Comment 3 for bug 1685391

Your description of DNS leak is consistent with my own understanding. Specifically, DNS testing sites show my own ISP being used instead of being that of the VPN.

As for my setup, I simply follow the Private Internet Access Linux step-by-step instructions here: https://www.privateinternetaccess.com/forum/discussion/18003/openvpn-step-by-step-setups-for-various-debian-based-linux-oss-with-videos-ubuntu-mint-debian .

In short, the instructions tell you to:
1). Update/install packages like openvpn, network-manager, etc.
2). Download ovpn and crt files from the PIA website
3). Add them to network-manager and make a couple changes before saving.

This procedure has worked for me in the past (as recently as a few weeks ago on 16.10 after the dnsmasq issue was corrected), but they are not working for me on 17.04. I imagine most of the settings you are interested in are located in the ovpn file that I imported, which I include below as an attachment. Since it's short, I'll also append the file info to the bottom of this message.

Does this answer your questions? If not, I'm happy to add whatever other information you might need. I'm a pedestrian user of VPN, so you might need to be explicit in what command line instructions you need me to execute. Thanks!

P.S. While it's of course possible that I'm just doing something stupid since installing 17.04, here is another recent result I found online where someone is experiencing new issues in 17.04: https://www.privateinternetaccess.com/forum/discussion/23756/pia-client-on-ubuntu-17-04-dns-leak, although they are using the official PIA client, whereas I am not.

----- [ovpn file info]
client
dev tun
proto udp
remote us-east.privateinternetaccess.com 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
auth-user-pass
comp-lzo
verb 1
reneg-sec 0
crl-verify crl.rsa.2048.pem
ca ca.rsa.2048.crt
disable-occ