressVPN and PureVPN Client Software on your Win10 machine ?  Are you trying to tunnel inside the pfSense ovpnclient ? Or is that just a "fallback" option ?

                          • gschmidt

                            This packet capture is from my LAPTOP, which I temporarily put in the ExpressVPN_Host alias.
                            This shows A DNS requests instead of AAAA DNS requests.
                            Also in the WebRTC test: OK.

                            But an ExpressVPN DNS leak test also shows IP addresses from Google, OpenDNS or Cloudflare.

                            Knipsel.JPG
                            WebRTC.JPG

                            • gschmidt

                              Well, that explains the AAAA DNS request. The Teredo tunnel device may be the WebRTC leak problem.

                              @gcu_greyarea:

                              You mentioned ExpressVPN and PureVPN Client Software on your Win10 machine ?  Are you trying to tunnel inside the pfSense ovpnclient ? Or is that just a "fallback" option ?

                              No, before I started with pfSense I was already playing around with VPN.
                              18 months ago I started with a cheap PureVPN account, which I forgot to stop, so I have it till December 2018.
                              ExpressVPN I have since December 2017. For testing I installed the Windows VPN client software of both providers on the machine I am using now to test pfSense.
                              This may be the reason why the Teredo tunneling device is present (hidden).

                              Oh, by the way...when I perform a Packet Capture on the WAN port 53 with my laptop (temporarily added to the VPN_Host alias), nothing happens

                              • NeoDude

                                @gschmidt:

                                But I find it still strange that with the port forwarding 53 rule all those Google, OpenDNS and Cloudflare IPs are shown during a leak test,
                                and when I use the DNS Resolver (only EXPRESSVPN as outgoing interface, and no DNS servers specified anywhere in pfSense) the leak test only shows my ExpressVPN IP address (which is the only config, according to the "ExpressVPN DNS leak check page", without any DNS leak = showing the VPN IP address).

                                What's strange about it? This is exactly what you would expect.

                                With port forwarding it's the Google, OpenDNS and CloudFlare servers that are resolving your requests.

                                When using Unbound via your ExpressVPN it's your pfSense box that's resolving DNS requests using your VPN interface.

                                That's exactly what the leaktest is showing.

                                People seem to misunderstand what an online leaktest shows. It doesn't show where the DNS requests come from, it shows what server is resolving them.

                                • gschmidt

                                  Hmmm, I thought that the dnsleaktest picture I showed in « Reply #35 on: April 03, 2018, 05:12:11 pm » on page 3 was what you would expect: showing only the assigned IP address of the VPN provider, which is also possible with a certain pfSense setup.

                                  • NeoDude

                                    @gschmidt:

                                    Hmmm, I thought that the dnsleaktest picture I showed in « Reply #35 on: April 03, 2018, 05:12:11 pm » on page 3 was what you would expect: showing only the assigned IP address of the VPN provider, which is also possible with a certain pfSense setup.

                                    That will only happen when you are using pfSense to resolve DNS via the VPN. If you're forwarding DNS it will show whatever servers you're forwarding to; that doesn't mean it's not using the VPN though.

                                    • gschmidt

                                      OK, thanks for the help, man. I spent a lot of time getting into this; in the end it had already worked 2 weeks ago without my knowing!

                                      • gschmidt

                                        Oh, one more thing: what if I want to install pfBlocker? Would there be any issues with the current policy-based OpenVPN client routing I have?

                                        • TallTacoTristan @gschmidt

                                          @gschmidt I stumbled upon this and, while you seem to have had your issue solved, I found two solutions within the several hours I was trying to fix this leak.
                                          One way is to use cmd in Windows and the OpenVPN community edition command line interface to run

```
"path to ovpn gui exe, keep quotations" --config "path to ovpn file to use, keep quotations" --block-outside-dns
pause
```

                                          OR
                                          change all DNS to Google or Cloudflare DNS in Network Connections.
                                          You can use this software to do it automatically instead of manually:
                                          https://www.sordum.org/9432/dns-lock-v1-5/
