SOLVED --- openvpn install; through nm fails, cli leaks

[BellavGFH]

In Linux Mint Wilma 22 xfce, testing openvpn as installed (default):

• Using the GUI: panel Network icon > VPN Connections> Configure VPN
• Configured VPN by use of "Import a saved VPN connection" and given .ovpn

After install, activating VPN via NetworkManager GUI asks for password, when given, comes back and asks again for password (loops) Using same config .ovpn and creds, connecting to same VPN via cli (sudo openvpn --config YOUR_VPN.ovpn), connection is established. However, upon check, DNS fails/ leaks.

This was found for Wilma 22 xfce specifically. Default install of Virginia 21.3 xfce, above functions as intended, both through GUI and cli, with no leaks.

[BellavGFH]

UPDATE: findings solving the mentioned openvpn DNS leak issues. Since there are multiple issues, here first a VPN connection in cli is established. Subsequently, a VPN connection with the help of network-manager is made and DNS leak solved.

1. To establish a VPN connection from cli, some additional packages need to be installed. However, check first what is already installed/ running:
   • systemctl list-unit-files | grep enabled Are these processes running? -- systemd-resolved.service -- network-manager.service -- openvpn.service
   • Check if openvpn-systemd-resolved is installed (probably not): dpkg -l openvpn-*
   • If not installed: sudo apt install openvpn-systemd-resolved
   • Reboot
   • Add to/ make sure your .ovpn file contains:

setenv opt block-outside-dns
script-security 2
up /etc/openvpn/update-systemd-resolved
down /etc/openvpn/update-systemd-resolved
down-pre
dhcp-option DOMAIN-ROUTE .

• Start (open)vpn session in cli by navigating to the location of your .ovpn file and sudo openvpn --config <YOUR-OPENVPN-CONFIG-FILE>.ovpn
• In the return messaging of the vpn server, the vpn dns server can be seen as something like: dhcp-option DNS 999.99.999.999

2. VPN via NetworkManager GUI asks for password, when given, comes back and asks again for password (loops)

• This is caused by a network-manager-openvpn and/ or network-manager-openvpn-gnome (wrong) configuration. (Note: this will affect version 1.10.2 but not 1.8.18)
• To solve -- Open Networkmanager GUI (panel) -- VPN Connections > Configure VPN, open the VPN configuration concerned. -- VPN tab > Advanced > Security tab -- Set Cipher to AES-256-GCM

3. After establishing a VPN connection (icon with padlock) check your VPN connection with e.g. https://ipleak.net or https://dnsleaktest.com
   • When leaking DNS (of your default IP most likely), even though your VPN connection initiated in cli is OK... -- Check whether dnsmasq.service is running. If it does, stop this service and/ or deinstall it (sudo apt purge dnsmasq) -- Check the content of /etc/resolv.conf; this should NOT hold the ip of your default name server. -- If it does, comment your default DNS name server out and add nameserver 127.0.0.1 -- Reboot to (re)start all network services, make a VPN connection and check for potential leaks. -- Additionally, check in cli with resolvectl status whether e.g. tun0 (your VPN connection) shows the ip address of your default nameserver or the VPN nameserver.