[HOME] [DOWNLOAD] [DOCS] [NEWS] [SUPPORT] [TIPS] [ISSUES] [CONTRIBUTE] [DONATE]

DNS leaks with VPN -> TOR

Support
#1

Hi,
I use VPN on my Whonix Gateway to connect with TOR.

I managed to configure everything as in this tutorial. My fail close mechanism works great but I’m not sure if I should do something more to prevent OpenVPN DNS leaks ? Normally I would edit /etc/resolv.conf and set static nameservers (VPN’s nameservers), but I’m not sure if that’s fine with Whonix. I don’t want to mess up something.

Thanks.

#2

Feel free to edit that file, but be are of this:

#3

What should I put into that file?

I have working connection me -> VPN on W-Gateway -> TOR

I already set up VPN Firewall on W-Gateway by using built in fail closed mechanism.

Last thing to do is preventing from DNS leaks when using my VPN.

Normally when I use OpenVPN I always set VPN static nameserver in /etc/resolv.conf to avoid DNS leaks but I’m not sure if that is a good idea for Whonix.

My /etc/resolv.conf on Whonix Gateway contains this line:

nameserver 127.0.0.1

Is it a good idea to change it to:

#nameserver 127.0.0.1
nameserver MY.VPN.IP.NAMESERVER

?

#4

You can do this, but it doesn’t really matter, because Whonix-Gateway has no functional system DNS for its own traffic by default and design anyhow.

(DNS requests you do in the workstation will still be resolved by Tor [in default config, unless you installed a VPN there as well or so]. But as you configured Tor on the gateway, any Tor connection will go through the VPN first as you expect.)

#5

I understand then it makes more sense to edit /etc/resolv.conf on Whonix Workstation like in this example: https://www.whonix.org/wiki/TestVPN#Riseup_DNS

Editing on W-Gateway is pointless because Gateway has Torified nameservers ?

For example if I had me -> VPN -> Tor -> VPN connection I could edit /etc/resolv.conf on W-Workstation to prevent TOR DNS leaks from there?

#6

Pointless yes, because when VPN_FIREWALL=1, no connections besides connections to the VPN server IP are allowed anyhow and because all applications using the network are configured to use Tor [font=courier]SocksPort[/font]s. System DNS on the gateway is neither desired nor needed for anything.

For example if I had me -> VPN -> Tor -> VPN connection I could edit /etc/resolv.conf on W-Workstation to prevent TOR DNS leaks from there?
Yes, that would make sense. Then you could prevent DNS from hitting Tor exit relays and rather let it go through the post-Tor-VPN.
[Imprint] [Privacy Policy] [Cookie Policy] [Terms of Use] [E-Sign Consent] [DMCA] [Contributors] [Investors] [Priority Support] [Professional Support]