
IPLeak.net broken?


Topic Author
MOQ888
Posts: 59
Joined: Sun Apr 02, 2017 6:31 pm

IPLeak.net broken?

Post by MOQ888 » Sat Apr 20, 2019 1:40 pm

Over the last few days I've noticed that ipleak.net fails on all the DNS Leak tests. At first I thought it was because I installed RealVNC on this Kubuntu box but I tested on a Win10 PC and its Kubuntu VM and both fail in the same way.

I've found other DNS Leak pages but I was wondering what others are experiencing and what alternatives are suggested. I don't really want to use a DNS Leak page from a VPN provider (although I now know that ipleak.net is affiliated with AirVPN).

At the moment I've reset my home page to ipleak.org as this seems to do a fairly thorough job with revealing a similar list of DNS that ipleak.net did.


wpaschukat
Posts: 13
Joined: Sun Mar 22, 2015 3:25 am

Re: IPLeak.net broken?

Post by wpaschukat » Sun Apr 21, 2019 4:31 am

Yepp, it fails on the dns test. I've used https://www.dnsleaktest.com/ in the past, still works fine and is my usual pick. Apparently https://browserleaks.com/ip is also a thing, but I've only recently used it.


Topic Author
MOQ888
Posts: 59
Joined: Sun Apr 02, 2017 6:31 pm

Re: IPLeak.net broken?

Post by MOQ888 » Mon Apr 22, 2019 6:37 am

Tks for confirming.

What's strange for me in Firefox is that if ipleaks.net starts its DNS leak testing (which is very slow) then no other tab can resolve any DNS hosts. Closing FF and relaunching it sorts this weirdness. Haven't tried another browser.

During this I can resolve and ping host names in bash just fine, it only seems to screw up that browser instance.

I'm curious if this affects others too ... and why!

df
Site Admin
Posts: 417
Joined: Thu Jan 01, 1970 5:00 am

Re: IPLeak.net broken?

Post by df » Wed Apr 24, 2019 6:45 am

I haven't noticed that issue, but I don't use ipleak.net often. My go to is usually dnsleaktest.com.

We also have our own at https://cryptostorm.is/dnsleaktest that might work better for some people.
It's kinda BETA-ish, so it might fail to load completely, sometimes, but it seems fine so far in our tests.

Those DNS leak test sites work by resolving a random sub-domain (or sub-sub-domain) against a domain's DNS server, which is configured to log requests, then the page checks that log and tells the visitor what the DNS client's IP was.
The problem is that those random sub-domains usually don't resolve to anything, so you have to wait for your browser to timeout the DNS request before the page will finish loading. That might cause problems in some cases, especially if you're doing a bunch of other stuff and there's a limit set somewhere on how many things can be in a "waiting for timeout" state.

In our DNS leak test page, the random sub-domains resolve to a real IP of a web server setup to actually respond to requests, so no waiting for the timeout to finish. And just because, we wrote ours to work without JavaScript =D
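
The mechanism described in the post above (random sub-domain, authoritative server that logs the asker, page that reads the log), as an added example that is not part of the original post and is not cryptostorm's code. It runs entirely on localhost, with the test client standing in for the recursive resolver; the zone `dnsl.example.test`, the function names and the expected-resolver set are assumptions.

```python
import secrets
import socket
import struct
import threading

ZONE = "dnsl.example.test"  # hypothetical test zone (assumption, not a real service)
WEB_IP = "127.0.0.1"        # every random label resolves here, so nothing times out
seen = {}                   # random label -> source IP that asked for it

def parse_question(packet):
    """Return (queried name, offset just past the question section)."""
    labels, pos = [], 12                      # DNS header is 12 bytes
    while packet[pos]:
        labels.append(packet[pos + 1:pos + 1 + packet[pos]].decode("ascii"))
        pos += 1 + packet[pos]
    return ".".join(labels).lower(), pos + 5  # skip root byte, QTYPE, QCLASS

def serve_once(sock):
    """Authoritative side: log who asked, then answer with a real A record."""
    query, addr = sock.recvfrom(512)
    name, end = parse_question(query)
    if name.endswith("." + ZONE):
        seen[name.split(".")[0]] = addr[0]
    header = query[:2] + struct.pack(">HHHHH", 0x8400, 1, 1, 0, 0)  # QR+AA, 1 answer
    answer = struct.pack(">HHHIH", 0xC00C, 1, 1, 0, 4) + socket.inet_aton(WEB_IP)
    sock.sendto(header + query[12:end] + answer, addr)

def build_query(name):
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return struct.pack(">HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + b"\0\0\x01\0\x01"

def run_leak_test(expected_resolvers):
    """Page side: resolve a fresh random label, then read back who the server saw."""
    label = secrets.token_hex(8)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as server, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as client:
        server.bind(("127.0.0.1", 0))
        server.settimeout(2)
        client.settimeout(2)
        worker = threading.Thread(target=serve_once, args=(server,))
        worker.start()
        client.sendto(build_query(f"{label}.{ZONE}"), server.getsockname())
        reply, _ = client.recvfrom(512)
        worker.join()
    asker = seen[label]
    return socket.inet_ntoa(reply[-4:]), asker, asker in expected_resolvers

if __name__ == "__main__":
    print(run_leak_test({"127.0.0.1"}))
```

On a real deployment the address logged is that of whichever recursive resolver forwarded the query, which is why an unexpected address in the result points at the DNS path rather than at the browser.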

parityboy
Site Admin
Posts: 1215
Joined: Wed Feb 05, 2014 3:47 am

Re: IPLeak.net broken?

Post by parityboy » Fri Apr 26, 2019 9:51 pm

@df

I just tried the CS DNS Leak Test page. The IPs it listed are actually the IPs of the exit nodes I'm connected to, rather than the DNS servers I'm using, hence it lists them in red as "not cryptostorm DNS". I've configured pfSense to use 82.163.72.123 and 128.127.104.108 as DNS servers.

df
Site Admin
Posts: 417
Joined: Thu Jan 01, 1970 5:00 am

Re: IPLeak.net broken?

Post by df » Sat Apr 27, 2019 12:33 am

@parityboy
You sure it's exit node IPs that's showing? Because it shouldn't do that...
The custom DNS server behind it works the same way whoami.cryptostorm.is does, i.e. it only sees your DNS IP, no direct connection to the custom DNS server should happen.
If you do `host whoami.cryptostorm.is` it should show you the same thing as https://cryptostorm.is/dnsleaktest


wpaschukat
Posts: 13
Joined: Sun Mar 22, 2015 3:25 am

Re: IPLeak.net broken?

Post by wpaschukat » Sat Apr 27, 2019 1:44 am

Just to confirm, works with pfsense and Italy. It shows 185.94.193.234.


Topic Author
MOQ888
Posts: 59
Joined: Sun Apr 02, 2017 6:31 pm

Re: IPLeak.net broken?

Post by MOQ888 » Sat Apr 27, 2019 8:39 am

df wrote:
Wed Apr 24, 2019 6:45 am
I haven't noticed that issue, but I don't use ipleak.net often. My go to is usually dnsleaktest.com.
I used ipleak.net because it was listed in the cryptostorm.is/map page that I look at to grab info if I have to run up a new machine. Since it appears problematic maybe it can be removed and the CS test put there instead.

I'll definitely forget ipleak.net and use the CS dnsleaktest instead, it's heaps faster ... thanks for setting it up!

parityboy
Site Admin
Posts: 1215
Joined: Wed Feb 05, 2014 3:47 am

Re: IPLeak.net broken?

Post by parityboy » Sun Apr 28, 2019 12:24 am

@df

    whoami.cryptostorm.is has address 88.202.180.213

Those are exit node IPs. : ) They are what shows up on https://cryptostorm.is/test, depending on the exit node being used.

df
Site Admin
Posts: 417
Joined: Thu Jan 01, 1970 5:00 am

Re: IPLeak.net broken?

Post by df » Sun Apr 28, 2019 12:46 am

@parityboy
Weird... Not sure how that could happen.
What do you get if you go to: https://aeopfieahofherurt.dnsl.cryptostorm.is/ ?
That's the backend site that loads the images containing IPs, the "aeopfieahofherurt" bit can be any random letters.
The IP in the image is what the custom DNS server sees as making the request for that "aeopfieahofherurt" hostname.


df
Site Admin
Posts: 417
Joined: Thu Jan 01, 1970 5:00 am

Re: IPLeak.net broken?

Post by df » Sun Apr 28, 2019 9:35 am

Do you have any custom iptables rules that are doing any SNAT or DNAT or MASQUERADE?
Because I can't think of any other reason why an exit IP would show up in the whoami results or the dnsleaktest one, since none of the exit IPs are running any DNS servers.
That's why `host whoami.cryptostorm.is 88.202.180.213` fails, but `host whoami.cryptostorm.is 82.163.72.123` goes through, since the former is a VPN IP, the latter is one of our public DNS IPs.

parityboy
Site Admin
Posts: 1215
Joined: Wed Feb 05, 2014 3:47 am

Re: IPLeak.net broken?

Post by parityboy » Sun Apr 28, 2019 4:42 pm

@df

Apart from the usual SNAT/MASQ stuff which is needed anyway, the only thing outstanding I have in pfSense is a port forward rule to support a private tracker and that only applies to a single VM guest on a host-only network of its own.

Another thing I noticed is that I can't get pfSense to resolve .onion or .i2p domains using its configured (public) Cryptostorm DNS servers. However, if I tell one of my desktops (sitting behind pfSense) to use 10.31.33.8 in Network Manager, they resolve. It used to work in pfSense perfectly well.

I wonder if pfSense is doing something strange (which might explain both DNS test failures)...

df
Site Admin
Posts: 417
Joined: Thu Jan 01, 1970 5:00 am

Re: IPLeak.net broken?

Post by df » Sat May 04, 2019 7:45 pm

@parityboy
Maybe you're right, something in pfSense changed recently... the .i2p/.onion/.bit/etc. thing works by first resolving to something in 10.0.0.0/8 (10.99.0.0/16 for .onion, a single 10.98.0.1 for .i2p) and the VPN server sees the client trying to reach one of those ranges and forwards it to the proxy running on the server to get the whole thing to work.
So if pfSense is doing something else with those ranges, or if it doesn't know to route those ranges to the tunnel interface, then the transparent .onion/.i2p thing would fail.

As for the DNS leak test failing, I can only see that happening on a host behind the router, and only if the host is set to use DHCP and a DNS server running on the router (which would be connected to CS, and maybe set to use the DNS pushed by the VPN).
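
A way to check the routing condition described in the post above, as an added example that is not part of the original post: it classifies a DNS answer against the ranges df gives (10.99.0.0/16 for .onion, 10.98.0.1 for .i2p) and uses longest-prefix matching to see which interface a router would send it out of. The interface names `tun_vpn` and `lan0` and both routing tables are constructed for illustration.

```python
import ipaddress

# Ranges stated in the post above.
ONION_NET = ipaddress.ip_network("10.99.0.0/16")
I2P_ADDR = ipaddress.ip_address("10.98.0.1")

def classify(answer):
    """Tell a transparent-proxy answer apart from an ordinary one."""
    ip = ipaddress.ip_address(answer)
    if ip in ONION_NET:
        return "onion"
    if ip == I2P_ADDR:
        return "i2p"
    return "regular"

def egress_interface(routes, dest):
    """Longest-prefix match over (cidr, interface) pairs; None if no route."""
    ip = ipaddress.ip_address(dest)
    nets = [(ipaddress.ip_network(cidr), iface) for cidr, iface in routes]
    matches = [(net, iface) for net, iface in nets if ip in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def check(answer, routes, tunnel_if):
    """Proxy-range answers only work if they leave through the tunnel."""
    kind = classify(answer)
    iface = egress_interface(routes, answer)
    return kind, iface, kind == "regular" or iface == tunnel_if

# Constructed tables: a broad LAN route swallows the proxy ranges in BROKEN.
BROKEN = [("0.0.0.0/0", "tun_vpn"), ("10.0.0.0/8", "lan0")]
FIXED = BROKEN + [("10.99.0.0/16", "tun_vpn"), ("10.98.0.1/32", "tun_vpn")]

if __name__ == "__main__":
    for table in (BROKEN, FIXED):
        print(check("10.99.4.7", table, "tun_vpn"))
```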

parityboy
Site Admin
Posts: 1215
Joined: Wed Feb 05, 2014 3:47 am

Re: IPLeak.net broken?

Post by parityboy » Thu May 23, 2019 6:23 am

df wrote:
Sat May 04, 2019 7:45 pm
@parityboy

...

As for the DNS leak test failing, I can only see that happening on a host behind the router, and only if the host is set to use DHCP and a DNS server running on the router (which would be connected to CS, and maybe set to use the DNS pushed by the VPN).
That's the one thing that pfSense cannot do. It'll do it on its WAN interface, but not on any of the tunnel interfaces. If it could, it would make life far, far simpler...

df
Site Admin
Posts: 417
Joined: Thu Jan 01, 1970 5:00 am

Re: IPLeak.net broken?

Post by df » Sat Jun 08, 2019 9:21 am

@parityboy
Just had someone else in IRC showing this same symptom, where dns leak test sites would show the vpn's exit IP instead of the DNS IP.
But this person was also not able to resolve some obvious things like google/youtube/etc. from a host machine.
They were running WireGuard directly on an OPNsense router, which is similar to pfSense:

[19:43] <web_86194> I fixed opnsense
[19:44] <web_86194> I finally did it. I kept looking at the firewall logs and the addresses were being blocked every time. Only the google cryptostorm etc addresses. I messed with it for sooooooooo long and eventually i figured out that it was due to no interface adapter being added. No guide has had that in it

Not sure exactly what he meant by "no interface adapter being added", maybe the wg0 interface wasn't being created? Also dunno what the fix was since they left shortly after that.

Another thing that we noticed is that unbound is used on the router as a DNS server whose IP is pushed to the machines behind the router.
There was also no nameserver entry in /etc/resolv.conf, so the router's local DNS was also forwarded to that unbound instance using pf rules.
My suggestion was to edit unbound.conf and remove any forwarder that might already be in there and replace it with:

    forward-zone:
        name: "."
        forward-addr: 212.129.46.32@53

But that would only work if the host was only connecting to the France VPN server.

parityboy
Site Admin
Posts: 1215
Joined: Wed Feb 05, 2014 3:47 am

Re: IPLeak.net broken?

Post by parityboy » Mon Jun 24, 2019 5:20 pm

@df

Yeah, thanks for that. I think that for now I'll just set the 10.x.x.x DNS server address on the hosts I need it for. It works and is a simple fix. :)


DZmniJ
Posts: 1
Joined: Mon Sep 30, 2019 8:46 am

Re: IPLeak.net broken?

Post by DZmniJ » Mon Sep 30, 2019 9:20 am

df wrote:
Wed Apr 24, 2019 6:45 am
I haven't noticed that issue, but I don't use ipleak.net often. My go to is usually dnsleaktest.com.

We also have our own at https://cryptostorm.is/dnsleaktest that might work better for some people.
It's kinda BETA-ish, so it might fail to load completely, sometimes, but it seems fine so far in our tests.

Those DNS leak test sites work by resolving a random sub-domain (or sub-sub-domain) against a domain's DNS server, which is configured to log requests, then the page checks that log and tells the visitor what the DNS client's IP was.
The problem is that those random sub-domains usually don't resolve to anything, so you have to wait for your browser to timeout the DNS request before the page will finish loading. That might cause problems in some cases, especially if you're doing a bunch of other stuff and there's a limit set somewhere on how many things can be in a "waiting for timeout" state.

In our DNS leak test page, the random sub-domains resolve to a real IP of a web server setup to actually respond to requests, so no waiting for the timeout to finish. And just because, we wrote ours to work without JavaScript =D
I assume the https://cryptostorm.is/dnsleaktest result is a red and green coloring. Not a good design choice for some of us! I can't tell if I pass or fail. :lol:
df wrote:
Sat Jun 08, 2019 9:21 am
@parityboy
Just had someone else in IRC showing this same symptom, where dns leak test sites would show the vpn's exit IP instead of the DNS IP.
But this person was also not able to resolve some obvious things like google/youtube/etc. from a host machine.
They were running WireGuard directly on an OPNsense router, which is similar to pfSense:

[19:43] <web_86194> I fixed opnsense
[19:44] <web_86194> I finally did it. I kept looking at the firewall logs and the addresses were being blocked every time. Only the google cryptostorm etc addresses. I messed with it for sooooooooo long and eventually i figured out that it was due to no interface adapter being added. No guide has had that in it

Not sure exactly what he meant by "no interface adapter being added", maybe the wg0 interface wasn't being created? Also dunno what the fix was since they left shortly after that.
Not too familiar with OPNsense, but if it's like pfSense you have to manually assign the VPN to the interface for the gateway. pfSense calls it OPT1, OPT2, etc. I think you can rename but I never do. Then after you do that you have to enable it. So a typical setup might be WAN (re0), LAN (re1), OPT1 (ovpnc1, which is the VPN). WAN and LAN get set up on initial install. VPN to OPT1 has to be done manually, then OPT1 manually enabled (no clue why it's disabled by default). This step is missing in the pfSense guide. Along with the NAT setup and LAN rules that you have to do next.
