Register for the iXsystems Community to get an ad-free experience and exclusive discounts in our eBay Store.
Resource icon

Transmission Jail setup with OpenVPN and DNS Leak protection

Note: this guide is complementary to many guides on how to setup Transmission with OpenVPN, hence it assumes you have already followed those guides and you are just looking for some extra security protection

Problem

Case 1 :
Your OpenVPN client refuses to use your VPN Provider's DNS server hence you resort to all sort of tricks to ensure your normal DNS server is not exposed while you are on VPN.

Case 2 : You use OpenVPN client to secure your Jail's traffic via your favourite VPN provider, but when you run the following command your ISP DNS shows up !! Your DNS queries are leaking

Code:
# iocage console <<your transmission jail with OpenVPN >>
....
# drill google.com
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 23327
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0
;; QUESTION SECTION:
;; google.com.    IN    A

;; ANSWER SECTION:
google.com.    11    IN    A    216.58.212.174

;; AUTHORITY SECTION:
google.com.    41496    IN    NS    ns4.google.com.
google.com.    41496    IN    NS    ns2.google.com.
google.com.    41496    IN    NS    ns3.google.com.
google.com.    41496    IN    NS    ns1.google.com.

;; ADDITIONAL SECTION:

;; Query time: 34 msec
;; SERVER:   XXX.XXX.XXX.XXX      <<-<-<-<- YOUR ISP's DNS HERE !!
;; WHEN: Mon Nov 23 21:00:46 2020
;; MSG SIZE  rcvd: 116


Solution Overview
  • Step 1: Enable OpenVPN service to run at security level 2
  • Step 2: Customise the ready-made "openvpn-client.up" & "openvpn-client.up" scripts that do the DNS configuration for you
  • Step 3: Setup your OpenVPN client config to use the DNS config scripts
  • Step 4: Restart your OpenVPN service and check the DNS used

Step 1: Change OpenVPN service to run at security level 2
Console into your jail and Open your rc.conf
Code:
# iocage console <<your transmission jail>>
...
# nano /etc/rc.conf


Paste the below line in the file, press Ctrl+X and save.
Code:
openvpn_dir="/usr/local/etc/openvpn"         # this is where we'll copy the up/down scripts
openvpn_flags="--script-security 2"             # allow .conf to invoke DNS setting scripts


Exit your jail and restart for the settings to take effect
Code:
# exit
...
# iocage restart <<your transmission jail>>
...
# iocage console <<your transmission jail>>


Step 2: Move the DNS setup scripts in place
Copy the DNS setup scripts onto the OpenVPN config directory and grant them exec rights
Code:
# cd /usr/local/etc/openvpn/
# cp /usr/local/libexec/openvpn-client.* .
# chmod 500 openvpn-client.*


The files should look something like this
Code:
# ls -la
...
drw-------   3 root  wheel    11 Nov 23 18:53 .
drwxr-xr-x  19 root  wheel    29 Nov 23 19:14 ..
-r-x------   1 root  wheel  1755 Nov 23 18:44 openvpn-client.down
-r-x------   1 root  wheel  2982 Nov 23 18:45 openvpn-client.up
...



Open openvpn-client.up and add the following line before the "exit 0" statement.
This will ensure your ISP DNS is removed, keeping only your VPN provider's DNS while the OpenVPN is active
Code:
echo -n nameserver <<your ISP DNS>> | resolvconf -d epair0b

exit 0


Open openvpn-client.down and add the following line before the "exit 0" statement.
This will ensure your ISP DNS is put back while your VPN provider's DNS entries are removed once OpenVPN goes down
Code:
echo -n nameserver <<your ISP DNS>> | resolvconf -a epair0b

exit 0


Step 3: Setup your OpenVPN client config to use the DNS setup scripts

Add the following two lines at the top of the openvpn config file, press Ctrl+X and save
Code:
up openvpn-client.up
down openvpn-client.down


Your config file should look like this ...
Code:
up openvpn-client.up
down openvpn-client.down

client
dev tun
proto udp
; Cert
remote-cert-tls server
cipher AES-256-CBC
...


Step 4: Restart your OpenVPN service and check the DNS used
Restart your openvpn service for the settings to take effect
Code:
# service openvpn restart


Once the service is back you should be able to see only your VPN providers DNS servers
Code:
# cat /etc/resolv.conf

# Generated by resolvconf
nameserver <<VPN Provider DNS1>>
nameserver <<VPN Provider DNS2>>
....


Similarly stop the OpenVPN service
Code:
# service openvpn stop


Once the service is down you should be able to see back your ISP's DNS server
Code:
# cat /etc/resolv.conf

# Generated by resolvconf
nameserver <<ISP DNS Server here>>
.....
Author
FreeVel
Views
264,158
First release
Last update
Rating
5.00 star(s) 3 ratings

Latest reviews

Thank you for this. Just found this article and resolved my issue.
Just what I needed. Amazing stuff! Thank you!
Brilliant, brilliant, brilliant. I set up OpenVPN as per many online instruction and discovered my DNS queries were still going via my ISP. I couldn't work out why (maybe because I have a separate Pi Hole local DNS server set up that was still dealing with all LAN DNS requests - including my jail even with OpenVPN up and running). Anyway this guide fixed the issue. Resolv.conf now points to the VPN DNS server when OpenVPN is running and my local Pi Hole DNS server when down - exactly as I wanted. Thank you for this....
Top