Open Vai3soh opened 1 year ago
Please explain how you are testing this.
> Please explain how you are testing this.

Test sites: https://dnsleaktest.com/, https://dnsleak.com/
This was tested on several clients (different software):
DNS leak everywhere
Whether those lines are active depends on a number of factors like split DNS etc. It would be good if you could include logs and configuration to make the issue reproducible. For Connect v3 please use https://support.openvpn.net, as the Connect team does not want to participate in GitHub issues.

> Whether those lines are active depends on a number of factors like split DNS etc. It would be good if you could include logs and configuration to make the issue reproducible.

You don't reproduce this issue?
> For Connect v3 please use https://support.openvpn.net as the Connect team does not want to participate in GitHub issues.

I mean that this software uses the same lib, or does it have its own patches?
step by step,
use ovpncli.exe log:
```
ovpncli.exe -Q -j Japan_219.100.37.31_tcp.ovpn
CONNECTING...
Thread starting...
Wed Dec 28 05:53:03 2022 OpenVPN core 3.8_git:master win x86_64 64-bit OVPN-DCO
Wed Dec 28 05:53:03 2022 Frame=512/2112/512 mssfix-ctrl=1250
Wed Dec 28 05:53:03 2022 NOTE: This configuration contains options that were not used:
Wed Dec 28 05:53:03 2022 Unsupported option (ignored)
Wed Dec 28 05:53:03 2022 5 [resolv-retry] [infinite]
Wed Dec 28 05:53:03 2022 7 [persist-key]
Wed Dec 28 05:53:03 2022 8 [persist-tun]
Wed Dec 28 05:53:03 2022 EVENT: RESOLVE
Wed Dec 28 05:53:03 2022 Contacting 219.100.37.31:443 via TCPv4
Wed Dec 28 05:53:03 2022 EVENT: WAIT
NOT IMPLEMENTED: *** socket_protect 404 219.100.37.31
Wed Dec 28 05:53:03 2022 Connecting to [219.100.37.31]:443 (219.100.37.31) via TCPv4
Wed Dec 28 05:53:03 2022 EVENT: CONNECTING
Wed Dec 28 05:53:03 2022 Tunnel Options:V4,dev-type tun,link-mtu 1559,tun-mtu 1500,proto TCPv4_CLIENT,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client
Wed Dec 28 05:53:03 2022 Peer Info:
IV_VER=3.8_git:master
IV_PLAT=win
IV_NCP=2
IV_TCPNL=1
IV_PROTO=30
IV_MTU=1600
IV_CIPHERS=AES-128-CBC:AES-192-CBC:AES-256-CBC:AES-128-GCM:AES-192-GCM:AES-256-GCM:CHACHA20-POLY1305
IV_GUI_VER=cli 1.0
Wed Dec 28 05:53:03 2022 VERIFY OK: depth=2, /C=US/O=Internet Security Research Group/CN=ISRG Root X1, signature: RSA-SHA256
Wed Dec 28 05:53:03 2022 VERIFY OK: depth=1, /C=US/O=Let's Encrypt/CN=R3, signature: RSA-SHA256
Wed Dec 28 05:53:03 2022 VERIFY OK: depth=0, /CN=opengw.net, signature: RSA-SHA256
Wed Dec 28 05:53:03 2022 SSL Handshake: peer certificate: CN=opengw.net, 2048 bit RSA, cipher: TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
Wed Dec 28 05:53:03 2022 Session is ACTIVE
Wed Dec 28 05:53:03 2022 EVENT: GET_CONFIG
Wed Dec 28 05:53:03 2022 Sending PUSH_REQUEST to server...
Wed Dec 28 05:53:04 2022 Sending PUSH_REQUEST to server...
Wed Dec 28 05:53:06 2022 Sending PUSH_REQUEST to server...
Wed Dec 28 05:53:08 2022 OPTIONS:
0 [ping] [3]
1 [ping-restart] [10]
2 [ifconfig] [10.234.9.5] [10.234.9.6]
3 [dhcp-option] [DNS] [10.234.254.254]
4 [dhcp-option] [DNS] [8.8.8.8]
5 [route-gateway] [10.234.9.6]
6 [redirect-gateway] [def1]
Wed Dec 28 05:53:08 2022 PROTOCOL OPTIONS:
cipher: AES-128-CBC
digest: SHA1
key-derivation: OpenVPN PRF
compress: NONE
peer ID: -1
Wed Dec 28 05:53:08 2022 EVENT: ASSIGN_IP
Wed Dec 28 05:53:08 2022 CAPTURED OPTIONS:
Session Name: 219.100.37.31
Layer: OSI_LAYER_3
Remote Address: 219.100.37.31
Tunnel Addresses:
10.234.9.5/30 -> 10.234.9.6 [net30]
Reroute Gateway: IPv4=1 IPv6=0 flags=[ ENABLE REROUTE_GW DEF1 IPv4 ]
Block IPv4: no
Block IPv6: no
Add Routes:
Exclude Routes:
DNS Servers:
10.234.254.254
8.8.8.8
Search Domains:
Wed Dec 28 05:53:08 2022 GetBestGateway: selected gateway 192.168.122.1 on adapter 11 for destination 219.100.37.31
Wed Dec 28 05:53:08 2022 proxy_auto_config_url
Wed Dec 28 05:53:09 2022 TAP ADAPTERS:
guid='{B0057AA0-AD9A-458C-9459-15715AF9E2D9}' index=18 name='OpenVPN TAP-Windows6'
Open TAP device "OpenVPN TAP-Windows6" PATH="\\.\Global\{B0057AA0-AD9A-458C-9459-15715AF9E2D9}.tap" SUCCEEDED
TAP-Windows Driver Version 9.24
ActionDeleteAllRoutesOnInterface iface_index=18
netsh interface ip set interface 18 metric=1
Ok.
```
Does it make sense to post the log from Connect v3, or is that enough?
Using the old OpenVPN client with block-outside-dns works fine, no DNS leak.

> You don't reproduce this issue?

We get a lot of reports of all random things. So having a good way to reproduce the issue is an important step to look into a report/issue. Also I am not a Windows developer and just doing some initial triaging on this bug.
> I mean that this software uses the same lib, or does it have its own patches?

Use the support link to speak with the Connect team. As much as I don't like their stance of not using proper communication, I cannot change that.
You still have not mentioned how you are determining the existence or absence of DNS leaks.

> You still have not mentioned how you are determining the existence or absence of DNS leaks.

Go to https://bash.ws/dnsleak/, run "start test", and see the log:
You use 15 DNS servers:
xx.xx.xx.xx1 See this provider dns
162.158.117.72 Japan AS13335 CloudFlare Inc.
172.70.121.7 Japan AS13335 CloudFlare Inc.
172.70.121.34 Japan AS13335 CloudFlare Inc.
172.70.221.54 Japan AS13335 CloudFlare Inc.
172.253.6.194 Hong Kong AS15169 Google LLC
172.253.7.129 United States of America AS15169 Google LLC
172.253.7.132 United States of America AS15169 Google LLC
172.253.236.1 Japan AS15169 Google LLC
172.253.236.2 Japan AS15169 Google LLC
173.194.168.3 Japan AS15169 Google LLC
173.194.168.5 Japan AS15169 Google LLC
173.194.168.129 Japan AS15169 Google LLC
173.194.168.131 Japan AS15169 Google LLC
xx.xx.xx.xx2 See this provider dns
xx.xx.xx.xx is the IP address of the provider's DNS. There is a DNS leak; other sites work on the same principle.

> Use the support link to speak with the Connect team.

Does it make sense to write there (Connect team)? If there is a fix, will it be here?
Test on Win10, no DNS leak, with log:

```
NRPT::ActionCreate names=[.] dns_servers=[10.237.254.254,8.8.8.8]
ActionWFP openvpn_app_path=C:\ovpncli.exe tap_index=9 enable=1
permit IPv4 DNS requests from OpenVPN app
permit IPv6 DNS requests from OpenVPN app
block IPv4 DNS requests from other apps
block IPv6 DNS requests from other apps
allow IPv4 traffic from TAP
allow IPv6 traffic from TAP
ipconfig /flushdns
```
Can we disable "block IPv4 DNS requests from other apps" on Windows OpenVPN Connect? P.S. "Use the support link to speak with the Connect team" - what link?
Hello.
I tested on Windows 7. There is a DNS leak. In the code I see there is protection against this, but it does not work.
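
An added example, not part of the thread or of the OpenVPN 3 code: a Python check that scans a client log for the leak-protection lines seen in the Windows 10 log above (`NRPT::ActionCreate`, `ActionWFP ... enable=1`, `block ... DNS requests from other apps`) and reports when DNS servers were pushed but no block lines appear, as in the Windows 7 log. The two sample logs are constructed from lines quoted in the thread; the function name and verdict strings are hypothetical, and treating these markers as the complete set is an assumption.

```python
import re

# Marker strings are copied from the logs quoted in this thread. Treating them
# as the complete set of leak-protection markers is an assumption.
PUSHED_DNS = re.compile(r"\[dhcp-option\]\s+\[DNS\]\s+\[([^\]]+)\]")
REDIRECT_GW = re.compile(r"\[redirect-gateway\]")
NRPT = re.compile(r"NRPT::ActionCreate\b.*dns_servers=\[([^\]]*)\]")
WFP = re.compile(r"ActionWFP\b.*\benable=(\d)")
BLOCK = re.compile(r"block (IPv[46]) DNS requests from other apps")

# Constructed samples: excerpts of the Windows 7 and Windows 10 logs above.
WIN7_LOG = """\
3 [dhcp-option] [DNS] [10.234.254.254]
4 [dhcp-option] [DNS] [8.8.8.8]
6 [redirect-gateway] [def1]
ActionDeleteAllRoutesOnInterface iface_index=18
netsh interface ip set interface 18 metric=1
"""
WIN10_LOG = """\
NRPT::ActionCreate names=[.] dns_servers=[10.237.254.254,8.8.8.8]
ActionWFP openvpn_app_path=C:\\ovpncli.exe tap_index=9 enable=1
permit IPv4 DNS requests from OpenVPN app
block IPv4 DNS requests from other apps
block IPv6 DNS requests from other apps
"""


def leak_protection_report(log_text):
    """Summarise which DNS leak protections a client log shows being applied."""
    nrpt = NRPT.search(log_text)
    report = {
        "pushed_dns": PUSHED_DNS.findall(log_text),
        "redirect_gateway": bool(REDIRECT_GW.search(log_text)),
        "nrpt_dns": [s for s in nrpt.group(1).split(",") if s] if nrpt else [],
        "wfp_enabled": any(v == "1" for v in WFP.findall(log_text)),
        "blocked_families": sorted(set(BLOCK.findall(log_text))),
    }
    dns_configured = bool(report["pushed_dns"] or report["nrpt_dns"])
    blocked = report["wfp_enabled"] and report["blocked_families"] == ["IPv4", "IPv6"]
    if blocked:
        report["verdict"] = "blocked"      # log shows DNS from other apps blocked
    elif dns_configured:
        report["verdict"] = "not-shown"    # VPN DNS set, but no block lines logged
    else:
        report["verdict"] = "no-dns"       # no VPN DNS servers in this log
    return report


if __name__ == "__main__":
    for name, log in (("win7", WIN7_LOG), ("win10", WIN10_LOG)):
        print(name, leak_protection_report(log))
```

A `not-shown` verdict only says the log contains no block lines; an excerpt that stops before that point gives the same result, so run it over the full log.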