I got the OpenVPN config from GitHub and I followed the indications to disable IPv6 and to add those 3 lines in the .ovpn config file.
After a visit to https://ipleak.net I saw that I still have a DNS leak with the IP from my ISP.
How to fix this major issue?
I'm using Linux Mint 18.1 Serena, and I tried it through NetworkManager and directly from the terminal; in both cases I have the same issue.
Thanks!
How to fix DNS leak on linux ?
Re: How to fix DNS leak on linux ?
@OP
Try this.
Code:
    sudo apt-get install iptables-persistent
Then edit /etc/iptables/rules.v6 to look like this:
Code:
    *filter
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT DROP [0:0]
    COMMIT
Now edit /etc/iptables/rules.v4. The idea is to permit traffic over eth0 to the exit nodes, but everything else goes over the tunnel.
Code:
    *filter
    :FORWARD DROP [0:0]
    :INPUT DROP [0:0]
    :OUTPUT DROP [0:0]
    # Permit/accept traffic from localhost
    -A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
    -A OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
    -A INPUT -s 127.0.1.1/32 -d 127.0.1.1/32 -j ACCEPT
    -A OUTPUT -s 127.0.1.1/32 -d 127.0.1.1/32 -j ACCEPT
    # Permit/accept traffic to NL exit node
    -A INPUT -i eth0 -s 213.163.64.209/32 -p udp --sport 443 -j ACCEPT
    -A OUTPUT -o eth0 -d 213.163.64.209/32 -p udp --dport 443 -j ACCEPT
    -A INPUT -i eth0 -s 185.107.80.85/32 -p udp --sport 443 -j ACCEPT
    -A OUTPUT -o eth0 -d 185.107.80.85/32 -p udp --dport 443 -j ACCEPT
    # Only permit/accept other traffic if it's going/coming over the VPN tunnel
    -A INPUT -i tun0 -j ACCEPT
    -A OUTPUT -o tun0 -j ACCEPT
    COMMIT
Now do "sudo iptables-restore /etc/iptables/rules.v4" and the firewall will be active. This method means that you'll need to make sure that the IP addresses of all current nodes are in your firewall rules.
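The requirement that every current node IP be present in rules.v4 can be met by deriving the per-node ACCEPT rules from the "remote" lines of the .ovpn files in use. The script below is an added example, not part of the original post or of the provider's repository; the function names, the UPLINK/TUNNEL variables and the sample config are assumptions made here.

```bash
#!/usr/bin/env bash
# Added example: build the post's rules.v4 kill switch from .ovpn "remote" lines.
# Assumptions: UPLINK/TUNNEL default to the eth0/tun0 names used in the post.

# list_remotes FILE...: print unique "ip port proto" triples, one per line.
list_remotes() {
    local f
    for f in "$@"; do
        # .ovpn files often have CRLF line endings; strip CR before parsing.
        tr -d '\r' < "$f" | awk '
            $1 == "proto"  { gproto = substr($2, 1, 3) }  # udp4, tcp-client -> udp, tcp
            $1 == "port"   { gport = $2 }
            $1 == "remote" { n++; host[n] = $2; port[n] = $3; proto[n] = substr($4, 1, 3) }
            END {
                for (i = 1; i <= n; i++) {
                    # With OUTPUT DROP a hostname cannot be resolved before the
                    # tunnel is up, so only dotted-quad remotes are emitted.
                    if (host[i] !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
                        print "skipped non-IPv4 remote: " host[i] > "/dev/stderr"
                        continue
                    }
                    p  = (port[i]  != "") ? port[i]  : ((gport  != "") ? gport  : 1194)
                    pr = (proto[i] != "") ? proto[i] : ((gproto != "") ? gproto : "udp")
                    print host[i], p, pr
                }
            }'
    done | sort -u
}

# gen_rules FILE...: print a complete iptables-restore ruleset on stdout.
gen_rules() {
    local up="${UPLINK:-eth0}" tun="${TUNNEL:-tun0}" a ip port proto
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT DROP [0:0]'
    for a in 127.0.0.1 127.0.1.1; do   # loopback pairs, as in the post
        printf '%s\n' "-A INPUT -s $a/32 -d $a/32 -j ACCEPT" "-A OUTPUT -s $a/32 -d $a/32 -j ACCEPT"
    done
    list_remotes "$@" | while read -r ip port proto; do
        printf '%s\n' "-A INPUT -i $up -s $ip/32 -p $proto --sport $port -j ACCEPT" \
                      "-A OUTPUT -o $up -d $ip/32 -p $proto --dport $port -j ACCEPT"
    done
    printf '%s\n' "-A INPUT -i $tun -j ACCEPT" "-A OUTPUT -o $tun -j ACCEPT" 'COMMIT'
}

# Constructed sample config (CRLF endings); the two IPs are the ones in the post.
sample_ovpn() {
    printf '%s\r\n' 'client' 'proto udp' 'remote 213.163.64.209 443' \
        'remote 185.107.80.85 443 udp' 'remote nl.example.invalid 443'
}
tmp=$(mktemp) && sample_ovpn > "$tmp" && gen_rules "$tmp"; rm -f "$tmp"
```

The output can be checked with "gen_rules *.ovpn | sudo iptables-restore --test" before it is saved as /etc/iptables/rules.v4. Any remote reported as skipped is a hostname and has to be replaced by its IP addresses, since DNS is blocked until the tunnel is up.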
Re: How to fix DNS leak on linux ?
Nice information. Compared to messing around with up/down scripts and openvpn settings, this is a more bulletproof method.
Would it be possible to add a "Rules.v4" to the Linux section on GitHub populated (and updated) with all the current CS exit node IPs? Maybe add a small readme with the basics of this thread as well. Job done.
Re: How to fix DNS leak on linux ?
LazyAss wrote:
Nice information. Compared to messing around with up/down scripts and openvpn settings, this is a more bulletproof method.
Would it be possible to add a "Rules.v4" to the Linux section on GitHub populated (and updated) with all the current CS exit node IPs? Maybe add a small readme with the basics of this thread as well. Job done.

That sounds like a good idea.
