Bug #6719


OpenVPN DNS Leak Windows 10

Added by Moritz Hofmann almost 8 years ago. Updated over 7 years ago.

The Windows 10 DNS resolver always uses the local DNS server, which defeats the point of --redirect-gateway / the Road-Warrior scenario.

The DNS Servers provided by OpenVPN are not used.

Actions #1

Updated by Jim Pingle almost 8 years ago

Did you try the suggested fix on the ticket you linked? Put this in your advanced server config box:

push block-outside-dns

We could add that to the exporter, either in all cases or as another checkbox option.

Actions #2

Updated by Moritz Hofmann almost 8 years ago

I tried

push block-outside-dns on pfSense and setenv opt block-outside-dns in the OpenVPN client

nslookup still tries to connect to the local DNS and times out. Maybe I misunderstood the ticket.

Modifying the metric of the local connection to a higher value than the VPN connection solves the problem, but this isn't a good solution, I think.

Actions #3

Updated by Jim Pingle almost 8 years ago

All we could do is push the setting or add it to the config. Beyond that it's a Windows problem that isn't anything we can help.

I haven't tested this either way, but according to the ticket you should be able to push that so long as your client is running a current version of OpenVPN. Try uninstalling the OpenVPN client and then installing the latest version either from the export package or from the OpenVPN community downloads. Then try the test again. Pushing the option should be enough, you don't need to use the setenv bit unless you want to control it in the client directly and not push it from the server.

Actions #4

Updated by Jim Pingle almost 8 years ago

  • Status changed from New to Assigned
  • Assignee set to Jim Pingle
  • Target version set to 2.4.0
  • Affected Version changed from 2.3.2 to All

Ran some quick tests and both ways work so long as the client is current. With the option present, DNS queries only go across OpenVPN. Looks like ideally we could handle this both ways:

1. RA Server option to push block-outside-dns, checkbox next to the DNS settings with a note about it being specific to Windows 10 clients that leak DNS queries
2. OpenVPN Client Export Package option to add setenv opt block-outside-dns to the client configuration, with a similar note.

Non-Windows clients and older clients will ignore the pushed option if they don't recognize it. Similarly, the setenv method is non-fatal if the client does not support the option.
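The test described in the comments above (a query to the LAN resolver should time out once block-outside-dns is in effect, while the resolver pushed over the tunnel still answers) can be scripted on the Windows 10 client. The following is an added example, not code from the ticket, from pfSense or from OpenVPN. The two resolver addresses and the hostname are assumptions for illustration; substitute your own LAN DNS server and the DNS server pushed by the OpenVPN server.

```powershell
# Added example (not part of the pfSense ticket, pfSense or OpenVPN).
# Run on a Windows 10 client with the OpenVPN tunnel up. It checks whether a
# DNS query can still reach a resolver outside the tunnel. With
# block-outside-dns active, the query to the LAN resolver should fail (the
# WFP filters drop it) and the query to the pushed VPN resolver should succeed.
param(
    [string]$LanDns = '192.168.1.1',   # assumed LAN resolver (the one that leaks)
    [string]$VpnDns = '10.8.0.1',      # assumed resolver pushed by OpenVPN
    [string]$Name   = 'example.com'    # assumed hostname to look up
)

# 1. List the resolvers configured on every IPv4 interface. Windows 10 sends
#    queries to all of them, which is the leak this ticket is about.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses |
    Format-Table -AutoSize

# 2. Show interface metrics; raising the LAN metric above the VPN metric is
#    the workaround mentioned in the report, shown here for diagnosis only.
Get-NetIPInterface -AddressFamily IPv4 |
    Select-Object InterfaceAlias, InterfaceMetric, ConnectionState |
    Format-Table -AutoSize

function Test-Resolver {
    # Returns $true if the given server answers a direct DNS query.
    # -DnsOnly bypasses the local cache, hosts file and LLMNR/NetBIOS.
    param([string]$Server)
    try {
        $null = Resolve-DnsName -Name $Name -Server $Server -DnsOnly -ErrorAction Stop
        return $true
    } catch {
        return $false
    }
}

# 3. Direct queries: the LAN resolver must not answer, the VPN resolver must.
$lanAnswered = Test-Resolver -Server $LanDns
$vpnAnswered = Test-Resolver -Server $VpnDns

if ($lanAnswered) {
    Write-Warning "LAN resolver $LanDns answered: DNS is leaking outside the tunnel."
} else {
    Write-Host "LAN resolver $LanDns did not answer: outside DNS is blocked."
}

if ($vpnAnswered) {
    Write-Host "VPN resolver $VpnDns answered: tunnel DNS works."
} else {
    Write-Warning "VPN resolver $VpnDns did not answer: check the pushed DNS servers."
}
```

Expect the query to the LAN resolver to take several seconds before it fails, since the blocked packets are dropped rather than rejected. Run the script once without block-outside-dns (the LAN resolver answers) and once with it pushed from the server or set via setenv in the client config, to confirm the option is actually being applied.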

Actions #5

Updated by Daryl Morse almost 8 years ago

I use Mullvad VPN on one of my PCs, which is running Windows 10. As long as you are using OpenVPN 2.3.9 or newer, it has the block-outside-dns feature, which uses WFP. It definitely works. If you invoke this feature, you should not experience DNS leakage.

Actions #6

Updated by Jim Pingle almost 8 years ago

  • Status changed from Assigned to Feedback
  • % Done changed from 0 to 100

Actions #7

Updated by Jim Pingle almost 8 years ago

  • Status changed from Feedback to Resolved

New options are being pushed correctly when selected.

Actions #8

Updated by Jim Pingle over 7 years ago

  • Target version changed from 2.4.0 to 2.3.3
