Transmission Jail setup with OpenVPN and DNS Leak protection

This resource was originally created by user: FreeVel on the TrueNAS Community Forums Archive. Please DM this account or comment in this thread to claim it.

Note: this guide complements the many existing guides on how to set up Transmission with OpenVPN in a jail; it assumes you have already followed one of them and are only looking for extra protection against DNS leaks.

Problem

Case 1: Your OpenVPN client refuses to use your VPN provider's DNS servers, so you resort to all sorts of tricks to make sure your normal DNS server is not exposed while the VPN is up.

Case 2: You use the OpenVPN client to route your jail's traffic through your favourite VPN provider, but when you run the following command your ISP's DNS server shows up. Your DNS queries are leaking.

Code:

iocage console <>

drill google.com

;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 23327
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0
;; QUESTION SECTION:
;; google.com. IN A

;; ANSWER SECTION:
google.com. 11 IN A 216.58.212.174

;; AUTHORITY SECTION:
google.com. 41496 IN NS ns4.google.com.
google.com. 41496 IN NS ns2.google.com.
google.com. 41496 IN NS ns3.google.com.
google.com. 41496 IN NS ns1.google.com.

;; ADDITIONAL SECTION:

;; Query time: 34 msec
;; SERVER: XXX.XXX.XXX.XXX <<-<-<-<- YOUR ISP’s DNS HERE !!
;; WHEN: Mon Nov 23 21:00:46 2020
;; MSG SIZE rcvd: 116

Solution Overview
Step 1: Enable the OpenVPN service to run at script security level 2
Step 2: Customise the ready-made “openvpn-client.up” & “openvpn-client.down” scripts that do the DNS configuration for you
Step 3: Set up your OpenVPN client config to use the DNS config scripts
Step 4: Restart your OpenVPN service and check which DNS servers are in use

Step 1: Change the OpenVPN service to run at script security level 2
Console into your jail and open its rc.conf
Code:

iocage console <>

nano /etc/rc.conf

Paste the two lines below into the file, then press Ctrl+X and save. Script security level 2 is the lowest level at which OpenVPN will run user-defined up/down scripts (level 1 only allows built-in executables); level 3 is not needed here, as it additionally passes passwords to scripts through environment variables.
Code:
openvpn_dir="/usr/local/etc/openvpn"   # this is where we'll copy the up/down scripts
openvpn_flags="--script-security 2"    # allow the .conf to invoke the DNS setting scripts

Exit the jail and restart it for the settings to take effect
Code:

exit

iocage restart <>

iocage console <>

Step 2: Move the DNS setup scripts into place
Copy the DNS setup scripts that ship with the OpenVPN port into the OpenVPN config directory and make them executable by root only
Code:

cd /usr/local/etc/openvpn/

cp /usr/local/libexec/openvpn-client.* .

chmod 500 openvpn-client.*

The files should look something like this
Code:

ls -la


drw------- 3 root wheel 11 Nov 23 18:53 .
drwxr-xr-x 19 root wheel 29 Nov 23 19:14 ..
-r-x------ 1 root wheel 1755 Nov 23 18:44 openvpn-client.down
-r-x------ 1 root wheel 2982 Nov 23 18:45 openvpn-client.up

Open openvpn-client.up and add the following line before the “exit 0” statement.
This removes the resolvers registered for the jail's own interface (epair0b), i.e. your ISP's DNS, leaving only your VPN provider's DNS in /etc/resolv.conf while the tunnel is up. resolvconf -d takes only the interface name and ignores stdin, so nothing needs to be piped into it.
Code:
resolvconf -d epair0b   # drop the ISP resolver registered for the jail interface

exit 0

Open openvpn-client.down and add the following line before the “exit 0” statement, replacing <> with your ISP's (or LAN) DNS server address.
This puts your ISP DNS back for the jail interface once OpenVPN goes down; the stock down script already removes the VPN provider's DNS entries for the tun device.
Code:
echo "nameserver <>" | resolvconf -a epair0b   # <> = your ISP/LAN DNS server

exit 0

Step 3: Set up your OpenVPN client config to use the DNS setup scripts

Add the following two lines at the top of your OpenVPN config file, then press Ctrl+X and save. The bare script names work because the FreeBSD rc script starts OpenVPN in openvpn_dir (via --cd), which is where the scripts were copied in Step 2; if your setup differs, use the full paths instead.
Code:
up openvpn-client.up
down openvpn-client.down

Your config file should then start like this ...
Code:
up openvpn-client.up
down openvpn-client.down

client
dev tun
proto udp
; Cert
remote-cert-tls server
cipher AES-256-CBC

Step 4: Restart your OpenVPN service and check the DNS servers in use
Restart the OpenVPN service for the new configuration to take effect
Code:

service openvpn restart

Once the service is back up, /etc/resolv.conf should list only your VPN provider's DNS servers
Code:

cat /etc/resolv.conf

# Generated by resolvconf

nameserver <>
nameserver <>

Similarly, stop the OpenVPN service
Code:

service openvpn stop

Once the service is down, /etc/resolv.conf should show your ISP's DNS server again
Code:

cat /etc/resolv.conf

# Generated by resolvconf

nameserver <>
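As an added example (not part of the original resource), the following sh script automates the Step 4 check so it can be run in the jail after every tunnel up/down: it lists the nameservers in a resolv.conf, pulls the answering server out of a drill reply, and flags anything that is not one of your VPN provider's resolvers. VPN_DNS and ISP_DNS are assumed placeholder addresses from the RFC 5737 documentation ranges, and the resolv.conf and drill files it checks are constructed samples so it runs without a jail or a tunnel.

```shell
#!/bin/sh
# Added example, not from the original guide: an offline DNS-leak check.
# All IPs are constructed placeholders (RFC 5737); set VPN_DNS to your
# provider's real resolvers before using it on a live jail.

VPN_DNS="203.0.113.1 203.0.113.2"   # assumption: your VPN provider's resolvers
ISP_DNS="198.51.100.53"             # assumption: the ISP/LAN resolver that must not appear

# is_allowed IP -> exit 0 if IP is one of the VPN resolvers, 1 otherwise
is_allowed() {
    for ok in $VPN_DNS; do
        [ "$1" = "$ok" ] && return 0
    done
    return 1
}

# resolvers_from_resolvconf FILE -> prints each nameserver IP on its own line
resolvers_from_resolvconf() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# server_from_drill FILE -> prints the IP on the ";; SERVER:" line of a drill reply
server_from_drill() {
    sed -n 's/^;; SERVER: \([0-9.][0-9.]*\).*/\1/p' "$1"
}

# check_resolvers FILE -> exit 0 if every resolver in FILE is a VPN resolver,
# 1 if any other resolver (e.g. the ISP's) is present
check_resolvers() {
    rc=0
    for ns in $(resolvers_from_resolvconf "$1"); do
        if is_allowed "$ns"; then
            echo "ok   nameserver $ns"
        else
            echo "LEAK nameserver $ns is not a VPN resolver"
            rc=1
        fi
    done
    return $rc
}

# check_drill FILE -> exit 0 if the server that answered drill is a VPN resolver
check_drill() {
    srv=$(server_from_drill "$1")
    if [ -z "$srv" ]; then
        echo "no ;; SERVER: line found"
        return 1
    fi
    if is_allowed "$srv"; then
        echo "ok   drill answered by $srv"
        return 0
    fi
    echo "LEAK drill answered by $srv"
    return 1
}

# --- constructed sample inputs so the checks run without a jail or a tunnel ---
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/resolv.vpn" <<EOF
# Generated by resolvconf
nameserver 203.0.113.1
nameserver 203.0.113.2
EOF
cat > "$tmp/resolv.leak" <<EOF
# Generated by resolvconf
nameserver 203.0.113.1
nameserver $ISP_DNS
EOF
cat > "$tmp/drill.leak" <<EOF
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 23327
;; QUESTION SECTION:
;; google.com. IN A
;; Query time: 34 msec
;; SERVER: $ISP_DNS
;; WHEN: Mon Nov 23 21:00:46 2020
EOF

check_resolvers "$tmp/resolv.vpn"  || echo "unexpected: tunnel-up resolv.conf flagged"
check_resolvers "$tmp/resolv.leak" || echo "leak detected in resolv.leak (expected)"
check_drill "$tmp/drill.leak"      || echo "leak detected in drill output (expected)"
# On the real jail: check_resolvers /etc/resolv.conf, then
# drill google.com > /tmp/drill.out && check_drill /tmp/drill.out
```

Checking both resolv.conf and the drill ";; SERVER:" line matters because they can disagree: resolv.conf shows what the jail is configured to use, while drill shows which server actually answered, which is the one that would leak.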