
"Not modifying '/etc/resolv.conf'" always on MacOS causing DNS leaks

joaufi opened this issue 4 years ago • 8 comments

When running openpyn us on MacOS Catalina 10.15 it never seems to modify the /etc/resolv.conf file (no matter what settings or flags are supplied, both run as user and sudo) resulting in DNS leaks:

2019-11-04 20:44:15 [SUCCESS] CONNECTING TO SERVER us4374 ON PORT udp
2019-11-04 20:44:15 [WARNING] Not modifying '/etc/resolv.conf', DNS traffic likely won't go through the encrypted tunnel
Mon Nov  4 20:44:15 2019 WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
Mon Nov  4 20:44:15 2019 OpenVPN 2.4.7 x86_64-apple-darwin19.0.0 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Sep 29 2019
Mon Nov  4 20:44:15 2019 library versions: OpenSSL 1.1.1d  10 Sep 2019, LZO 2.10
Mon Nov  4 20:44:15 2019 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:7015
Mon Nov  4 20:44:15 2019 WARNING: --ping should normally be used with --ping-restart or --ping-exit
Mon Nov  4 20:44:15 2019 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Nov  4 20:44:15 2019 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Nov  4 20:44:15 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]64.44.81.51:1194
Mon Nov  4 20:44:15 2019 Socket Buffers: R=[786896->786896] S=[9216->9216]
Mon Nov  4 20:44:15 2019 UDP link local: (not bound)
Mon Nov  4 20:44:15 2019 UDP link remote: [AF_INET]64.44.81.51:1194
Mon Nov  4 20:44:15 2019 TLS: Initial packet from [AF_INET]64.44.81.51:1194, sid=7b90afe3 89a8ce90
Mon Nov  4 20:44:15 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Nov  4 20:44:15 2019 VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
Mon Nov  4 20:44:15 2019 VERIFY OK: depth=1, C=PA, O=NordVPN, CN=NordVPN CA3
Mon Nov  4 20:44:15 2019 VERIFY KU OK
Mon Nov  4 20:44:15 2019 Validating certificate extended key usage
Mon Nov  4 20:44:15 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon Nov  4 20:44:15 2019 VERIFY EKU OK
Mon Nov  4 20:44:15 2019 VERIFY OK: depth=0, CN=us4374.nordvpn.com
Mon Nov  4 20:44:15 2019 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Mon Nov  4 20:44:15 2019 [us4374.nordvpn.com] Peer Connection Initiated with [AF_INET]64.44.81.51:1194
Mon Nov  4 20:44:16 2019 SENT CONTROL [us4374.nordvpn.com]: 'PUSH_REQUEST' (status=1)
Mon Nov  4 20:44:16 2019 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 103.86.96.100,dhcp-option DNS 103.86.99.100,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,comp-lzo no,route-gateway 10.8.3.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.8.3.13 255.255.255.0,peer-id 10,cipher AES-256-GCM'
Mon Nov  4 20:44:16 2019 OPTIONS IMPORT: timers and/or timeouts modified
Mon Nov  4 20:44:16 2019 OPTIONS IMPORT: explicit notify parm(s) modified
Mon Nov  4 20:44:16 2019 OPTIONS IMPORT: compression parms modified
Mon Nov  4 20:44:16 2019 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Mon Nov  4 20:44:16 2019 Socket Buffers: R=[786896->524288] S=[9216->524288]
Mon Nov  4 20:44:16 2019 OPTIONS IMPORT: --ifconfig/up options modified
Mon Nov  4 20:44:16 2019 OPTIONS IMPORT: route options modified
Mon Nov  4 20:44:16 2019 OPTIONS IMPORT: route-related options modified
Mon Nov  4 20:44:16 2019 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Mon Nov  4 20:44:16 2019 OPTIONS IMPORT: peer-id set
Mon Nov  4 20:44:16 2019 OPTIONS IMPORT: adjusting link_mtu to 1657
Mon Nov  4 20:44:16 2019 OPTIONS IMPORT: data channel crypto options modified
Mon Nov  4 20:44:16 2019 Data Channel: using negotiated cipher 'AES-256-GCM'
Mon Nov  4 20:44:16 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Nov  4 20:44:16 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Nov  4 20:44:16 2019 Opening utun (connect(AF_SYS_CONTROL)): Resource busy (errno=16)
Mon Nov  4 20:44:16 2019 Opening utun (connect(AF_SYS_CONTROL)): Resource busy (errno=16)
Mon Nov  4 20:44:16 2019 Opening utun (connect(AF_SYS_CONTROL)): Resource busy (errno=16)
Mon Nov  4 20:44:16 2019 Opening utun (connect(AF_SYS_CONTROL)): Resource busy (errno=16)
Mon Nov  4 20:44:16 2019 Opening utun (connect(AF_SYS_CONTROL)): Resource busy (errno=16)
Mon Nov  4 20:44:16 2019 Opening utun (connect(AF_SYS_CONTROL)): Resource busy (errno=16)
Mon Nov  4 20:44:16 2019 Opened utun device utun6
Mon Nov  4 20:44:16 2019 /sbin/ifconfig utun6 delete
ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
Mon Nov  4 20:44:16 2019 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
Mon Nov  4 20:44:16 2019 /sbin/ifconfig utun6 10.8.3.13 10.8.3.13 netmask 255.255.255.0 mtu 1500 up
Mon Nov  4 20:44:16 2019 /sbin/route add -net 10.8.3.0 10.8.3.13 255.255.255.0
add net 10.8.3.0: gateway 10.8.3.13
Mon Nov  4 20:44:16 2019 /sbin/route add -net 64.44.81.51 192.168.1.1 255.255.255.255
add net 64.44.81.51: gateway 192.168.1.1
Mon Nov  4 20:44:16 2019 /sbin/route add -net 0.0.0.0 10.8.3.1 128.0.0.0
add net 0.0.0.0: gateway 10.8.3.1
Mon Nov  4 20:44:16 2019 /sbin/route add -net 128.0.0.0 10.8.3.1 128.0.0.0
add net 128.0.0.0: gateway 10.8.3.1
Mon Nov  4 20:44:16 2019 Initialization Sequence Completed

Confirmed with DNS Leak Test simple and extended tests, using Google DNS servers 8.8.8.8 and 8.8.4.4 configured at router level (screenshots):

Simple Test unconnected to any VPN: [screenshot: simple test unconnected to openpyn or VPN]

Extended Test unconnected to any VPN: [screenshot: extended test unconnected to openpyn or VPN]

Simple Test connected to VPN using openpyn us: [screenshot: simple test connected to openpyn]

Extended Test connected to VPN using openpyn us: [screenshot: extended test connected to openpyn]

Content of /etc/resolv.conf before AND after running openpyn:

#
# macOS Notice
#
# This file is not consulted for DNS hostname resolution, address
# resolution, or the DNS query routing mechanism used by most
# processes on this system.
#
# To view the DNS configuration used by this system, use:
#   scutil --dns
#
# SEE ALSO
#   dns-sd(1), scutil(8)
#
# This file is automatically generated.
#
nameserver 192.168.1.1

Current workaround is to get the fastest server using openpyn and then connecting to the specified server through NordVPN GUI which prevents DNS leaking:

Simple Test connected to VPN using NordVPN GUI application: [screenshot: simple test connected to NordVPN through GUI]

Extended Test connected to VPN using NordVPN GUI application: [screenshot: extended test connected to NordVPN through GUI]

Content of /etc/resolv.conf after connecting to VPN using NordVPN GUI application:

#
# macOS Notice
#
# This file is not consulted for DNS hostname resolution, address
# resolution, or the DNS query routing mechanism used by most
# processes on this system.
#
# To view the DNS configuration used by this system, use:
#   scutil --dns
#
# SEE ALSO
#   dns-sd(1), scutil(8)
#
# This file is automatically generated.
#
nameserver 103.86.99.99
nameserver 103.86.96.96

So NordVPN is able to modify /etc/resolv.conf to prevent DNS leaks, but openpyn is unable to, it seems.

Why is openpyn not modifying /etc/resolv.conf when it is run (regardless of sudo, options, and flags added)?

Would be happy to open a PR to fix this issue but likely would need some guidance to do so. Thanks! 👍

joaufi avatar Nov 05 '19 02:11 joaufi

Note: Above ran with both the latest master and test branches of openpyn with fresh --init on each

joaufi avatar Nov 05 '19 02:11 joaufi

Believe I have fixed this on the test branch; trying to push a feature branch for a PR but getting:

ERROR: Permission to jotyGill/openpyn-nordvpn.git denied to joaufi.
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

Could I get push access? ⬆️

joaufi avatar Nov 06 '19 00:11 joaufi

You can set the DNS manually; that was one of the reasons I set it to disabled on macOS when porting/testing openpyn on macOS, since I didn't test the script openpyn uses to modify /etc/resolv.conf.

1951FDG avatar Nov 06 '19 20:11 1951FDG

You can open a pull request on test branch, instead of push access...

1951FDG avatar Nov 06 '19 20:11 1951FDG

I did not know that you could open a PR using a forked repo branch onto the forked-from repo branch; thanks for the knowledge! I'll open a PR.

Fwiw the script does successfully modify /etc/resolv.conf (tested a few times), but it does not change it back to whatever the user had in the resolv.conf if / when openpyn is closed and the vpn is disconnected. Going to make my changes do that so that it more closely mimics the NordVPN GUI (and seems a bit more user friendly).

joaufi avatar Nov 06 '19 22:11 joaufi

it does not change it back to whatever the user had in the resolv.conf

Yeah, that's what I thought, would be great if you can fix this!

1951FDG avatar Nov 08 '19 20:11 1951FDG

I finally got around to this ☠️ See: https://github.com/jotyGill/openpyn-nordvpn/pull/252

Feel like it is a somewhat sloppy solution but it works 😅

joaufi avatar Dec 10 '19 05:12 joaufi

There's a MacOS notice in the /etc/resolv.conf file claiming it's not used for DNS hostname resolution and that it is generated automatically. (I'm running macOS Catalina 10.15.4)

# macOS Notice
#
# This file is not consulted for DNS hostname resolution, address
# resolution, or the DNS query routing mechanism used by most
# processes on this system.
#
# To view the DNS configuration used by this system, use:
#   scutil --dns
#
# SEE ALSO
#   dns-sd(1), scutil(8)
#
# This file is automatically generated.

Trying to replace the resolv.conf file doesn't do the trick for me and it also requires privileges, e.g.

sudo mv -n /etc/resolv.conf /etc/resolv.conf.backup
sudo /bin/sh -c "echo 'nameserver $nordDNS1' >  /etc/resolv.conf"

Suggested fix

I've resolved the issue with simple aliases that I run before/after connecting to the NordVPN server of choice.

alias resetdns="networksetup -setdnsservers Wi-Fi 192.168.1.1 192.168.1.1"
alias norddns="networksetup -setdnsservers Wi-Fi 103.86.99.100 103.86.96.100 208.67.222.220"

networksetup -setdnsservers also updates /etc/resolv.conf, i.e. "...is automatically generated."

birkirbrynjarsson avatar Apr 06 '20 21:04 birkirbrynjarsson
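The thread above makes three points that belong together: on macOS the resolvers actually consulted are the ones `scutil --dns` reports, not whatever is written into /etc/resolv.conf (the file is regenerated from the system configuration store); `networksetup -setdnsservers` is the supported way to change them; and whatever sets the VPN DNS should put the previous setting back on disconnect, which joaufi noted openpyn's script did not do. The script below is an added example written for this page, not openpyn's code or the NordVPN client's. It extracts the DNS servers from the `PUSH_REPLY` line OpenVPN logs (the one shown in the issue), checks the primary resolver from `scutil --dns` output against them to detect the leak, and wraps `networksetup` so the original DNS setting is saved before the VPN servers are applied and restored afterwards. The network service name `Wi-Fi` and the state file path are assumptions (`networksetup -listallnetworkservices` lists the real service names); the two sample inputs are constructed from the output shown in the thread so the parsing and leak check run on any POSIX shell, while the `networksetup` calls themselves only work on macOS and need admin rights.

```shell
#!/bin/sh
# Added example, not part of openpyn or this thread. On macOS the resolvers in
# use are those reported by `scutil --dns` (backed by the system configuration
# store), so a DNS-leak fix must go through `networksetup -setdnsservers`,
# which regenerates /etc/resolv.conf as a side effect. This script:
#   1. pulls the DNS servers out of the PUSH_REPLY line OpenVPN logs,
#   2. saves the network service's current DNS setting so it can be restored
#      on disconnect,
#   3. checks the primary resolver from `scutil --dns` for a leak.
# Assumptions: the network service is "Wi-Fi" (see `networksetup
# -listallnetworkservices`) and state is kept in $STATE_FILE.

SERVICE="${SERVICE:-Wi-Fi}"
STATE_FILE="${STATE_FILE:-/tmp/openpyn-dns.saved}"

# Constructed sample: the PUSH_REPLY line from the log in this issue.
SAMPLE_PUSH="Mon Nov  4 20:44:16 2019 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 103.86.96.100,dhcp-option DNS 103.86.99.100,sndbuf 524288,rcvbuf 524288,ping 60,cipher AES-256-GCM'"

# Constructed sample of `scutil --dns` output after connecting, with the
# primary resolver still pointing at the router: the leak reported above.
SAMPLE_SCUTIL="DNS configuration

resolver #1
  nameserver[0] : 192.168.1.1
  if_index : 5 (en0)
  flags    : Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)"

# Join stdin into one space-separated line (word splitting does the work).
join_words() { echo $(cat); }

# Print every address from 'dhcp-option DNS a.b.c.d' in a PUSH_REPLY line on
# stdin, one per line, in the order the server pushed them.
pushed_dns() {
    tr ',' '\n' | sed -n 's/^dhcp-option DNS \([0-9.]*\).*/\1/p'
}

# Print the nameservers of resolver #1 (the one ordinary lookups use) from
# `scutil --dns` output on stdin.
primary_nameservers() {
    awk '/^resolver #1$/ { in1 = 1; next }
         /^resolver #/   { in1 = 0 }
         in1 && /nameserver\[[0-9]+\] :/ { print $3 }'
}

# Return 0 if every primary nameserver is one of the expected (pushed) servers,
# 1 if any other resolver is in use or none is found.
dns_leak_check() {
    expected="$1"; actual="$2"; leak=0
    if [ -z "$actual" ]; then
        echo "no nameservers found for resolver #1" >&2
        return 1
    fi
    for ns in $actual; do
        case " $expected " in
            *" $ns "*) ;;
            *) echo "LEAK: primary resolver $ns is not a VPN DNS server" >&2; leak=1 ;;
        esac
    done
    return $leak
}

# Turn `networksetup -getdnsservers` output (stdin) into the arguments that
# reproduce it: "Empty" clears the list, i.e. back to DHCP-supplied servers.
saved_dns_args() {
    out="$(cat)"
    case "$out" in
        "There aren't any DNS Servers set"*) echo Empty ;;
        *) echo $out ;;
    esac
}

# Live helpers (macOS only; setting DNS needs admin rights).
save_dns()    { networksetup -getdnsservers "$SERVICE" | saved_dns_args > "$STATE_FILE"; }
apply_dns()   { networksetup -setdnsservers "$SERVICE" "$@"; }
restore_dns() { [ -f "$STATE_FILE" ] && apply_dns $(cat "$STATE_FILE") && rm -f "$STATE_FILE"; }

# Offline demonstration on the constructed samples (runs anywhere).
pushed="$(printf '%s\n' "$SAMPLE_PUSH" | pushed_dns | join_words)"
primary="$(printf '%s\n' "$SAMPLE_SCUTIL" | primary_nameservers | join_words)"
echo "pushed DNS servers : $pushed"
echo "primary resolver   : $primary"
if dns_leak_check "$pushed" "$primary"; then
    echo "OK: lookups go to the VPN resolvers"
else
    echo "fix on macOS: save_dns; apply_dns $pushed   (then restore_dns on disconnect)"
fi
```

On a real connection, replace the constructed samples with `grep PUSH_REPLY` over the OpenVPN log and `scutil --dns | primary_nameservers`; the save/apply/restore sequence is what the NordVPN GUI effectively does and what the workaround aliases above do by hand, with the difference that the saved state means the user's own servers come back instead of a hard-coded 192.168.1.1.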