Note: this guide complements the many existing guides on how to set up Transmission with OpenVPN in a jail. It assumes you have already followed one of those and are only looking for extra protection against DNS leaks.
Problem
Case 1: Your OpenVPN client refuses to use your VPN provider's DNS server, so you resort to all sorts of tricks to make sure your normal DNS server is not used while you are on the VPN.
Case 2: You use the OpenVPN client to route your jail's traffic through your favourite VPN provider, but when you run the following command your ISP's DNS server shows up in the ";; SERVER:" line. Your DNS queries are leaking: the tunnel carries the traffic, but every name lookup still goes to the ISP resolver, which therefore sees every domain you resolve.
Code:
# iocage console <<your transmission jail with OpenVPN >>
....
# drill google.com
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 23327
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0
;; QUESTION SECTION:
;; google.com.   IN   A

;; ANSWER SECTION:
google.com.   11   IN   A   216.58.212.174

;; AUTHORITY SECTION:
google.com.   41496   IN   NS   ns4.google.com.
google.com.   41496   IN   NS   ns2.google.com.
google.com.   41496   IN   NS   ns3.google.com.
google.com.   41496   IN   NS   ns1.google.com.

;; ADDITIONAL SECTION:

;; Query time: 34 msec
;; SERVER: XXX.XXX.XXX.XXX   <<-<-<-<- YOUR ISP's DNS HERE !!
;; WHEN: Mon Nov 23 21:00:46 2020
;; MSG SIZE  rcvd: 116
Solution Overview
- Step 1: Enable OpenVPN service to run at security level 2
- Step 2: Customise the ready-made "openvpn-client.up" & "openvpn-client.down" scripts that do the DNS configuration for you
- Step 3: Setup your OpenVPN client config to use the DNS config scripts
- Step 4: Restart your OpenVPN service and check the DNS used
Step 1: Change OpenVPN service to run at security level 2
Console into your jail and open /etc/rc.conf
Code:
# iocage console <<your transmission jail>>
...
# nano /etc/rc.conf
Paste the two lines below into the file, then press Ctrl+X and save. Security level 2 lets directives in the OpenVPN config run external scripts as root inside the jail, so keep the config directory and the scripts root-owned and writable by nobody else, and read any up/down lines in a provider-supplied .ovpn before you use it.
Code:
openvpn_dir="/usr/local/etc/openvpn"   # this is where we'll copy the up/down scripts
openvpn_flags="--script-security 2"    # allow the .conf to invoke the DNS setting scripts
Exit the jail and restart it for the settings to take effect
Code:
# exit
...
# iocage restart <<your transmission jail>>
...
# iocage console <<your transmission jail>>
Step 2: Move the DNS setup scripts in place
Copy the ready-made DNS setup scripts that ship with the openvpn port into the OpenVPN config directory and make them executable by root only
Code:
# cd /usr/local/etc/openvpn/
# cp /usr/local/libexec/openvpn-client.* .
# chmod 500 openvpn-client.*
The files should look something like this
Code:
# ls -la
...
drw-------   3 root  wheel    11 Nov 23 18:53 .
drwxr-xr-x  19 root  wheel    29 Nov 23 19:14 ..
-r-x------   1 root  wheel  1755 Nov 23 18:44 openvpn-client.down
-r-x------   1 root  wheel  2982 Nov 23 18:45 openvpn-client.up
...
Open openvpn-client.up and add the following line before the "exit 0" statement.
The ready-made script registers the VPN provider's DNS servers through resolvconf; this extra line removes the record resolvconf holds for the jail's own interface, which is where your ISP DNS lives, so only the VPN provider's DNS remains while OpenVPN is active. The interface is epair0b in an iocage VNET jail; run "resolvconf -l" if you need to confirm which interface name holds the ISP entry.
Code:
# drop the resolver record held for the jail interface (your ISP DNS)
echo -n nameserver <<your ISP DNS>> | resolvconf -d epair0b
exit 0
Open openvpn-client.down and add the following line before the "exit 0" statement.
This registers your ISP DNS under the jail interface again, so it is put back in /etc/resolv.conf while the VPN provider's entries are removed once OpenVPN goes down
Code:
# re-register the ISP resolver under the jail interface
echo -n nameserver <<your ISP DNS>> | resolvconf -a epair0b
exit 0
Step 3: Setup your OpenVPN client config to use the DNS setup scripts
Add the following two lines at the top of the OpenVPN config file, then press Ctrl+X and save. The bare script names work because the rc script starts OpenVPN in the openvpn_dir set in Step 1.
Code:
up openvpn-client.up
down openvpn-client.down
Your config file should look like this ...
Code:
up openvpn-client.up
down openvpn-client.down
client
dev tun
proto udp
; Cert
remote-cert-tls server
cipher AES-256-CBC
...
Step 4: Restart your OpenVPN service and check the DNS used
Restart the OpenVPN service for the settings to take effect
Code:
# service openvpn restart
Once the service is back up, /etc/resolv.conf should list only your VPN provider's DNS servers. Re-run the drill command from the Problem section as well: its ";; SERVER:" line should now show one of them.
Code:
# cat /etc/resolv.conf
# Generated by resolvconf
nameserver <<VPN Provider DNS1>>
nameserver <<VPN Provider DNS2>>
....
Similarly, stop the OpenVPN service
Code:
# service openvpn stop
Once the service is down, your ISP's DNS server should be back in /etc/resolv.conf
Code:
# cat /etc/resolv.conf
# Generated by resolvconf
nameserver <<ISP DNS Server here>>
.....