networkmanager openVPN connection causes DNS leak

Bug #1520771 reported by zebul666
This bug affects 5 people
Affects: network-manager-openvpn (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned

Bug Description

I am using Ubuntu 15.10 with
 - network-manager 1.0.4-0ubuntu5.1
 - network-manager-openvpn 0.9.10.0-1ubuntu2

And I configured my ethernet connection to automatically use my openvpn vpn connection when connecting.

If I go to dnsleaktest.com, I find that networkmanager leaks the DNS of my ISP and doesn't use the DNS of the VPN.

However, if I manually close and reopen the VPN connection from the networkmanager applet, the DNS leak does not occur anymore.

So the bug occurs only when the VPN connection is set up automatically at login or when coming back from sleep. The DNS servers are not updated to the ones of the VPN and stay the ones previously defined.

I have opened an upstream bug but I don't know if it's an Ubuntu package bug or not.
https://bugzilla.gnome.org/show_bug.cgi?id=758772

ProblemType: Bug
DistroRelease: Ubuntu 15.10
Package: network-manager-openvpn 0.9.10.0-1ubuntu2
ProcVersionSignature: Ubuntu 4.2.0-18.22-generic 4.2.3
Uname: Linux 4.2.0-18-generic x86_64
NonfreeKernelModules: wl
ApportVersion: 2.19.1-0ubuntu5
Architecture: amd64
CurrentDesktop: Unity
Date: Sat Nov 28 13:33:18 2015
InstallationDate: Installed on 2015-04-01 (240 days ago)
InstallationMedia: Ubuntu 15.04 "Vivid Vervet" - Beta amd64 (20150326)
SourcePackage: network-manager-openvpn
UpgradeStatus: Upgraded to wily on 2015-10-28 (30 days ago)

zebul666 (zebul666) wrote :

No. I was wrong to assume it's because of the automatic connection.

The DNS could be OK, but five minutes later they could leak. Sometimes the 2 are even used at the same time: the ones from the VPN and the ones from the ISP.

so wtf !?

zebul666 (zebul666) wrote :

To make things clear, the connection uses the LAN DHCP DNS instead of the DNS of the VPN tunnel connection set up by network manager

but it seems erratic

zebul666 (zebul666) wrote :

It's dnsmasq that keeps on using the LAN DNS even though 2 other DNS have already been defined for the VPN tunnel

nov. 28 15:32:14 callisto dnsmasq[1432]: configuration des serveurs amonts à partir de DBus
nov. 28 15:32:14 callisto dnsmasq[1432]: utilise le serveur de nom 192.168.0.254#53
nov. 28 15:32:14 callisto NetworkManager[12918]: <info> Writing DNS information to /sbin/resolvconf
nov. 28 15:32:14 callisto dnsmasq[1432]: configuration des serveurs amonts à partir de DBus
nov. 28 15:32:14 callisto NetworkManager[12918]: <info> (eth0): device state change: secondaries -> activated (reason 'none') [90 100 0]
nov. 28 15:32:14 callisto NetworkManager[12918]: <info> NetworkManager state is now CONNECTED_GLOBAL
nov. 28 15:32:14 callisto NetworkManager[12918]: <info> NetworkManager state is now CONNECTED_SITE
nov. 28 15:32:14 callisto NetworkManager[12918]: <info> NetworkManager state is now CONNECTED_GLOBAL
nov. 28 15:32:14 callisto NetworkManager[12918]: <info> Writing DNS information to /sbin/resolvconf
nov. 28 15:32:14 callisto dnsmasq[1432]: configuration des serveurs amonts à partir de DBus
nov. 28 15:32:14 callisto dnsmasq[1432]: utilise le serveur de nom 192.168.0.254#53
nov. 28 15:32:14 callisto NetworkManager[12918]: <info> (eth0): Activation: successful, device activated.
nov. 28 15:32:15 callisto NetworkManager[12918]: <info> NetworkManager state is now CONNECTED_LOCAL
nov. 28 15:32:15 callisto NetworkManager[12918]: <info> NetworkManager state is now CONNECTED_GLOBAL
nov. 28 15:32:15 callisto NetworkManager[12918]: <info> Writing DNS information to /sbin/resolvconf
nov. 28 15:32:15 callisto dnsmasq[1432]: configuration des serveurs amonts à partir de DBus
nov. 28 15:32:15 callisto dnsmasq[1432]: utilise le serveur de nom 209.222.18.222#53
nov. 28 15:32:15 callisto dnsmasq[1432]: utilise le serveur de nom 209.222.18.218#53
nov. 28 15:32:15 callisto NetworkManager[12918]: <info> keyfile: add connection in-memory (xcvwcvwcvwcvwcvwcvwcv")
nov. 28 15:32:15 callisto NetworkManager[12918]: <info> (tun0): device state change: unmanaged -> unavailable (reason 'connection-assumed') [10
nov. 28 15:32:15 callisto NetworkManager[12918]: <info> (tun0): device state change: unavailable -> disconnected (reason 'connection-assumed') [
nov. 28 15:32:15 callisto NetworkManager[12918]: <info> Device 'tun0' has no connection; scheduling activate_check in 0 seconds.
nov. 28 15:32:15 callisto NetworkManager[12918]: <info> (tun0): Activation: starting connection 'tun0' (bfghfghdghdfhdfghdfghdfhdfh)
nov. 28 15:32:15 callisto NetworkManager[12918]: <info> (tun0): device state change: disconnected -> prepare (reason 'none') [30 40 0]
nov. 28 15:32:15 callisto NetworkManager[12918]: <info> (tun0): device state change: prepare -> config (reason 'none') [40 50 0]
nov. 28 15:32:15 callisto NetworkManager[12918]: <info> (tun0): device state change: config -> ip-config (reason 'none') [50 70 0]
nov. 28 15:32:15 callisto NetworkManager[12918]: <info> (tun0): device state change: ip-config -> ip-check (reason 'none') [70 80 0]
nov. 28 15:32:15 callisto NetworkManager[12918]: <info> (tun0): device state change: ip-check -> secondaries (reason 'none...


zebul666 (zebul666) wrote :

My work-around until this is fixed (dnsmasq DNS should be reset before setting the VPN tunnel DNS) is to reset the DNS of the VPN connection.

We can only do that via dbus because dnsmasq does not expose its configuration; we use a network dispatcher script too, so:

in /etc/NetworkManager/dispatcher.d/99resetvpndns
#!/bin/sh

interface=$1
status=$2

case "$status" in
    vpn-up)
        # because dnsmasq keeps the LAN DNS and leaks our DNS, reset the DNS servers to the PIA ones
        # (each SetServers call replaces the whole list set over DBus, so both servers go in one call)
        dbus-send --system --dest=org.freedesktop.NetworkManager.dnsmasq --type=method_call /uk/org/thekelleys/dnsmasq uk.org.thekelleys.SetServers uint32:3520991966 uint32:3520991962
        ;;
    vpn-down)
        ;;
esac

and make the script executable

The uint32 values are the DNS of your VPN converted to integers; to do that you can use, for example, http://www.aboutmyip.com/AboutMyXApp/IP2Integer.jsp

summary: - Using an automatic VPN connection causes DNS leak
+ networkmanager openVPN connection causes DNS leak
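
A way to check for the situation described in this thread from the journal, as an added example that is not part of the bug report or of NetworkManager: it converts a resolver address to the integer form used after `uint32:` in the dispatcher script, and lists any upstream server dnsmasq still holds after its last DBus reconfiguration that is not one of the VPN's. The function names and the sample log lines are constructed for illustration; the English message strings are the ones a non-localised dnsmasq logs.

```shell
#!/bin/sh
# Added example; function names and the sample log are constructed.

# Dotted quad -> the integer written after "uint32:" in the dispatcher script.
ip_to_uint32() {
    case $1 in *[!0-9.]*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|0[0-9]*) return 1 ;; esac    # no empty or zero-padded octet
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# stdin: journal lines. Prints the upstream servers dnsmasq holds after its
# last reconfiguration over DBus (French or English message catalogue).
final_upstreams() {
    awk '
        /dnsmasq\[[0-9]+\]: .*DBus$/ { n = 0; next }
        /dnsmasq\[[0-9]+\]: (using nameserver|utilise le serveur de nom) / {
            ip = $NF; sub(/#.*/, "", ip); srv[n++] = ip
        }
        END { for (i = 0; i < n; i++) print srv[i] }'
}

# args: the VPN resolvers. Prints every remaining upstream that is not one of them.
leaked_upstreams() {
    allowed=" $* "
    final_upstreams | while read -r ip; do
        case $allowed in *" $ip "*) ;; *) echo "$ip" ;; esac
    done
}

sample_log() {    # constructed lines in the format of the log quoted above
    cat <<'EOF'
nov. 28 15:32:15 callisto dnsmasq[1432]: configuration des serveurs amonts à partir de DBus
nov. 28 15:32:15 callisto dnsmasq[1432]: utilise le serveur de nom 209.222.18.222#53
nov. 28 15:32:15 callisto dnsmasq[1432]: utilise le serveur de nom 209.222.18.218#53
nov. 28 15:37:40 callisto dnsmasq[1432]: setting upstream servers from DBus
nov. 28 15:37:40 callisto dnsmasq[1432]: using nameserver 209.222.18.222#53
nov. 28 15:37:40 callisto dnsmasq[1432]: using nameserver 192.168.0.254#53
EOF
}

ip_to_uint32 209.222.18.222
sample_log | leaked_upstreams 209.222.18.222 209.222.18.218
```

On a live system the input would come from the journal instead of `sample_log`, with the VPN's own resolver addresses as arguments.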
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in network-manager-openvpn (Ubuntu):
status: New → Confirmed
MarkusUlm (markusulm) wrote :

Hi,

after establishing the connection with vpnc there seem to be two problems:
* default route is not set
* DNS not working

The script posted by zebul666 is not working for me :-(

zebul666 (zebul666) wrote :

@MarkusUlm the script is meant to reset the DNS to only include the 2 default DNS of your VPN. Only that. I have the default route set up correctly. But I still have the other default route set for the network LAN, so I have updated my script like this

#!/bin/sh

interface=$1
status=$2

case "$status" in
    vpn-up)
        # because dnsmasq keeps the LAN DNS and leaks our DNS, reset the DNS servers to the PIA ones
        # (each SetServers call replaces the whole list set over DBus, so both servers go in one call)
        dbus-send --system --dest=org.freedesktop.NetworkManager.dnsmasq --type=method_call /uk/org/thekelleys/dnsmasq uk.org.thekelleys.SetServers uint32:3520991966 uint32:3520991962
        # drop the LAN default route while the VPN is up
        ip route del default via 192.168.0.254 dev eth0
        ;;
    vpn-down)
        # restore the LAN default route
        ip route add default via 192.168.0.254 dev eth0
        ;;
esac

First you need to change the DNS server IP

and second change the default router IP to be deleted and re-added when the VPN is down.

I delete the default route because I end up with 2 default routes, even if it does not cause a problem.
