How to fix OpenVPN DNS leak

Sooo the answer is to carefully follow the always-on-point instructions from the ArchLinux wiki:

https://wiki.archlinux.org/index.php/OpenVPN#Update_systemd-resolved_script

and to append the corresponding lines.

So, in two steps:

sudo apt install openvpn-systemd-resolved

and append the following lines to your .ovpn file:

script-security 2
dhcp-option DNS 208.67.222.222
dhcp-option DNS 208.67.220.220
dhcp-option DNS 8.26.56.26
up /etc/openvpn/update-systemd-resolved
down /etc/openvpn/update-systemd-resolved

If that's not clear, your file should now contain two lines "up" and two lines "down":

# old lines
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
# new lines
script-security 2
dhcp-option DNS 208.67.222.222
dhcp-option DNS 208.67.220.220
dhcp-option DNS 8.26.56.26
up /etc/openvpn/update-systemd-resolved
down /etc/openvpn/update-systemd-resolved

[Edit 1: Actually NOPE, this wasn't the reason it worked]

See Edit 1 in my question.

[Edit 2: I think I got it right this time]

This issue of weird systemd-resolved.service behavior is referenced here.

It seems that the option to put in the client config file is the following:

dhcp-option DOMAIN-ROUTE .

which apparently routes all DNS through the selected connection...
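Before trusting either change, it is worth checking what systemd-resolved will actually do with DNS queries. The following is an added example, not code from the answer above: a POSIX shell function that parses the per-link part of `resolvectl status` (or the older `systemd-resolve --status` on Ubuntu 18.04) and flags the leaking state. It assumes the routing-domain behaviour of systemd-resolved: update-systemd-resolved turns `dhcp-option DOMAIN-ROUTE .` into the catch-all routing domain `~.` on the tun link, a link carrying `~.` claims every name, and when no link has it every link with DNS servers may be asked. Both inputs are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the original answer. Reads the per-link section of
# `resolvectl status` (or the older `systemd-resolve --status`) on stdin and says
# whether DNS queries can still be sent to a non-VPN link's resolver.
#
# Rule applied (systemd-resolved routing domains): a link whose "DNS Domain:"
# list contains the catch-all routing domain "~." (what update-systemd-resolved
# installs for `dhcp-option DOMAIN-ROUTE .`) claims every name; without such a
# link, every link that has DNS servers may be queried, which is the leak.

dns_leak_check() {
    # stdout: one line per link that has DNS servers, then a verdict line.
    awk '
    BEGIN { link = "Global" }                  # servers listed under Global count too
    /^Link [0-9]+ \(/ {
        link = $3; gsub(/[()]/, "", link)      # "Link 5 (tun0)" -> tun0
        next
    }
    /DNS Servers:/ {
        sub(/.*DNS Servers:[ \t]*/, "")        # keep the first listed server
        if ($0 != "") servers[link] = $0
    }
    /DNS Domain:/ {
        sub(/.*DNS Domain:[ \t]*/, "")
        if ($0 ~ /(^|[ \t])~\.([ \t]|$)/) catchall = link
    }
    END {
        n = 0
        for (l in servers) { n++; printf "%s: %s\n", l, servers[l] }
        if (catchall != "") print "OK: " catchall " carries the ~. routing domain"
        else if (n > 1)     print "LEAK: no ~. routing domain and " n " links have DNS servers"
        else                print "OK: " n " link(s) have DNS servers"
    }'
}

# Verdict only (last line), handy for a post-connect hook or a status bar.
dns_leak_verdict() { dns_leak_check | tail -n 1; }

# Constructed sample: VPN up, but no routing domain on tun0 (the leaking state).
SAMPLE_LEAK='Global
       LLMNR setting: no

Link 3 (tun0)
      Current Scopes: DNS
         DNS Servers: 10.8.0.1

Link 2 (enp0s3)
      Current Scopes: DNS
         DNS Servers: 192.168.1.1'

# Constructed sample: the same session after `dhcp-option DOMAIN-ROUTE .` took effect.
SAMPLE_FIXED='Global
       LLMNR setting: no

Link 3 (tun0)
      Current Scopes: DNS
         DNS Servers: 10.8.0.1
          DNS Domain: ~.

Link 2 (enp0s3)
      Current Scopes: DNS
         DNS Servers: 192.168.1.1'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LEAK"  | dns_leak_check
    printf '%s\n' "$SAMPLE_FIXED" | dns_leak_check
fi
```

On a live system run `resolvectl status | dns_leak_check` (or `systemd-resolve --status | dns_leak_check` on 18.04) once the tunnel is up; a `LEAK:` verdict while the VPN is connected means the `DOMAIN-ROUTE` line has not taken effect on the tun link.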


I had this DNS leak issue on Ubuntu 17.10 and now 18.04 LTS. It must have started when I updated from 16.10 a while back and I never thought to check until now, by accident. None of the above (and other things I found and tried) helped, until I ran into this URL below, reading all the way through the bug report. The comment on adding a dns-priority line worked for me.

https://bugs.launchpad.net/network-manager/+bug/1624317 (look at comment #103).

Look for your installed NetworkManager VPN connections (the '$' is just my system prompt, to show you're at the command line in a terminal window):

$ ls -la /etc/NetworkManager/system-connections/*

Then choose the one you want to fix and run this command on it (or you can just edit the config file manually, as this command just adds a dns-priority entry under section ipv4):

$ sudo nmcli connection modify <vpn-connection-name> ipv4.dns-priority -42

And restart:

$ sudo service network-manager restart

Note that at least for me, putting it in the OpenVPN .ovpn config file that came from my VPN (ProtonVPN) did not work. For some reason it did not make it into the NetworkManager config when it was installed using the GUI dialog. Only by updating the config after it was installed, and then restarting NetworkManager, did it work. And you need to do this for each installed VPN config you want to use.
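The manual edit mentioned above can be done safely from a script. The following is an added example, not code from this answer: a POSIX shell function that sets `dns-priority` in the `[ipv4]` section of a NetworkManager keyfile the way `nmcli connection modify <name> ipv4.dns-priority -42` does, adding the key when it is missing, replacing it when present, and appending an `[ipv4]` section if the file has none. It reads the keyfile on stdin and writes the result to stdout so the change can be reviewed before it is written back; the sample keyfile is constructed.

```shell
#!/bin/sh
# Added example, not part of the original answer. Sets dns-priority=VALUE in
# the [ipv4] section of a NetworkManager keyfile (stdin -> stdout), which is
# what `nmcli connection modify <name> ipv4.dns-priority VALUE` writes.
# NetworkManager documents negative values as "exclude DNS servers of
# connections with a greater value", hence -42 in the answer above.

set_dns_priority() {
    awk -v val="$1" '
    /^\[/ {                                   # section header
        if (insec && !found) print "dns-priority=" val
        printf "%s", held; held = ""
        insec = ($0 == "[ipv4]"); found = 0
        if (insec) seen = 1
        print; next
    }
    # hold blank lines inside [ipv4] so an inserted key lands above them
    insec && /^[ \t]*$/ { held = held $0 "\n"; next }
    insec && /^dns-priority=/ { $0 = "dns-priority=" val; found = 1 }
    { printf "%s", held; held = ""; print }
    END {
        if (insec && !found) print "dns-priority=" val
        printf "%s", held
        if (!seen) print "\n[ipv4]\ndns-priority=" val   # no [ipv4] section at all
    }'
}

# Prints the current [ipv4] dns-priority of the keyfile on stdin (empty if unset).
get_dns_priority() {
    awk -F= '/^\[/ { insec = ($0 == "[ipv4]") } insec && $1 == "dns-priority" { print $2 }'
}

# Constructed sample keyfile for a VPN connection before the fix.
SAMPLE_KEYFILE='[connection]
id=my-vpn
type=vpn

[vpn]
service-type=org.freedesktop.NetworkManager.openvpn

[ipv4]
method=auto

[ipv6]
method=auto'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_KEYFILE" | set_dns_priority -42
fi
```

To apply it, redirect the output to a new file next to the original, keep it root-owned with mode 0600 as NetworkManager expects for keyfiles, move it into place, and restart NetworkManager as the answer describes.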


This seems to be a bug due to Ubuntu switching to systemd-resolve before the network-manager-openvpn package was updated to be aware of systemd-resolve. Ubuntu 18.10 seems to have resolved this with network-manager 1.12.2-0ubuntu5. More information here: https://gitlab.gnome.org/GNOME/NetworkManager-openvpn/issues/10.

Until that's released, @Bob Willan's answer worked for me.