Channel: Active questions tagged openvpn - Unix & Linux Stack Exchange

How to fix OpenVPN DNS leak


I just subscribed to a VPN provider.

I have Xubuntu 17.10, openvpn 2.4.3. After launching the openvpn command I check the IP (fine) and performed a simple DNS leak test: not fine, it shows my Internet Service Provider!

How to fix this DNS leak?

I have one preliminary interrogation:

  • is it "fixable" on my side? Or is the remote server wrongly configured?

On my side, I tried changing some values in the .ovpn config file for openvpn:

  1. Originally there were already these lines, that are expected to work, but nope:

    script-security 2
    up /etc/openvpn/update-resolv-conf
    down /etc/openvpn/update-resolv-conf
  2. I changed them according to this reddit answer (explicitly specifying DNS addresses):

    dhcp-option DNS 208.67.222.222
    dhcp-option DNS 208.67.220.220
    dhcp-option DNS 8.26.56.26
    up "/etc/openvpn/update-resolv-conf foreign_option_1='dhcp-option DNS 208.67.222.222' foreign_option_2='dhcp-option DNS 208.67.220.220' foreign_option_3='dhcp-option DNS 8.26.56.26'"
    down "/etc/openvpn/update-resolv-conf foreign_option_1='dhcp-option DNS 208.67.222.222' foreign_option_2='dhcp-option DNS 208.67.220.220' foreign_option_3='dhcp-option DNS 8.26.56.26'"

    Doing that seems to do the job, as the content of /etc/resolvconf gets updated by the up/down scripts:

    # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
    #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
    # 127.0.0.53 is the systemd-resolved stub resolver.
    # run "systemd-resolve --status" to see details about the actual nameservers.
    nameserver 208.67.222.222
    nameserver 208.67.220.220
    nameserver 8.26.56.26
    search lan

    but DNSleaktest is still showing my ISP.

  3. So then I learned of the existence of the Ubuntu package openvpn-systemd-resolved, which provides a script similar to update-resolv-conf but makes it work with systemd (here I have no idea what processes use this: network-manager? openvpn?). I installed the package and replaced the script name in my .ovpn file:

    up "/etc/openvpn/update-systemd-resolved ..."
    down "..."
    down-pre

    Still no luck. [While writing this I just figured out the solution, see my answer below]

  4. Then I played a lot with the /etc/resolv.conf file. Normally it should not be changed, so I put my DNS servers addresses into /etc/resolvconf/resolv.conf.d/base, but issuing resolvconf -u did not appear to work.

  5. Chatted with a support person from the VPN company, no solution.

  6. I tried various solutions like this one, and subsequent unaccepted answers:

    • installing dnsmasq and putting server=... into /etc/dnsmasq.conf;
    • putting a "supersede" line in the /etc/dhcp/dhclient.conf (details);
    • the chattr-based hack.
  7. I forgot the other things I tried, then I thought, stackexchange will save me from my misery, and it miraculously did, just by the power of formulating a question.

[Edit 1: Not solved! Actually my first answer is not the reason it works]

I noticed it after more checking. I can remove the systemd-update-resolved lines and it still works, but only on certain conditions:

When the openvpn service is running, I get DNS leaks. If I stop it, and then restart only the service for my client:

    sudo service openvpn stop
    sudo service openvpn@client start

then it works.

Sorry, I suppose I haven't checked the openvpn manual thoroughly, but why is that? Isn't it a security leak? Especially because the openvpn service is activated automatically after installation from apt. How do I make the change permanent? (I tried sudo systemctl disable openvpn, but at the next startup I still had the same problem.)

[Edit 2: routing tables]

Once I stopped openvpn and started openvpn@client, I don't have DNS leaks and the output of route -n is:

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    0.0.0.0         91.240.65.1     128.0.0.0       UG    0      0        0 tun0
    0.0.0.0         192.168.1.254   0.0.0.0         UG    100    0        0 eno1
    91.240.64.17    192.168.1.254   255.255.255.255 UGH   0      0        0 eno1
    91.240.65.0     0.0.0.0         255.255.255.224 U     0      0        0 tun0
    128.0.0.0       91.240.65.1     128.0.0.0       UG    0      0        0 tun0
    169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eno1
    192.168.1.0     0.0.0.0         255.255.255.0   U     100    0        0 eno1

After a sudo service openvpn restart:

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    0.0.0.0         91.240.66.1     128.0.0.0       UG    0      0        0 tun0
    0.0.0.0         192.168.1.254   0.0.0.0         UG    100    0        0 eno1
    91.240.64.16    192.168.1.254   255.255.255.255 UGH   0      0        0 eno1
    91.240.66.0     0.0.0.0         255.255.255.224 U     0      0        0 tun0
    128.0.0.0       91.240.66.1     128.0.0.0       UG    0      0        0 tun0
    169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eno1
    192.168.1.0     0.0.0.0         255.255.255.0   U     100    0        0 eno1

Not working anymore, I get DNS leaks in both cases. I tried installing the package openresolv (which replaces resolvconf), and it seems to work. Here is the new routing table:

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    0.0.0.0         91.240.66.161   128.0.0.0       UG    0      0        0 tun0
    0.0.0.0         192.168.1.254   0.0.0.0         UG    100    0        0 eno1
    91.240.64.15    192.168.1.254   255.255.255.255 UGH   0      0        0 eno1
    91.240.66.160   0.0.0.0         255.255.255.224 U     0      0        0 tun0
    128.0.0.0       91.240.66.161   128.0.0.0       UG    0      0        0 tun0
    169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eno1
    192.168.1.0     0.0.0.0         255.255.255.0   U     100    0        0 eno1
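A check that makes the routing tables above answer the question directly, added here as an example that is not part of the question and not one of the OpenVPN or openvpn-systemd-resolved scripts it mentions: each nameserver in resolv.conf is matched against the `route -n` table the way the kernel does it (longest prefix, then lowest metric), which tells you on which interface a DNS query to that server would actually leave the machine. The two half-default routes 0.0.0.0/1 and 128.0.0.0/1 via tun0 are what OpenVPN's `redirect-gateway def1` installs; they beat the provider's 0.0.0.0/0 on eno1 for any address on the internet, but a nameserver on the LAN (the router handed out by DHCP) or the 127.0.0.53 systemd-resolved stub is reached by a more specific or local route and bypasses the tunnel no matter what the default route says. The function and file names are hypothetical; the routing table is the one the question shows after `service openvpn@client start`, and the two resolv.conf samples are constructed.

```python
import ipaddress
import sys

# Sample input: the `route -n` output the question shows after
# `service openvpn@client start`. OpenVPN's `redirect-gateway def1` installs
# the two half-default routes 0.0.0.0/1 and 128.0.0.0/1 via tun0, which win
# over the provider's 0.0.0.0/0 on eno1 by longest-prefix match.
ROUTE_N_OUTPUT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         91.240.65.1     128.0.0.0       UG    0      0        0 tun0
0.0.0.0         192.168.1.254   0.0.0.0         UG    100    0        0 eno1
91.240.64.17    192.168.1.254   255.255.255.255 UGH   0      0        0 eno1
91.240.65.0     0.0.0.0         255.255.255.224 U     0      0        0 tun0
128.0.0.0       91.240.65.1     128.0.0.0       UG    0      0        0 tun0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eno1
192.168.1.0     0.0.0.0         255.255.255.0   U     100    0        0 eno1
"""

# Constructed resolv.conf samples: one as pushed by the VPN's up script, and
# one where the LAN router (the ISP path) is still listed as a resolver.
RESOLV_CONF_VPN = """\
nameserver 208.67.222.222
nameserver 208.67.220.220
search lan
"""
RESOLV_CONF_LEAKY = """\
nameserver 192.168.1.254
nameserver 208.67.222.222
"""


def parse_routes(text):
    """Turn `route -n` text into a list of (network, metric, iface) entries."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or parts[0] in ("Kernel", "Destination"):
            continue  # banner and column-header lines
        dest, _gw, genmask, _flags, metric = parts[:5]
        iface = parts[-1]
        # ipaddress accepts a dotted netmask, so "0.0.0.0/128.0.0.0" -> 0.0.0.0/1
        net = ipaddress.ip_network(f"{dest}/{genmask}", strict=False)
        routes.append((net, int(metric), iface))
    return routes


def egress_iface(routes, ip):
    """Pick the route the kernel would use: longest prefix, then lowest metric."""
    addr = ipaddress.ip_address(ip)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None
    _net, _metric, iface = max(candidates, key=lambda r: (r[0].prefixlen, -r[1]))
    return iface


def parse_nameservers(text):
    """Extract the nameserver addresses from resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def dns_leak_report(route_text, resolv_text, vpn_iface="tun0"):
    """Map each configured nameserver to the interface its queries would leave on.

    Returns (report, leaks): report is {nameserver: iface or note}, leaks is the
    list of nameservers that would be queried outside the VPN tunnel. A loopback
    stub such as 127.0.0.53 (systemd-resolved) cannot be judged from the routing
    table alone, so it is reported with a note instead of being counted.
    """
    routes = parse_routes(route_text)
    report, leaks = {}, []
    for ns in parse_nameservers(resolv_text):
        if ipaddress.ip_address(ns).is_loopback:
            report[ns] = "loopback stub (check its upstream resolvers separately)"
            continue
        via = egress_iface(routes, ns) or "unroutable"
        report[ns] = via
        if via != vpn_iface:
            leaks.append(ns)
    return report, leaks


if __name__ == "__main__":
    # On a live system: python3 dns_leak_check.py <(route -n) /etc/resolv.conf
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f:
            route_text = f.read()
        with open(sys.argv[2]) as f:
            resolv_text = f.read()
    else:
        route_text, resolv_text = ROUTE_N_OUTPUT, RESOLV_CONF_LEAKY
    report, leaks = dns_leak_report(route_text, resolv_text)
    for ns, via in report.items():
        print(f"{ns:<16} -> {via}")
    print("DNS leak: " + (", ".join(leaks) if leaks else "none"))
```

Run against the question's table, the VPN-pushed resolv.conf reports both OpenDNS servers via tun0 and no leak, while the constructed resolv.conf that still lists 192.168.1.254 reports that server via eno1 (the /24 LAN route is more specific than either /1), which is exactly the situation a DNS leak test sees as "your ISP" even though the default route goes through the tunnel. When resolv.conf only lists 127.0.0.53, the routing table says nothing useful and the upstreams of systemd-resolved (which `systemd-resolve --status` shows, as the generated resolv.conf header says) are what decide.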
