OpenVPN DNS Leak Windows 10
The Windows 10 DNS resolver always uses the local DNS server, which defeats the point of --redirect-gateway / the Road-Warrior scenario.
The DNS Servers provided by OpenVPN are not used.
Add an option to push "block-outside-dns" to clients of an RA OpenVPN. Fixes #6719
#2 Updated by Moritz Hofmann 9 months ago
pfSense & *setenv opt block-outside-dns* OpenVPN client
nslookup still tries to connect to the local DNS and gets a timeout. Maybe I misunderstood the ticket.
Modifying the metric of the local connection to a higher value than the VPN connection solves the problem, but this isn't a good solution I think.
#3 Updated by Jim Pingle 9 months ago
All we could do is push the setting or add it to the config. Beyond that it's a Windows problem that isn't anything we can help.
I haven't tested this either way, but according to the ticket you should be able to push that so long as your client is running a current version of OpenVPN. Try uninstalling the OpenVPN client and then installing the latest version either from the export package or from the OpenVPN community downloads. Then try the test again. Pushing the option should be enough, you don't need to use the setenv bit unless you want to control it in the client directly and not push it from the server.
#4 Updated by Jim Pingle 9 months ago
- Status changed from New to Assigned
- Assignee set to Jim Pingle
- Target version set to 2.4.0
- Affected version changed from 2.3.2 to All
Ran some quick tests and both ways work so long as the client is current. With the option present, DNS queries only go across OpenVPN. Looks like ideally we could handle this both ways:
1. RA Server option to push block-outside-dns, checkbox next to the DNS settings with a note about it being specific to Windows 10 clients that leak DNS queries
2. OpenVPN Client Export Package option to add setenv opt block-outside-dns to the client configuration, with a similar note.
Non-windows clients and older clients will ignore the pushed option if they don't recognize it. Similarly, the setenv method is non-fatal if the client does not support the option.
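Added example, not code from the ticket, pfSense or the export package: a small Python checker that parses an OpenVPN server or client config and reports whether a full-tunnel (redirect-gateway) setup carries block-outside-dns in either of the two forms described above, pushed from the server or requested by the client via setenv opt. The sample configs and the hostname vpn.example.com are constructed for the example.

```python
import shlex

def parse_ovpn(text):
    """Split an OpenVPN config into (directive, [args]) tuples; comments and
    inline <ca>/<cert>/<key> blocks are skipped."""
    entries, in_block = [], None
    for line in (ln.strip() for ln in text.splitlines()):
        if in_block:
            in_block = None if line == "</%s>" % in_block else in_block
        elif line.startswith("<") and line.endswith(">"):
            in_block = line[1:-1]
        elif line and line[0] not in "#;":
            parts = shlex.split(line)
            entries.append((parts[0], parts[1:]))
    return entries

def effective_names(config_text, role):
    """Option names a Windows client ends up with: for a 'server' config the pushed
    ones (push "redirect-gateway def1" -> redirect-gateway); for a 'client' config
    its own lines plus any 'setenv opt X', the client-side way to request X."""
    names = set()
    for directive, args in parse_ovpn(config_text):
        if role == "server":
            if directive == "push" and args:
                pushed = shlex.split(args[0])
                if pushed:
                    names.add(pushed[0])
        elif directive == "setenv" and len(args) == 2 and args[0] == "opt":
            names.add(args[1])
        else:
            names.add(directive)
    return names

def check_dns_leak(config_text, role):
    """Static check only (reads the config, does not watch live DNS traffic)."""
    names = effective_names(config_text, role)
    if "redirect-gateway" not in names:
        return "not-full-tunnel"          # split tunnel: local DNS use is expected
    return "ok" if "block-outside-dns" in names else "leak-risk"

# Constructed sample configs, not taken from the ticket or from pfSense
SERVER_LEAKY = """
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"
"""
SERVER_FIXED = SERVER_LEAKY + 'push "block-outside-dns"\n'
CLIENT_FIXED = "client\nremote vpn.example.com 1194\nredirect-gateway def1\nsetenv opt block-outside-dns\n"
```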