qdm12 / gluetun

VPN client in a thin Docker container for multiple VPN providers, written in Go, and using OpenVPN or Wireguard, DNS over TLS, with a few proxy servers built-in.
https://hub.docker.com/r/qmcgaw/gluetun
MIT License

Bug: Possible airvpn/wireguard dns leak #1960

Open absolution1 opened 9 months ago

absolution1 commented 9 months ago

Is this urgent?

Yes

Host OS

Ubuntu server LTS 20.04

CPU arch

x86_64

VPN service provider

AirVPN

What are you using to run the container

docker-compose

What is the version of Gluetun

Running version latest built on 2023-10-07T13:26:08.155Z (commit 1c43a1d)

What's the problem 🤔

As described in the title, I am periodically seeing a DNS leak when connected to AirVPN. 99 times out of 100 I see the same DNS server as the VPN server but, very occasionally, I get a separate DNS server in a different country.

I am using the bash script here within a container attached to the gluetun container network to test for DNS leaks: https://github.com/macvk/dnsleaktest

Sometimes I see the output I expect:

Your IP: REMOVED [Switzerland, Swiss Confederation AS51430 AltusHost B.V.]
You use 1 DNS server:
REMOVED [Switzerland, Swiss Confederation AS51430 AltusHost B.V.]
Conclusion: DNS is not leaking.

Sometimes I see this:

Your IP: REMOVED [Switzerland, Swiss Confederation AS51430 AltusHost B.V.]
You use 2 DNS servers:
REMOVED [Switzerland, Swiss Confederation AS51430 AltusHost B.V.]
REMOVED [Germany AS28753 LeaseWeb Deutschland GmbH]
Conclusion: DNS may be leaking.

I have seen other DNS servers appear too, e.g. in the US and the Netherlands (the Netherlands addresses were Cloudflare addresses, if that helps).

I am -almost- following the standard docker-compose setup. The only change I have made is to include DNS_ADDRESS, as otherwise the DNS server is Unbound and then points to Cloudflare for DNS.

Share your logs (at least 10 lines)

gluetun        | ========================================
gluetun        | ========================================
gluetun        | =============== gluetun ================
gluetun        | ========================================
gluetun        | =========== Made with ❤️ by ============
gluetun        | ======= https://github.com/qdm12 =======
gluetun        | ========================================
gluetun        | ========================================
gluetun        |
gluetun        | Running version latest built on 2023-10-07T13:26:08.155Z (commit 1c43a1d)
gluetun        |
gluetun        | 🔧 Need help? https://github.com/qdm12/gluetun/discussions/new
gluetun        | 🐛 Bug? https://github.com/qdm12/gluetun/issues/new
gluetun        | ✨ New feature? https://github.com/qdm12/gluetun/issues/new
gluetun        | ☕ Discussion? https://github.com/qdm12/gluetun/discussions/new
gluetun        | 💻 Email? quentin.mcgaw@gmail.com
gluetun        | 💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12
gluetun        | 2023-11-14T10:50:02Z WARN DNS_ADDRESS is set to REMOVEDVPNDNS so the DNS over TLS (DoT) server will not be used. The default value changed to 127.0.0.1 so it uses the internal DoT serves. If the DoT server fails to start, the IPv4 address of the first plaintext DNS server corresponding to the first DoT provider chosen is used.
gluetun        | 2023-11-14T10:50:02Z INFO [routing] default route found: interface eth0, gateway 172.20.0.1, assigned IP 172.20.0.2 and family v4
gluetun        | 2023-11-14T10:50:02Z INFO [routing] local ethernet link found: eth0
gluetun        | 2023-11-14T10:50:02Z INFO [routing] local ipnet found: 172.20.0.0/16
gluetun        | 2023-11-14T10:50:02Z INFO [firewall] enabling...
gluetun        | 2023-11-14T10:50:02Z INFO [firewall] enabled successfully
gluetun        | 2023-11-14T10:50:03Z INFO [storage] creating /gluetun/servers.json with 17689 hardcoded servers
gluetun        | 2023-11-14T10:50:03Z INFO Alpine version: 3.18.4
gluetun        | 2023-11-14T10:50:03Z INFO OpenVPN 2.5 version: 2.5.8
gluetun        | 2023-11-14T10:50:03Z INFO OpenVPN 2.6 version: 2.6.5
gluetun        | 2023-11-14T10:50:03Z INFO Unbound version: 1.17.1
gluetun        | 2023-11-14T10:50:03Z INFO IPtables version: v1.8.9
gluetun        | 2023-11-14T10:50:03Z INFO Settings summary:
gluetun        | ├── VPN settings:
gluetun        | |   ├── VPN provider settings:
gluetun        | |   |   ├── Name: airvpn
gluetun        | |   |   └── Server selection settings:
gluetun        | |   |       ├── VPN type: wireguard
gluetun        | |   |       ├── Server names: REMOVED
gluetun        | |   |       └── Wireguard selection settings:
gluetun        | |   └── Wireguard settings:
gluetun        | |       ├── Private key: sA2...Xo=
gluetun        | |       ├── Pre-shared key: UAe...5s=
gluetun        | |       ├── Interface addresses:
gluetun        | |       |   └── REMOVEDVPNIP
gluetun        | |       ├── Allowed IPs:
gluetun        | |       |   ├── 0.0.0.0/0
gluetun        | |       |   └── ::/0
gluetun        | |       └── Network interface: tun0
gluetun        | |           └── MTU: 1400
gluetun        | ├── DNS settings:
gluetun        | |   ├── Keep existing nameserver(s): no
gluetun        | |   ├── DNS server address to use: REMOVEDVPNDNS
gluetun        | |   └── DNS over TLS settings:
gluetun        | |       ├── Enabled: yes
gluetun        | |       ├── Update period: every 24h0m0s
gluetun        | |       ├── Unbound settings:
gluetun        | |       |   ├── Authoritative servers:
gluetun        | |       |   |   └── cloudflare
gluetun        | |       |   ├── Caching: yes
gluetun        | |       |   ├── IPv6: no
gluetun        | |       |   ├── Verbosity level: 1
gluetun        | |       |   ├── Verbosity details level: 0
gluetun        | |       |   ├── Validation log level: 0
gluetun        | |       |   ├── System user: root
gluetun        | |       |   └── Allowed networks:
gluetun        | |       |       ├── 0.0.0.0/0
gluetun        | |       |       └── ::/0
gluetun        | |       └── DNS filtering settings:
gluetun        | |           ├── Block malicious: yes
gluetun        | |           ├── Block ads: no
gluetun        | |           ├── Block surveillance: no
gluetun        | |           └── Blocked IP networks:
gluetun        | |               ├── 127.0.0.1/8
gluetun        | |               ├── 10.0.0.0/8
gluetun        | |               ├── 172.16.0.0/12
gluetun        | |               ├── 192.168.0.0/16
gluetun        | |               ├── 169.254.0.0/16
gluetun        | |               ├── ::1/128
gluetun        | |               ├── fc00::/7
gluetun        | |               ├── fe80::/10
gluetun        | |               ├── ::ffff:127.0.0.1/104
gluetun        | |               ├── ::ffff:10.0.0.0/104
gluetun        | |               ├── ::ffff:169.254.0.0/112
gluetun        | |               ├── ::ffff:172.16.0.0/108
gluetun        | |               └── ::ffff:192.168.0.0/112
gluetun        | ├── Firewall settings:
gluetun        | |   ├── Enabled: yes
gluetun        | |   └── VPN input ports:
gluetun        | |       └── VPNFWDPORT
gluetun        | ├── Log settings:
gluetun        | |   └── Log level: INFO
gluetun        | ├── Health settings:
gluetun        | |   ├── Server listening address: 127.0.0.1:9999
gluetun        | |   ├── Target address: cloudflare.com:443
gluetun        | |   ├── Duration to wait after success: 5s
gluetun        | |   ├── Read header timeout: 100ms
gluetun        | |   ├── Read timeout: 500ms
gluetun        | |   └── VPN wait durations:
gluetun        | |       ├── Initial duration: 6s
gluetun        | |       └── Additional duration: 5s
gluetun        | ├── Shadowsocks server settings:
gluetun        | |   └── Enabled: no
gluetun        | ├── HTTP proxy settings:
gluetun        | |   └── Enabled: no
gluetun        | ├── Control server settings:
gluetun        | |   ├── Listening address: :8000
gluetun        | |   └── Logging: yes
gluetun        | ├── OS Alpine settings:
gluetun        | |   ├── Process UID: 1000
gluetun        | |   ├── Process GID: 1000
gluetun        | |   └── Timezone: europe/london
gluetun        | ├── Public IP settings:
gluetun        | |   ├── Fetching: every 12h0m0s
gluetun        | |   └── IP file path: /tmp/gluetun/ip
gluetun        | └── Version settings:
gluetun        |     └── Enabled: yes
gluetun        | 2023-11-14T10:50:03Z INFO [routing] default route found: interface eth0, gateway 172.20.0.1, assigned IP 172.20.0.2 and family v4
gluetun        | 2023-11-14T10:50:03Z INFO [routing] adding route for 0.0.0.0/0
gluetun        | 2023-11-14T10:50:03Z INFO [firewall] setting allowed subnets...
gluetun        | 2023-11-14T10:50:03Z INFO [routing] default route found: interface eth0, gateway 172.20.0.1, assigned IP 172.20.0.2 and family v4
gluetun        | 2023-11-14T10:50:03Z INFO [dns] using plaintext DNS at address REMOVEDVPNDNS
gluetun        | 2023-11-14T10:50:03Z INFO [http server] http server listening on [::]:8000
gluetun        | 2023-11-14T10:50:03Z INFO [firewall] allowing VPN connection...
gluetun        | 2023-11-14T10:50:03Z INFO [healthcheck] listening on 127.0.0.1:9999
gluetun        | 2023-11-14T10:50:03Z INFO [wireguard] Using available kernelspace implementation
gluetun        | 2023-11-14T10:50:03Z INFO [wireguard] Connecting to REMOVEDVPNIP:REMOVEDVPNPORT
gluetun        | 2023-11-14T10:50:03Z INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
gluetun        | 2023-11-14T10:50:03Z INFO [firewall] setting allowed input port VPNFWDPORT through interface tun0...
gluetun        | 2023-11-14T10:50:03Z INFO [dns] downloading DNS over TLS cryptographic files
gluetun        | 2023-11-14T10:50:04Z INFO [healthcheck] healthy!
gluetun        | 2023-11-14T10:50:05Z INFO [dns] downloading hostnames and IP block lists
gluetun        | 2023-11-14T10:50:06Z INFO [dns] ready
gluetun        | 2023-11-14T10:50:07Z INFO [vpn] You are running 20 commits behind the most recent latest
gluetun        | 2023-11-14T10:50:07Z INFO [ip getter] Public IP address is REMOVEDVPNIP (Switzerland, Zurich, Zürich)
gluetun        | 2023-11-14T10:50:11Z INFO [dns] init module 0: validator
gluetun        | 2023-11-14T10:50:11Z INFO [dns] init module 1: iterator
gluetun        | 2023-11-14T10:50:12Z INFO [dns] start of service (unbound 1.17.1).

Share your configuration

version: '3.5'
services:
  gluetun:
    image: qmcgaw/gluetun:latest
    container_name: gluetun
    cap_add:
     - NET_ADMIN
    devices:
     - /dev/net/tun:/dev/net/tun
    ports:
     - 8100:8000 # Remote Control VPN
     - REMOVED
     - REMOVED
     - REMOVED
    restart: 'unless-stopped'
    environment:
     - VPN_SERVICE_PROVIDER=airvpn
     - VPN_TYPE=wireguard
     - WIREGUARD_PRIVATE_KEY=REMOVEDKEY
     - WIREGUARD_ADDRESSES=REMOVEDVPNADDRESSES
     - WIREGUARD_PRESHARED_KEY=REMOVEDKEY
     - SERVER_NAMES=REMOVEDSERVERNAME
     - DNS_ADDRESS=REMOVEDVPNDNS
     - FIREWALL_VPN_INPUT_PORTS=VPNFWDPORT
     - TZ=Europe/London

absolution1 commented 9 months ago

Hi there. To test this, I've swapped from using AirVPN's DNS to DoT+Cloudflare (the Gluetun default). I'm experiencing a similar thing. I'm logging the DNS server used every minute using the command line DNS leak checker. The vast majority of the time I simply see this:

162.158.148.72 [Switzerland, Swiss Confederation AS13335 CloudFlare Inc.]

Periodically, I see other DNS servers. Here are a few:

80.255.10.194 [Germany AS201011 Core-Backbone GmbH]
194.110.115.34 [Belgium AS9009 M247 Europe SRL]
142.147.89.225 [United States of America AS6233 xTom]
79.142.69.160 [Switzerland, Swiss Confederation AS51430 AltusHost B.V.]

What should I do here?

qdm12 commented 9 months ago

Hi there!

Gluetun doesn't prevent DNS leaks within the VPN tunnel. It does set the Gluetun container resolver to 127.0.0.1 (DNS_ADDRESS value) so everything plugged into it by default will use that nameserver (by default Unbound+Cloudflare). But a container plugged through Gluetun could use its nameserver of choice (still, as long as it goes through the VPN). What containers do you have running connected through Gluetun?

If you check the few extra IP addresses you have:

However, I guess I could add an option, disabled by default, to block DNS traffic not going through the DNS_ADDRESS with another firewall rule.
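
The optional firewall rule suggested in the comment above, written out as an added example (this is not gluetun's code and not something either participant posted): inside the gluetun network namespace, reject any packet to port 53 leaving the tunnel interface unless it is addressed to the resolver in DNS_ADDRESS, then verify from `iptables -S OUTPUT` that the rules are in place, and check a resolv.conf for nameservers other than DNS_ADDRESS (containers started with `network_mode: "service:gluetun"` share gluetun's resolv.conf, which is the mechanism the comment refers to). Assumptions not taken from the issue: the tunnel interface is tun0 (it is in the log above), the rules go at the top of the OUTPUT chain that gluetun manages, and every iptables and resolv.conf text used in the demonstration is constructed, not captured from the reporter's host.

```sh
#!/bin/sh
# Added example, not gluetun's own code. Restrict DNS egress on the tunnel
# interface to the configured resolver and provide two checks.
# Assumptions (not from the issue): tunnel interface tun0, rules inserted
# at the top of OUTPUT; sample texts below are constructed.

# Print the iptables commands for resolver $1 on interface ${2:-tun0}.
# "-I" places them before gluetun's accept-all rule for the tunnel;
# "! -d" exempts only the intended resolver, for both UDP and TCP DNS.
dns_egress_rules() {
    dns="$1"; iface="${2:-tun0}"
    for proto in udp tcp; do
        printf 'iptables -I OUTPUT -o %s -p %s --dport 53 ! -d %s -j REJECT\n' \
            "$iface" "$proto" "$dns"
    done
}

# Apply the rules for real. Run only as root inside the gluetun namespace,
# e.g.: docker exec gluetun sh -c "$(dns_egress_rules 127.0.0.1)"
apply_dns_egress_rules() {
    dns_egress_rules "$@" | sh -e
}

# Read `iptables -S OUTPUT` text on stdin; succeed only if a REJECT rule for
# port 53 on $2 exempting $1 exists for both udp and tcp. Tokens are matched
# independently because iptables -S reorders them and prints "! -d x/32"
# ahead of "-o".
dns_egress_rules_present() {
    dns="$1"; iface="${2:-tun0}"
    awk -v dns="$dns" -v iface="$iface" '
        BEGIN { gsub(/\./, "\\.", dns) }          # literal dots in the regex
        /-j REJECT/ && /--dport 53/ &&
        $0 ~ ("-o " iface " ") &&
        $0 ~ ("! -d " dns "(/32)? ") {
            if (/-p udp/) udp = 1
            if (/-p tcp/) tcp = 1
        }
        END { exit (udp && tcp) ? 0 : 1 }'
}

# Read resolv.conf text on stdin; succeed only if every nameserver is $1.
resolv_only_uses() {
    awk -v want="$1" '
        $1 == "nameserver" { n++; if ($2 != want) bad++ }
        END { exit (n > 0 && bad == 0) ? 0 : 1 }'
}

# Demonstration on constructed input (not real output from the reporter's host).
demo() {
    dns_egress_rules 127.0.0.1 tun0
    printf 'nameserver 127.0.0.1\n' | resolv_only_uses 127.0.0.1 \
        && echo "resolv.conf: only 127.0.0.1, good"
    printf 'nameserver 127.0.0.1\nnameserver 1.1.1.1\n' | resolv_only_uses 127.0.0.1 \
        || echo "resolv.conf: extra nameserver, queries can bypass the DoT server"
}

demo
```

Two caveats before using this. With the default DNS_ADDRESS=127.0.0.1 the rule rejects every port-53 packet on tun0, which includes the plaintext fallback described in the WARN line at the top of the log (used when the DoT server fails to start); the DoT traffic itself is on port 853 and is untouched, as is anything doing DNS over HTTPS on 443, so a process that ships its own DoH client is not covered. A container restart creates a fresh network namespace, so the rules have to be reapplied after each restart.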

absolution1 commented 8 months ago

Hi @qdm12 Thank you for checking in on this, apologies for the delay responding.

I'm running a QBT container that relies on gluetun for its networking.
I never ended up figuring this situation out. The list of IPs that appear aren't connected to my VPN provider (AirVPN) but you are right that they mostly seem to be other privacy-focused providers (Though I saw google appear once in the list).

What's strange is that I only see this happen when using the mentioned command line script. Under the hood this uses bash.ws for checking dns. Other online DNS checkers only ever report the DNS that I'd expect (cloudflare, but in the same country as my VPN).

Adding in that extra option would be a good test. Do you have any suggestions for what I could dig into to see where these other DNS addresses are coming from?

I don't know if I said this before but it's only rarely that I see these other DNS providers being returned from the command line script. The vast majority of the time I just see cloudflare...
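
One thing to dig into, as an added example rather than anything from the thread or the gluetun project: the bash.ws-style script mentioned above only reports which resolver egress addresses reached its authoritative server, not which process inside the gluetun namespace sent the query. Capturing port-53 traffic on the tunnel interface shows the destination each query actually went to, which separates "a process used its own nameserver" from "the gluetun resolver was used and the upstream answered from elsewhere". Assumptions: the capture is taken from a throwaway container joined to gluetun's network namespace (the nicolaka/netshoot image is assumed to provide tcpdump; any image with tcpdump works), the interface is tun0 as in the log, and the sample capture lines in the block are constructed, with 192.0.2.53 standing in for the provider resolver given as DNS_ADDRESS.

```sh
#!/bin/sh
# Added example, not code from gluetun or the participants. Tally the
# destinations of DNS queries seen on the tunnel interface.
#
# Capture (assumption: nicolaka/netshoot provides tcpdump; any image with
# tcpdump started in gluetun's network namespace works):
#   docker run --rm --net container:gluetun --cap-add NET_RAW \
#       nicolaka/netshoot tcpdump -lni tun0 port 53 > dns-capture.txt
# Then:
#   dns_query_destinations < dns-capture.txt
#   unexpected_dns_destinations "$DNS_ADDRESS" < dns-capture.txt

# Read tcpdump -n text on stdin; print "count destination-ip proto" for every
# IPv4 destination on port 53, busiest first. IPv6 lines are skipped (the
# settings in the log run Unbound with IPv6 off).
dns_query_destinations() {
    awk '
        $2 == "IP" && $4 == ">" {
            dst = $5
            sub(/:$/, "", dst)                 # "1.1.1.1.53:" -> "1.1.1.1.53"
            n = split(dst, a, ".")
            if (n != 5 || a[5] != "53") next   # tcpdump appends ".port" to the address
            ip = a[1] "." a[2] "." a[3] "." a[4]
            proto = ($6 ~ /^Flags/) ? "tcp" : "udp"
            count[ip " " proto]++
        }
        END { for (k in count) print count[k], k }' | sort -rn
}

# Print every port-53 destination that is not $1 (the expected resolver) and
# exit 1 if there is any. With the default DNS_ADDRESS=127.0.0.1 nothing to
# port 53 should appear on tun0 at all, so any line printed is a query that
# bypassed the gluetun resolver.
unexpected_dns_destinations() {
    dns_query_destinations | awk -v want="$1" '
        $2 != want { print; bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# Constructed sample (not a real capture). 192.0.2.53 stands in for the
# provider resolver passed as DNS_ADDRESS; 1.1.1.1 stands in for a process
# that brought its own nameserver. The 443 and IP6 lines show what is ignored.
SAMPLE='10:50:12.000001 IP 10.4.0.2.41234 > 192.0.2.53.53: 1234+ A? example.com. (29)
10:50:12.000002 IP 10.4.0.2.41234 > 192.0.2.53.53: 1235+ AAAA? example.com. (29)
10:50:13.000003 IP 10.4.0.2.41235 > 1.1.1.1.53: 1236+ A? tracker.example. (33)
10:50:13.000004 IP 10.4.0.2.41236 > 1.1.1.1.53: Flags [S], seq 1, win 64240, length 0
10:50:14.000005 IP 10.4.0.2.41237 > 192.0.2.53.53: 1237+ A? example.org. (29)
10:50:15.000006 IP 10.4.0.2.41238 > 104.16.132.229.443: Flags [S], seq 1, win 64240, length 0
10:50:16.000007 IP6 fd00::2.41239 > 2606:4700:4700::1111.53: 1238+ A? example.net. (29)'

printf '%s\n' "$SAMPLE" | dns_query_destinations
printf '%s\n' "$SAMPLE" | unexpected_dns_destinations 192.0.2.53 \
    || echo "queries to resolvers other than DNS_ADDRESS were seen on tun0"
```

If the capture shows only the expected destination while the leak-test script still reports extra resolvers, the extra addresses were introduced upstream of the container (by whatever the configured resolver forwards to) rather than by a process in the gluetun namespace; if it shows other destinations, the source port in the same line identifies the socket, and `ss -unp`/`ss -tnp` run in the namespace at the same moment maps it to the process.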