I started my OpenVPN connection this morning and tested for DNS leakage. It was not leaking for IPv4, but it was using my ISP’s DNS for IPv6. Not good.
So, I started searching for documentation that could help me figure out how to fix it. I have been searching for about seven hours (not constantly, but a lot), and have not found anything yet on my specific needs.
The Fedora 34 docs, themselves, do not seem to even have a section on OpenVPN. If they do, I cannot find it.
Anyway, can anyone point me to specific documentation on managing DNS resolution with an OpenVPN client connection? For my issue, it needs to address how IPv6 DNS resolution is managed and can be configured.
Thank you. I will work on figuring out what that means and trying it. I note that the post referred to references the same Fedora Magazine article I referenced in my top post.
PS - It looks like that nmcli command would have to be executed every time I started a VPN connection. Is that correct?
Assuming the VPN connection is configured with NetworkManager, you need to modify its DNS priority and scope to override DNS provided by other connections.
The changes should persist when applied to the proper connection identifier:
nmcli connection show
Make sure not to confuse the persistent identifier with the runtime one.
Then, I stopped and restarted the VPN connection. Now, dnsleaktest only shows an IPv4 DNS, and it is the correct server of the VPN provider.
However, whatismyipaddress is showing the IPv4 address of the VPN provider, but the IPv6 address of my local ISP. And I am afraid that I mis-described my original problem. It was not the DNS, it was the actual WAN address of my internet connection. I apologize. All I can say is that networking is not my strong point.
Should I start a new thread with a better problem description, or can we continue in this thread?
You can either utilize IPv6 tunneling to route IPv6 traffic over the VPN, or simply disable IPv6 on the main connection.
IPv6 tunneling requires support by the VPN server, which depends on your VPN provider.
When the VPN server supports IPv6 tunneling, typically no extra action is required, as it automatically redirects the IPv6 gateway.
Check whether your VPN interface has a valid IPv6 ULA or GUA, which is a prerequisite for IPv6 tunneling.
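The ULA/GUA check suggested above, as an added example that is not part of the original post: it classifies each address in `ip -6 -o addr show` output by its leading bits and reports whether the VPN interface meets the tunneling prerequisite. The interface name `tun0` and the sample output (documentation prefix 2001:db8::/32) are constructed assumptions.

```shell
#!/bin/sh
# Classify an IPv6 address (optionally with /prefixlen) by its leading bits.
classify_v6() {
    addr=$(printf '%s' "${1%%/*}" | tr 'A-F' 'a-f')
    case "$addr" in
        fe[89ab][0-9a-f]:*)                 echo link-local ;;  # fe80::/10
        f[cd][0-9a-f][0-9a-f]:*)            echo ula ;;         # fc00::/7
        [23][0-9a-f][0-9a-f][0-9a-f]:*)     echo gua ;;         # 2000::/3
        *)                                  echo other ;;
    esac
}

# Read `ip -6 -o addr show` output on stdin. Prints:
#   tunnel-capable  VPN interface holds a ULA or GUA
#   leak-risk       it does not, but another interface holds a GUA,
#                   so IPv6 can leave outside the tunnel
#   no-global-ipv6  no interface holds a GUA
vpn_v6_status() {
    vpn_if=$1 vpn_ok=0 other_gua=0
    while read -r _idx ifname family addr _rest; do
        [ "$family" = inet6 ] || continue
        kind=$(classify_v6 "$addr")
        if [ "$ifname" = "$vpn_if" ]; then
            case "$kind" in ula|gua) vpn_ok=1 ;; esac
        elif [ "$kind" = gua ]; then
            other_gua=1
        fi
    done
    if [ "$vpn_ok" -eq 1 ]; then echo tunnel-capable
    elif [ "$other_gua" -eq 1 ]; then echo leak-risk
    else echo no-global-ipv6
    fi
}

# Constructed sample: physical NIC has a GUA, tun0 has only a link-local address.
SAMPLE='2: enp3s0    inet6 2001:db8:1:2::10/64 scope global dynamic noprefixroute
2: enp3s0    inet6 fe80::1c2d:3eff:fe4f:5a6b/64 scope link noprefixroute
5: tun0    inet6 fe80::9a1b:2c3d:4e5f:6a7b/64 scope link stable-privacy'

printf '%s\n' "$SAMPLE" | vpn_v6_status tun0
# On a live system: ip -6 -o addr show | vpn_v6_status tun0
```

A `leak-risk` result matches the situation in this thread: the VPN carries IPv4 only while the main connection still has a globally routable IPv6 address.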
Thank you. I don’t think my VPN provider provides IPv6 (I will check).
PS - Yes, even at the current date, ProtonVPN still does not support IPv6. They automatically disallow all IPv6 traffic, “… so you don’t have to worry about doing this yourself,” but, if my IPv6 address is still exposed through my browser, I am not fully protected, IMO.