[SOLVED] DNS leaks in PVE7

Spoonman2002

Jul 6, 2021
Hi all,

I have a VPN Gateway (Ubuntu 20.04 LXC) running in PVE7.
When I connect from a VM to this Gateway I have a DNS leak....
(https://dnsleaktest.com)

Same VPN Gateway setup on ESXi 6.x (Ubuntu 20.04) gives no DNS leaks.

Is there a network setting in PVE7 that needs further configuration?
I have no exotic setup, just nic0 and vmbr0 as Bridge (default).
 
hi,

> I have a VPN Gateway (Ubuntu 20.04 LXC) running in PVE7.
> When I connect from a VM to this Gateway I have a DNS leak....
> (https://dnsleaktest.com)
>
> Same VPN Gateway setup on ESXi 6.x (Ubuntu 20.04) gives no DNS leaks.
are you using the same openvpn configuration on both servers?

what kind of dns leak are you having? is there a configured dns server on the vpn side?

what OS is the client running?
 
- yes, same openvpn config files on both servers.
- DNS server is configured on the VPN side.
- the leak test shows DNS servers from my default VLAN1 network.
I have firewall rules in my router that isolate all my VLANs.
- The client from which I'm testing is a vm Linux Mint 20.2 on VLAN44.
(When I test from a Windows 10 client vm there are NO DNS leaks....).
 
> - The client from which I'm testing is a vm Linux Mint 20.2 on VLAN44.
> (When I test from a Windows 10 client vm there are NO DNS leaks....).
what are the contents of /etc/resolv.conf in the Linux Mint VM? it should point to the correct dns server from your VPN.

maybe you can add in your client conf file:
Code:
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

(on my machine the script doesn't have a ".sh" extension, check yours)

[0]: https://community.openvpn.net/openvpn/wiki/Pushing-DNS-to-clients
 
it says: 127.0.0.53
that's your local IP address. if you want no DNS leaks then you should be using the IP address of the DNS server supplied by your VPN server
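A check for the situation in the two replies above (the client's /etc/resolv.conf pointing at 127.0.0.53), added here as an example; it is not code from the thread, from OpenVPN or from the update-resolv-conf script. 127.0.0.53 is the stub listener of systemd-resolved, so resolv.conf alone does not say where queries go: resolved forwards an unqualified lookup to every link that has DNS servers and DefaultRoute enabled, unless one link claims the catch-all routing domain `~.`. The function below parses `resolvectl status` output and flags links other than the VPN interface that can still be asked. The interface name tun0, the VPN DNS server 10.8.0.1 and the two status samples are constructed for the example; the field layout follows the systemd shipped with Ubuntu 20.04 and may differ on other versions.

```shell
#!/usr/bin/env bash
# Added example for the thread above, not code from the posts or from OpenVPN.
# Question it answers: with /etc/resolv.conf pointing at the systemd-resolved
# stub 127.0.0.53, which links can still answer a plain DNS lookup?
# Assumptions (constructed for the example): the VPN interface is tun0 and
# the VPN pushes 10.8.0.1 as its DNS server.
set -u

# Constructed `resolvectl status` output, field layout as on Ubuntu 20.04
# (systemd 245). Case 1: LAN link ens18 keeps its DNS and default route and
# tun0 has no "~." routing domain, so lookups also reach 192.168.1.1.
SAMPLE_LEAKING='Global
       LLMNR setting: no
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: no

Link 2 (ens18)
      Current Scopes: DNS
DefaultRoute setting: yes
       LLMNR setting: yes
  Current DNS Server: 192.168.1.1
         DNS Servers: 192.168.1.1

Link 3 (tun0)
      Current Scopes: DNS
DefaultRoute setting: yes
  Current DNS Server: 10.8.0.1
         DNS Servers: 10.8.0.1'

# Case 2 (constructed): tun0 owns the catch-all domain "~." and the LAN link
# is no longer a default route, so only the VPN resolver is asked.
SAMPLE_FIXED='Global
       LLMNR setting: no

Link 2 (ens18)
      Current Scopes: DNS
DefaultRoute setting: no
         DNS Servers: 192.168.1.1

Link 3 (tun0)
      Current Scopes: DNS
DefaultRoute setting: yes
         DNS Servers: 10.8.0.1
          DNS Domain: ~.'

# leak_verdict STATUS_TEXT VPN_IF VPN_DNS
# Prints "OK" when only VPN_IF can answer unqualified lookups and it lists
# VPN_DNS; otherwise "LEAK" followed by the links that can still be queried.
leak_verdict() {
  local status="$1" vpn_if="$2" vpn_dns="$3"
  printf '%s\n' "$status" | awk -v vpn_if="$vpn_if" -v vpn_dns="$vpn_dns" '
    /^Link [0-9]+ \(/ {                 # "Link 2 (ens18)" -> link = ens18
      link = $3; gsub(/[()]/, "", link)
      has_dns[link] = 0; defroute[link] = "yes"; catchall[link] = 0
      next
    }
    link == "" { next }                 # still inside the Global block
    /DefaultRoute setting:/ { defroute[link] = $NF }
    /^ *DNS Servers:/       { has_dns[link] = 1; servers[link] = servers[link] " " $0 }
    /^ *DNS Domain:.*~\./   { catchall[link] = 1 }
    END {
      if (index(servers[vpn_if], vpn_dns) == 0) {
        print "LEAK " vpn_if " has no DNS server " vpn_dns
        exit
      }
      # Without a "~." routing domain on the VPN link, resolved sends
      # unqualified lookups to every default-route link that has DNS servers.
      bad = ""
      for (l in has_dns)
        if (l != vpn_if && has_dns[l] && defroute[l] == "yes" && !catchall[vpn_if])
          bad = bad " " l
      if (bad == "") print "OK"; else print "LEAK" bad
    }'
}

# Constructed cases. On a real client: leak_verdict "$(resolvectl status)" tun0 10.8.0.1
leak_verdict "$SAMPLE_LEAKING" tun0 10.8.0.1   # LEAK ens18
leak_verdict "$SAMPLE_FIXED"   tun0 10.8.0.1   # OK
```

When the verdict is LEAK, the remedy on the client side is to give the VPN link the `~.` routing domain (and, if wanted, turn DefaultRoute off on the LAN link), which is what the update-systemd-resolved helper does in place of update-resolv-conf on systemd-resolved hosts; the parser only reads single-line "DNS Servers:" fields, so a status dump that wraps several servers onto continuation lines would need the matching extended.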
 
Okay........... I found the cause of the DNS leaks:
in my router/firewall (OPNsense) there was a mis-configuration with internal DNS traffic.
Solution:
delete all DNS entries in the general section in OPNsense and provide DNS servers per VLAN.

I also changed in Proxmox from the default Bridge config to OVS with separate IntPorts/VLANs.
Probably not necessary to change to OVS, but it gives me a better structural overview.