Frequently Asked Questions
How to Fix DNS Leak on Linux?
First thing to check is the update-resolve-conf scripts.
In the openvpn conf files from blackVPN there should be 2 entries like this:
They are needed to update the DNS settings in your /etc/resolv.conf file with the settings pushed from the VPN server.
Make sure that you have the script update-resolv-conf.sh installed on your system and that the blackVPN configuration file points to the correct location of the script.
If you don't have update-resolv-conf.sh installed then you can get it here: https://wiki.archlinux.org/index.php/OpenVPN#DNS
Linux users will also need to click on their network applet, (This is applet is different in different Linux versions and in GNOME, XFCE, Unity and KDE) choose Edit Connections, click on “Edit” for your network device, and under the “IPv4 Settings” tab, choose the “Automatic (DHCP) addresses only” profile, and then look for and remove any manually entered DNS servers from the DNS servers textbox. Typically you will find the local router or modem leaking the DNS , in the private IP range ( 10.x.x.x, 192.168.x.x, 172.16.0.0 - 172.31.255.255) or googles DNS which is 22.214.171.124.
Using the OpenVPN GUI for Network Manager also works and should not leak the DNS.
In Ubuntu you can install the GUI with:
sudo apt-get install network-manager-openvpn
In openSUSE with:
sudo zypper install networkmanager-openvpn
After installing this you must restart network manager:
sudo service network-manager restart
Then you have to import the OpenVPN config file using the GUI in your desktop environment. You must manually import the CA certificate and TLS-auth key when using the GUI as it will dismiss the keys in the .ovpn configuration file. You can simply cut out the keys from the .ovpn and make a new text file with appropriate extension to put the key in there then save it and import using the GUI.
The GUI should work great with GNOME, XFCE, and Unity, but there are some known problems with KDE.
If the GUI still doesn't work you may need to install network-manager or network-manager-gnome (even if you are not using gnome)
Use Firewall (ufw)
Another advanced option to prevent DNS leaks is to use a firewall. The bellow method is using the ufw firewall and it also serves as a kill switch to make sure IP leaks can't happen.
Now set all traffic to deny:
sudo ufw default deny outgoing sudo ufw default deny incoming
Now we must permit OpenVPN traffic (Normally the OpenVPN adapter is called tun0, but it can be different on some linux systems)
sudo ufw allow out on tun0 from any to any
For added security you may want to disable all incoming traffic, but if required then allow it using:
sudo ufw allow in on tun0 from any to any
With this rule all non VPN traffic (and subsequently all DNS requests not routed though the VPN) will be blocked. This setup currently requires that you disable the firewall to connect to the VPN and then enable it once connected to the VPN.
The following commands will permit you to establish a connection to the VPN server even when firewall is enabled (replace the above x.x.x.x with the IP of the VPN server you want to connect to):
sudo ufw allow out from any to x.x.x.x
You can also add multiple rules to add all the VPN servers you are using.
Example to allow all our NL servers:
sudo ufw allow out from any to 126.96.36.199
sudo ufw allow out from any to 188.8.131.52
sudo ufw allow out from any to 95 .211.137.134
Then finally to enable ufw, do:
sudo ufw enable
Note that in Ubuntu ufw will be enabled on boot, but in other Linux versions it may not. This means you either always have to enable ufw after each restarting or starting it manually.
If you want more strict rules and better security then only allow desired ports on tun0.
A thread about DNSleaks on ubuntu forums here: http://ubuntuforums.org/showthread.php?t=1496473