Bug #6719
closed
Did you try the suggested fix on the ticket you linked? Put this in your advanced server config box:
push block-outside-dns
We could add that to the exporter, either in all cases or as another checkbox option.
I tried push block-outside-dns (pfSense) & setenv opt block-outside-dns (OpenVPN client).
nslookup still tries to connect to the local DNS and gets a timeout. Maybe I misunderstood the ticket.
Modifying the metric of the local connection to a higher value than the VPN connection solves the problem, but this isn't a good solution, I think.
All we could do is push the setting or add it to the config. Beyond that it's a Windows problem that isn't anything we can help.
I haven't tested this either way, but according to the ticket you should be able to push that so long as your client is running a current version of OpenVPN. Try uninstalling the OpenVPN client and then installing the latest version either from the export package or from the OpenVPN community downloads. Then try the test again. Pushing the option should be enough, you don't need to use the setenv bit unless you want to control it in the client directly and not push it from the server.
- Status changed from New to Assigned
- Assignee set to Jim Pingle
- Target version set to 2.4.0
- Affected Version changed from 2.3.2 to All
Ran some quick tests and both ways work so long as the client is current. With the option present, DNS queries only go across OpenVPN. Looks like ideally we could handle this both ways:
1. RA Server option to push block-outside-dns, checkbox next to the DNS settings with a note about it being specific to Windows 10 clients that leak DNS queries
2. OpenVPN Client Export Package option to add setenv opt block-outside-dns to the client configuration, with a similar note.
Non-Windows clients and older clients will ignore the pushed option if they don't recognize it. Similarly, the setenv method is non-fatal if the client does not support the option.
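An added example, not part of the ticket or of pfSense's code: a small audit of an exported client profile that reports which of the two delivery paths above it depends on. It assumes OpenVPN's pull-filter directive (2.4 and later, prefix matching) and that the first matching filter decides; the sample profiles and hostname are constructed.

```python
import shlex

OPTION = "block-outside-dns"

# Constructed sample profiles (hostname and contents are illustrative only).
SETENV_PROFILE = "client\ndev tun\nremote vpn.example.com 1194 udp\nsetenv opt block-outside-dns\n"
FILTERED_PROFILE = 'client\n;setenv opt block-outside-dns\npull-filter ignore "block-outside"\n'
PLAIN_PROFILE = "client\n<ca>\n-----BEGIN CERTIFICATE-----\n</ca>\nverb 3\n"


def audit_profile(text):
    """Return how a client profile ends up with (or without) block-outside-dns.

    "direct"         - option written as a plain directive in the profile
    "setenv-opt"     - option added in the tolerant `setenv opt` form
    "relies-on-push" - not in the profile; depends on the server pushing it
    "push-filtered"  - not in the profile and a pull-filter drops the push
    """
    in_profile = None
    push_action = "accept"   # fate of a server-pushed copy of the option
    filter_hit = False       # assumption: first matching pull-filter decides
    inline = None            # tag of an inline <ca>/<cert>/<key> block
    for raw in text.splitlines():
        line = raw.strip()
        if inline:
            inline = None if line == f"</{inline}>" else inline
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and line.endswith(">") and line[1] != "/":
            inline = line[1:-1]
            continue
        try:
            words = shlex.split(line, comments=True)
        except ValueError:
            continue  # unbalanced quote: not a directive this audit reads
        if words == [OPTION]:
            in_profile = "direct"
        elif words == ["setenv", "opt", OPTION] and in_profile is None:
            in_profile = "setenv-opt"
        elif len(words) == 3 and words[0] == "pull-filter" and not filter_hit:
            # pull-filter text is matched as a prefix of the pushed option
            if OPTION.startswith(words[2]):
                filter_hit, push_action = True, words[1]
    if in_profile:
        return in_profile
    return "relies-on-push" if push_action == "accept" else "push-filtered"
```

A "push-filtered" result is the case worth chasing on Windows clients: the server checkbox is ticked, but the profile discards the pushed option.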
I use Mullvad VPN on one of my PCs which is running Windows 10. As long as you are using OpenVPN 2.3.9 or newer, it has the block-outside-dns feature, which uses WFP. It definitely works. If you invoke this feature, you should not experience DNS leakage.
- Status changed from Assigned to Feedback
- % Done changed from 0 to 100
- Status changed from Feedback to Resolved
New options are being pushed correctly when selected.
- Target version changed from 2.4.0 to 2.3.3