TunSafe Forum

Welcome to the TunSafe Community Forum. This is open for discussions related to TunSafe and the WireGuard protocol.


#1 2018-11-16 18:03:12

wg91
Member
Registered: 2018-11-09
Posts: 9

DNS Leaks

I successfully installed TunSafe on my Manjaro Linux machine and was able to connect through a .conf file generated on the Tunsafe website. www.ipleak.net shows my IP address is now changed to the Tunsafe server but I am leaking DNS, which shows my internet service provider's DNS address.

Is there a way to prevent DNS leaks on Linux?

Thanks


#2 2018-11-16 18:36:15

Rainmaker
Member
Registered: 2018-08-05
Posts: 22

Re: DNS Leaks

Technically speaking, unlike Windows, Linux doesn't leak. It does what you tell it. What dns resolver are you using? In Manjaro I imagine it's systemd-resolved? Try installing openresolv/resolvconf:

sudo pacman -S resolvconf

Ensure your .conf file contains DNS for IPv4 and IPv6 if applicable. Then restart the tunnel and check DNS again. If it comes to it, you may need to disable systemd-resolved (sudo systemctl disable --now systemd-resolved) and either run another dns resolver or manually set up /etc/resolv.conf and make it immutable (sudo chattr +i /etc/resolv.conf).


#3 2018-11-16 21:56:00

wg91
Member
Registered: 2018-11-09
Posts: 9

Re: DNS Leaks

It looks like openresolv is already installed. I have tried AzireVPN and MullvadVPN wireguard configurations and neither is leaking DNS.
I just connect and it routes through their DNS instead of my ISP.

Perhaps the issue is with my .conf file as you suggest?  Here is what I'm using with the keys not shown:

[Interface]
PrivateKey =
Address = 10.222.138.69/8
DNS = 8.8.8.8

[Peer]
PublicKey =
Endpoint = us-nyc1-v2.tunsafe.com:51840
AllowedIPs = 0.0.0.0/0

I'm not sure how to run another dns resolver or how to manually set up resolv so I'm hoping there is a simpler solution.

Thanks


#4 2018-11-16 23:43:50

Rainmaker
Member
Registered: 2018-08-05
Posts: 22

Re: DNS Leaks

When you connect to the (leaking) TunSafe profile, please post the output of:

sudo resolvectl status

and

sudo journalctl -u systemd-resolved -f


#5 2018-11-17 16:17:27

wg91
Member
Registered: 2018-11-09
Posts: 9

Re: DNS Leaks

Here is the output with some additional information as well:

Loading file: TunSafe-us-ny.conf
Resolved us-nyc1-v2.tunsafe.com to 38.132.98.5
Run: /sbin/ip address add dev tun0 10.195.54.182/8
Run: /sbin/ip link set dev tun0 mtu 1420 up
Run: /sbin/ip route add 10.0.0.0/8 dev tun0
RTNETLINK answers: File exists
Command failed 512!
Run: /sbin/ip route add 38.132.98.5/32 via 192.168.1.1
Run: /sbin/ip route add 0.0.0.0/1 dev tun0
Run: /sbin/ip route add 128.0.0.0/1 dev tun0
Sending handshake...
Switching to daemon mode...

sudo tunsafe show
interface: tun0
  public key: Sazf9oDOgSiV7bnixP2Ho47/xsqjPQpKFnjsPznYvQ8=
  private key: (hidden)
  address: 10.195.54.182/8

peer: PbFGMMys86sfj7sl0VG54DtjY0EjL30um2EIdGIuaDs=
  endpoint: 38.132.98.5:51840
  allowed ips: 0.0.0.0/0
  latest handshake: 28 seconds ago
  transfer: 31.68 KiB received, 60.07 KiB sent

sudo resolvectl status
Failed to get global data: Unit dbus-org.freedesktop.resolve1.service not found.

sudo journalctl -u systemd-resolved -f
-- Logs begin at Sun 2018-08-19 14:45:18 EDT. --

I also wanted to mention that I installed TunSafe from the Arch User Repository through the tunsafe-git package. Tunsafe fails to build manually on my machine, which I posted in the Github issues area.

Last edited by wg91 (2018-11-17 17:07:59)


#6 2018-11-17 17:55:50

Rainmaker
Member
Registered: 2018-08-05
Posts: 22

Re: DNS Leaks

OK you're not using systemd-resolved. What's the output of

sudo cat /etc/resolv.conf

please?

Being completely honest you'd save yourself a lot of hassle if you just did

sudo pacman -Rns tunsafe-git

followed by

sudo pacman -S linux-headers wireguard-tools

and used wg-quick instead. You can still connect to the TunSafe servers if you wish. It (the official wireguard-tools) has a DKMS kernel module so it will run much faster as it's not in userspace, and can also run across multiple cores - unlike the tunsafe binary, on both counts, for now. I know all too well how pressing the need can be to 'fix' something and get it working, but when a perfectly functional (and faster) alternative is better (again, for now) then...? Just a suggestion.


#7 2018-11-17 20:17:21

Rainmaker
Member
Registered: 2018-08-05
Posts: 22

Re: DNS Leaks

BTW, if you wish to stick with the tunsafe binary I noticed a glaring omission from your .conf file contents. It was the middle of the night here when I replied to that initially, so it didn't jump out at me then, sorry. Try adding

BlockDNS = true

to the end of the interface section after DNS = 8.8.8.8, and reconnecting. Then re-test for DNS leaks.

Last edited by Rainmaker (2018-11-17 20:18:05)


#8 2018-11-18 16:37:12

wg91
Member
Registered: 2018-11-09
Posts: 9

Re: DNS Leaks

I really like the idea of using wg-quick instead. I already have wireguard and the kernel modules installed, which is what I used for the other two VPN providers, and wg-quick up worked great.

I successfully connected with wg-quick up to a New York .conf but DNS is showing Google DNS servers which I don't want.

I tried adding BlockDNS = true to the config file and then used wg-quick up but now it won't connect with this error:

wg-quick up TunSafe-us-ny
[#] ip link add TunSafe-us-ny type wireguard
[#] wg setconf TunSafe-us-ny /dev/fd/63
Line unrecognized: `BlockDNS=true'
Configuration parsing error
[#] ip link delete dev TunSafe-us-ny

The config file has DNS set to 8.8.8.8, which is Google's DNS, so it looks like I just need to change that? I could change it to OpenDNS or use another setting that will use Tunsafe's DNS?

It looks like I'm very close to getting this working so perhaps there is another thing to change on the config file?

Thanks

Last edited by wg91 (2018-11-18 17:02:16)


#9 2018-11-18 17:44:35

wg91
Member
Registered: 2018-11-09
Posts: 9

Re: DNS Leaks

After doing some more reading on DNS, I now realize that even if I use something like OpenDNS, my ISP can still log my traffic so the DNS must be encrypted.

So I'm looking for a way to use a DNS that is encrypted in the VPN.


#10 2018-11-18 19:07:27

Rainmaker
Member
Registered: 2018-08-05
Posts: 22

Re: DNS Leaks

Sorry, yes BlockDNS won’t work with wg-quick on Linux. You were using the TunSafe originally. So what exactly is the issue you’re having? In the OP you said your ISP DNS was showing when connected through the VPN, which is definitely unwanted. If it’s only showing the DNS from the conf file that’s working perfectly. Your ISP can’t see anything in that case, as the DNS queries are sent down the encrypted tunnel.

The only time it’s an issue is if your WireGuard tunnel is up but you’re seeing undesirable DNS - like if your conf says 8.8.8.8 but you’re showing your ISP server for example. In that case you need to find out which resolver Manjaro uses and set it up properly. Personally I just run dnscrypt-proxy locally and set my conf files to DNS = 127.0.0.1, ::1 and everything is doubly encrypted whether on VPN or off.

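A small check for the criterion Rainmaker gives above (the tunnel's DNS is fine if the resolvers actually in use are exactly the ones in the profile's DNS= line, and it is a leak if anything else, such as the ISP's resolver, is still listed), plus a scan for keys wg-quick rejects, like the BlockDNS line from post #8. This is an added example, not code from TunSafe, wireguard-tools or anyone in the thread; the sample .conf and resolv.conf files are constructed in a temporary directory, and the accepted-key list is the documented wg-quick(8) and wg(8) keys.

```shell
#!/bin/sh
# Added example: compare the resolvers actually in use with the DNS= servers a
# wg-quick profile asked for, and list keys wg-quick will reject (e.g. BlockDNS).

# Print the servers from DNS= lines in the [Interface] section, one per line
# (handles comma-separated lists such as "DNS = 127.0.0.1, ::1").
wg_dns_servers() {
    awk -F= '
        /^\[/ { sect = $0 }
        sect == "[Interface]" && $1 ~ /^[[:space:]]*DNS[[:space:]]*$/ {
            n = split($2, s, ",")
            for (i = 1; i <= n; i++) { gsub(/[[:space:]]/, "", s[i]); if (s[i] != "") print s[i] }
        }' "$1"
}

# Print the nameserver entries of a resolv.conf-style file, one per line.
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Return 0 when every active nameserver is one the profile requested,
# 1 when any other resolver (typically the ISP's, via the LAN router) is still present.
dns_leak_check() {
    conf=$1; resolv=$2; leak=0
    for ns in $(resolv_nameservers "$resolv"); do
        if ! wg_dns_servers "$conf" | grep -qxF "$ns"; then
            echo "leak: resolver $ns is not in $conf" >&2
            leak=1
        fi
    done
    return $leak
}

# Print keys that neither wg-quick(8) nor wg(8) accept, such as TunSafe's BlockDNS.
wgquick_unsupported_keys() {
    awk -F= '/^[[:space:]]*[A-Za-z]+[[:space:]]*=/ {
        k = $1; gsub(/[[:space:]]/, "", k)
        if (k !~ /^(Address|DNS|MTU|Table|PreUp|PostUp|PreDown|PostDown|SaveConfig|FwMark|PrivateKey|ListenPort|PublicKey|PresharedKey|AllowedIPs|Endpoint|PersistentKeepalive)$/) print k
    }' "$1"
}

# Constructed sample inputs (keys omitted, as in the thread's posted .conf).
TMP=$(mktemp -d)
SAMPLE_CONF=$TMP/TunSafe-us-ny.conf
SAMPLE_RESOLV_OK=$TMP/resolv.ok      # only the profile's resolver in use
SAMPLE_RESOLV_LEAK=$TMP/resolv.leak  # the LAN router (ISP DNS) is still listed
printf '[Interface]\nPrivateKey =\nAddress = 10.222.138.69/8\nDNS = 8.8.8.8\nBlockDNS = true\n\n[Peer]\nPublicKey =\nEndpoint = us-nyc1-v2.tunsafe.com:51840\nAllowedIPs = 0.0.0.0/0\n' > "$SAMPLE_CONF"
printf 'nameserver 8.8.8.8\n' > "$SAMPLE_RESOLV_OK"
printf 'nameserver 8.8.8.8\nnameserver 192.168.1.1\n' > "$SAMPLE_RESOLV_LEAK"
```

On a live system, run dns_leak_check against the real profile and /etc/resolv.conf after wg-quick up; a non-zero exit names the stray resolver on stderr.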

#11 2018-11-19 14:44:29

wg91
Member
Registered: 2018-11-09
Posts: 9

Re: DNS Leaks

I am no longer seeing my ISP's DNS since switching to wg-quick up so my original issue is now fixed.

My concern with using Google's DNS is that they log information so I'm looking for a DNS that doesn't log or I could do what you suggest using dnscrypt-proxy.

I really appreciate all your help and time through this issue!

Thanks


#12 2018-11-19 16:35:48

Rainmaker
Member
Registered: 2018-08-05
Posts: 22

Re: DNS Leaks

If you want a no-log DNS then you can (as above) use dnscrypt-proxy and edit the dnscrypt-proxy.toml (config) file to

require_nolog = true

That way it will only pull DNS servers from the master list that promise no logging. Or you can check out the list yourself HERE. Quality CDN/anycast based servers include Quad9 (9.9.9.9) and Cloudflare (1.1.1.1/1.0.0.1). If you're in Europe then SecureDNS is also decent and runs from a Digital Ocean droplet in NL.

wg91 wrote:

I really appreciate all your help and time through this issue!

Thanks

No problems. I'm glad you got it fixed.

