DNS leak after upgrade to 16.10

Bug #1634689 reported by James
This bug affects 4 people
Affects: openvpn (Ubuntu)
Status: Expired
Importance: Undecided
Assigned to: Unassigned

Bug Description

Two different openvpn servers I have tried now have a DNS leak with an Ubuntu 16.10 client. This worked fine for both of these servers with Ubuntu 16.04 clients.

I've edited this to reflect better understanding of the bug. I initially believed it was not redirecting the gateway at all. It turns out that it is correctly redirecting the gateway, and is using the pushed DNS ip. But the DNS being pushed is secondary to the ISP's DNS, which results in a DNS leak. This was not the behavior of openvpn with Ubuntu 16.04.

This may be related to the bug described in this comment: (He describes a "fix" applied to 16.10, which might be the source of the problem.)

https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/1211110/comments/50

That comment leads to the package below, which may also be the source of the problem:
https://launchpad.net/ubuntu/+source/network-manager/1.2.2-0ubuntu4

edit2: The problem also exists when running openvpn from the command line, so the network manager is not part of the problem.

James (jglossinger) wrote :

It might be redirecting the gateway, but not DNS queries. In any case, there is a DNS leak which could allow a potential DNS redirect.

James (jglossinger)
information type: Private Security → Public Security
information type: Public Security → Public
James (jglossinger)
description: updated
summary: - redirect-gateway not working after upgrade to 16.10
+ DNS leak after upgrade to 16.10
description: updated
James (jglossinger)
description: updated
description: updated
James (jglossinger)
description: updated
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in openvpn (Ubuntu):
status: New → Confirmed
Mathieu Trudel-Lapierre (cyphermox) wrote :

"There is a DNS leak" doesn't tell us much. Could you please further describe what you're seeing as incorrect behavior, and exactly how the VPN is configured on the client? Is it set up to "Use this connection only for the resources on its network"? Is that the case for both IPv4 and IPv6?

What are the contents of /etc/resolv.conf, and what happens if you try to send requests meant for the VPN (preferably without any browser or other things running that could send DNS requests), and immediately afterwards send a USR1 signal to dnsmasq? (You can use "sudo kill -USR1 `pidof dnsmasq`", or sudo kill -USR1 just the dnsmasq process spawned by NetworkManager).

Changed in openvpn (Ubuntu):
status: Confirmed → Incomplete
Eylul (eylul) wrote :

Also noticed this. When using a couple of example setup files (different servers) that worked without leak in 16.04, in 16.10 there is a DNS leak. I am not sure exactly how to send requests meant for the VPN, but would be willing to try if I can figure it out. The rest of the information is below.

How is the VPN configured on the client?

Export of VPN settings as .ovpn:
client
remote <server> <port>
ca <ca cert>
cert <cert>
key <key>
comp-lzo yes
dev tun
proto udp
nobind
auth-nocache
script-security 2
persist-key
persist-tun
user nm-openvpn
group nm-openvpn

vpn conf at /etc/NetworkManager:

[connection]
id=<id>
uuid=<uuid>
type=vpn
permissions=
secondaries=
timestamp=<timestamp>

[vpn]
connection-type=tls
remote=<IP>:<port>
comp-lzo=yes
cert-pass-flags=0
cert=<cert>
dev=tun
key=<key>
ca=<ca>
service-type=org.freedesktop.NetworkManager.openvpn

[ipv4]
dns-search=
method=auto

[ipv6]
addr-gen-mode=stable-privacy
dns-search=
ip6-privacy=0
method=auto

Is it set up to "Use this connection only for the resources on its network"? Is that the case for both IPv4 and IPv6?
No, and no.

What are the contents of /etc/resolv.conf?

/etc/resolv.conf while VPN is running:
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.1.1
search home
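
An added example, not part of the original report or of any commenter's message: the check requested above, comparing dnsmasq's SIGUSR1 statistics before and after a batch of test lookups to see which upstream actually received them. It assumes dnsmasq's statistics lines have the form `server <ip>#<port>: queries sent <n>, retried or failed <n>`; the log lines and addresses are constructed, and the VPN resolver 10.8.0.1 is a placeholder.

```python
import ipaddress
import re

# resolv.conf as posted in the comment above: only a local forwarder is listed.
RESOLV = "nameserver 127.0.1.1\nsearch home\n"

# Constructed syslog excerpts (made-up addresses): dnsmasq statistics dumped by
# SIGUSR1 before and after a batch of test lookups made with the VPN up.
BEFORE = """\
Dec 19 11:40:01 host dnsmasq[1432]: server 192.168.1.1#53: queries sent 26, retried or failed 0
Dec 19 11:40:01 host dnsmasq[1432]: server 10.8.0.1#53: queries sent 0, retried or failed 0
"""
AFTER = """\
Dec 19 11:41:30 host dnsmasq[1432]: server 192.168.1.1#53: queries sent 31, retried or failed 0
Dec 19 11:41:30 host dnsmasq[1432]: server 10.8.0.1#53: queries sent 6, retried or failed 0
"""

STAT_RE = re.compile(r"server (\S+)#\d+: queries sent (\d+), retried or failed \d+")


def only_local_forwarder(resolv_text):
    """True if every nameserver is loopback, so resolv.conf hides the real upstream."""
    servers = []
    for line in resolv_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(ipaddress.ip_address(fields[1]))
    return bool(servers) and all(ip.is_loopback for ip in servers)


def upstream_stats(dump):
    """Map each upstream server to its cumulative 'queries sent' counter."""
    return {m.group(1): int(m.group(2)) for m in STAT_RE.finditer(dump)}


def leaking_upstreams(before, after, vpn_dns):
    """Queries sent between the two dumps to servers that are not VPN resolvers."""
    old, new = upstream_stats(before), upstream_stats(after)
    leaks = {}
    for server, sent in new.items():
        delta = sent - old.get(server, 0)
        if delta < 0:  # counter was reset between the dumps
            delta = sent
        if delta > 0 and server not in vpn_dns:
            leaks[server] = delta
    return leaks


if __name__ == "__main__":
    print(only_local_forwarder(RESOLV), leaking_upstreams(BEFORE, AFTER, {"10.8.0.1"}))
```

With resolv.conf pointing at 127.0.1.1, the file alone cannot show a leak; the per-server counters can, because a rise on any server outside the VPN set means lookups left through it.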

Mathieu Trudel-Lapierre (cyphermox) wrote :

Eylul, please file a separate bug for your particular issue, your configuration may be quite different than James'. When you've done so, please comment back here with the bug number.

James (jglossinger) wrote : Re: [Bug 1634689] Re: DNS leak after upgrade to 16.10

My setup is pretty generic. I'm sure Eylul's log files are
representative of the same bug.

On Mon, Dec 19, 2016 at 11:47 AM, Mathieu Trudel-Lapierre
<email address hidden> wrote:
> Eylul, please file a separate bug for your particular issue, your
> configuration may be quite different than James'. When you've done so,
> please comment back here with the bug number.

Eylul (eylul) wrote :

Mathieu, sorry for the delay. https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/1652525
is the bug ID. Thanks.

Launchpad Janitor (janitor) wrote :

[Expired for openvpn (Ubuntu) because there has been no activity for 60 days.]

Changed in openvpn (Ubuntu):
status: Incomplete → Expired