Netgate Discussion Forum

DNS leaks using OpenVPN client tunnel (category: OpenVPN)

gschmidt:

ipconfig /all

I don't see static DNS servers?
Only the ExpressVPN DNS servers I have specified in pfSense.

[attachment: ipconfig-all.JPG]

strangegopher:

My guess is the ExpressVPN DNS servers might be the issue, so try using 8.8.8.8. In Windows go to Control Panel\Network and Internet\Network Connections, right-click your interface, select Properties, double-click "Internet Protocol Version 4", select "Use Following DNS server addresses" and enter 8.8.8.8 and 8.8.4.4,

and run the DNS leak test again.

gschmidt:

@strangegopher:

try removing the ExpressVPN DNS servers from Static DHCP Mapping and replacing it with 8.8.8.8 and 8.8.4.4

Check!… Still leaking Google and OpenDNS servers.... Looks exactly the same as with the NAT redirection of port 53.
I just did a default pfSense 2.4.2 setup (updated to 2.4.3), nothing special.

strangegopher:

Well I am out of ideas then. I don't know what could be going wrong.

Derelict (LAYER 8, Netgate):

What matters is that they are not coming from YOU. You cannot control where the resolvers you query go to get their information. If the resolvers you query don't do what you like, use different resolvers.

Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)

gschmidt:

@strangegopher:

Well I am out of ideas then. I don't know what could be going wrong.

Look, now I have removed the DNS servers at System/General Setup.
And in DNS Resolver I set (see picture)
In DHCP Server all DNS servers are empty.
Also clients have no DNS specified.
Your rule (stopped temporarily).

See dnsleaktest pic!

[attachments: DNS Resolver.JPG, NoDNSleak.JPG]

gschmidt:

But with this setup, all my network clients use the EXPRESSVPN interface…. so if this interface is down... no internet for all.

strangegopher:

You can try setting the outgoing interface in DNS to WAN and try with the DHCP settings and firewall rule again and see if that works.

gschmidt:

@Derelict:

What matters is that they are not coming from YOU. You cannot control where the resolvers you query go to get their information. If the resolvers you query don't do what you like, use different resolvers.

…my knowledge of pfSense is not that fancy, I admit... but I knew that my clients did NOT have static DNS servers.
On a simple modem with OpenWRT this was a piece of cake.... on their forum they helped instead of shouting.

gschmidt:

@strangegopher:

You can try setting the outgoing interface in DNS to WAN and try with the DHCP settings and firewall rule again and see if that works.

Thanx man for your help so far, I will try tomorrow… have to get some sleep now... ciao!

gcu_greyarea:

In my opinion handing out DNS servers via DHCP isn't sufficient to prevent DNS leaks. There are clients that will use hard-coded DNS servers. E.g. I had a Roku player and a Fire TV that bypassed my specified DNS server with hard-coded Google DNS servers. Perhaps even apps installed on the Fire TV may use their own DNS server.
The only thing that worked reliably was to port forward (DNAT) DNS requests (dest. port 53) to my DNS server of choice, which is my VPN provider's own internal DNS server. If you trust your VPN provider with your data traffic you might as well trust them with your DNS traffic.

My VPN provider also has a public DNS server which pfSense uses to resolve the VPN servers. Once the tunnel is up my LAN clients will send their DNS queries through the tunnel to the VPN provider's internal DNS server.

For clients that do not need tunneling via VPN you can hand out DNS servers via DHCP (e.g. Google or OpenDNS). You do not need to have a DNS Forwarder or Resolver running on your pfSense box.

@gschmidt:
In your screenshot your Windows IP config shows a DNS server of 85.203.37.1. That is a public DNS server. Use this server under pfSense General Setup.
Uncheck "Allow DNS server list to be overridden by DHCP/PPP on WAN"
Check "Do not use the DNS Forwarder/DNS Resolver as a DNS server for the firewall"

I assume you use the pfSense OpenVPN client to connect to ExpressVPN. ExpressVPN will assign you an RFC1918 address (an internal IP address), e.g.

10.8.0.5 with a gateway of 10.8.0.1

My VPN provider (Mullvad) also has a DNS server listening on 10.8.0.1.

So the DNAT (port forward rule) should forward DNS traffic to 10.8.0.1 and there shouldn't be any leaks anymore.

gschmidt:

Thanx for the effort man!

"I assume you use the pfSense OpenVPN Client to connect to Express VPN"

Yes

"In your screenshot your Windows IP Config shows a DNS Server of 85.203.37.1. That is a public DNS Server."

Aha… I used the "public DNS Server: 85.203.37.1" for port forwarding the DNS port 53.
85.203.37.1 and 85.203.37.2 are the DNS servers ExpressVPN is showing on their site.
In my pfSense dashboard I also see at the EXPRESSVPN gateway an internal IP address 10.111.0.21 and a remote/virtual IP address of 10.111.0.22.
Which one should I use to DNAT port forward?

"Use this (85.203.37.1) Server under pfSense General Setup"

Both 85.203.37.1 and 85.203.37.2? With or without selected EXPRESSVPN gateway?
Any other DNS servers here?

Should I set DNS servers at my DHCP Server/LAN? (for clients not going through the VPN tunnel)
I have made static mappings for the client(s) that I want to go through the EXPRESSVPN gateway.
And a firewall alias of those clients.

Any special settings for System/Advanced/Firewall & NAT/Network Address Translation?
I currently have "Pure NAT" and the rest is unchecked.

Greetzzz

[attachment: internal ip-address.JPG]

strangegopher:

@gcu_greyarea:

In my opinion handing out DNS servers via DHCP isn't sufficient to prevent DNS leaks. There are clients that will use hard-coded DNS servers. E.g. I had a Roku player and a Fire TV that bypassed my specified DNS server with hard-coded Google DNS servers. Perhaps even apps installed on the Fire TV may use their own DNS server.

I have a Chromecast that uses hard-coded Google DNS servers, primarily for geo-blocking Netflix, Hulu, etc.

I am not sure how it works but technically even if a client is using its own DNS server, it shouldn't leak the real IP address.

edit: I use a VPN server in the same city as me, for speed and reliability, so geo-blocking is not a concern for me.

gschmidt:

@gcu_greyarea:

ExpressVPN will assign you an RFC1918 address (an internal IP address), e.g. 10.8.0.5 with a gateway of 10.8.0.1

My VPN provider (Mullvad) also has a DNS server listening on 10.8.0.1.

So the DNAT (port forward rule) should forward DNS traffic to 10.8.0.1 and there shouldn't be any leaks anymore.

I have difficulties finding the RFC1918 address of the ExpressVPN gateway…
When I use the internal IP address I thought was the gateway (see previous attachment), the clients that have to go through the ExpressVPN tunnel have no internet connection.

Besides that, every time I reboot pfSense or restart the OpenVPN (ExpressVPN) service I get different RFC1918 addresses.
Is pfSense or ExpressVPN responsible for the change?

gcu_greyarea:

@gschmidt:

I have difficulties finding the RFC1918 address of the ExpressVPN gateway…
When I use the internal IP address I thought was the gateway (see previous attachment), the clients that have to go through the ExpressVPN tunnel have no internet connection

The ExpressVPN servers may not listen for DNS requests on the gateway (10.111.0.21).

@gschmidt:

Besides that, every time I reboot pfSense or restart the OpenVPN (ExpressVPN) service I get different RFC1918 addresses.
Is pfSense or ExpressVPN responsible for the change?

The VPN server will assign you another IP address each time you reconnect, similar to a DHCP server on your LAN.
I hope I wasn't confusing you. The example I provided works with Mullvad VPN.
Mullvad hands out the same gateway IP each time... which ExpressVPN may not do…

gcu_greyarea:

Here's an example of my config.

• I use 4 VPN tunnels concurrently.

• Therefore I have 4 tunnel gateways. In this example I will use tunnel Mullvad_AU.

• Port forwarding rules are used to 'hijack' DNS traffic. Here you could use your own destination (85.203.37.1).
  Once the DNS traffic traverses the VPN tunnel your VPN provider will use its own DNS server (85.203.37.1).

• Manual Outbound NAT is required so your LAN clients (or alias) can send traffic via the tunnel.

• The firewall rules "policy route" traffic through the tunnel gateway and set the "No WAN Egress" flag.
  The relevant rules are highlighted in green. For both rules the Advanced settings are identical.

• The floating outbound rule ensures that traffic marked "No WAN Egress" will get rejected immediately.

[attachments: OVPNC.jpg, Gateways.jpg, PortForward.jpg, Manual_Outbound_NAT.jpg, LAN_FW_Rule.jpg, Rule_Detail1.jpg, RuleDetail2.jpg, Floating_Outbound.jpg, Float_Out_Detail1.jpg, Float_Out_Detail2.jpg]

gschmidt:

I have pretty much the same setup… only my LAN firewall rule is on my LAN interface and yours on the VLAN.

I notice in the FW_LAN_rules that you also block access to "This Firewall" and all subnets???

What DNS servers have you specified in System/General Setup?
Did you also check "Disable DNS Forwarder"?
Any DNS servers specified somewhere else, at DHCP Server?

[attachment: LAN firewall rule.JPG]

gcu_greyarea:

@gschmidt:

I notice in the FW_LAN_rules that you also block access to "This Firewall" and all subnets???

From this VLAN I do not want anybody to be able to connect to the pfSense web admin interface. Therefore I blocked access to "This Firewall".
This is OK because even DNS requests to 192.168.80.1 would be forwarded to the DNS server I specified.

Block access to all other subnets stops clients on this VLAN from accessing other VLANs.

@gschmidt:

What DNS servers have you specified in System/General Setup?

I specified the public DNS server of Mullvad VPN (193.138.219.228).

https://mullvad.net/en/guides/dns-leaks/

There's always the possibility that your ISP may hijack DNS traffic, but I do not mind. 193.138.219.228 is only used to resolve the Mullvad VPN servers in order to establish the tunnel. Also pfSense uses this DNS server for updates etc.

@gschmidt:

Did you also check "Disable DNS Forwarder"?

I use neither DNS Forwarder nor Resolver on my pfSense box.

@gschmidt:

Any DNS servers specified somewhere else, at DHCP Server?

No. The DHCP server hands out the gateway address as DNS server. There is no DNS server listening on my gateway (LAN IF address). Instead the port forward rule will forward the DNS request to the server I specified.
With this setup you can manually override DNS settings on the client, but DNS requests will still be forwarded to the DNS server I specified.

In your DNS firewall rule you should also specify the gateway (ExpressVPN_VPNV4). Right now you are using the default GW (*) which is most likely your WAN GW.

Also double check your NAT rules. There should be two Outbound NAT rules which have your LAN as source net:

1. Going to the VPN tunnel IF
2. Going to the WAN IF

NeoDude:

@gschmidt:

@NeoDude:

Set up an alias for Google DNS servers (8.8.8.8 & 8.8.4.4), or your VPN provider's DNS servers, or any ones you want.

Add a port forward on your LAN…

Source Address = Your VPN Hosts alias
Dest Port = 53 (DNS)
Redirect Target IP = Your DNS alias created above
Redirect Target Port = DNS

On the corresponding automatically created LAN rule make sure your VPN gateway is selected in Advanced.

Using this method you can add or remove VPN hosts by simply editing your VPN Hosts alias, without having to mess about with static DNS addresses. Anything in your VPN Hosts alias will use the DNS servers in your alias created above through the VPN tunnel. Everything else will use the DNS Resolver or whatever your default is.

And keep the settings in the DNS Resolver (2.4.3) default, or do you have a specific selection of interfaces?

Yep, keep them however you want. It'll only be your non-VPN hosts that'll use the resolver anyway.

I think my way is easier than setting DNS servers via DHCP tbh. My way only involves one step when adding or removing a host from using the VPN. Anything added to the VPNHOSTS alias automatically gets its DNS requests routed through the tunnel.

Home Server "Gandalf": unRAID Pro 6 | MB: ASUS Z9PE-D8 WS | CPU: Dual Xeon E5-2670 | RAM: 64GB Crucial PC-1600 ECC
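
The ruleset below is an added example; it is neither from this thread nor configuration generated by pfSense itself. It writes out, in pf.conf syntax as used on the FreeBSD base of pfSense 2.4, the pieces that gcu_greyarea's config post and NeoDude's alias-based port forward describe: the port 53 redirect (DNAT) for the hosts in a "VPN hosts" alias, the two manual outbound NAT rules, policy routing of those hosts through the tunnel gateway with a NO_WAN_EGRESS tag, and the floating rule that rejects tagged traffic on WAN. The interface names (em0, em1, ovpnc1), the 192.168.1.0/24 LAN, the table contents and the 10.8.0.1 tunnel gateway/resolver are assumptions; the thread notes that the assigned tunnel address can change on reconnect, so check what your own provider hands out before copying the gateway value.

```pf
# Added example (not from the thread, not pfSense-generated output).
# Names and addresses below are assumptions for illustration.
wan_if  = "em0"        # WAN interface
lan_if  = "em1"        # LAN interface, 192.168.1.0/24 assumed
vpn_if  = "ovpnc1"     # OpenVPN client tunnel interface
vpn_gw  = "10.8.0.1"   # tunnel gateway handed out by the VPN provider
vpn_dns = "10.8.0.1"   # provider resolver reachable only inside the tunnel

# "VPN hosts" alias: only these LAN clients are forced through the tunnel.
# Adding or removing a host here is the single step NeoDude describes.
table <vpn_hosts> { 192.168.1.50, 192.168.1.51 }

# --- Translation rules (pf evaluates nat/rdr before the filter rules) ---

# Port forward that "hijacks" DNS: TCP/UDP port 53 from a VPN host, whatever
# resolver the client hard-coded (including the firewall's own LAN address),
# is rewritten to the provider resolver.
rdr on $lan_if proto { tcp, udp } from <vpn_hosts> to any port 53 -> $vpn_dns port 53

# Manual outbound NAT: one rule per egress interface, both with LAN as source.
nat on $vpn_if from <vpn_hosts> to any -> ($vpn_if)
nat on $wan_if from ($lan_if:network) to any -> ($wan_if)

# --- Filter rules ---

# Policy-route VPN hosts via the tunnel gateway and tag the state so it can be
# recognised later. "quick" stops evaluation at this rule for matching hosts.
pass in quick on $lan_if route-to ($vpn_if $vpn_gw) from <vpn_hosts> to any tag NO_WAN_EGRESS keep state

# Floating outbound rule: anything carrying the tag that would leave via WAN
# (for instance after the tunnel gateway went away) is rejected, not leaked.
block return out quick on $wan_if tagged NO_WAN_EGRESS

# Everything else on LAN uses the default gateway and whatever resolver the
# client was given (DHCP-assigned, or the firewall's own DNS Resolver).
pass in on $lan_if from ($lan_if:network) to any keep state
```

Check the syntax with `pfctl -nf <file>` before loading it; on pfSense itself the GUI owns the generated ruleset (/tmp/rules.debug), so read this as a map of what the Port Forward, Outbound NAT, LAN rule (Gateway plus Tag in Advanced) and Floating rule (Tagged) correspond to rather than something to paste in. Note what the redirect does and does not control: it decides which resolver a VPN host reaches, but, as Derelict points out above, not where that resolver goes for its answers, so a client-side nslookup showing the redirect target is compatible with a leak test that lists other providers' resolver addresses.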

gschmidt:

When I perform a CMD nslookup on the Windows 10 PC (which is a member of my ExpressVPN_hosts),
the ExpressVPN DNS server address I used in the port forward rule is shown, so the redirection is working!

But when I perform a dnsleaktest.com test, I get all Google, OpenDNS or Cloudflare servers returned.
Why is that?

[attachment: nslookup.JPG]

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.