Stopping DNS Leaks


tel

May 31, 2014, 5:03:20 PM
to qubes...@googlegroups.com
Finally got a vpnVM running as a proxyVM.  It's using openvpn to connect to my private VPN.

appVM's that connect to it are correctly routing all traffic through the VPN, but I can't seem to solve the DNS leak problem.  It appears that the appVM's are still using the local DNS servers, rather than the DNS servers provided by the VPN (and yes, the openvpn server is correctly configured to push the DNS addresses to the client).

I've tried manually setting /etc/resolv.conf to use the DNS server's addresses, but it seems not to make any difference.  Any other place I should set the addresses, or is there some other trick I'm overlooking to get my VM to use the correct DNS servers?

Thanks.

Todd

Marek Marczykowski-Górecki

May 31, 2014, 5:54:37 PM
to tel, qubes...@googlegroups.com
This is the right place, but you need to call
/usr/lib/qubes/qubes-setup-dnat-to-ns after editing that file (as root).
Perhaps it can be added to OpenVPN configuration as some post-connect hook.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Todd Lasman

May 31, 2014, 6:21:24 PM
to qubes...@googlegroups.com

On 05/31/14 14:54, Marek Marczykowski-Górecki wrote:
> On 31.05.2014 23:03, tel wrote:
>> Finally got a vpnVM running as a proxyVM. It's using openvpn to connect to
>> my private VPN.
>>
>> appVM's that connect to it are correctly routing all traffic through the
>> VPN, but I can't seem to solve the DNS leak problem. It appears that the
>> appVM's are still using the local DNS servers, rather than the DNS servers
>> provided by the VPN (and yes, the openvpn server is correctly configured to
>> push the DNS addresses to the client).
>>
>> I've tried manually setting /etc/resolv.conf to use the DNS server's
>> addresses, but it seems not to make any difference. Any other place I
>> should set the addresses, or is there some other trick I'm overlooking to
>> get my VM to use the correct DNS servers?
> This is the right place, but you need to call
> /usr/lib/qubes/qubes-setup-dnat-to-ns after editing that file (as root).
> Perhaps it can be added to OpenVPN configuration as some post-connect hook.
>
Works perfectly. Thanks!


Frank Schäckermann

May 31, 2014, 9:38:52 PM
to qubes...@googlegroups.com
Hi Todd!

I have been looking for that one quite a while myself until I realized that Qubes uses a little trick to avoid having to run its own DNS server. DNS traffic is re-routed by some IPTABLES rules!

I don't remember what exactly was going on, but I think some forwarding or pre-routing rules are sending all DNS traffic to the DNS server known through the netvm's connection to the internet.

Frank

Todd Lasman

May 31, 2014, 10:20:41 PM
to qubes...@googlegroups.com
Sort of makes sense. As one who is more or less unfamiliar with
iptables, it wouldn't have ever occurred to me to look there for an
answer. Definitely working now, though!



Manuel Amador (Rudd-O)

Jun 2, 2014, 1:54:43 AM
to qubes...@googlegroups.com
Could you provide a comprehensive "here's how I solved this problem"
for the list, such that we can replicate the same work independently,
and perhaps incorporate it into the source code? Thanks in advance.
--
Rudd-O
http://rudd-o.com/


tel

Jun 2, 2014, 4:53:42 PM
to qubes...@googlegroups.com
Ok, Rudd-O. Here it is:

Using OpenVPN in Qubes

I wanted to set up a proxy VM to use OpenVPN so that I could connect
some of my VM's to the VPN server. My VPN of choice is
PrivateInternetAccess, so my instructions focus around using their
stuff. I think the principles could still be applied to any OpenVPN
service. Here's how I did it.

1. Make a new VM (I used the GUI). The new VM is a proxyVM, and I used
the default firewallVM as its NetVM. I called it cal-vpn, because this
particular proxyVM is used to connect to PrivateInternetAccess'
California server.

2. I downloaded a few free files from the PIA site, including the
configuration file, and some certificates (ca.crt and crl.pem).

Here's the raw configuration file (called "US California.ovpn") that's
straight from the PIA website:

#---------------------------------------------------
client
dev tun
proto udp
remote us-california.privateinternetaccess.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
tls-client
remote-cert-tls server
auth-user-pass
comp-lzo
verb 1
reneg-sec 0
crl-verify crl.pem
#---------------------------------------------------

3. I copied all of the above files into /rw/config in preparation for
using these files when the VM starts up.

4. I made a couple of modifications to the configuration file to reflect
the absolute location of the certificate files. Also, I added a line to
reference a credentials file so that the username and password gets
added automatically:

#-----------------------------------------------------
client
dev tun
proto udp
remote us-california.privateinternetaccess.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /rw/config/ca.crt
tls-client
remote-cert-tls server
# username and password are read from the file named in the auth-user-pass line below
comp-lzo
verb 1
reneg-sec 0
crl-verify /rw/config/crl.pem
auth-user-pass /rw/config/.vpncredentials
#-----------------------------------------------------

5. I then made the actual .vpncredentials file (which contains the
username and password). Contents of .vpncredentials (which I also put
in /rw/config):

#---------------------------------
myusername
mypassword
#---------------------------------

For what it's worth, I changed the permissions on this file to 600:
$ sudo chmod 600 .vpncredentials

6. I made one more file in /rw/config which holds the addresses of PIA's
nameservers. I'll use the contents of this file to replace those in
/etc/resolv.conf so that when I connect to the VPN, there is no DNS
leak. Contents of /rw/config/vpn-resolv.conf:

#---------------------------------
nameserver 209.222.18.222
nameserver 209.222.18.218
#---------------------------------

7. I added these lines to rc.local (making sure that rc.local is
executable):

#---------------------------------
openvpn /rw/config/US\ California.ovpn &
sleep 2
cp /rw/config/vpn-resolv.conf /etc/resolv.conf
/usr/lib/qubes/qubes-setup-dnat-to-ns
#---------------------------------

8. I made another appVM which uses my new cal-vpn as its proxyVM. Now,
when I start this new appVM, it will connect automatically to the VPN
server and alter the DNS addresses. Open firefox and go to dnsleak.com
to prove that not only am I using the VPN IP addresses, but also that
I'm not leaking DNS information.

If anyone notes that I'm doing something insecure or inefficient here,
please let me know!
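
The step that actually closes the leak in the recipe above is the last one: /etc/resolv.conf is only the input, and the port-53 DNAT rules that qubes-setup-dnat-to-ns derives from it are what the appVMs' queries really follow. The check below is an added example, not code from the thread or from Qubes: it compares the nameservers in a resolv.conf against the DNAT targets in `iptables -t nat -S` output and reports any resolver with no rule or any rule still steering DNS to an address that is no longer in resolv.conf. The chain name PR-QBS, the 10.137.x.x addresses and both rule listings are constructed assumptions; the parser relies only on the generic `--dport 53 ... -j DNAT --to-destination ADDR:PORT` tokens of `iptables -S`.

```shell
#!/bin/sh
# Added example, not code from the thread. Offline check that the resolvers in
# a resolv.conf match the port-53 DNAT rules qubes-setup-dnat-to-ns installs.
# Both inputs are passed as text; on a proxyVM you would feed it
#   "$(cat /etc/resolv.conf)"  and  "$(iptables -t nat -S PR-QBS)"
# (PR-QBS as the chain name is an assumption; the parser only relies on the
# "--dport 53 ... -j DNAT --to-destination ADDR:PORT" tokens of iptables -S).

# Nameserver addresses from resolv.conf text, one per line.
resolv_nameservers() {
    printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2 }'
}

# Addresses that port-53 traffic is DNATed to, one per line, de-duplicated.
dnat_dns_targets() {
    printf '%s\n' "$1" | awk '
        /--dport 53/ && /-j DNAT/ {
            for (i = 1; i < NF; i++)
                if ($i == "--to-destination") { sub(/:53$/, "", $(i+1)); print $(i+1) }
        }' | sort -u
}

# Exit 0 when the two sets agree. Otherwise print each nameserver without a
# DNAT rule (queries to it never reach the VPN resolver) and each DNAT target
# missing from resolv.conf (a stale rule still steering DNS elsewhere), exit 1.
check_dns_dnat() {
    want=$(resolv_nameservers "$1" | sort -u)
    have=$(dnat_dns_targets "$2")
    status=0
    for ns in $want; do
        printf '%s\n' "$have" | grep -qxF "$ns" \
            || { echo "MISSING: no DNAT rule for $ns"; status=1; }
    done
    for tgt in $have; do
        printf '%s\n' "$want" | grep -qxF "$tgt" \
            || { echo "STALE: DNAT to $tgt, which is not in resolv.conf"; status=1; }
    done
    return $status
}

# Constructed sample inputs (not captured from a real system).
VPN_RESOLV='nameserver 209.222.18.222
nameserver 209.222.18.218'

# What the chain looks like after qubes-setup-dnat-to-ns ran on that file.
RULES_OK='-A PR-QBS -d 10.137.2.1/32 -p udp -m udp --dport 53 -j DNAT --to-destination 209.222.18.222:53
-A PR-QBS -d 10.137.2.1/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 209.222.18.222:53
-A PR-QBS -d 10.137.2.254/32 -p udp -m udp --dport 53 -j DNAT --to-destination 209.222.18.218:53
-A PR-QBS -d 10.137.2.254/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 209.222.18.218:53'

# resolv.conf was rewritten but the script was never re-run: port 53 is still
# redirected to the upstream (netvm-provided) resolver, which is the leak.
RULES_STALE='-A PR-QBS -d 10.137.2.1/32 -p udp -m udp --dport 53 -j DNAT --to-destination 10.137.1.1:53
-A PR-QBS -d 10.137.2.1/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 10.137.1.1:53'

echo "== after qubes-setup-dnat-to-ns"
check_dns_dnat "$VPN_RESOLV" "$RULES_OK" && echo "OK: DNS is pinned to the VPN resolvers"
echo "== resolv.conf edited, DNAT not refreshed"
check_dns_dnat "$VPN_RESOLV" "$RULES_STALE" || echo "LEAK: run /usr/lib/qubes/qubes-setup-dnat-to-ns"
```

The second sample is the situation Todd started the thread with: the file looks right, but every query from the appVMs is still redirected to the old resolver until the DNAT rules are regenerated. Running the check from the VPN up/down hook, after qubes-setup-dnat-to-ns, gives a positive confirmation instead of relying on a web leak test.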

Rainier Wolfcastle

Jun 8, 2014, 3:54:18 AM
to qubes...@googlegroups.com
When I first set up my OpenVPN VM, I had the same problem you did with DNS leaks. Debian's openvpn package handles this problem by providing an up/down script (update-resolv-conf) that parses the OpenVPN output to find if any DNS servers have been pushed to the client. If the DNS needs to be updated, the new servers are appended to the existing /etc/resolv.conf. On Debian, the script uses resolvconf, but it is not available in Fedora, so when I connect to a VPN server the script backs up the original resolv.conf, manually creates a resolv.conf with only the DNS values of the VPN, and calls qubes-setup-dnat-to-ns to update the iptables rules. On disconnection, I then restore the original resolv.conf and call qubes-setup-dnat-to-ns again to reset the iptables rules.

The script (update-resolv-conf) I use to do this is:

#!/bin/bash
#
# Parses DHCP options from openvpn to update resolv.conf
# To use set as 'up' and 'down' script in your openvpn *.conf:
# up /rw/config/openvpn/update-resolv-conf
# down /rw/config/openvpn/update-resolv-conf
#
# Used snippets of resolvconf script by Thomas Hood and Chris Hanson.
# Licensed under the GNU GPL.  See /usr/share/common-licenses/GPL.
#
# Example envs set from openvpn:
#
#     foreign_option_1='dhcp-option DNS 193.43.27.132'
#     foreign_option_2='dhcp-option DNS 193.43.27.133'
#     foreign_option_3='dhcp-option DOMAIN be.bnc.ch'
#

[ "$script_type" ] || exit 0
[ "$dev" ] || exit 0

split_into_parts()
{
    part1="$1"
    part2="$2"
    part3="$3"
}

## OpenVPN "up" and "down" conditions
case "$script_type" in
  up)
    ## 1. Backup original resolv.conf
    cp /etc/resolv.conf /rw/config/openvpn/resolv.conf.bak

    ## 2. Create new /etc/resolv.conf from openvpn options
    NMSRVRS=""
    SRCHS=""
    for optionvarname in ${!foreign_option_*} ; do
        option="${!optionvarname}"
        echo "$option"   # echoed into the openvpn log for troubleshooting
        split_into_parts $option
        if [ "$part1" = "dhcp-option" ] ; then
            if [ "$part2" = "DNS" ] ; then
                NMSRVRS="${NMSRVRS:+$NMSRVRS }$part3"
            elif [ "$part2" = "DOMAIN" ] ; then
                SRCHS="${SRCHS:+$SRCHS }$part3"
            fi
        fi
    done
    ## write one directive per line (a single "search" line, then one
    ## "nameserver" line per pushed DNS server)
    {
        [ "$SRCHS" ] && echo "search $SRCHS"
        for NS in $NMSRVRS ; do
            echo "nameserver $NS"
        done
    } > /etc/resolv.conf

    ## 3. Update qubes DNAT rules
    /usr/lib/qubes/qubes-setup-dnat-to-ns
    ;;
  down)
    ## Remove OpenVPN DNS settings: restore the pre-VPN resolv.conf, point
    ## the Qubes DNAT rules back at it, then drop the backup file
    cp /rw/config/openvpn/resolv.conf.bak /etc/resolv.conf
    /usr/lib/qubes/qubes-setup-dnat-to-ns
    rm /rw/config/openvpn/resolv.conf.bak
    ;;
esac