DNS leaks using OpenVPN client tunnel
-
To fix DNS leaks, I didn't do anything fancy, just set the DNS servers under DHCP settings to be Google DNS. Simple and it works.
I am also blocking any access to the DNS server on the firewall.
https://www.dnsleaktest.com/
I made the port forward NAT rule... this does not leak my ISP, but all Google and OpenDNS servers... and I didn't even specify OpenDNS in pfSense.
So if you perform a dnsleaktest, you only see the DNS server of your VPN provider?
-
To fix DNS leaks, I didn't do anything fancy, just set the DNS servers under DHCP settings to be Google DNS. Simple and it works.
I am also blocking any access to the DNS server on the firewall.
https://www.dnsleaktest.com/
This is all you need to do. DNS queries will be policy routed out the VPN just like all the other traffic.
-
To fix DNS leaks, I didn't do anything fancy, just set the DNS servers under DHCP settings to be Google DNS. Simple and it works.
I am also blocking any access to the DNS server on the firewall.
https://www.dnsleaktest.com/
I made the port forward NAT rule... this does not leak my ISP, but all Google and OpenDNS servers... and I didn't even specify OpenDNS in pfSense.
So if you perform a dnsleaktest, you only see the DNS server of your VPN provider?
The purpose of a DNS leak test is to find out your real IP address even if you are behind a VPN. If there is no DNS leak, then you should see the IP address of your VPN provider instead of your real IP address.
-
Thanks for helping, this has been a struggle for me for 2 weeks now.
I understand the leak testing. I already used the test site you linked me, this is why I noticed the leaks.
The problem is that with my current settings the dnsleaktest site returns all Google and OpenDNS servers.
Not my ISP IP address and also not my VPN provider's DNS server.
There are many threads and tutorials about "route network clients policy based through a OpenVPN Client tunnel".
For my current setup I used (a combination of) the tutorials:
https://www.techhelpguides.com/2017/06/12/ultimate-pfsense-openvpn-guide/
https://www.infotechwerx.com/blog/Creating-pfSense-Connection-VPNBook
Now the first tutorial describes DNS leak prevention at "Step 11", which are 2 methods.
Method 1 (my current setup), but this leaks what I describe at the beginning of this reply.
Method 2 is working correctly, however all other network clients (which are not meant to go through the OpenVPN client gateway) also use the DNS server of my VPN provider, because in the DNS Resolver only the EXPRESSVPN gateway is selected for outgoing interfaces. As soon as I multi-select EXPRESSVPN, LAN or WAN, my ISP IP address is leaking.
Now your answer looks so simple:
I have specified the Google servers at System/General Setup/DNS Server Settings.
I have made static DHCP mappings for the network clients that need to go through the OpenVPN gateway I have created.
I have made a firewall alias for those static mappings.
I get the idea of Derelict to fill in the VPN provider DNS servers on the static DHCP mappings.
Now this one, "I am also blocking any access to dns server on the firewall": the picture you attached shows that (selected) rule, I guess?
A firewall rule on the LAN, I guess?
What I see is an alias of all RFC 1918 IPv4 private networks, but I can't see the destination port and gateway... is this any?
Besides that... I have a firewall rule on the LAN which sends the static DHCP mappings (as an alias) through the VPN client gateway (EXPRESSVPN).
The other one is the NAT redirection to the DNS servers of my VPN provider (DNS leak prevention method 1).
The rest of the rules are default from the pfSense 2.4.2 installation.
Above or under which rule should your "I am also blocking any access to dns server on the firewall" rule be located?
-
That second rule will never match because the traffic will be matched by the any rule above it and policy routed out the VPN.
Note the 0/0 counters there.
-
Right!... I changed the order... but still... leaking Google and OpenDNS (which I did not specify anywhere in pfSense).
NAT-02.jpg = NAT redirection of ExpressVPN DNS servers
Result = dnsleaktest.jpg
-
WHAT DNS SERVERS ARE YOUR CLIENTS SET TO USE?
DNS is NOT this hard, people.
With your rules like that, the express_vpn_dns servers will be queried using the default gateway, NOT the VPN, unless you have redirect gateway for the VPN itself.
-
I have specified the Google servers at System/General Setup/DNS Server Settings.
No need to do this, as unbound by default uses the root servers for DNS, so there is no need for DNS forwarding.
If you want, you can remove all the DNS servers from this section and DNS will still work.
Above or under which rule should your "I am also blocking any access to dns server on the firewall" rule be located?
Sorry, I posted the wrong image.
This is what the DNS rule should look like:
(above all other rules in your case [except anti-lockout])
Action: Block
Protocol: IPv4 TCP/UDP
Source: ExpressVPN_Hosts
Src Port: Any
Destination: This Firewall
Dst Port: 53 (DNS)
That will block access to the firewall's DNS server.
Now all you have to do is go to:
Services/DHCP Server/LAN
and under DNS Servers add the DNS server of your choice (like Google DNS).
Also, like Derelict mentioned, you can remove the 2nd rule of NAT redirection to ExpressVPN.
And any other port forwarding rules you created under Firewall -> NAT.
-
On the static DHCP mappings in pfSense (which is my main router): empty
On client 1 (Windows 10 PC): automatically (which is the gateway 192.168.1.1)
On client 2 (Linux device): 192.168.1.1
-
Do you not see this under Services/DHCP Server/LAN?
-
That DOES NOT MEAN that you do not have static DNS servers on the client you are testing, bro.
This really is. not. that. hard.
-
Ok... I have created the rule = "Block rule.jpg"
Added the Google DNS servers = "DHCP Server DNS Server.jpg"
and the ExpressVPN DNS servers = "Static DHCP Mapping.jpg"
dnsleaktest result = dnsleaktest.jpg
:o
-
I did an nslookup at the client W10 PC
Which shows the DNS server of ExpressVPN
Which I entered in the Static Mapping DNS servers in pfSense
-
try removing the ExpressVPN DNS servers from Static DHCP Mapping and replacing it with 8.8.8.8 and 8.8.4.4
-
It doesn't matter where anything is configured. What are the DNS servers configured on the client? Use ipconfig /all.
Hell, if you're having this much trouble, configure them statically.
-
ipconfig /all
I don't see static DNS servers?
Only the ExpressVPN DNS servers I have specified in pfSense.
-
My guess is the ExpressVPN DNS servers might be the issue, so try using 8.8.8.8 in Windows: go to Control Panel\Network and Internet\Network Connections, right click your interface, select Properties, double click "Internet Protocol Version 4", select "Use the following DNS server addresses" and enter 8.8.8.8 and 8.8.4.4,
and run the DNS leak test again.
-
try removing the ExpressVPN DNS servers from Static DHCP Mapping and replacing it with 8.8.8.8 and 8.8.4.4
Check!... Still leaking Google and OpenDNS servers.... looks exactly the same as with the NAT redirection of port 53.
I just did a default pfSense 2.4.2 setup (updated to 2.4.3), nothing special.
-
Well I am out of ideas then. I don't know what could be going wrong.
-
What matters is that they are not coming from YOU. You cannot control where the resolvers you query go to get their information. If the resolvers you query don't do what you like, use different resolvers.
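To make the points of the thread concrete (the purpose of the test as stated earlier, the block rule that never matches below the pass-any rule with its 0/0 counters, and why Google and OpenDNS addresses in the result are the resolvers' egress rather than the poster's ISP), here is an added Python model. It is example code written for this page, not code from the thread, from pfSense or from dnsleaktest.com. The aliases, gateways, resolver addresses and egress ranges are constructed: 203.0.113.0/24 and 198.51.100.0/24 (documentation ranges) stand in for the ISP and the VPN provider, and the Google/OpenDNS ranges are sample values, not those resolvers' real egress netblocks.

```python
"""How a DNS leak test observes a policy-routed pfSense client.

Added example, not code from the forum thread or from pfSense. Rule table,
aliases, gateways, resolvers and egress ranges are constructed to mirror the
setup the thread describes (LAN hosts in an alias policy-routed out an OpenVPN
client gateway, a block rule for port 53 to the firewall, Google DNS via DHCP).
"""
import ipaddress
import secrets
from dataclasses import dataclass
from typing import Optional

LAN_FW = "192.168.1.1"                      # pfSense LAN address ("This Firewall")
ALIASES = {
    "ExpressVPN_Hosts": {"192.168.1.50", "192.168.1.51"},
    "This_Firewall": {LAN_FW},
}
# Public IP a query leaves with, per pfSense gateway (constructed values).
GATEWAY_EGRESS = {"WAN_DHCP": "203.0.113.10", "EXPRESSVPN": "198.51.100.77"}
# Range each resolver's own upstream queries come from (constructed samples).
RESOLVER_EGRESS = {
    "203.0.113.53": "203.0.113.0/24",       # ISP resolver
    "198.51.100.53": "198.51.100.0/24",     # VPN provider resolver
    "8.8.8.8": "74.125.0.0/16",             # Google public DNS (sample range)
    "8.8.4.4": "74.125.0.0/16",
    "208.67.222.222": "208.67.216.0/21",    # OpenDNS (sample range)
}
OWNER = {"203.0.113.0/24": "isp", "198.51.100.0/24": "vpn",
         "74.125.0.0/16": "public resolver", "208.67.216.0/21": "public resolver"}


@dataclass
class Rule:
    action: str                     # "pass" or "block"
    src: str                        # alias name or "any"
    dst: str                        # alias name or "any"
    dport: Optional[int] = None     # None = any port
    gateway: Optional[str] = None   # None = default route (WAN)


def in_alias(ip: str, name: str) -> bool:
    return name == "any" or ip in ALIASES[name]


def first_match(rules, src, dst, dport) -> Rule:
    """LAN rules are evaluated top-down; the first match wins."""
    for r in rules:
        if in_alias(src, r.src) and in_alias(dst, r.dst) and r.dport in (None, dport):
            return r
    return Rule("block", "any", "any")      # implicit default deny


def unique_test_name() -> str:
    """Leak tests query a random, never-cached name so the authoritative
    server is guaranteed to see the recursive resolver's egress address."""
    return f"{secrets.token_hex(8)}.test.example"


def classify(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for net, owner in OWNER.items():
        if addr in ipaddress.ip_network(net):
            return owner
    return "unknown"


def leak_test(rules, client_ip, resolver_ip, unbound_outgoing="WAN_DHCP"):
    """Return (client_hop, observed_egress, owner): what the firewall does with
    the client's query and whose address the test's authoritative server sees."""
    r = first_match(rules, client_ip, resolver_ip, 53)
    if r.action == "block":
        return ("blocked", None, "blocked")
    if resolver_ip == LAN_FW:
        # unbound recurses itself; its outgoing interface selects the egress.
        egress = GATEWAY_EGRESS[unbound_outgoing]
        return ("firewall", egress, classify(egress))
    # A third-party resolver does the recursion: the test sees *its* egress,
    # whichever gateway carried the client -> resolver hop.
    net = ipaddress.ip_network(RESOLVER_EGRESS[resolver_ip])
    egress = str(next(net.hosts()))
    return (r.gateway or "WAN_DHCP", egress, classify(egress))


# Rule tables from the thread: the poster's original order and the corrected one.
PASS_VPN = Rule("pass", "ExpressVPN_Hosts", "any", gateway="EXPRESSVPN")
BLOCK_FW_DNS = Rule("block", "ExpressVPN_Hosts", "This_Firewall", dport=53)
LAN_DEFAULT = Rule("pass", "any", "any")
WRONG_ORDER = [PASS_VPN, BLOCK_FW_DNS, LAN_DEFAULT]   # block never matches (0/0 counters)
RIGHT_ORDER = [BLOCK_FW_DNS, PASS_VPN, LAN_DEFAULT]

if __name__ == "__main__":
    client = "192.168.1.50"
    print(leak_test(WRONG_ORDER, client, LAN_FW))                  # ('firewall', '203.0.113.10', 'isp')
    print(leak_test(RIGHT_ORDER, client, LAN_FW))                  # ('blocked', None, 'blocked')
    print(leak_test(RIGHT_ORDER, client, "8.8.8.8"))               # ('EXPRESSVPN', '74.125.0.1', 'public resolver')
    print(leak_test(RIGHT_ORDER, "192.168.1.99", "203.0.113.53"))  # ('WAN_DHCP', '203.0.113.1', 'isp')
```

Run it and compare the four tuples. With the block rule below the pass-any rule it never matches, so the client still reaches unbound on the firewall and the result depends on unbound's outgoing interface. With a public resolver configured, the observed egress is in the resolver's range regardless of which gateway carried the client's query, which is the result the poster saw and why Google or OpenDNS addresses in the output are not an ISP leak.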