jotyGill / openpyn-nordvpn

Easily connect to and switch between OpenVPN servers hosted by NordVPN on Linux (+patch leaks)
GNU General Public License v3.0

DNS leaks on Fedora 29 #215

Closed hummelth closed 5 years ago

hummelth commented 5 years ago

I'm experiencing DNS leaks on my Fedora 29 machine. If I can provide anything else in order to solve this issue, let me know.

Here are the logs:

$ openpyn de
Mon Nov 12 22:30:52 2018 WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
Mon Nov 12 22:30:52 2018 OpenVPN 2.4.6 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Oct  6 2018
Mon Nov 12 22:30:52 2018 library versions: OpenSSL 1.1.1 FIPS  11 Sep 2018, LZO 2.08
Mon Nov 12 22:30:52 2018 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:7015
Mon Nov 12 22:30:52 2018 WARNING: --ping should normally be used with --ping-restart or --ping-exit
Mon Nov 12 22:30:52 2018 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Nov 12 22:30:52 2018 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Nov 12 22:30:52 2018 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Nov 12 22:30:52 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]185.216.33.18:1194
Mon Nov 12 22:30:52 2018 Socket Buffers: R=[212992->212992] S=[212992->212992]
Mon Nov 12 22:30:52 2018 UDP link local: (not bound)
Mon Nov 12 22:30:52 2018 UDP link remote: [AF_INET]185.216.33.18:1194
Mon Nov 12 22:30:52 2018 TLS: Initial packet from [AF_INET]185.216.33.18:1194, sid=90436fc7 f7612dc6
Mon Nov 12 22:30:52 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Nov 12 22:30:52 2018 VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
Mon Nov 12 22:30:52 2018 VERIFY OK: depth=1, C=PA, O=NordVPN, CN=NordVPN CA2
Mon Nov 12 22:30:52 2018 VERIFY KU OK
Mon Nov 12 22:30:52 2018 Validating certificate extended key usage
Mon Nov 12 22:30:52 2018 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon Nov 12 22:30:52 2018 VERIFY EKU OK
Mon Nov 12 22:30:52 2018 VERIFY OK: depth=0, CN=de347.nordvpn.com
Mon Nov 12 22:30:52 2018 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Mon Nov 12 22:30:52 2018 [de347.nordvpn.com] Peer Connection Initiated with [AF_INET]185.216.33.18:1194
Mon Nov 12 22:30:53 2018 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:7015
Mon Nov 12 22:30:53 2018 SENT CONTROL [de347.nordvpn.com]: 'PUSH_REQUEST' (status=1)
Mon Nov 12 22:30:53 2018 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,sndbuf 524288,rcvbuf 524288,dhcp-option DNS 103.86.96.100,dhcp-option DNS 103.86.99.100,comp-lzo no,route-gateway 10.8.8.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.8.8.20 255.255.255.0,peer-id 3,cipher AES-256-GCM'
Mon Nov 12 22:30:53 2018 OPTIONS IMPORT: timers and/or timeouts modified
Mon Nov 12 22:30:53 2018 OPTIONS IMPORT: compression parms modified
Mon Nov 12 22:30:53 2018 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Mon Nov 12 22:30:53 2018 Socket Buffers: R=[212992->425984] S=[212992->425984]
Mon Nov 12 22:30:53 2018 OPTIONS IMPORT: --ifconfig/up options modified
Mon Nov 12 22:30:53 2018 OPTIONS IMPORT: route options modified
Mon Nov 12 22:30:53 2018 OPTIONS IMPORT: route-related options modified
Mon Nov 12 22:30:53 2018 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Mon Nov 12 22:30:53 2018 OPTIONS IMPORT: peer-id set
Mon Nov 12 22:30:53 2018 OPTIONS IMPORT: adjusting link_mtu to 1657
Mon Nov 12 22:30:53 2018 OPTIONS IMPORT: data channel crypto options modified
Mon Nov 12 22:30:53 2018 Data Channel: using negotiated cipher 'AES-256-GCM'
Mon Nov 12 22:30:53 2018 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Nov 12 22:30:53 2018 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Nov 12 22:30:53 2018 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=wlp4s0 HWADDR=88:b1:11:61:af:8a
Mon Nov 12 22:30:53 2018 TUN/TAP device tun0 opened
Mon Nov 12 22:30:53 2018 TUN/TAP TX queue length set to 100
Mon Nov 12 22:30:53 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Mon Nov 12 22:30:53 2018 /sbin/ip link set dev tun0 up mtu 1500
Mon Nov 12 22:30:53 2018 /sbin/ip addr add dev tun0 10.8.8.20/24 broadcast 10.8.8.255
Mon Nov 12 22:30:53 2018 /usr/local/lib/python3.7/site-packages/openpyn/scripts/update-resolv-conf.sh tun0 1500 1585 10.8.8.20 255.255.255.0 init
dhcp-option DNS 103.86.99.100
dhcp-option DNS 103.86.96.100
dhcp-option DNS 208.67.222.220
Mon Nov 12 22:30:53 2018 /sbin/ip route add 185.216.33.18/32 via 192.168.1.1
Mon Nov 12 22:30:53 2018 /sbin/ip route add 0.0.0.0/1 via 10.8.8.1
Mon Nov 12 22:30:53 2018 /sbin/ip route add 128.0.0.0/1 via 10.8.8.1
Mon Nov 12 22:30:53 2018 Initialization Sequence Completed
$ journalctl
Nov 12 22:30:53 thinkpad-x1c5 NetworkManager[4316]: <info>  [1542058253.2230] manager: (tun0): new Tun device (/org/freedesktop/NetworkManager/Devices/6)
Nov 12 22:30:53 thinkpad-x1c5 systemd-udevd[4532]: link_config: autonegotiation is unset or enabled, the speed and duplex are not writable.
Nov 12 22:30:53 thinkpad-x1c5 dbus-daemon[675]: [system] Activating via systemd: service name='org.freedesktop.resolve1' unit='dbus-org.freedesktop.resolve1.service' requested by >
Nov 12 22:30:53 thinkpad-x1c5 systemd[1]: Starting Network Name Resolution...
Nov 12 22:30:53 thinkpad-x1c5 NetworkManager[4316]: <info>  [1542058253.2481] device (tun0): state change: unmanaged -> unavailable (reason 'connection-assumed', sys-iface-state: >
Nov 12 22:30:53 thinkpad-x1c5 NetworkManager[4316]: <info>  [1542058253.2507] keyfile: add connection in-memory (ef395eeb-228d-4dc6-bc69-c34f7fc5bb72,"tun0")
Nov 12 22:30:53 thinkpad-x1c5 NetworkManager[4316]: <info>  [1542058253.2517] device (tun0): state change: unavailable -> disconnected (reason 'connection-assumed', sys-iface-stat>
Nov 12 22:30:53 thinkpad-x1c5 NetworkManager[4316]: <info>  [1542058253.2529] device (tun0): Activation: starting connection 'tun0' (ef395eeb-228d-4dc6-bc69-c34f7fc5bb72)
Nov 12 22:30:53 thinkpad-x1c5 NetworkManager[4316]: <info>  [1542058253.2531] device (tun0): state change: disconnected -> prepare (reason 'none', sys-iface-state: 'external')
Nov 12 22:30:53 thinkpad-x1c5 NetworkManager[4316]: <info>  [1542058253.2536] device (tun0): state change: prepare -> config (reason 'none', sys-iface-state: 'external')
Nov 12 22:30:53 thinkpad-x1c5 NetworkManager[4316]: <info>  [1542058253.2540] device (tun0): state change: config -> ip-config (reason 'none', sys-iface-state: 'external')
Nov 12 22:30:53 thinkpad-x1c5 NetworkManager[4316]: <info>  [1542058253.2543] device (tun0): state change: ip-config -> ip-check (reason 'none', sys-iface-state: 'external')
Nov 12 22:30:53 thinkpad-x1c5 NetworkManager[4316]: <info>  [1542058253.2550] device (tun0): state change: ip-check -> secondaries (reason 'none', sys-iface-state: 'external')
Nov 12 22:30:53 thinkpad-x1c5 NetworkManager[4316]: <info>  [1542058253.2553] device (tun0): state change: secondaries -> activated (reason 'none', sys-iface-state: 'external')
Nov 12 22:30:53 thinkpad-x1c5 NetworkManager[4316]: <info>  [1542058253.2592] device (tun0): Activation: successful, device activated.
Nov 12 22:30:53 thinkpad-x1c5 dbus-daemon[675]: [system] Activating via systemd: service name='org.freedesktop.nm_dispatcher' unit='dbus-org.freedesktop.nm-dispatcher.service' req>
Nov 12 22:30:53 thinkpad-x1c5 systemd[1]: Starting Network Manager Script Dispatcher Service...
Nov 12 22:30:53 thinkpad-x1c5 dbus-daemon[675]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'
Nov 12 22:30:53 thinkpad-x1c5 systemd[1]: Started Network Manager Script Dispatcher Service.
Nov 12 22:30:53 thinkpad-x1c5 nm-dispatcher[4539]: req:1 'up' [tun0]: new request (3 scripts)
Nov 12 22:30:53 thinkpad-x1c5 nm-dispatcher[4539]: req:1 'up' [tun0]: start running ordered scripts...
Nov 12 22:30:53 thinkpad-x1c5 systemd[1]: iscsi.service: Unit cannot be reloaded because it is inactive.
Nov 12 22:30:53 thinkpad-x1c5 systemd-resolved[4537]: Positive Trust Anchors:
Nov 12 22:30:53 thinkpad-x1c5 systemd-resolved[4537]: . IN DS 19036 8 2 49aac11d7b6f6446702e54a1607371607a1a41855200fd2ce1cdde32f24e8fb5
Nov 12 22:30:53 thinkpad-x1c5 systemd-resolved[4537]: . IN DS 20326 8 2 e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d
Nov 12 22:30:53 thinkpad-x1c5 systemd-resolved[4537]: Negative trust anchors: 10.in-addr.arpa 16.172.in-addr.arpa 17.172.in-addr.arpa 18.172.in-addr.arpa 19.172.in-addr.arpa 20.17>
Nov 12 22:30:53 thinkpad-x1c5 systemd-resolved[4537]: Using system hostname 'thinkpad-x1c5'.
Nov 12 22:30:53 thinkpad-x1c5 systemd[1]: Started Network Name Resolution.
hummelth commented 5 years ago

Closing this issue. The DNS leaks were caused by misconfiguration of systemd-resolve and NetworkManager, and therefore weren't directly related to openpyn.

For other people experiencing similar issues on Fedora, the following steps result in properly working DNS resolving when using openpyn (and openvpn in general):

1) Symlinking the stub-resolv.conf of systemd-resolve to /etc/resolv.conf, so that /etc/resolv.conf is handled by systemd-resolve (for more information see https://wiki.archlinux.org/index.php/Systemd-resolved#DNS)

sudo ln -s /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf 

2) Edit /etc/NetworkManager/NetworkManager.conf

[main]
dns=default

3) Edit /etc/systemd/resolved.conf to change the DNS Server used by systemd-resolve (optional; in case you want to manually define a special local DNS Server when no VPN is used)

[Resolve]
DNS=192.168.1.1
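A way to verify the three steps above and to confirm that the leak is actually gone, written here as an added example (it is not part of openpyn and not code posted in this issue). It takes the resolvers the server pushed (the `dhcp-option DNS` entries visible in the OpenVPN output above) and compares them with the `nameserver` lines the system is really using; any resolver that was not pushed by the VPN is a leak. The function names and the sample inputs are constructed for this example and modelled on the log lines in the issue.

```shell
#!/bin/sh
# Added example, not openpyn code. Checks a host against the fix described in
# this issue and reports DNS resolvers that bypass the VPN.

# Resolvers pushed by the VPN server: every "dhcp-option DNS <addr>" token,
# whether it sits inside the PUSH_REPLY line or on its own line (stdin = OpenVPN log).
pushed_dns() {
    grep -o 'dhcp-option DNS [0-9.]*' | awk '{print $3}' | sort -u
}

# Resolvers the system will actually query: "nameserver" lines (stdin = resolv.conf).
active_dns() {
    awk '$1 == "nameserver" {print $2}' | sort -u
}

# Print every active resolver ($2 = resolv.conf) that the VPN did not push
# ($1 = OpenVPN log). Exit status 1 means a non-VPN resolver is active: a DNS leak.
dns_leaks() {
    pushed=$(pushed_dns < "$1")
    leaks=$(active_dns < "$2" | while read -r ns; do
        echo "$pushed" | grep -qxF "$ns" || echo "$ns"
    done)
    [ -z "$leaks" ] && return 0
    echo "$leaks"
    return 1
}

# Step 1 of the fix: does resolv.conf point at systemd-resolved's stub file?
resolv_is_stub() {
    [ "$(readlink "$1" 2>/dev/null)" = "/run/systemd/resolve/stub-resolv.conf" ]
}

# Step 2 of the fix: value of dns= in the [main] section of a NetworkManager.conf.
# Keys with the same name in other sections (e.g. [logging]) are ignored.
nm_dns_mode() {
    awk -F= '/^\[/ {sec=$1} sec=="[main]" && $1=="dns" {print $2}' "$1"
}

# Typical use on a real Fedora host after "openpyn de" (paths assumed, not run here):
#   resolv_is_stub /etc/resolv.conf || echo "step 1 missing"
#   [ "$(nm_dns_mode /etc/NetworkManager/NetworkManager.conf)" = default ] || echo "step 2 missing"
#   dns_leaks /var/log/openvpn.log /run/systemd/resolve/resolv.conf
```

`dns_leaks` reads `/run/systemd/resolve/resolv.conf` rather than the stub file on purpose: the stub always lists only 127.0.0.53, while the non-stub file shows the upstream servers systemd-resolved forwards to, which is where a leaked LAN resolver such as 192.168.1.1 would appear.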