DNS leaks using OpenVPN client tunnel



  • Hi,

    On my pfSense router (default WAN/LAN installation, with Google DNS servers and the "DNS server list to be overridden by DHCP/PPP on WAN" option checked),
    I set up an OpenVPN client (ExpressVPN).
    Since I wanted to tunnel only 2 specific devices of my network (it has only one subnet, 192.168.0.0/24),
    I did the following steps:

    1. Set up the OpenVPN client (followed the ExpressVPN tutorial) --> status is UP
    2. Assigned an interface (OPT1, renamed to EXPRESSVPN) to the connection and selected DHCP in the IPv4 Configuration Type box.
    3. Added a gateway for the EXPRESSVPN interface in System-->Routing-->Gateways
    4. Under Firewall-->NAT-->Outbound I set the NAT mode from Automatic NAT to Manual Outbound NAT
    5. Under mappings I copied the "Auto created rule - LAN to WAN" rule and changed the interface to EXPRESSVPN.
    6. Under Firewall-->Aliases I created an Alias IP of the hosts I want to route through the vpn tunnel.
    7. Under Firewall-->Rules-->LAN I created a rule:
    Action:Pass
    Interface:LAN
    Protocol:Any
    Source: Single source or Alias
    Destination: Any

    Advanced Options:
    Tag: NO_WAN_EGRESS
    Gateway: Interface EXPRESSVPN Gateway

    8. Under Firewall-->Rules-->Floating I created a rule:
    Action:Reject
    Interface:LAN
    Apply the action immediately on match...checked
    Interface: WAN
    Direction: Out.
    Protocol:Any
    Source: Any
    Destination: Any

    Advanced Options:
    Tagged : NO_WAN_EGRESS
    Gateway: Default

    With these settings the VPN is running:
    Only the devices in the Firewall Alias run through the VPN tunnel, the other through the normal WAN.
    When the tunnel is down the Firewall Alias devices cannot connect to the internet (which is the behavior I wanted).

    Yessss, I thought.... However, when I performed a DNS leak test at https://ipleak.net/
    it appears that 1 DNS server is leaking... showing my ISP WAN IP address... :-(

    Anybody have an idea what I did wrong or missed here?



  • Go to Status / DNS Resolver / General Settings. Make sure your DNS Resolver is functioning properly first. Then go to General System Setup and input the 2 media streamer DNS servers provided with ExpressVPN. In the drop-down use "ExressVPN_DHCP-Opt1".


  • Netgate

    It doesn't matter what the DNS settings are on the firewall.

    What matters is what the CLIENT is configured to use for DNS servers.

    If the client is configured to use DNS servers out on the internet (Google, Level 3, OpenDNS, Quad9, etc.), all those queries will be policy routed out the VPN and blocked by the tag/tagged mechanism if the VPN is down, just like all of the other traffic from that client.

    If the client is configured to use pfSense as its DNS server, then THAT is what is actually going out to the internet to resolve the names. That is not policy routed so it will happily use WAN like it does for everyone else's queries.

    Set the client to use outside DNS servers either statically or with a DHCP static mapping and test again.



  • I'm a learning newbie, what do you mean by:

    @Derelict:

    Set the client to use outside DNS servers either statically or with a DHCP static mapping and test again.

    Where do I set this?



  • I also notice that in the "Gateways" status on the dashboard the VPN gateway shows Offline (with a virtual IP address 10.XXX.X.9),
    but in the OpenVPN status on the dashboard the IP is 10.XXX.X.10 with a green UP arrow.

    Why is the gateway status showing Offline, and why does it have a different virtual IP address?



  • @lovan6:

    Go to Status / DNS Resolver / General Settings. Make sure your DNS Resolver is functioning properly first. Then go to General System Setup and input the 2 media streamer DNS servers provided with ExpressVPN. In the drop-down use "ExressVPN_DHCP-Opt1".

    What do you mean by "functioning properly"? I have default DNS Resolver settings.
    I have added both ExpressVPN DNS servers and selected the "ExressVPN_DHCP" gateway, but still get a DNS leak.
    Should the ExpressVPN DNS servers be the only DNS servers (I also have the Google servers)?


  • Netgate

    @gschmidt:

    I'm a learning newbie, what do you mean by:

    @Derelict:

    Set the client to use outside DNS servers either statically or with a DHCP static mapping and test again.

    Where do I set this?

    Either statically on the client itself or using a DHCP static mapping.



  • You mean like this?




  • I use the 2 ExpressVPN DNS servers on the 1st and 2nd tab and Google DNS on the 3rd and 4th = None



  • Also when I switch them I get a DNS leak (which shows the IP address of my ISP).

    I have read your thread also… having the same kind of problem.
    Only I am routing not all my network traffic through the VPN tunnel, but only 2 devices.
    Which works, however I have DNS leaks.

    I can't figure out how to solve this.

    Also tried the DNS Resolver, but if I set the outgoing network interfaces to only EXPRESSVPN, I have no internet on any host, including the 2 running through the VPN tunnel.



  • On Dns resolver I used Network Interface = Lan, Expressvpn, Localhost.

    Outgoing Network = WAN, LAN, ExpressVPN, Localhost.



  • Hi,

    You could try the following:

    Disable DNS Resolver and Forwarder on pfSense.

    Create an Alias for the two hosts you want to use the VPN Tunnel. (Tunnel_Hosts)

    Create a Port Forward Rule:
    Source: Tunnel_Hosts , Dest Port:53
    Redirect Target IP: Your VPN provider's DNS server
    Redirect Port:53

    Create a Firewall Rule on your LAN IF:
    Source: Tunnel_Hosts
    Destination: Any
    Gateway: Tunnel_GW
    Tag: No_WAN_Egress

    Create Floating Rule:
    Interface: WAN
    Source: Tunnel_Hosts
    Quick (Apply immediately on Match)
    Direction: Any
    Tagged: No_WAN_Egress



  • Set up an alias for Google DNS servers (8.8.8.8 & 8.8.4.4), or your VPN provider's DNS servers, or any ones you want.

    Add a port forward on your LAN…

    Source Address = Your VPN Hosts Alias
    Dest Port = 53 (DNS)
    Redirect Target IP = Your DNS Alias created above
    Redirect Target Port = DNS

    On the corresponding automatically created LAN rule make sure your VPN Gateway is selected in advanced.

    Using this method you can add or remove VPN hosts by simply editing your VPN Hosts Alias, without having to mess about with static DNS addresses. Anything in your VPN Hosts alias will use the DNS servers in your alias created above through the VPN tunnel. Everything else will use the DNS resolver or whatever your default is.



  • @NeoDude:

    Set up an alias for Google DNS servers (8.8.8.8 & 8.8.4.4), or your VPN provider's DNS servers, or any ones you want.

    Add a port forward on your LAN…

    Source Address = Your VPN Hosts Alias
    Dest Port = 53 (DNS)
    Redirect Target IP = Your DNS Alias created above
    Redirect Target Port = DNS

    On the corresponding automatically created LAN rule make sure your VPN Gateway is selected in advanced.

    Using this method you can add or remove VPN hosts by simply editing your VPN Hosts Alias, without having to mess about with static DNS addresses. Anything in your VPN Hosts alias will use the DNS servers in your alias created above through the VPN tunnel. Everything else will use the DNS resolver or whatever your default is.

    And do you keep the settings in the DNS Resolver (2.4.3) at default, or do you have a specific selection of interfaces?



  • To fix DNS leaks, I didn't do anything fancy, just set the DNS servers under DHCP settings to be Google DNS. Simple and it works.

    I am also blocking any access to the DNS server on the firewall.

    https://www.dnsleaktest.com/



  • @strangegopher:

    To fix DNS leaks, I didn't do anything fancy, just set the DNS servers under DHCP settings to be Google DNS. Simple and it works.

    I am also blocking any access to the DNS server on the firewall.

    https://www.dnsleaktest.com/

    I made the port forward NAT rule… this does not leak my ISP provider, but all Google and OpenDNS servers... and I didn't even specify OpenDNS in pfSense.

    So if you perform a DNS leak test, you only see the DNS server of your VPN provider?


  • Netgate

    @strangegopher:

    To fix DNS leaks, I didn't do anything fancy, just set the DNS servers under DHCP settings to be Google DNS. Simple and it works.

    I am also blocking any access to the DNS server on the firewall.

    https://www.dnsleaktest.com/

    This is all you need to do. DNS queries will be policy routed out the VPN just like all the other traffic.



  • @gschmidt:

    @strangegopher:

    To fix DNS leaks, I didn't do anything fancy, just set the DNS servers under DHCP settings to be Google DNS. Simple and it works.

    I am also blocking any access to the DNS server on the firewall.

    https://www.dnsleaktest.com/

    I made the port forward NAT rule… this does not leak my ISP provider, but all Google and OpenDNS servers... and I didn't even specify OpenDNS in pfSense.

    So if you perform a DNS leak test, you only see the DNS server of your VPN provider?

    The purpose of a DNS leak test is to find out your real IP address even if you are behind a VPN. If there is no DNS leak, then you should see the IP address of your VPN provider instead of your real IP address.



  • Thanx for helping, this has been a struggle for me for 2 weeks now.

    I understand the leak testing. I already used the test site you linked me; this is why I noticed the leaks.
    The problem is that with my current settings the dnsleaktest site returns all Google and OpenDNS servers.
    Not my ISP IP address and also not my VPN provider's DNS server.

    There are many threads and tutorials about "route network clients policy based through an OpenVPN client tunnel".
    For my current setup I used (a combination of) the tutorials:
    https://www.techhelpguides.com/2017/06/12/ultimate-pfsense-openvpn-guide/
    https://www.infotechwerx.com/blog/Creating-pfSense-Connection-VPNBook

    Now the first tutorial describes DNS leak prevention at "Step 11", which has 2 methods.
    Method 1 (my current setup), but this leaks what I describe at the beginning of this reply.
    Method 2 is working correctly, however all other network clients (which are not meant to go through the OpenVPN client gateway) also use the DNS server of my VPN provider, because in the DNS Resolver only the EXPRESSVPN gateway is selected for outgoing interfaces. As soon as I multi-select EXPRESSVPN, LAN or WAN, my ISP IP address is leaking.

    Now your answer looks so simple:

    I have specified the Google servers at System/General Setup/DNS Server Settings
    I have made static DHCP mappings for the network clients that need to go through the OpenVPN gateway I have created.
    I have made a firewall alias for those static mappings
    I get the idea of Derelict to fill in the VPN provider DNS servers on the static DHCP mappings

    Now this one, "I am also blocking any access to dns server on the firewall": the picture you attached shows that (selected) rule, I guess?
    A firewall rule on the LAN, I guess?
    What I see is an alias of all RFC 1918 IPv4 private networks, but I can't see the destination port and gateway… is this any?

    Besides that... I have a firewall rule on the LAN, which sends the static DHCP mappings (as an alias) through the VPN client gateway (EXPRESSVPN).
    The other one is the NAT redirection to the DNS servers of my VPN provider (DNS leak prevention method 1).
    The rest of the rules are default from the pfSense 2.4.2 installation.

    Above or under which rule should your "I am also blocking any access to dns server on the firewall" rule be located?

    ![LAN Firewall Rules .JPG](/public/imported_attachments/1/LAN Firewall Rules .JPG)


  • Netgate

    That second rule will never match because the traffic will be matched by the any rule above it and policy routed out the VPN.

    Note the 0/0 counters there.



  • Right!… I changed the order... but still... leaking Google and OpenDNS (which I did not specify anywhere in pfSense)

    NAT-02.jpg = NAT Redirection of ExpressVPN DNS servers

    Result= dnsleaktest.jpg







  • Netgate

    WHAT DNS SERVERS ARE YOUR CLIENTS SET TO USE?

    DNS is NOT this hard, people.

    With your rules like that, the express_vpn_dns servers will be queried using the default gateway, NOT the VPN, unless you have redirect gateway for the VPN itself.



  • @gschmidt:

    I have specified the Google servers at System/General Setup/DNS Server Settings

    No need to do this, as unbound by default uses the root servers for DNS, so there is no need for DNS forwarding.
    If you want, you can remove all the DNS servers from this section and DNS will still work.

    above or under which rule should your "I am also blocking any access to dns server on the firewall" rule be located?

    Sorry I posted the wrong image.
    This is what the dns rule should look like:
    (above all other rules in your case [except anti-lockout])
    Action: Block
    Protocol: IPv4 TCP/UDP
    Source: ExpressVPN_Hosts
    Src Port: Any
    Destination: This Firewall
    Dst Port: 53 (DNS)

    That will block access to firewall's dns server.

    Now what you have to do is go to:
    Services/DHCP Server/LAN
    and under DNS Servers add the DNS server of your choice (like Google DNS).

    Also, like Derelict mentioned, you can remove the 2nd rule of NAT redirection to ExpressVPN.
    And any other port forwarding rules you created under Firewall -> NAT.



  • On the static DHCP mappings in pfSense (which is my main router): Empty
    On client 1 (Windows 10 PC): automatic (which is the gateway 192.168.1.1)
    On client 2 (Linux device): 192.168.1.1



  • Do you not see this under Services/DHCP Server/LAN?



  • Netgate

    That DOES NOT MEAN that you do not have static DNS servers on the client you are testing, bro.

    This really is. not. that. hard.



  • Ok…. I have created the rule = "Block rule.jpg"
    Added the Google DNS servers = "DHCP Server DNS Server.jpg"
    and the ExpressVPN DNS servers = "Static DHCP Mapping.jpg"

    dnsleaktest result= dnsleaktest.jpg

    :o

    ![Block Rule.JPG](/public/imported_attachments/1/Block Rule.JPG)
    ![DHCP Server DNS Server.JPG](/public/imported_attachments/1/DHCP Server DNS Server.JPG)
    ![Static DHCP Mapping.JPG](/public/imported_attachments/1/Static DHCP Mapping.JPG)



  • I did an nslookup at the client W10 PC
    Which shows the DNS server of ExpressVPN
    Which I entered in the Static Mapping DNS servers in pfSense




  • Try removing the ExpressVPN DNS servers from the Static DHCP Mapping and replacing them with 8.8.8.8 and 8.8.4.4


  • Netgate

    It doesn't matter where anything is configured. What are the DNS servers configured on the client? Use ipconfig /all.

    Hell, if you're having this much trouble, configure them statically.



  • ipconfig /all

    I don't see static DNS servers?
    Only the ExpressVPN DNS servers I have specified in pfSense.




  • My guess is the ExpressVPN DNS servers might be the issue, so try using 8.8.8.8. In Windows, go to Control Panel\Network and Internet\Network Connections, right-click your interface, select Properties, double-click "Internet Protocol Version 4", select "Use the following DNS server addresses" and enter 8.8.8.8 and 8.8.4.4

    and run dns leak test again



  • @strangegopher:

    try removing the ExpressVPN DNS servers from Static DHCP Mapping and replacing it with 8.8.8.8 and 8.8.4.4

    Check!… Still leaking Google and OpenDNS servers.... looks exactly the same as with the NAT redirection of port 53.
    I just did a default pfSense 2.4.2 setup (updated to 2.4.3), nothing special.



  • Well I am out of ideas then. I don't know what could be going wrong.


  • Netgate

    What matters is that they are not coming from YOU. You cannot control where the resolvers you query go to get their information. If the resolvers you query don't do what you like, use different resolvers.
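    Derelict's two points in this thread (it is the resolver the client is configured to use that decides whether a DNS query gets policy routed, and third-party resolvers in a leak-test result are not by themselves a leak) and strangegopher's block rule can be traced with a small model. This is an added illustration, not pfSense code or anything posted in the thread; the LAN address 192.168.0.1, the alias members and the interface names are constructed assumptions.

```python
"""Where a DNS query leaves pfSense in this thread's policy-routing setup.
Added model, not pfSense code; addresses and alias members are constructed."""
from dataclasses import dataclass

FIREWALL_LAN_IP = "192.168.0.1"                           # assumed pfSense LAN address
VPN_HOSTS = frozenset({"192.168.0.10", "192.168.0.11"})   # constructed alias ExpressVPN_Hosts


@dataclass
class Setup:
    vpn_up: bool = True
    # Interface(s) unbound (DNS Resolver) may use for its own upstream queries.
    resolver_outgoing: frozenset = frozenset({"WAN"})
    # strangegopher's LAN rule: block ExpressVPN_Hosts -> This Firewall, port 53.
    block_firewall_dns: bool = False


def dns_egress(src: str, resolver: str, s: Setup) -> str:
    """Return 'WAN', 'VPN' or 'BLOCKED' for a DNS query from src to resolver.

    Rules modelled, in the order pf evaluates them for this setup:
      floating quick reject on WAN (out) for packets tagged NO_WAN_EGRESS;
      optional LAN block: VPN hosts -> firewall's own port 53;
      LAN pass: source ExpressVPN_Hosts, gateway VPN, tag NO_WAN_EGRESS;
      default LAN allow -> default gateway (WAN).
    """
    if resolver == FIREWALL_LAN_IP:
        # Unbound answers the client; its own upstream lookup originates from
        # the firewall, so the LAN policy-routing rule never sees it.  It
        # follows unbound's outgoing interface setting instead.
        if src in VPN_HOSTS and s.block_firewall_dns:
            return "BLOCKED"      # client is forced to use an outside resolver
        if "WAN" in s.resolver_outgoing:
            return "WAN"          # the ISP address shows up at the leak test
        if "VPN" in s.resolver_outgoing and s.vpn_up:
            return "VPN"
        return "BLOCKED"          # only the (down) tunnel is allowed for egress
    # Outside resolver: the client's own packet is what hits the LAN rules.
    if src in VPN_HOSTS:
        if s.vpn_up:
            return "VPN"          # policy routed through the VPN gateway
        # Gateway down: the packet falls back to the default route, but it is
        # tagged NO_WAN_EGRESS, so the floating quick rule rejects it on WAN.
        return "BLOCKED"
    return "WAN"                  # hosts outside the alias use WAN as before


def leak_verdict(observed: set, isp_wan_ip: str, vpn_egress_ips: set) -> str:
    """Read a leak-test result the way Derelict describes: third-party
    resolvers (Google, OpenDNS, ...) showing up is not a leak by itself; the
    leak is your own ISP-assigned WAN address appearing among them."""
    if isp_wan_ip in observed:
        return "LEAK"
    return "OK" if observed & vpn_egress_ips else "OK-UPSTREAM-ONLY"
```

    `dns_egress("192.168.0.10", FIREWALL_LAN_IP, Setup())` reproduces the original post's leak: the VPN host's query still goes out WAN because unbound, not the client, does the lookup.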



  • @strangegopher:

    Well I am out of ideas then. I don't know what could be going wrong.

    Look, now I have removed the DNS servers at System/General Setup.
    And in DNS Resolver I set (see picture)
    In DHCP Server all DNS servers are empty.
    Also clients have no DNS specified.
    Your rule (stopped temporarily)

    See dnsleaktest pic!

    ![DNS Resolver.JPG](/public/imported_attachments/1/DNS Resolver.JPG)



  • But with this setup, all my network clients use the EXPRESSVPN interface…. so if this interface is down... no internet for all.



  • You can try setting the outgoing interface in DNS to WAN and try with the DHCP settings and firewall rule again and see if that works.



  • @Derelict:

    What matters is that they are not coming from YOU. You cannot control where the resolvers you query go to get their information. If the resolvers you query don't do what you like, use different resolvers.

    …. my knowledge of pfSense is not that fancy, I admit... but I knew that my clients did NOT have static DNS servers.
    On a simple modem with OpenWrt this was a piece of cake.... on their forum they helped instead of shouting.



  • @strangegopher:

    you can try setting the outgoing interface in dns to WAN and try with dhcp settings and firewall rule again and see if that works.

    Thanx man for your help so far, I will try tomorrow… have to get some sleep now... ciao!