Last updated: November 23, 2017.
I've used OpenVPN for many years, and DNS leaks have been a persistent issue across OpenVPN versions and operating systems, which I've resolved using various methods in each case.
I recently upgraded to Ubuntu 17.10, and I again experienced DNS leaks.
This guide details the process I underwent to prevent such leaks, and is compatible with Ubuntu 16.04, 17.04, 17.10, and similar distributions.
1. Install update-systemd-resolved by jonathanio.
update-systemd-resolved is a helper script that directly updates the system's DNS settings on connection to an OpenVPN server, and resets them on disconnection.
Installation instructions are detailed here, but, for simplicity, I will repeat exactly what I did.
Note that I have forked this repository and added kill switch functionality using UFW. If you're interested in a kill switch, you can use my fork instead.
Clone the repository, and compile.
sudo apt update
sudo apt install git make openvpn
git clone https://github.com/jonathanio/update-systemd-resolved.git
cd update-systemd-resolved
sudo make
The make target installs the helper script under /etc/openvpn/scripts, which is the path the configuration lines in step 2 reference.
Ensure that systemd-resolved is enabled and running.
sudo systemctl enable systemd-resolved.service
sudo systemctl start systemd-resolved.service
Now, update /etc/nsswitch.conf.
sudo nano /etc/nsswitch.conf
Find the line starting with hosts: and alter it as below.
hosts: files resolve dns myhostname
2. Alter your OpenVPN configuration file(s).
An OpenVPN configuration file usually uses the .ovpn file extension, and is used to connect to a specific server.
Locate it, and open it in a text editor.
Add the following lines.
dhcp-option DNSSEC allow-downgrade
dhcp-option DOMAIN-ROUTE .
script-security 2
setenv PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
up /etc/openvpn/scripts/update-systemd-resolved
down /etc/openvpn/scripts/update-systemd-resolved
down-pre
dhcp-option DNSSEC allow-downgrade will enable DNSSEC if the server supports it. If you know your server supports DNSSEC (and you don't want to allow downgrades), you can change
dhcp-option DOMAIN-ROUTE . will route all DNS requests through the OpenVPN-specified DNS server.
All other lines are required for running the script.
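Before connecting, it is worth checking both edits made so far: the hosts: line from step 1 (the order of resolve and dns matters, because with dns first glibc answers from /etc/resolv.conf and never consults systemd-resolved) and the directives from step 2. The script below is an added example, not part of this guide or of update-systemd-resolved; it runs against constructed sample files (vpn.example.invalid is a placeholder) and the same two functions can then be pointed at /etc/nsswitch.conf and your real .ovpn.

```shell
#!/usr/bin/env bash
# Preflight check for the two edits above: the hosts: line in
# /etc/nsswitch.conf and the directives added to the .ovpn file.
# Added example, not part of the original guide or of update-systemd-resolved.
# Both checks take a file path, so after trying the constructed samples you
# can point them at /etc/nsswitch.conf and your real .ovpn.

# Print the 1-based field index of TOKEN in the line read from stdin
# (blank-separated, so tabs and spaces both work); prints nothing if absent.
field_index() {
    awk -v tok="$1" '{ for (i = 1; i <= NF; i++) if ($i == tok) { print i; exit } }'
}

# Succeed when the hosts: line lists "resolve" and lists it before "dns".
# Order matters: with "dns" first, glibc answers straight from /etc/resolv.conf
# and never consults systemd-resolved, so the VPN's per-link DNS is bypassed.
check_nsswitch_hosts() {
    local file="$1" line pos_resolve pos_dns
    line=$(grep -E '^hosts:' "$file" | head -n 1)
    pos_resolve=$(printf '%s\n' "$line" | field_index resolve)
    pos_dns=$(printf '%s\n' "$line" | field_index dns)
    if [ -z "$pos_resolve" ]; then
        echo "$file: hosts: line has no 'resolve' entry"
        return 1
    fi
    if [ -n "$pos_dns" ] && [ "$pos_dns" -lt "$pos_resolve" ]; then
        echo "$file: 'dns' precedes 'resolve'; systemd-resolved would be bypassed"
        return 1
    fi
    return 0
}

# Succeed when every directive the helper script relies on is present.
# Any "dhcp-option DNSSEC <mode>" value is accepted; CRLF endings are tolerated.
check_ovpn_directives() {
    local file="$1" missing=0 pat
    for pat in \
        '^dhcp-option DNSSEC ' \
        '^dhcp-option DOMAIN-ROUTE \.$' \
        '^script-security 2$' \
        '^setenv PATH ' \
        '^up /etc/openvpn/scripts/update-systemd-resolved$' \
        '^down /etc/openvpn/scripts/update-systemd-resolved$' \
        '^down-pre$'
    do
        if ! tr -d '\r' < "$file" | grep -qE "$pat"; then
            echo "$file: no line matching /$pat/"
            missing=1
        fi
    done
    return "$missing"
}

# Constructed sample files (not real system files) written into DIR.
write_sample_files() {
    local dir="$1"
    printf 'hosts:\tfiles resolve dns myhostname\n' > "$dir/nsswitch.good"
    printf 'hosts: files dns resolve\n' > "$dir/nsswitch.wrong-order"
    printf 'hosts: files mdns4_minimal dns\n' > "$dir/nsswitch.no-resolve"
    cat > "$dir/good.ovpn" <<'EOF'
client
dev tun
remote vpn.example.invalid 1194
dhcp-option DNSSEC allow-downgrade
dhcp-option DOMAIN-ROUTE .
script-security 2
setenv PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
up /etc/openvpn/scripts/update-systemd-resolved
down /etc/openvpn/scripts/update-systemd-resolved
down-pre
EOF
    printf 'client\ndev tun\nremote vpn.example.invalid 1194\n' > "$dir/bare.ovpn"
}

# Demo run over the constructed samples.
tmp=$(mktemp -d)
write_sample_files "$tmp"
for f in nsswitch.good nsswitch.wrong-order nsswitch.no-resolve; do
    check_nsswitch_hosts "$tmp/$f" && echo "$f: ok"
done
for f in good.ovpn bare.ovpn; do
    check_ovpn_directives "$tmp/$f" && echo "$f: ok"
done
rm -rf "$tmp"
```

Only nsswitch.good and good.ovpn pass; the wrong-order sample is the one worth remembering, since it looks configured but still sends every query to the resolv.conf servers.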
3. Connect using the terminal.
Do not connect to OpenVPN using the Network Manager (network-manager-openvpn-gnome). This will guarantee DNS leaks.
Instead run OpenVPN from the command line.
sudo openvpn --config example.ovpn
Press Ctrl+C (^C) to disconnect.
If you're concerned about not being notified of disconnects, I advise you to use my fork of update-systemd-resolved that implements a simple UFW killswitch.
You should no longer be experiencing DNS leaks! Test here.
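An online leak test shows the effect from outside; the check below shows the cause from inside. It is an added example, not from this guide or from update-systemd-resolved: it parses the per-link report that systemd-resolve --status prints on Ubuntu 17.10 (the exact layout is assumed from the constructed samples; the interface name tun0 and the addresses are placeholders) and confirms that the tunnel link is the only link carrying the catch-all routing domain ~. that dhcp-option DOMAIN-ROUTE . installs. If another link also owns ~., or nobody does, queries can still reach the ISP resolver.

```shell
#!/usr/bin/env bash
# Post-connection DNS-route check. Added example; not from the original guide
# or from update-systemd-resolved. It parses the per-link report that
# `systemd-resolve --status` prints on Ubuntu 17.10 (the exact layout is
# assumed from the constructed samples below) and verifies that the tunnel
# link is the only link carrying the catch-all routing domain "~.", which is
# what "dhcp-option DOMAIN-ROUTE ." installs.
#
# Live use:   systemd-resolve --status | vpn_link_owns_dns tun0
#             systemd-resolve --status | links_with_catchall_route

# Print every link whose "DNS Domain:" field contains "~.", one per line.
# State is tracked so continuation lines of a multi-domain field are seen too.
links_with_catchall_route() {
    awk '
        /^Link [0-9]+ \(/         { link = $3; gsub(/[()]/, "", link); indom = 0; next }
        /^Global/                 { link = ""; indom = 0; next }
        /^ *[A-Za-z][A-Za-z ]*: / { indom = ($0 ~ /DNS Domain:/) }
        indom && link != "" {
            for (i = 1; i <= NF; i++) if ($i == "~.") print link
        }
    '
}

# Succeed only when LINK is the single owner of "~." and has a DNS server.
# A second link that also claims "~." still receives queries, which is the
# leak this guide closes; no owner at all means DOMAIN-ROUTE did not apply.
vpn_link_owns_dns() {
    local link="$1" status owners
    status=$(cat)
    owners=$(printf '%s\n' "$status" | links_with_catchall_route | sort -u)
    if [ "$owners" != "$link" ]; then
        echo "catch-all DNS route owned by: ${owners:-nobody} (expected only $link)"
        return 1
    fi
    printf '%s\n' "$status" | awk -v link="$link" '
        /^Link [0-9]+ \(/ { inlink = ($3 == ("(" link ")")) }
        inlink && /DNS Servers:/ && NF > 2 { found = 1 }
        END { exit (found ? 0 : 1) }
    ' || { echo "$link has no DNS server"; return 1; }
    echo "$link owns the catch-all DNS route and has a DNS server"
}

# Constructed samples in the systemd-resolve --status layout (placeholder
# interface names and addresses). Healthy: only tun0 carries "~."; the Wi-Fi
# link keeps its DHCP servers but only for its own search domain.
SAMPLE_OK='Global
      DNSSEC setting: allow-downgrade

Link 4 (tun0)
      Current Scopes: DNS
      DNSSEC setting: allow-downgrade
         DNS Servers: 10.8.0.1
          DNS Domain: ~.

Link 2 (wlp2s0)
      Current Scopes: DNS
      DNSSEC setting: allow-downgrade
         DNS Servers: 192.168.1.1
          DNS Domain: lan'

# Leaky: the Wi-Fi link also claims "~." (here on a continuation line of its
# DNS Domain field), so queries can still go to the ISP resolver.
SAMPLE_LEAK="${SAMPLE_OK}
                      ~."

# No route: tun0 came up without DOMAIN-ROUTE, so nobody owns "~.".
SAMPLE_NO_ROUTE=$(printf '%s\n' "$SAMPLE_OK" | grep -v '~\.')

# Demo run over the three samples; only the first should pass.
printf 'SAMPLE_OK: ';       printf '%s\n' "$SAMPLE_OK"       | vpn_link_owns_dns tun0 || true
printf 'SAMPLE_LEAK: ';     printf '%s\n' "$SAMPLE_LEAK"     | vpn_link_owns_dns tun0 || true
printf 'SAMPLE_NO_ROUTE: '; printf '%s\n' "$SAMPLE_NO_ROUTE" | vpn_link_owns_dns tun0 || true
```

On later systemd releases the same report comes from resolvectl status, and the functions accept it on stdin the same way.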
Note: This guide prevents DNS leaks only. WebRTC and IPv6 leaks are not DNS leaks, and they require separate solutions. I've developed a Chromium extension to prevent WebRTC leaks (alternatively, uBlock Origin can be configured to do this in both Chromium and Firefox). IPv6 leaks can be avoided by tunneling IPv6 through OpenVPN, or disabling IPv6 client-side.