dns leak (windows)

[Vai3soh]

Hello.

I test on windows 7. There is a dns leak. In the code I see there is a protection against this, but it does not work.

[](

openvpn3/openvpn/tun/win/wfp.hpp

Line 49 in 4996c38

// defines below are taken from openvpn2 code (https://github.com/OpenVPN/openvpn/blob/master/src/openvpn/block_dns.c)

openvpn3/openvpn/tun/win/client/tunsetup.hpp

Line 677 in 4996c38

// Use WFP for DNS leak protection.

)

[schwabe]

Please explain how you are testing this.

[Vai3soh]

Please explain how you are testing this.

Sites with test - https://dnsleaktest.com/, https://dnsleak.com/

This was tested on several clients (different software):

1. build ovpncli.exe
2. build client with this lib https://github.com/Vai3soh/ovpncli
3. openvpn connect v3 https://openvpn.net/client-connect-vpn-for-windows/

DNS leak everywhere

[schwabe]

If that lines are active depends on a number of factors like Split dns etc. I would be good if you can include logs and configuration to make the issue reproducible. For Connect v3 please use https://support.openvpn.net as the Connect team does not want to participate in Github issues.

[Vai3soh]

If that lines are active depends on a number of factors like Split dns etc. I would be good if you can include logs and configuration to make the issue reproducible.

You don't reproduce this issue?

For Connect v3 please use https://support.openvpn.net as the Connect team does not want to participate in Github issues.

I mean that this software uses the same lib, or does it have its own patches?

step by step,

1. download config:
   https://www.freeopenvpn.org/pservers/Japan/Japan_219.100.37.31_tcp.ovpn

use ovpncli.exe log:

ovpncli.exe -Q -j Japan_219.100.37.31_tcp.ovpn
CONNECTING...
Thread starting...
Wed Dec 28 05:53:03 2022 OpenVPN core 3.8_git:master win x86_64 64-bit OVPN-DCO
Wed Dec 28 05:53:03 2022 Frame=512/2112/512 mssfix-ctrl=1250
Wed Dec 28 05:53:03 2022 NOTE: This configuration contains options that were not
 used:
Wed Dec 28 05:53:03 2022 Unsupported option (ignored)
Wed Dec 28 05:53:03 2022 5 [resolv-retry] [infinite]
Wed Dec 28 05:53:03 2022 7 [persist-key]
Wed Dec 28 05:53:03 2022 8 [persist-tun]
Wed Dec 28 05:53:03 2022 EVENT: RESOLVE
Wed Dec 28 05:53:03 2022 Contacting 219.100.37.31:443 via TCPv4
Wed Dec 28 05:53:03 2022 EVENT: WAIT
NOT IMPLEMENTED: *** socket_protect 404 219.100.37.31
Wed Dec 28 05:53:03 2022 Connecting to [219.100.37.31]:443 (219.100.37.31) via T
CPv4
Wed Dec 28 05:53:03 2022 EVENT: CONNECTING
Wed Dec 28 05:53:03 2022 Tunnel Options:V4,dev-type tun,link-mtu 1559,tun-mtu 15
00,proto TCPv4_CLIENT,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-
client
Wed Dec 28 05:53:03 2022 Peer Info:
IV_VER=3.8_git:master
IV_PLAT=win
IV_NCP=2
IV_TCPNL=1
IV_PROTO=30
IV_MTU=1600
IV_CIPHERS=AES-128-CBC:AES-192-CBC:AES-256-CBC:AES-128-GCM:AES-192-GCM:AES-256-G
CM:CHACHA20-POLY1305
IV_GUI_VER=cli 1.0

Wed Dec 28 05:53:03 2022 VERIFY OK: depth=2, /C=US/O=Internet Security Research
Group/CN=ISRG Root X1, signature: RSA-SHA256
Wed Dec 28 05:53:03 2022 VERIFY OK: depth=1, /C=US/O=Let's Encrypt/CN=R3, signat
ure: RSA-SHA256
Wed Dec 28 05:53:03 2022 VERIFY OK: depth=0, /CN=opengw.net, signature: RSA-SHA2
56
Wed Dec 28 05:53:03 2022 SSL Handshake: peer certificate: CN=opengw.net, 2048 bi
t RSA, cipher: TLS_AES_256_GCM_SHA384         TLSv1.3 Kx=any      Au=any   Enc=A
ESGCM(256)            Mac=AEAD

