Prevent DNS Leak with OpenVPN on Linux

Deepjyoti Barman @deepjyoti30
May 30, 2021 7:29 AM UTC

After I set up OpenVPN with SurfShark, which I wrote about in this article, I actually faced an issue. I would not have known it was an issue had I not checked the comments on the SurfShark AUR package. Since that package probably uses OpenVPN under the hood, it was quite possible that my setup was also affected.

What I am talking about is the DNS leak issue, which can be tested with a site like dnsleaktest or SurfShark's DNS leak test.

NOTE: SurfShark's DNS leak test may report a leak if the VPN you are using is not theirs.

What is it?

Before we dive into what a DNS leak is, let's understand what DNS is. You can skip to the next section if you already know what it is and how it works!

What is DNS

DNS, in layman's terms, finds out the IP address of the domain you're visiting.

Whenever we visit a website, we type a domain name into the browser. That name has to be mapped to the IP address of the server that serves the content, and DNS is the system that performs this lookup.

A name cannot be resolved out of thin air, though. The computer needs a nameserver (think of it as a service that maps domain names to IP addresses) to send its queries to.

That nameserver is itself reached by IP address, so we configure the computer with the address of the nameserver it should ask; on Linux this is the nameserver line in /etc/resolv.conf.

There are many public nameservers: Google's is 8.8.8.8 and Cloudflare's is 1.1.1.1. Most ISPs, however, hand out their own DNS servers via DHCP, which among other things lets them block or redirect lookups for region-locked content.

What is a DNS Leak

A DNS leak happens when we use a VPN but do not change the nameserver that resolves our requests. Even though the traffic itself goes through the tunnel, every DNS query still goes to the ISP's nameserver, which means the ISP can log each and every domain we visit.

Since the VPN is connected, all our queries should, in theory, be resolved by the VPN provider's nameserver inside the tunnel and appear to come from the provider's IP in the chosen region. When that does not happen, for the reason above, it is called a DNS leak.

Why is the OpenVPN Leak happening

When we connect to a VPN, the client is also expected to switch the system's DNS nameserver. OpenVPN on Linux does not do that by itself: the server pushes nameservers with dhcp-option DNS, but the client only exposes them to up/down scripts as foreign_option_N environment variables and never applies them to the system resolver. This is why we get a DNS leak when we connect with plain OpenVPN.

How to fix OpenVPN Leak

There is a neat tool that does what OpenVPN should do on its own. It is available on GitHub by the name openvpn-update-systemd-resolved and, as the name says, it requires systemd-resolved to be running and managing /etc/resolv.conf.

It is pretty simple to set up. We just need to install it by one of the ways documented in its README. On Arch Linux, we can install it directly from the AUR with the following command:

yay -S openvpn-update-systemd-resolved

Once it's installed, the update-systemd-resolved script will be in a directory that depends on the installation method.

We just need to add the following lines to the vpn.conf file that I mentioned in my last post.

script-security 2
up /usr/bin/update-systemd-resolved
up-restart
down /usr/bin/update-systemd-resolved
down-pre

Note that the paths above should be changed based on where the script was installed. The example above is for the AUR package.

The above tells OpenVPN to run update-systemd-resolved when the tunnel comes up (up-restart also runs it after a reconnect) and when the tunnel goes down (down-pre runs it before the tun interface is removed, while the link it configured still exists). script-security 2 is needed before OpenVPN will execute any external script.

update-systemd-resolved is a single script that OpenVPN calls in both phases; it checks the script_type environment variable to tell them apart. When the VPN connects, it takes the nameservers the server pushed (the dhcp-option DNS values, which OpenVPN exposes as foreign_option_N variables) and registers them with systemd-resolved for the tun interface over D-Bus, rather than editing /etc/resolv.conf. So /etc/resolv.conf must already point at systemd-resolved's stub resolver for this to have any effect.

When the VPN goes down, it reverts that per-link configuration, so the ISP-provided nameserver is used again once the tunnel is gone.

One caveat worth checking: systemd-resolved only routes every lookup through the tunnel when the tun link carries the ~. routing domain, which the script sets when the server pushes dhcp-option DOMAIN-ROUTE . (the README documents this option). If your provider doesn't push it, lookups for ordinary names may still be sent to the DNS servers of your other links and the leak can persist; adding dhcp-option DOMAIN-ROUTE . to vpn.conf yourself fixes that.

It is a very convenient tool. Consider starring it on GitHub to show the author some love, since they don't provide any other way of supporting them.

Don't forget to restart the openvpn service after updating the config.
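To make concrete what the two sections above describe, here is a minimal up/down script I have added for illustration. It is not the openvpn-update-systemd-resolved script (which talks to systemd-resolved over D-Bus) but a simplified stand-in that shells out to the resolvectl command line. It assumes OpenVPN's documented behaviour of exporting pushed dhcp-option values as foreign_option_N environment variables along with dev and script_type, and that systemd-resolved is running. The SAMPLE_ENV dictionary is a constructed example of such an environment, not a captured one.

```python
"""Minimal OpenVPN up/down script that applies pushed DNS settings via resolvectl.

Added illustration, not the openvpn-update-systemd-resolved script itself.
OpenVPN hands pushed `dhcp-option` values to up/down scripts as environment
variables foreign_option_1, foreign_option_2, ... together with `dev` (the
tun interface) and `script_type` ("up" or "down"). This script turns them
into `resolvectl` commands for the tunnel link and reverts the link on "down".
"""
import ipaddress
import os
import re
import subprocess
import sys

_FOREIGN = re.compile(r"^foreign_option_(\d+)$")

# Constructed sample of what OpenVPN exports after a server push (not captured data).
SAMPLE_ENV = {
    "dev": "tun0",
    "script_type": "up",
    "foreign_option_1": "dhcp-option DNS 10.8.0.1",
    "foreign_option_2": "dhcp-option DNS 10.8.0.2",
    "foreign_option_3": "dhcp-option DOMAIN-ROUTE .",
    "foreign_option_4": "dhcp-option DOMAIN corp.example",
    "foreign_option_5": "dhcp-option DNS not-an-address",
}


def parse_foreign_options(env):
    """Collect DNS servers, search domains and routing domains from the environment."""
    opts = {"dns": [], "domains": [], "routes": []}
    indexed = []
    for key in env:
        match = _FOREIGN.match(key)
        if match:
            indexed.append((int(match.group(1)), key))
    # Sort numerically so foreign_option_10 is processed after foreign_option_9.
    for _, key in sorted(indexed):
        parts = env[key].split()
        if len(parts) != 3 or parts[0] != "dhcp-option":
            continue  # some other pushed directive; not our concern here
        kind, value = parts[1].upper(), parts[2]
        if kind == "DNS":
            try:
                ipaddress.ip_address(value)  # drop malformed addresses
            except ValueError:
                continue
            opts["dns"].append(value)
        elif kind in ("DOMAIN", "DOMAIN-SEARCH"):
            opts["domains"].append(value)
        elif kind == "DOMAIN-ROUTE":
            # "." means every name; systemd-resolved spells routing-only domains "~x".
            opts["routes"].append("~." if value == "." else "~" + value.lstrip("~"))
    return opts


def build_commands(dev, opts, script_type):
    """Return the resolvectl argv lists to run for this phase (empty if nothing to do)."""
    if script_type == "down":
        # Undo the per-link DNS config; the system falls back to its normal resolvers.
        return [["resolvectl", "revert", dev]]
    if script_type != "up" or not opts["dns"]:
        # Nothing pushed: applying nothing would leave lookups on the ISP resolver.
        return []
    cmds = [["resolvectl", "dns", dev, *opts["dns"]]]
    domains = opts["domains"] + opts["routes"]
    if domains:
        cmds.append(["resolvectl", "domain", dev, *domains])
    return cmds


def demo_commands(env=SAMPLE_ENV):
    """Commands this script would run for the given (sample) environment."""
    return build_commands(env["dev"], parse_foreign_options(env), env["script_type"])


def main():
    dev = os.environ.get("dev")
    script_type = os.environ.get("script_type", "")
    if not dev:
        sys.exit("dev not set; run this as an OpenVPN up/down script")
    cmds = build_commands(dev, parse_foreign_options(os.environ), script_type)
    if script_type == "up" and not cmds:
        print("warning: server pushed no DNS servers; DNS will still leak", file=sys.stderr)
    for argv in cmds:
        subprocess.run(argv, check=True)


if __name__ == "__main__":
    main()
```

Used as an up/down script (with script-security 2, up-restart and down-pre as in the config above), the "up" phase for the sample push would run resolvectl dns tun0 10.8.0.1 10.8.0.2 followed by resolvectl domain tun0 corp.example ~., and the "down" phase would run resolvectl revert tun0. The malformed fifth option is silently dropped, and a push with no DNS servers at all is reported rather than quietly leaving the ISP resolver in place.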

Conclusion

After updating the config with the above package, go back to the DNS leak test sites and check again; the leak should be gone. Locally, resolvectl status tun0 should now list the VPN's DNS servers for the tunnel link. Cheers! Enjoy your VPN with your DNS lookups going through the provider's nameservers instead of your ISP's.
