Re: OpenVPN Service
From: Julien Lepiller
Subject: Re: OpenVPN Service
Date: Thu, 19 Nov 2020 06:36:55 -0500
User-agent: K-9 Mail for Android
On 18 November 2020 20:04:33 GMT-05:00, jbranso@dismail.de wrote:
>I had an issue with openvpn service leaking my DNS queries. I've set
>up network manager to manage my vpn connections. Though, I think I had
>to use DNS over HTTPS to fix the leaking DNS issue.
Well, this is not something you can configure on the VPN side I think. The
server might advertise a DNS server on the VPN, in which case it won't leak.
Otherwise, you need to check your DNS settings and default routes to make sure
that your DNS server is not on your local network, and uses the VPN route.
DoH does not solve this: it's only a way to use DNS over a different, encrypted
port. Usually it's used with an external server (e.g. Cloudflare), but it can
also be implemented on your local network, in which case you're still leaking
your DNS queries. Again, if you want to use DoH, you need to configure it
properly :)
>
>November 18, 2020 2:55 PM, "Raghav Gururajan" <rg@raghavgururajan.name>
>wrote:
>
>> Hello Julien!
>>
>>> I'm surprised by this one: you already set ca to something different. Can you share the generated
>>> openvpn.conf?
>>
>> OOPS! There was a mistake in config.scm. This error is gone now.
>>
>> Now the openvpn.conf is https://paste.debian.net/1173026
>>
>> and error is https://paste.debian.net/1173027
>>
>>> Ok, looking at the service definition, this is not so surprising: it expects a file in the cert and
>>> key fields, and uses the defaults here. I'm surprised it doesn't complain about client.crt. I
>>> pushed a small update to the service. After you run guix pull, you should be able to specify (cert
>>> 'disabled) and (key 'disabled).
>>
>> Thanks a lot! I will try it.
>>
>>> This is only a warning, but you don't want your password to be world readable: chown it to
>>> openvpn's user, and chmod it to 600.
>>
>> Cool!
>>
>> Regards,
>> RG.