1. Overview
Using a VPN is always a good idea to boost online privacy and security. Many users often turn to OpenVPN for that purpose. However, when OpenVPN uses the default DNS server for resolving web addresses, it exposes our browsing activity and even our location.
In this tutorial, we’ll discuss the common cause of OpenVPN DNS leak and provide an effective solution to prevent it.
2. What Causes OpenVPN DNS leak?
The cause of the DNS leak associated with OpenVPN is a debated issue. Some users attribute it to faulty configurations, while others suspect conflicts with systemd-resolved, a service managing DNS resolution on Linux. Regardless of the point of view, the main cause seems to be OpenVPN’s inability to update /etc/resolv.conf, the configuration file controlling DNS resolution in Linux.
We can force our OpenVPN client file to update /etc/resolv.conf using the /etc/openvpn/update-resolv-conf script. However, doing that often fails because the TUN device seems to bypass the configuration.
Also, directly editing /etc/resolv.conf proves ineffective for two reasons. First, any changes we make there will probably just get overwritten. Second, we usually rely on the VPN DNS server only when connected to the VPN, not at all times
The point is, that DNS requests should go through the VPN, but sometimes they don’t. So the first step to take after connecting to a VPN server is to make sure the OpenVPN connection uses the VPN DNS server.
3. Checking OpenVPN DNS Configuration
Besides running website-based DNS leak tests, we may use a native Linux command to verify if OpenVPN is using the correct DNS server. We can simply check the DNS servers the system is using with resolvectl:
$ resolvectl
Global
Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub
Link 2 (enp0s3)
Current Scopes: DNS
Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 1.1.1.1
DNS Servers: 1.1.1.1 1.0.0.1
DNS Domain: Home
Link 3 (tun0)
Current Scopes: none
Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Here, the resolvectl command (or resolvectl status) lists the DNS servers that each network interface is using. In this case, we’re only focusing on the tun0 link, which OpenVPN uses. We can notice that no DNS servers are assigned to tun0. This means it’s relying on the default DNS server (1.1.1.1). In other words, we have a DNS leak.
We should keep in mind that a DNS leak occurs any time our system uses a DNS server outside the VPN tunnel, not just the ISP’s server.
4. Patching the Leak With update-systemd-resolved
Instead of tinkering with*/etc/resolv.conf* or other DNS configuration files, we can directly assign the correct DNS settings to the TUN device itself. Specifically, a script named update-systemd-resolved simplifies this process by integrating OpenVPN with systemd-resolved via DBus. This is the most adopted approach for preventing DNS leaks associated with OpenVPN.
The easiest way to use this helper script is to install the openvpn-systemd-resolved package:
$ sudo apt install openvpn-systemd-resolved
As usual, the apt install command will insist on having superuser permissions to install the package, so adding sudo is a must.
The next step is to tweak the OpenVPN client file (.ovpn) used to connect to the VPN server. Let’s do that by adding the following lines to it:
script-security 2
up /etc/openvpn/update-systemd-resolved
down /etc/openvpn/update-systemd-resolved
Here, we enabled script-security 2 since we’re using a script to set up DNS settings (update-systemd-resolved). After that, the up option executes the script when the VPN connection is initiated, updating systemd-resolved with the VPN’s DNS information. Conversely, the down option executes it when the VPN connection is terminated, reverting to the default DNS settings.
Now, let’s check what DNS server the tun0 link is using:
$ resolvectl
...
Link 3 (tun0)
Current Scopes: DNS
Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 10.0.0.252
DNS Servers: 10.0.0.252
Finally, we notice that our VPN connection successfully resolves DNS queries using the DNS server provided by the VPN (10.0.0.252).
4. Conclusion
In this article, we discovered the common cause of OpenVPN DNS leak and discussed the most effective method to prevent it.
In conclusion, while alternative methods might exist, directly assigning DNS settings with update-systemd-resolved has proven to be highly successful.