OpenVPN via NetworkManager - IPv6 DNS and traffic leak

I started my OpenVPN connection this morning and tested for DNS leakage. It was not leaking for IPv4, but it was using my ISP’s DNS for IPv6. Not good.

So, I started searching for documentation that could help me figure out how to fix it. I have been searching for about seven hours (not constantly, but a lot), and have not found anything yet on my specific needs.

The Fedora 34 docs, themselves, do not seem to even have a section on OpenVPN. If they do, I cannot find it.

So, a friend on another web site pointed me to a Fedora 33 magazine article which may end up helping me. But why should I have to look for a magazine article for documentation? https://fedoramagazine.org/systemd-resolved-introduction-to-split-dns/

Anyway, can anyone point me to specific documentation on managing DNS resolution with an OpenVPN client connection? For my issue, it needs to address how IPv6 DNS resolution is managed and can be configured.

4 Likes

https://discussion.fedoraproject.org/t/systemd-resolved-not-querying-dns-server-set-by-openvpn/74961/2?u=vgaetera

1 Like

Thank you. I will work on figuring out what that means and trying it. I note that the post referred to references the same Fedora Magazine article I referenced in my top post.

PS - It looks like that nmcli command would have to be executed every time I started a VPN connection. Is that correct?

Assuming the VPN connection is configured with NetworkManager, you need to modify its DNS priority and scope to override DNS provided by other connections.

The changes should persist when applied to the proper connection identifier:

nmcli connection show

Make sure not to confuse the persistent identifier with the runtime one.

1 Like

Ok, I successfully ran this command:

nmcli connection modify id is-us-01.protonvpn.com.udp ipv4.dns-search ~. ipv6.dns-search ~. ipv4.dns-priority -50 ipv6.dns-priority -50

Then, I stopped and restarted the VPN connection. Now, dnsleaktest only shows an IPv4 DNS, and it is the correct server of the VPN provider.

However, whatismyipaddress is showing the IPv4 address of the VPN provider, but the IPv6 address of my local ISP. And I am afraid that I mis-described my original problem. It was not the DNS, it was the actual WAN address of my internet connection. I apologize. All I can say is that networking is not my strong point.

Should I start a new thread with a better problem description, or can we continue in this thread?

2 Likes

You can either utilize IPv6 tunneling to route IPv6 traffic over the VPN, or simply disable IPv6 on the main connection.
IPv6 tunneling requires support by the VPN server, which depends on your VPN provider.
When the VPN server supports IPv6 tunneling, typically no extra action is required, as it automatically redirects the IPv6 default gateway.
Check whether your VPN interface has a valid IPv6 ULA or GUA, which is a prerequisite for IPv6 tunneling.

1 Like

Thank you. I don’t think my VPN provider provides IPv6 (I will check).

PS - Yes, even at the current date, ProtonVPN still does not support IPv6. They automatically disallow all IPv6 traffic, “… so you don’t have to worry about doing this yourself,” but, if my IPv6 address is still exposed through my browser, I am not fully protected, IMO.

1 Like

The simplest way to prevent an IPv6 traffic leak is disabling IPv6 on the main connection:

nmcli connection modify id ethernet ipv6.method disabled
nmcli connection up id ethernet

A more complicated method is disabling IPv6 dynamically upon connecting to the VPN.

But if you need dual-stack connectivity, find a VPN provider that supports IPv6 tunneling.

2 Likes
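As an added example (not posted in the thread), covering both the check suggested above (does the VPN interface carry a GUA/ULA address and does the IPv6 default route point at it?) and the state you should see after disabling IPv6 on the main connection: a POSIX shell script that classifies the output of `ip -6 addr` and `ip -6 route`. The interface names (enp3s0, tun0), the addresses and the sample command output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Classifies IPv6 egress from the text
# of `ip -6 addr` and `ip -6 route`. Interface names and all sample output
# below are constructed; feed real command output on a live system.

# has_routable_v6 IFACE ADDR_OUTPUT
# Succeeds when IFACE has a GUA (2000::/3) or ULA (fc00::/7) address,
# i.e. something other than a link-local fe80:: address.
has_routable_v6() {
    printf '%s\n' "$2" | awk -v ifc="$1" '
        /^[0-9]+: / { cur = $2; sub(/:$/, "", cur) }      # "2: enp3s0: <...>" header
        $1 == "inet6" && cur == ifc {
            split($2, a, "/")                              # strip prefix length
            if (a[1] ~ /^[23]/ || a[1] ~ /^[fF][cCdD]/) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# default_v6_dev ROUTE_OUTPUT
# Prints the device of the lowest-metric IPv6 default route, or nothing.
default_v6_dev() {
    printf '%s\n' "$1" | awk '
        $1 == "default" {
            dev = ""; m = 1024                             # kernel default metric
            for (i = 2; i <= NF; i++) {
                if ($i == "dev")    dev = $(i + 1)
                if ($i == "metric") m   = $(i + 1) + 0
            }
            if (dev != "" && (best == "" || m < bestm)) { best = dev; bestm = m }
        }
        END { if (best != "") print best }'
}

# ipv6_leak_status VPN_IFACE ADDR_OUTPUT ROUTE_OUTPUT
# Prints one of: no-ipv6, tunneled, tunnel-no-address, leak
ipv6_leak_status() {
    _dev=$(default_v6_dev "$3")
    if [ -z "$_dev" ]; then
        echo "no-ipv6"              # no IPv6 default route: nothing can leak
    elif [ "$_dev" != "$1" ]; then
        echo "leak"                 # default route bypasses the VPN interface
    elif has_routable_v6 "$1" "$2"; then
        echo "tunneled"             # default route and a usable address on the VPN
    else
        echo "tunnel-no-address"    # routed to the VPN but no GUA/ULA to source from
    fi
}

# --- constructed sample output -------------------------------------------
# 1) ProtonVPN-style setup: ISP gives IPv6, VPN interface has only link-local.
ADDR_LEAK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
2: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:abcd:1::1234/64 scope global dynamic mngtmpaddr noprefixroute
    inet6 fe80::5054:ff:fe12:3456/64 scope link noprefixroute
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 state UNKNOWN qlen 500
    inet6 fe80::abcd:1234:5678:9abc/64 scope link stable-privacy'
ROUTE_LEAK='::1 dev lo proto kernel metric 256 pref medium
2001:db8:abcd:1::/64 dev enp3s0 proto ra metric 100 pref medium
fe80::/64 dev enp3s0 proto kernel metric 1024 pref medium
fe80::/64 dev tun0 proto kernel metric 1024 pref medium
default via fe80::1 dev enp3s0 proto ra metric 100 pref medium'

# 2) Provider with IPv6 tunneling: ULA on tun0 and a lower-metric default via it.
ADDR_TUNNEL="$ADDR_LEAK
    inet6 fd00:10:8::2/64 scope global"
ROUTE_TUNNEL='::1 dev lo proto kernel metric 256 pref medium
2001:db8:abcd:1::/64 dev enp3s0 proto ra metric 100 pref medium
fd00:10:8::/64 dev tun0 proto kernel metric 50 pref medium
default dev tun0 metric 50 pref medium
default via fe80::1 dev enp3s0 proto ra metric 100 pref medium'

# 3) After `nmcli connection modify id ethernet ipv6.method disabled`.
ADDR_OFF='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host'
ROUTE_OFF='::1 dev lo proto kernel metric 256 pref medium'

printf 'ISP IPv6, VPN without IPv6 : %s\n' "$(ipv6_leak_status tun0 "$ADDR_LEAK"   "$ROUTE_LEAK")"
printf 'VPN with IPv6 tunneling    : %s\n' "$(ipv6_leak_status tun0 "$ADDR_TUNNEL" "$ROUTE_TUNNEL")"
printf 'IPv6 disabled on ethernet  : %s\n' "$(ipv6_leak_status tun0 "$ADDR_OFF"    "$ROUTE_OFF")"
```

On a live system run it as `ipv6_leak_status tun0 "$(ip -6 addr show)" "$(ip -6 route show)"` after bringing the VPN up; "leak" is the situation whatismyipaddress exposed earlier in the thread (IPv6 default route still on the ISP interface), "tunnel-no-address" means the route points at the tunnel but the provider never assigned a GUA/ULA, and "no-ipv6" is what you get after the `ipv6.method disabled` change. Only "tunneled" or "no-ipv6" are acceptable end states.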
