
dns leak (windows) #253

Open
Vai3soh opened this issue Dec 26, 2022 · 8 comments

Comments

@Vai3soh

Vai3soh commented Dec 26, 2022

Hello.

I tested on Windows 7. There is a DNS leak. In the code I see there is protection against this, but it does not work.

    // defines below are taken from openvpn2 code (https://github.com/OpenVPN/openvpn/blob/master/src/openvpn/block_dns.c)
    // Use WFP for DNS leak protection.

@schwabe
Contributor

schwabe commented Dec 26, 2022

Please explain how you are testing this.

@Vai3soh
Author

Vai3soh commented Dec 27, 2022

> Please explain how you are testing this.

Sites with test - https://dnsleaktest.com/, https://dnsleak.com/

This was tested on several clients (different software):

  1. build ovpncli.exe
  2. build client with this lib https://github.com/Vai3soh/ovpncli
  3. openvpn connect v3 https://openvpn.net/client-connect-vpn-for-windows/

DNS leak everywhere

@schwabe
Contributor

schwabe commented Dec 27, 2022

Whether those lines are active depends on a number of factors like split DNS etc. It would be good if you could include logs and configuration to make the issue reproducible. For Connect v3 please use https://support.openvpn.net as the Connect team does not want to participate in GitHub issues.

@Vai3soh
Author

Vai3soh commented Dec 27, 2022

> Whether those lines are active depends on a number of factors like split DNS etc. It would be good if you could include logs and configuration to make the issue reproducible.

You don't reproduce this issue?

> For Connect v3 please use https://support.openvpn.net as the Connect team does not want to participate in GitHub issues.

I mean, does this software use the same lib, or does it have its own patches?

Step by step:

  1. download config:
    https://www.freeopenvpn.org/pservers/Japan/Japan_219.100.37.31_tcp.ovpn

  2. use ovpncli.exe, log:

ovpncli.exe -Q -j Japan_219.100.37.31_tcp.ovpn
CONNECTING...
Thread starting...
Wed Dec 28 05:53:03 2022 OpenVPN core 3.8_git:master win x86_64 64-bit OVPN-DCO
Wed Dec 28 05:53:03 2022 Frame=512/2112/512 mssfix-ctrl=1250
Wed Dec 28 05:53:03 2022 NOTE: This configuration contains options that were not used:
Wed Dec 28 05:53:03 2022 Unsupported option (ignored)
Wed Dec 28 05:53:03 2022 5 [resolv-retry] [infinite]
Wed Dec 28 05:53:03 2022 7 [persist-key]
Wed Dec 28 05:53:03 2022 8 [persist-tun]
Wed Dec 28 05:53:03 2022 EVENT: RESOLVE
Wed Dec 28 05:53:03 2022 Contacting 219.100.37.31:443 via TCPv4
Wed Dec 28 05:53:03 2022 EVENT: WAIT
NOT IMPLEMENTED: *** socket_protect 404 219.100.37.31
Wed Dec 28 05:53:03 2022 Connecting to [219.100.37.31]:443 (219.100.37.31) via TCPv4
Wed Dec 28 05:53:03 2022 EVENT: CONNECTING
Wed Dec 28 05:53:03 2022 Tunnel Options:V4,dev-type tun,link-mtu 1559,tun-mtu 1500,proto TCPv4_CLIENT,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client
Wed Dec 28 05:53:03 2022 Peer Info:
IV_VER=3.8_git:master
IV_PLAT=win
IV_NCP=2
IV_TCPNL=1
IV_PROTO=30
IV_MTU=1600
IV_CIPHERS=AES-128-CBC:AES-192-CBC:AES-256-CBC:AES-128-GCM:AES-192-GCM:AES-256-GCM:CHACHA20-POLY1305
IV_GUI_VER=cli 1.0

Wed Dec 28 05:53:03 2022 VERIFY OK: depth=2, /C=US/O=Internet Security Research Group/CN=ISRG Root X1, signature: RSA-SHA256
Wed Dec 28 05:53:03 2022 VERIFY OK: depth=1, /C=US/O=Let's Encrypt/CN=R3, signature: RSA-SHA256
Wed Dec 28 05:53:03 2022 VERIFY OK: depth=0, /CN=opengw.net, signature: RSA-SHA256
Wed Dec 28 05:53:03 2022 SSL Handshake: peer certificate: CN=opengw.net, 2048 bit RSA, cipher: TLS_AES_256_GCM_SHA384         TLSv1.3 Kx=any      Au=any   Enc=AESGCM(256)            Mac=AEAD

Wed Dec 28 05:53:03 2022 Session is ACTIVE
Wed Dec 28 05:53:03 2022 EVENT: GET_CONFIG
Wed Dec 28 05:53:03 2022 Sending PUSH_REQUEST to server...
Wed Dec 28 05:53:04 2022 Sending PUSH_REQUEST to server...
Wed Dec 28 05:53:06 2022 Sending PUSH_REQUEST to server...
Wed Dec 28 05:53:08 2022 OPTIONS:
0 [ping] [3]
1 [ping-restart] [10]
2 [ifconfig] [10.234.9.5] [10.234.9.6]
3 [dhcp-option] [DNS] [10.234.254.254]
4 [dhcp-option] [DNS] [8.8.8.8]
5 [route-gateway] [10.234.9.6]
6 [redirect-gateway] [def1]

Wed Dec 28 05:53:08 2022 PROTOCOL OPTIONS:
  cipher: AES-128-CBC
  digest: SHA1
  key-derivation: OpenVPN PRF
  compress: NONE
  peer ID: -1
Wed Dec 28 05:53:08 2022 EVENT: ASSIGN_IP
Wed Dec 28 05:53:08 2022 CAPTURED OPTIONS:
Session Name: 219.100.37.31
Layer: OSI_LAYER_3
Remote Address: 219.100.37.31
Tunnel Addresses:
  10.234.9.5/30 -> 10.234.9.6 [net30]
Reroute Gateway: IPv4=1 IPv6=0 flags=[ ENABLE REROUTE_GW DEF1 IPv4 ]
Block IPv4: no
Block IPv6: no
Add Routes:
Exclude Routes:
DNS Servers:
  10.234.254.254
  8.8.8.8
Search Domains:

Wed Dec 28 05:53:08 2022 GetBestGateway: selected gateway 192.168.122.1 on adapter 11 for destination 219.100.37.31
Wed Dec 28 05:53:08 2022 proxy_auto_config_url
Wed Dec 28 05:53:09 2022 TAP ADAPTERS:
guid='{B0057AA0-AD9A-458C-9459-15715AF9E2D9}' index=18 name='OpenVPN TAP-Windows6'

Open TAP device "OpenVPN TAP-Windows6" PATH="\\.\Global\{B0057AA0-AD9A-458C-9459-15715AF9E2D9}.tap" SUCCEEDED
TAP-Windows Driver Version 9.24
ActionDeleteAllRoutesOnInterface iface_index=18
netsh interface ip set interface 18 metric=1
Ok.

Does it make sense to post the log from Connect v3, or is that enough?

Using the old OpenVPN client with block-outside-dns works fine, no DNS leak.

@schwabe
Contributor

schwabe commented Dec 30, 2022

> You don't reproduce this issue?

We get a lot of reports of all sorts of random things. So having a good way to reproduce the issue is an important step in looking into a report/issue. Also, I am not a Windows developer and am just doing some initial triaging on this bug.

> I mean, does this software use the same lib, or does it have its own patches?

Use the support link to speak with the Connect team. As much as I don't like their stance of not using proper communication, I cannot change that.

You still have not mentioned how you are determining the existence or absence of DNS leaks.

@Vai3soh
Author

Vai3soh commented Dec 31, 2022

> You still have not mentioned how you are determining the existence or absence of DNS leaks.

Go to https://bash.ws/dnsleak/, run "start test", see the log:

You use 15 DNS servers:
xx.xx.xx.xx1		See this provider dns
162.158.117.72	Japan	AS13335 CloudFlare Inc.
172.70.121.7		Japan	AS13335 CloudFlare Inc.
172.70.121.34		Japan	AS13335 CloudFlare Inc.
172.70.221.54		Japan	AS13335 CloudFlare Inc.
172.253.6.194		Hong Kong	AS15169 Google LLC
172.253.7.129		United States of America	AS15169 Google LLC
172.253.7.132		United States of America	AS15169 Google LLC
172.253.236.1		Japan	AS15169 Google LLC
172.253.236.2		Japan	AS15169 Google LLC
173.194.168.3		Japan	AS15169 Google LLC
173.194.168.5		Japan	AS15169 Google LLC
173.194.168.129		Japan	AS15169 Google LLC
173.194.168.131		Japan	AS15169 Google LLC
xx.xx.xx.xx2		See this provider dns

xx.xx.xx.xx - IP addresses of the provider's DNS
There is a DNS leak; other sites work on the same principle.

> Use the support link to speak with the Connect team.

Does it make sense to write there (Connect team)? If there is a fix, will it be here?

@Vai3soh
Author

Vai3soh commented Jan 5, 2023

Tested on Win10, no DNS leak, with log:

NRPT::ActionCreate names=[.] dns_servers=[10.237.254.254,8.8.8.8]
ActionWFP openvpn_app_path=C:\ovpncli.exe tap_index=9 enable=1
permit IPv4 DNS requests from OpenVPN app
permit IPv6 DNS requests from OpenVPN app
block IPv4 DNS requests from other apps
block IPv6 DNS requests from other apps
allow IPv4 traffic from TAP
allow IPv6 traffic from TAP
ipconfig /flushdns
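
A way to tell the two runs in this thread apart mechanically, as an added example that is not part of the issue or of the OpenVPN 3 project: the checker below scans an OpenVPN 3 Windows client log for the pushed `dhcp-option DNS` servers, the `NRPT::ActionCreate` rule and the `ActionWFP` filter actions ("block IPv4/IPv6 DNS requests from other apps"), and reports whether leak protection was actually applied. The two embedded log fragments are constructed from the Windows 7 log (which ends after the route and metric actions, with no WFP or NRPT lines) and the Windows 10 log above; the function and dataclass names are my own.

```python
"""Check an OpenVPN 3 (Windows) client log for applied DNS leak protection."""
import re
from dataclasses import dataclass, field

# Constructed sample: tail of the Windows 7 run quoted in this issue.
# DNS servers are pushed, but no NRPT rule or WFP filter is ever logged.
WIN7_LOG = """\
Wed Dec 28 05:53:08 2022 OPTIONS:
3 [dhcp-option] [DNS] [10.234.254.254]
4 [dhcp-option] [DNS] [8.8.8.8]
6 [redirect-gateway] [def1]
ActionDeleteAllRoutesOnInterface iface_index=18
netsh interface ip set interface 18 metric=1
Ok.
"""

# Constructed sample: the Windows 10 run quoted in this issue, where the
# client creates an NRPT rule and WFP filters before flushing the cache.
WIN10_LOG = """\
3 [dhcp-option] [DNS] [10.237.254.254]
4 [dhcp-option] [DNS] [8.8.8.8]
NRPT::ActionCreate names=[.] dns_servers=[10.237.254.254,8.8.8.8]
ActionWFP openvpn_app_path=C:\\ovpncli.exe tap_index=9 enable=1
permit IPv4 DNS requests from OpenVPN app
permit IPv6 DNS requests from OpenVPN app
block IPv4 DNS requests from other apps
block IPv6 DNS requests from other apps
allow IPv4 traffic from TAP
allow IPv6 traffic from TAP
ipconfig /flushdns
"""

DNS_PUSH_RE = re.compile(r"\[dhcp-option\] \[DNS\] \[([0-9a-fA-F.:]+)\]")
NRPT_RE = re.compile(r"NRPT::ActionCreate names=\[(.*?)\] dns_servers=\[(.*?)\]")
WFP_RE = re.compile(r"ActionWFP openvpn_app_path=(\S+) tap_index=(\d+) enable=(\d)")
BLOCK_RE = re.compile(r"^block (IPv4|IPv6) DNS requests from other apps$", re.M)
PERMIT_RE = re.compile(r"^permit (IPv4|IPv6) DNS requests from OpenVPN app$", re.M)


@dataclass
class DnsProtectionReport:
    """What the log says about DNS handling for one connection."""
    pushed_dns: list = field(default_factory=list)   # servers pushed by the server
    nrpt_servers: list = field(default_factory=list) # servers the NRPT rule points at
    wfp_enabled: bool = False                        # ActionWFP ... enable=1 seen
    blocked: set = field(default_factory=set)        # families blocked for other apps
    permitted: set = field(default_factory=set)      # families permitted for the VPN app

    def protected(self) -> bool:
        """True only if WFP is on and both address families are filtered."""
        both = {"IPv4", "IPv6"}
        return self.wfp_enabled and both <= self.blocked and both <= self.permitted

    def findings(self) -> list:
        """Human-readable reasons why this run may leak DNS queries."""
        out = []
        if not self.pushed_dns:
            out.append("no DNS servers pushed; nothing to protect")
        if self.nrpt_servers and set(self.nrpt_servers) != set(self.pushed_dns):
            out.append("NRPT rule servers differ from pushed DNS servers")
        if not self.wfp_enabled:
            out.append("ActionWFP not logged: other apps can still reach system resolvers")
        for fam in ("IPv4", "IPv6"):
            if fam not in self.blocked:
                out.append(f"{fam} DNS requests from other apps not blocked")
        return out


def analyze(log: str) -> DnsProtectionReport:
    """Parse one client log and build the report."""
    rep = DnsProtectionReport()
    rep.pushed_dns = DNS_PUSH_RE.findall(log)
    m = NRPT_RE.search(log)
    if m:
        rep.nrpt_servers = [s for s in m.group(2).split(",") if s]
    m = WFP_RE.search(log)
    if m:
        rep.wfp_enabled = m.group(3) == "1"
    rep.blocked = set(BLOCK_RE.findall(log))
    rep.permitted = set(PERMIT_RE.findall(log))
    return rep


if __name__ == "__main__":
    for name, log in (("Windows 7", WIN7_LOG), ("Windows 10", WIN10_LOG)):
        rep = analyze(log)
        print(f"{name}: protected={rep.protected()} pushed={rep.pushed_dns}")
        for line in rep.findings():
            print("  -", line)
```

Run against the Windows 7 fragment the checker reports no `ActionWFP` line and both families unblocked; against the Windows 10 fragment it reports no findings. Note the caveat the thread itself raises: absence of the WFP lines does not by itself prove a leak (split-DNS and other configuration can legitimately skip them), so the report is a triage aid for reading logs, not a substitute for an on-host resolver test such as the one at bash.ws.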

Vai3soh added a commit to Vai3soh/goovpn that referenced this issue Jan 5, 2023
Removed QT framework due to complex build system.
Use Wails https://github.com/wailsapp/wails
Remove use of config files; use Boltdb https://github.com/etcd-io/bbolt to store application configuration

Bugs:
In the Windows version there is a DNS leak, created issue OpenVPN/openvpn3#253

What needs to be done:
Notifications missing, need to merge pull request wailsapp/wails#2206
@emoxam

emoxam commented Jun 16, 2023

Can we disable "block IPv4 DNS requests from other apps" on Windows OpenVPN Connect?
P.S. "Use the support link to speak with the Connect team" - what link?
