n6eqp5$dm6$
2...@dont-email.me
> The 192.168.1.1 probably came from the dhcp server when you connected to
> your wifi. The 10.211.254.254 probably came from the vpn software. I
> have no idea where the 8.8.8.8 came from.
Thanks for postulating where the 3 resolv.conf entries came from:
nameserver 10.211.254.254
nameserver 8.8.8.8
nameserver 192.168.1.1
I don't know where they come from, but, the fact that I didn't set them,
probably means, as you noted, that the first two came from the VPN site.
Looking at the openvpn log messages for clues, I see three related
messages, which seem to indicate that you are correct where those
dns servers eminate from:
$ sudo openvpn --config "russia_vpngate_87.245.167.54_udp_64434.ovpn"
...
Mon Jan 4 13:48:35 2016
PUSH: Received control message: 'PUSH_REPLY,ping 3,ping-restart 10,
ifconfig 10.211.1.1 10.211.1.2,
dhcp-option DNS 10.211.254.254,
dhcp-option DNS 8.8.8.8,
route-gateway 10.211.1.2,
redirect-gateway def1'
...
Mon Jan 4 13:48:35 2016
ROUTE_GATEWAY
192.168.1.1/255.255.255.0 IFACE=wlan0 HWADDR=00:14:7a:34:af:94
...
Mon Jan 4 13:48:35 2016
/etc/openvpn/update-resolv-conf tun0 1500 1557 10.211.1.1 10.211.1.2 init
dhcp-option DNS 10.211.254.254
dhcp-option DNS 8.8.8.8
...
Mon Jan 4 15:18:16 2016 Initialization Sequence Completed
Notice a few things:
1. The VPN server seems to have 1st set "dhcp-option DNS 10.211.254.254".
2. The VPN server then seems to have 2nd set "dhcp-option DNS 8.8.8.8".
3. Only later, did the "ROUTE_GATEWAY" command set the 3rd line to 192.168.1.1.
Note: The MAC address reported is that of my laptop WiFi wlan0 NIC.
To find out more, I'll increase the 'verbose' option, to search for more clues:
$ grep ^verb "russia_vpngate_87.245.167.54_udp_64434.ovpn"
verb 3
> tcpdump -i wlan0
Since I had never even *thought* about testing VPN before I noticed the
dns leak, my problem isn't tactics, it's strategy, so the tcpdump manpage
is not as helpful as you might think it would be.
All those options are fine - but - I have to first have an idea of
*what* and *where* I'm looking for "things".
I'm so new at sniffing ports that I don't have a stable sense of what
it is that I'm looking for, and where I might sniff to find it.
Do you think I should sniff the specific port used by the tunnel?
$ grep ^remote russia_vpngate_87.245.167.54_udp_64434.ovpn
remote 87.245.167.54 64434
I don't know why VPN even needs a port, but I will look at port "64434"
to see if sniffing "it" tells me something useful:
$ sudo tcpdump -A port 64434 -i any -w /tmp/tcpdump_port64434.pcap
> Well, but that does not put the interfaces into promiscuous mode
> so not everything would be captured.
I looked up this promiscuous mode stuff and it seems to be extremely
important, and, some cards "can" be put in promiscuous mode, while
others can't.
Being totally new to this, I'm still trying to figure out what my
"strategy" should be to test the vpn tunnel.
Having never thought about testing VPN leaks before, I only belatedly
realized that I might not have to prove that *all* the packets go
thru the tunnel, because maybe I could just concentrate on trying
to find any packets that do NOT go through the tunnel?
Does that sound like a reasonable VPN-testing strategy?
(How do people test VPNs for leaks anyway?)
[I can't be the first person to want to test a VPN for leaks.]