How (I think?) I solved DNS leakage on my CentOS 7 PC
I have tired of playing with this issue so I decided to apply my normal BFH technique :D
openvpn is SUPPOSED to support an option "block-outside-dns" in the .ovpn configuration file from my reading. It does not seem to work. Debian and Debian based distros ('buntus etc.) have a package resolvconf which provides scripts to manage this mischief. No such thing in CentOS. I found reference to openresolv which works in Arch but I have not gotten it to work in CentOS. Using an Ubuntu 16.04 VM I did some testing and observing. It seems that by adding these lines to the bottom of the .ovpn configuration file
Code:
script-security 2
In observing what happened on Ubuntu during this process I determined that the net result (sorry for the pun) was that the file /etc/resolv.conf was modified to stuff the VPN provider's DNS address at the top of the file. Based on my observations and confirmed by correspondence with my VPN providers I determined that their DNS addresses were: usenetserver.com VPN 10.18.0.1 and 10.0.18.2; protonmail.ch VPN (beta) 10.8.8.1. I created these files in /etc/
Code:
# resolv.conf.usenetserver
Code:
proton_on.sh
Code:
script-security 2
I will be setting this up on my "router" PC which resides between my Netgear "real" router and my LAN. I am using the Netgear simply because the router PC has only one wired NIC and I must connect to the Internet with the WiFi card. The PC also runs DHCP for my LAN. The PC is run headless and I would not expect to do anything on it to cause, for example, Network Manager to overwrite the resolv.conf file which I wish to have in place. I await your slings and arrows (torpedoes, broadsides or rotten tomatoes)... What have I screwed up with my simplistic approach? TIA, Ken
To take a pot shot at my own "solution"...
The openvpn command e.g.
Code:
sudo openvpn --config ~/bin/us-04.protonvpn.com.udp1194.ovpn --auth-user-pass ~/bin/propw
I can su in the bash terminal and then run the openvpn command. This leaves a root terminal running (although hidden by screen). If I run the command with sudo and supply a password I do not have this rogue root terminal floating around. However, by the time I cancel openvpn my escalated permissions will probably have timed out. This will cause the second script, restoring /etc/resolv.conf, to fail due to file permissions. I prefer the second scenario. I would rather not have connectivity rather than having connectivity outside of the VPN. Ken p.s. As I am using the "router" PC as a DHCP server for my LAN I had a DNS address (for openvpn.com) hard coded in /etc/dhcp/dhcpd.conf. This caused a DNS leakage which it took a little time to track down. I replaced this address with the address of the "router" PC. Problem solved.
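The resolv.conf swap described in the thread, written up as an added example (not the poster's proton_on.sh or any OpenVPN project code): one script that serves as both the OpenVPN "up" and "down" hook, so the restore runs under OpenVPN's own root context instead of depending on a sudo timestamp, plus a check that reports whether any nameserver outside the VPN's resolver is still listed. It assumes OpenVPN sets script_type to up/down when it calls the hook (it does), that the resolver address is supplied in VPN_DNS, and that RESOLV_FILE/BACKUP_FILE are overridable so the functions can be exercised on scratch files.

```shell
#!/bin/sh
# Added example: OpenVPN up/down hook for CentOS 7 that swaps /etc/resolv.conf
# for one naming only the VPN resolver, and restores the original on "down".
# Wire it in with:  script-security 2 / up /path/to/this.sh / down /path/to/this.sh
# Assumptions: runs as root (OpenVPN invokes hooks as root); VPN_DNS holds the
# provider's resolver, e.g. 10.8.8.1 from the thread; paths below are overridable.

RESOLV_FILE="${RESOLV_FILE:-/etc/resolv.conf}"
BACKUP_FILE="${BACKUP_FILE:-/etc/resolv.conf.pre-vpn}"

# vpn_dns_up <resolver-ip>: save the current resolver config, then replace it.
vpn_dns_up() {
    dns="$1"
    # Back up only once, so a repeated "up" cannot clobber the real original.
    if [ ! -f "$BACKUP_FILE" ]; then
        cp -p "$RESOLV_FILE" "$BACKUP_FILE" || return 1
    fi
    # Write to a temp file and mv it into place so a query never reads a half-written file.
    tmp="$RESOLV_FILE.tmp.$$"
    printf '# managed by vpn hook; original in %s\nnameserver %s\n' "$BACKUP_FILE" "$dns" > "$tmp" || return 1
    mv "$tmp" "$RESOLV_FILE"
}

# vpn_dns_down: put the saved resolver config back; fail loudly if there is none.
vpn_dns_down() {
    if [ ! -f "$BACKUP_FILE" ]; then
        echo "vpn_dns_down: no backup at $BACKUP_FILE, leaving $RESOLV_FILE alone" >&2
        return 1
    fi
    mv "$BACKUP_FILE" "$RESOLV_FILE"
}

# resolv_leaks <allowed-ip>...: returns 0 (true) if RESOLV_FILE lists any
# nameserver that is not in the allow-list, i.e. DNS could still bypass the VPN.
resolv_leaks() {
    for ns in $(awk '$1 == "nameserver" { print $2 }' "$RESOLV_FILE"); do
        ok=0
        for allowed in "$@"; do
            [ "$ns" = "$allowed" ] && ok=1
        done
        [ "$ok" -eq 1 ] || return 0
    done
    return 1
}

# Dispatch on the script_type OpenVPN exports; a no-op when run or sourced by hand.
case "${script_type:-}" in
    up)   vpn_dns_up "${VPN_DNS:?set VPN_DNS to the provider resolver address}" ;;
    down) vpn_dns_down ;;
esac
```

Because the hook runs inside the OpenVPN process, the DHCP-server leak the poster mentions is still separate: dhcpd.conf must hand out the router PC's own address, as described above, or clients will query the hard-coded resolver directly.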