Preventing DNS leaks with OpenVPN in Ubuntu 17.10.


Last updated: November 23, 2017.

I've used OpenVPN for many years, and DNS leaks have been a persistent issue across OpenVPN versions and operating systems, one that I've had to resolve with a different method in each case.

I recently upgraded to Ubuntu 17.10, and I again experienced DNS leaks.

This guide details the process I underwent to prevent such leaks, and is compatible with Ubuntu 16.04, 17.04, 17.10, and similar distributions.



1. Install update-systemd-resolved by jonathanio.

update-systemd-resolved is a helper script that directly updates the system's DNS settings on connection to an OpenVPN server, and resets them on disconnection.

Installation instructions are detailed here, but, for simplicity, I will repeat exactly what I did.

Note that I have forked this repository and added kill switch functionality using UFW. If you're interested in a kill switch, you can use my fork instead.

Clone the repository, and compile.

sudo apt update

sudo apt install git make openvpn

git clone https://github.com/jonathanio/update-systemd-resolved.git

cd update-systemd-resolved

sudo make

Ensure that systemd-resolved is enabled and running.

sudo systemctl enable systemd-resolved.service

sudo systemctl start systemd-resolved.service

Now, update /etc/nsswitch.conf.

sudo nano /etc/nsswitch.conf

Find the line starting with hosts:, and alter it as below.

hosts: files resolve dns myhostname


2. Alter your OpenVPN configuration file(s).

An OpenVPN configuration file usually uses the .ovpn file extension, and is used to connect to a specific server.

Locate it, and open it in a text editor.

nano example.ovpn

Add the following lines.

dhcp-option DNSSEC allow-downgrade
dhcp-option DOMAIN-ROUTE .

script-security 2
setenv PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
up /etc/openvpn/scripts/update-systemd-resolved
down /etc/openvpn/scripts/update-systemd-resolved
down-pre

dhcp-option DNSSEC allow-downgrade will enable DNSSEC if the server supports it. If you know your server supports DNSSEC (and you don't want to allow downgrades), you can change allow-downgrade to yes.

dhcp-option DOMAIN-ROUTE . will route all DNS requests through the OpenVPN-specified DNS server.

All other lines are required for running the script.
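A pre-flight check for steps 1 and 2, written here as an added example (it is not part of the original post or of update-systemd-resolved). It assumes the script paths used above and builds its own constructed sample files, so it runs without a VPN connection:

```sh
#!/bin/sh
# Added check, not the guide's own code: confirms an .ovpn file carries the
# step 2 directives uncommented, and that the nsswitch.conf hosts: line from
# step 1 consults "resolve" (systemd-resolved) before plain "dns".

# Return 0 when every required directive appears on an uncommented line.
check_ovpn() {
    cfg="$1"; missing=0
    for directive in 'dhcp-option DNSSEC' 'dhcp-option DOMAIN-ROUTE .' \
        'script-security 2' 'setenv PATH ' \
        'up /etc/openvpn/scripts/update-systemd-resolved' \
        'down /etc/openvpn/scripts/update-systemd-resolved' 'down-pre'
    do
        # Drop comment lines first so a commented-out hook does not pass.
        if ! grep -v '^[#;]' "$cfg" | grep -qF -- "$directive"; then
            echo "$cfg: missing '$directive'" >&2; missing=1
        fi
    done
    return $missing
}

# Return 0 when the hosts: line lists resolve before dns, as in step 1.
check_nsswitch() {
    hosts_line=$(grep '^hosts:' "$1" | head -n 1)
    case "$hosts_line" in
        *resolve*dns*) return 0 ;;
        *) echo "$1: resolve must precede dns, got '$hosts_line'" >&2; return 1 ;;
    esac
}

# Constructed sample inputs (not real files) for the demo below.
write_samples() {
    cat > "$1/good.ovpn" <<'EOF'
dhcp-option DNSSEC allow-downgrade
dhcp-option DOMAIN-ROUTE .
script-security 2
setenv PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
up /etc/openvpn/scripts/update-systemd-resolved
down /etc/openvpn/scripts/update-systemd-resolved
down-pre
EOF
    # Same config with the up/down hooks commented out: DNS would still leak.
    sed -e 's/^up /#up /' -e 's/^down/#down/' "$1/good.ovpn" > "$1/bad.ovpn"
    printf 'hosts: files resolve dns myhostname\n' > "$1/nsswitch.good"
    printf 'hosts: files dns myhostname\n' > "$1/nsswitch.bad"
}

tmp=$(mktemp -d); write_samples "$tmp"
for f in good bad; do check_ovpn "$tmp/$f.ovpn" && echo "$f.ovpn: ok"; done
for f in good bad; do check_nsswitch "$tmp/nsswitch.$f" && echo "nsswitch.$f: ok"; done
rm -rf "$tmp"
```

Run it against your real files with check_ovpn example.ovpn and check_nsswitch /etc/nsswitch.conf once the functions are sourced.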


3. Connect using the terminal.

Do not connect to OpenVPN using the Network Manager (network-manager-openvpn-gnome). This will guarantee DNS leaks.

Instead run OpenVPN from the command line.

sudo openvpn --config example.ovpn

Use Ctrl-C (^C) to disconnect.

If you're concerned about not being notified of disconnects, I advise you to use my fork of update-systemd-resolved, which implements a simple UFW kill switch.

You should no longer be experiencing DNS leaks! Test here.

Note: This guide prevents DNS leaks only. WebRTC and IPv6 leaks are not DNS leaks, and they require separate solutions. I've developed a Chromium extension to prevent WebRTC leaks (alternatively, uBlock Origin can be configured to do this in both Chromium and Firefox). IPv6 leaks can be avoided by tunneling IPv6 through OpenVPN, or disabling IPv6 client-side.