Wed Dec 28 05:53:03 2022 Session is ACTIVE
Wed Dec 28 05:53:03 2022 EVENT: GET_CONFIG
Wed Dec 28 05:53:03 2022 Sending PUSH_REQUEST to server...
Wed Dec 28 05:53:04 2022 Sending PUSH_REQUEST to server...
Wed Dec 28 05:53:06 2022 Sending PUSH_REQUEST to server...
Wed Dec 28 05:53:08 2022 OPTIONS:
0 [ping] [3]
1 [ping-restart] [10]
2 [ifconfig] [10.234.9.5] [10.234.9.6]
3 [dhcp-option] [DNS] [10.234.254.254]
4 [dhcp-option] [DNS] [8.8.8.8]
5 [route-gateway] [10.234.9.6]
6 [redirect-gateway] [def1]

Wed Dec 28 05:53:08 2022 PROTOCOL OPTIONS:
  cipher: AES-128-CBC
  digest: SHA1
  key-derivation: OpenVPN PRF
  compress: NONE
  peer ID: -1
Wed Dec 28 05:53:08 2022 EVENT: ASSIGN_IP
Wed Dec 28 05:53:08 2022 CAPTURED OPTIONS:
Session Name: 219.100.37.31
Layer: OSI_LAYER_3
Remote Address: 219.100.37.31
Tunnel Addresses:
  10.234.9.5/30 -> 10.234.9.6 [net30]
Reroute Gateway: IPv4=1 IPv6=0 flags=[ ENABLE REROUTE_GW DEF1 IPv4 ]
Block IPv4: no
Block IPv6: no
Add Routes:
Exclude Routes:
DNS Servers:
  10.234.254.254
  8.8.8.8
Search Domains:

Wed Dec 28 05:53:08 2022 GetBestGateway: selected gateway 192.168.122.1 on adapt
er 11 for destination 219.100.37.31
Wed Dec 28 05:53:08 2022 proxy_auto_config_url
Wed Dec 28 05:53:09 2022 TAP ADAPTERS:
guid='{B0057AA0-AD9A-458C-9459-15715AF9E2D9}' index=18 name='OpenVPN TAP-Windows
6'

Open TAP device "OpenVPN TAP-Windows6" PATH="\\.\Global\{B0057AA0-AD9A-458C-9459
-15715AF9E2D9}.tap" SUCCEEDED
TAP-Windows Driver Version 9.24
ActionDeleteAllRoutesOnInterface iface_index=18
netsh interface ip set interface 18 metric=1
Ok.

It makes sense to put the log from Connect v3 or is that enough?

If using the old openvpn client with block-outside-dns works fine, no dns leak.

[schwabe]

You don't reproduce this issue?

We get a lot of reports of all random things. So having a good way to reproduce the issue is an important step to look into a report/issue. Also I am not a Windows developer and just doing some initial triaging on this bug.

I mean that this software uses the same lib, or does it have its own patches?

Use the support link to speak with the Connect team. As much as I don't like their stance of not using proper communication, I cannot change that.

You still have not mentioned how you are determining the existance or absence of DNS leaks.

[Vai3soh]

You still have not mentioned how you are determining the existance or absence of DNS leaks.

go to https://bash.ws/dnsleak/
run start test, see log

You use 15 DNS servers:
xx.xx.xx.xx1		See this provider dns
162.158.117.72	Japan	AS13335 CloudFlare Inc.
172.70.121.7		Japan	AS13335 CloudFlare Inc.
172.70.121.34		Japan	AS13335 CloudFlare Inc.
172.70.221.54		Japan	AS13335 CloudFlare Inc.
172.253.6.194		Hong Kong	AS15169 Google LLC
172.253.7.129		United States of America	AS15169 Google LLC
172.253.7.132		United States of America	AS15169 Google LLC
172.253.236.1		Japan	AS15169 Google LLC
172.253.236.2		Japan	AS15169 Google LLC
173.194.168.3		Japan	AS15169 Google LLC
173.194.168.5		Japan	AS15169 Google LLC
173.194.168.129		Japan	AS15169 Google LLC
173.194.168.131		Japan	AS15169 Google LLC
xx.xx.xx.xx2		See this provider dns

xx.xx.xx.xx - ip's address provider dns
There is a dns leak, other sites have the same principle

Use the support link to speak with the Connect team.

Does it make sense to write there (Connect team)? If there is a fix, will it be here?

[Vai3soh]

test on win10, no dns leak, with log:

NRPT::ActionCreate names=[.] dns_servers=[10.237.254.254,8.8.8.8]
ActionWFP openvpn_app_path=C:\ovpncli.exe tap_index=9 enable=1
permit IPv4 DNS requests from OpenVPN app
permit IPv6 DNS requests from OpenVPN app
block IPv4 DNS requests from other apps
block IPv6 DNS requests from other apps
allow IPv4 traffic from TAP
allow IPv6 traffic from TAP
ipconfig /flushdns

[emoxam]

Can we disable "block IPv4 DNS requests from other apps" on windows openvpn connect ?
P.S. "Use the support link to speak with the Connect team" - What link ?