DNS leaks using OpenVPN client tunnel
-
You can try setting the outgoing interface in DNS to WAN and try with the DHCP settings and firewall rule again and see if that works.
Thanks man for your help so far, I will try tomorrow... have to get some sleep now... ciao!
-
In my opinion handing out DNS Servers via DHCP isn't sufficient to prevent DNS Leaks. There are Clients that will use hard coded DNS Servers. E.g. I had a Roku Player and a Fire TV that bypassed my specified DNS Server with hard coded Google DNS Servers. Perhaps even Apps installed on the FireTV may use their own DNS Server.
The only thing that worked reliably was to port forward (DNAT) DNS requests (dest. port 53) to my DNS server of choice, which is my VPN provider's own internal DNS server. If you trust your VPN provider with your data traffic you might as well trust them with your DNS traffic.
My VPN provider also has a public DNS server which pfSense uses to resolve the VPN servers. Once the tunnel is up my LAN clients will send their DNS queries through the tunnel to the VPN provider's internal DNS server.
For Clients that do not need tunneling via VPN you can hand out DNS Servers via DHCP (e.g. Google or OpenDNS). You do not need to have a DNS Forwarder or Resolver run on your pfSense box.
@gschmitt:
In your screenshot your Windows IP Config shows a DNS Server of 85.203.37.1. That is a public DNS Server. Use this Server under pfSense General Setup.
Uncheck "Allow DNS server list to be overridden by DHCP/PPP on WAN"
Check "Do not use the DNS Forwarder/DNS Resolver as a DNS server for the firewall"
I assume you use the pfSense OpenVPN Client to connect to Express VPN. Express VPN will assign you an RFC1918 address (an internal IP address), e.g. 10.8.0.5 with a gateway of 10.8.0.1.
My VPN Provider (Mullvad) also has a DNS Server listening on 10.8.0.1.
So the DNAT (port forward) rule should forward DNS traffic to 10.8.0.1 and there shouldn't be any leaks anymore.
-
Thanks for the effort man!
"I assume you use the pfSense OpenVPN Client to connect to Express VPN"
Yes
In your screenshot your Windows IP Config shows a DNS Server of 85.203.37.1. That is a public DNS Server.
Aha... I used the "public DNS Server: 85.203.37.1" for the port 53 DNS port forward
85.203.37.1 and 85.203.37.2 are the DNS servers ExpressVPN is showing on their site.
In my pfSense dashboard I also see at the EXPRESSVPN gateway an internal IP address of 10.111.0.21 and a remote/virtual IP address of 10.111.0.22
Which one should I use to DNAT port forward?
Use this (85.203.37.1) Server under pfSense General Setup
Both 85.203.37.1 and 85.203.37.2? With or without the EXPRESSVPN gateway selected?
Any other DNS servers here?
Should I set DNS servers at my DHCP Server/LAN? (for clients not going through the VPN tunnel)
I have made static mappings for the client(s) that I want to go through EXPRESSVPN gateway.
And a firewall alias of those clients
Any special settings for System/Advanced/Firewall & NAT/Network Address Translation?
I currently have "Pure NAT" and the rest is unchecked
Greetzzz

-
In my opinion handing out DNS Servers via DHCP isn't sufficient to prevent DNS Leaks. There are Clients that will use hard coded DNS Servers. E.g. I had a Roku Player and a Fire TV that bypassed my specified DNS Server with hard coded Google DNS Servers. Perhaps even Apps installed on the FireTV may use their own DNS Server.
I have a Chromecast that uses hard-coded Google DNS servers, primarily for geo-blocking Netflix, Hulu, etc.
I am not sure how it works but technically even if the client is using its own DNS server, it shouldn't leak the real IP address.
Edit: I use a VPN server in the same city as me, for speed and reliability, so geo-blocking is not a concern for me.
-
Express VPN will assign you an RFC1918 address (an internal IP address), e.g. 10.8.0.5 with a gateway of 10.8.0.1
My VPN Provider (Mullvad) also has a DNS Server listening on 10.8.0.1.
So the DNAT (port forward) rule should forward DNS traffic to 10.8.0.1 and there shouldn't be any leaks anymore.
I have difficulties finding the RFC1918 address of the ExpressVPN gateway...
When I use the internal IP address I thought was the gateway (see previous attachment), the clients that have to go through the ExpressVPN tunnel have no internet connection.
Besides that, every time I reboot pfSense or restart the OpenVPN (ExpressVPN) service I get different RFC1918 addresses.
Is this pfSense or ExpressVPN responsible for the change?
-
I have difficulties finding the RFC1918 address of the ExpressVPN gateway...
When I use the internal IP address I thought was the gateway (see previous attachment), the clients that have to go through the ExpressVPN tunnel have no internet connection
The Express VPN servers may not listen for DNS requests on the gateway (10.111.0.21).
Besides that, every time I reboot pfSense or restart the OpenVPN (ExpressVPN) service I get different RFC1918 addresses.
Is this pfSense or ExpressVPN responsible for the change?
The VPN server will assign you another IP address each time you reconnect, similar to a DHCP server on your LAN.
I hope I wasn't confusing you. The example I provided works with Mullvad VPN.
Mullvad hands out the same gateway IP each time, which Express VPN may not do...
-
Here's an Example of my Config.
-
I use 4 VPN Tunnels concurrently.
-
Therefore I have 4 Tunnel Gateways, In this example I will use Tunnel Mullvad_AU
-
Port Forwarding Rules are used to 'HiJack' DNS Traffic. Here you could use your Own Destination (85.203.37.1 )
Once the DNS traffic traverses the VPN tunnel your VPN provider will use its own DNS server (85.203.37.1)
-
Manual Outbound NAT is required so your LAN Clients (or Alias) can send Traffic via the Tunnel
-
The Firewall Rules "policy route" traffic through the Tunnel Gateway and set the "No Wan Egress" Flag
The relevant rules are highlighted in green. For both rules the advanced settings are identical.
-
The Floating Outbound Rule ensures that Traffic Marked "No WAN Egress" will get Rejected immediately
-
-
I have pretty much the same setup... only my LAN firewall rule is on my LAN interface and yours on the VLAN
I notice in the FW_LAN_rules that you also block access to "This Firewall" and all subnets???
What DNS servers have you specified in System/General Setup?
Did you also check "Disable DNS Forwarder"?
Any DNS Servers specified somewhere else at DHCP Server?
-
I notice in the FW_LAN_rules that you also block access to "this firewall" and all Subnets???
From this VLAN I do not want anybody to be able to connect to the pfSense web admin interface. Therefore I blocked access to "This Firewall".
This is OK because even DNS requests to 192.168.80.1 would be forwarded to the DNS server I specified.
Blocking access to all other subnets stops clients on this VLAN from accessing other VLANs.
What DNS servers have you specified in System/General Setup?
I specified the public DNS Server of Mullvad VPN (193.138.219.228)
https://mullvad.net/en/guides/dns-leaks/
There's always the possibility that your ISP may hijack DNS traffic, but I do not mind. 193.138.219.228 is only used to resolve the Mullvad VPN servers in order to establish the tunnel. pfSense also uses this DNS server for updates etc.
Did you also checked "Disable DNS Forwarder"?
I use neither the DNS Forwarder nor the Resolver on my pfSense box.
Any DNS Servers specified somewhere else at DHCP Server?
No. The DHCP Server hands out the Gateway Address as DNS Server. There is no DNS Server Listening on my Gateway (LAN IF Address). Instead the Port Forward Rule will forward the DNS Request to the Server I Specified.
With this setup you can manually override DNS settings on the client, but DNS requests will still be forwarded to the DNS server I specified.
In your DNS firewall rule you should also specify the gateway (ExpressVPN_VPNV4). Right now you are using the default GW (*), which is most likely your WAN GW.
Also double check your NAT rules. There should be two outbound NAT rules which have your LAN as source net:
- Going to the VPN Tunnel IF
- Going to the WAN IF
-
Set up an alias for the Google DNS servers (8.8.8.8 & 8.8.4.4), or your VPN provider's DNS servers, or any ones you want.
Add a port forward on your LAN…
Source Address = Your VPN Hosts Alias
Dest Port = 53 (DNS)
Redirect Target IP = Your DNS Alias created above
Redirect Target Port = DNS
On the corresponding automatically created LAN rule make sure your VPN gateway is selected under Advanced.
Using this method you can add or remove VPN hosts by simply editing your VPN Hosts alias, without having to mess about with static DNS addresses. Anything in your VPN Hosts alias will use the DNS servers in the alias created above, through the VPN tunnel. Everything else will use the DNS Resolver or whatever your default is.
-
And keep the settings in the DNS Resolver (2.4.3) default, or do you have a specific selection of interfaces?
-
Yep, keep them however you want. It'll only be your non-VPN hosts that use the resolver anyway.
I think my way is easier than setting DNS servers via DHCP tbh. My way only involves one step when adding or removing a host from the VPN. Anything added to the VPNHOSTS alias automatically gets its DNS requests routed through the tunnel.
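As an added illustration, not code from the thread and not what pfSense itself generates: the pf rules that correspond to the objects described in the two port-forward recipes above (the earlier "port forward 53 to the provider's DNS, manual outbound NAT, policy route with No WAN Egress" post and the alias-based version just above), wrapped in a small shell script so the ruleset can be parse-checked with pfctl on a FreeBSD/pfSense box. The interface names em0/em1/ovpnc1, the LAN subnet, the tunnel gateway 10.111.0.21, the resolver 10.111.0.1 and the host addresses are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from pfSense: the pf equivalent of
# the GUI objects discussed above (VPN hosts alias, DNS "hijack" port forward,
# manual outbound NAT, policy route tagged NO_WAN_EGRESS, floating block on
# WAN). Interface names, subnet, gateway and host addresses are assumptions;
# on a real pfSense box the GUI generates these rules, they are not hand-edited.

# gen_vpn_dns_rules LAN_IF LAN_NET WAN_IF VPN_IF VPN_GW DNS_IP HOST...
# Prints a pf ruleset to stdout.
gen_vpn_dns_rules() {
    lan_if=$1 lan_net=$2 wan_if=$3 vpn_if=$4 vpn_gw=$5 dns_ip=$6
    shift 6
    cat <<EOF
# Aliases (pf tables). VPNHOSTS is the only object to edit when a client
# joins or leaves the tunnel; every rule below references the tables.
table <VPNHOSTS> { $* }
table <VPN_DNS> { $dns_ip }

# Translation rules (nat/rdr) must precede filter rules in pf.conf.
# Port forward: rewrite the destination of every DNS query from a VPN host,
# whichever resolver the client was handed by DHCP or has hard-coded.
rdr on $lan_if inet proto { tcp udp } from <VPNHOSTS> to any port 53 -> <VPN_DNS> port 53

# Manual outbound NAT: one rule per egress interface for the LAN subnet,
# so VPN hosts leave with the tunnel address and everyone else with WAN's.
nat on $vpn_if inet from <VPNHOSTS> to any -> ($vpn_if)
nat on $wan_if inet from $lan_net to any -> ($wan_if)

# Policy route VPN hosts via the tunnel gateway and tag the state, so that
# if the tunnel drops the traffic is refused instead of following the
# default (WAN) route.
pass in quick on $lan_if route-to ( $vpn_if $vpn_gw ) inet from <VPNHOSTS> to any tag NO_WAN_EGRESS keep state

# Floating rule: anything tagged above that reaches WAN is dropped.
block out quick on $wan_if tagged NO_WAN_EGRESS
EOF
}

# check_rules: parse-only load (-n) through pfctl where it exists (pfSense,
# FreeBSD, OpenBSD); elsewhere consume the input and say no check ran.
check_rules() {
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf -
    else
        cat >/dev/null
        echo "pfctl not found; ruleset not syntax-checked" >&2
    fi
}

# Example invocation with constructed values: LAN 192.168.1.0/24 on em1,
# WAN on em0, OpenVPN client on ovpnc1 with gateway 10.111.0.21 and the
# provider's tunnel-side resolver at 10.111.0.1.
gen_vpn_dns_rules em1 192.168.1.0/24 em0 ovpnc1 10.111.0.21 10.111.0.1 \
    192.168.1.50 192.168.1.51 | check_rules
```

The order matters in two places: the rdr must sit in the translation section, and the filter rule is evaluated after translation, so it matches on the rewritten destination. The floating block is what makes "No WAN Egress" fail closed when the OpenVPN client reconnects and the gateway is briefly down.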
-
When I perform a CMD nslookup on the Windows 10 PC (which is a member of my ExpressVPN_hosts)
my ExpressVPN DNS server address that I used in the port forward rule is shown, so the redirection is working!
But when I perform a dnsleaktest.com, I get all Google, OpenDNS or Cloudflare servers returned
Why is that?
-
dnsleaktest will show what DNS server is resolving for you. In the case of you using the resolver in pfSense with default settings (not forwarding) it will show your IP address. If you're using an external DNS server (via forwarding or via the VPN tunnel) it will show the IP of the DNS server.
Assuming you're using the settings I suggest and have the pfSense resolver set up not to use forwarding, the easiest way to test that your DNS requests are going through the VPN is to run dnsleaktest on a machine that is not a member of your VPN alias (or temporarily remove the one you're using just now). Anything not in the list should show your IP address (assuming Unbound isn't forwarding).
-
dnsleaktest will show what DNS server is resolving for you. In the case of you using the resolver in pfSense with default settings (not forwarding) it will show your IP address. If you're using an external DNS server (via forwarding or via the VPN tunnel) it will show the IP of the DNS server.
Assuming you're using the settings I suggest and have the pfSense resolver set up not to use forwarding, the easiest way to test that your DNS requests are going through the VPN is to run dnsleaktest on a machine that is not a member of your VPN alias (or temporarily remove the one you're using just now). Anything not in the list should show your IP address (assuming Unbound isn't forwarding).
I have set up the DNS port 53 forwarding per your suggestion (this is actually pretty much the same as "gcu_greyarea" has)
It doesn't matter whether I check or uncheck "Disable DNS Forwarder" in System/General Settings. (Same result in dnsleaktest.com)
It doesn't matter whether I have specified DNS Servers at System/General Settings or not (Same result in dnsleaktest.com)
I don't have DNS servers specified in the DHCP/LAN server.
With the setup above:
When I perform a dnsleaktest.com on a machine OUTSIDE the "ExpressVPN_Hosts" alias... it returns my ISP IP address (WAN)... as it should!
When I perform a dnsleaktest.com on a machine INSIDE the "ExpressVPN_Hosts" alias... it returns NOT my ISP IP address and NOT my ExpressVPN IP address but a lot of IP addresses of Google, OpenDNS or Cloudflare DNS servers...
When I perform an NSLOOKUP (nslookup whoami.akamai.net) on a machine INSIDE the "ExpressVPN_Hosts" alias, the DNS server I specified in the port forward rule is shown, so the port forward rule seems to work; however it returns NOT my ISP IP address and NOT my ExpressVPN IP address but another IP address, probably one of the addresses shown when I perform a dnsleaktest.com.
So my question is....is this a leak or not?
-
No, it's not a leak, that all sounds correct. The dnsleaktest isn't supposed to show you where your DNS requests are coming FROM, it shows you what server is actually resolving them. Your non-VPN clients will be using Unbound to resolve, hence why your ISP IP shows up. Your VPN clients will be bypassing Unbound and going out through the tunnel directly to whatever DNS addresses you have set in your alias, hence it is these addresses that show.
If you take unbound out of resolver mode (Services/DNS Resolver and tick "Enable Forwarding Mode") you should see that your non VPN clients will also start showing Google/CloudFlare or whatever you have set up under general.
The surefire way to check is to do a packet capture on port 53 on your VPN interface with level of detail set to high. Load up a webpage on a VPN client. Stop the packet capture and you should be able to confirm by matching the website that your client did indeed send its DNS request over the tunnel.
-
The surefire way to check is to do a packet capture on port 53 on your VPN interface with level of detail set to high. Load up a webpage on a VPN client. Stop the packet capture and you should be able to confirm by matching the website that your client did indeed send its DNS request over the tunnel.
Diagnostics/Packet Capture seems not to work... the view capture is empty... I have the settings attached.
The host address field is one of the machines going through the EXPRESSVPN interface
Do I have to turn on something else in system or so?
-
That's not going to work because NAT has already taken place by that point. Leave everything as default except the interface set to your VPN gateway, the port set to 53 and detail set to high. That's why I said to use a specific web page and then you can match that page in the packet capture.
-
I would test the following:
Test 1: Packet capture on WAN IF, Proto Any, Port 53
Start Capture
Run DNS Leak Test
Stop Capture
What do you see? Any DNS servers other than what you have specified in pfSense General / the DNS port forward rule (used for the tunnel)?
No. Then that's great, no leaks.
Yes. There's a client using DNS servers other than what you have specified.
Test 2: Packet capture on LAN IF, Proto Any, Port 53, Source: IP of your tunnel client
Start Capture
Run DNS Leak Test
Stop Capture
Which server does your client contact?
Only the one you have specified via DHCP. Good.
Other DNS servers? Strange, but check if the requests are forwarded through the tunnel (Test 3).
Test 3: Packet capture on Express VPN IF, Proto Any, Port 53, Source: ANY
Start Capture
Run DNS Leak Test
Stop Capture
Which destination servers do you see?
Only the one you specified in the forwarding rule. Good. No DNS leak.
Others. Block them via floating outgoing rules.
What does this test show you?
https://www.expressvpn.com/dns-leak-test
The bottom of this page explains various types of leaks:
https://www.expressvpn.com/internet-privacy/expressvpn-leak-testing-tools/
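The three capture tests above, turned into an offline check. This is an added example, not from the thread: it parses tcpdump text output (what Diagnostics > Packet Capture shows, or what `tcpdump -lni <if> port 53` prints on the console), keeps only the DNS queries, and reports every resolver the queries went to other than the one the port forward targets. The interface name ovpnc1, the tunnel addresses and the sample capture are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: an offline checker for the capture
# tests above. Reads tcpdump text output, keeps only queries (destination
# port 53, IPv4 and IPv6) and prints destinations not on the allow-list.
# Interface names and the sample capture below are constructed.

# dns_query_dests: read tcpdump lines on stdin, print the unique destination
# addresses of DNS queries in order of first appearance.
dns_query_dests() {
    awk '($2 == "IP" || $2 == "IP6") && $4 == ">" {
        dst = $5
        sub(/:$/, "", dst)                 # "10.111.0.1.53:" -> "10.111.0.1.53"
        n = split(dst, p, ".")
        if (p[n] != "53") next             # replies (source port 53) are not queries
        addr = substr(dst, 1, length(dst) - length(p[n]) - 1)   # strip ".53"
        if (!seen[addr]++) print addr
    }'
}

# dns_leaks ALLOWED_IP...: print every query destination that is not in the
# allow-list; return 1 if any were found (a leak), 0 if all queries went
# where the port forward sends them.
dns_leaks() {
    allowed=" $* "
    found=0
    for addr in $(dns_query_dests); do
        case "$allowed" in
            *" $addr "*) ;;
            *) echo "$addr"; found=1 ;;
        esac
    done
    return $found
}

# Constructed sample of a capture on the tunnel interface while a VPN host
# loads a page. The source is the tunnel address 10.111.0.22: outbound NAT
# has already happened on this interface, which is why filtering the capture
# by the LAN client's own address shows nothing here. 8.8.8.8 and the
# Cloudflare IPv6 resolver stand in for a client with hard-coded DNS.
SAMPLE_CAPTURE='12:00:01.100000 IP 10.111.0.22.51234 > 10.111.0.1.53: 4321+ A? example.com. (29)
12:00:01.120000 IP 10.111.0.1.53 > 10.111.0.22.51234: 4321 1/0/0 A 93.184.216.34 (45)
12:00:01.300000 IP 10.111.0.22.40001 > 8.8.8.8.53: 17+ A? example.net. (29)
12:00:01.400000 IP6 fd00::22.55000 > 2606:4700:4700::1111.53: 9+ AAAA? example.com. (29)'

# Live use on the firewall as root (WAN or tunnel interface, a bounded capture):
#   tcpdump -lni ovpnc1 -c 200 port 53 | dns_leaks 10.111.0.1
# Offline demo on the constructed sample:
printf '%s\n' "$SAMPLE_CAPTURE" | dns_leaks 10.111.0.1 \
    && echo "no leaks" || echo "the resolvers above are not the port forward target"
```

Run it against a WAN capture with the tunnel resolver as the only allowed address and any output at all is a leak (Test 1); against a tunnel capture, output means a client's DNS is not being rewritten by the port forward (Test 3). The IPv6 line is the case to watch for: a port forward on "any" IPv4 destination does nothing for AAAA lookups sent to an IPv6 resolver.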
-
I already figured it out... I did 2 tests... on the LAN and the EXPRESSVPN interfaces.
During both tests I started a website in the browser with a machine from the ExpressVPN_Hosts alias.
For the packet capture on the LAN I typed the IP address of the machine.
The results are attached... I wiped the local IP address of the machine and the virtual IP address of the ExpressVPN connection. To me it looks OK...
But I still find it strange that with the port 53 forwarding rule all those Google, OpenDNS and Cloudflare IPs are shown during a leak test.
And when I use the DNS Resolver (only EXPRESSVPN as outgoing interface, and no DNS servers specified anywhere in pfSense) the leak test only shows my ExpressVPN IP address (which is the only config, according to the "ExpressVPN DNS leak check page", without any DNS leak = showing the VPN IP address)


-
Here is the leak test on the ExpressVPN site. (Looks like a Vanilla Leak)
DNS requests go through the VPN tunnel AND go to a third party DNS server
This type of leak is the least severe. The DNS requests will be encrypted all the way to the VPN server, preventing any MitM from eavesdropping and seeing the DNS requests. This makes it effectively impossible to determine which individual sent a given DNS request. However, in a very targeted attack there may be complex methods an attacker could employ to use this to determine information about the sender.
(Note that these descriptions assume that the DNS servers run by the VPN providers are both logless and secure. This is an important aspect of protection for any VPN provider, but is beyond the scope of this leak case study.)
I also tested the WebRTC leak on their site on the same Windows 10 PC. This gave an IPv6 leak on this machine.
But I only use this machine for testing... The laptop I am typing on now (when I added it to the VPN_Host alias) did not have this IPv6 WebRTC leak
The PC Window10 has a hidden "Teredo Tunneling Pseudo Interface" which probably is causing the ipv6 WebRTC leak.
-
One thing I noticed in your packet capture is that there are AAAA DNS requests. Could this be the problem?
https://en.wikipedia.org/wiki/Teredo_tunneling
In System -> Advanced -> Firewall ->
Do you have this enabled ? "IPv6 over IPv4 Tunneling"
What happens when you block all IPv6 traffic?
Honestly - I'm fishing in the dark :)