VPN-Firewall and DNS

Maybe I should open a thread for VPN-Firewall :slight_smile:.
I use this command to open openvpn: sudo openvpn --config .
If I connect to the internet with my host, will I use the VPN DNS?
The same question applies to the Gateway making a connection with the Tor entry nodes.

Quote from GitHub - adrelanos/vpn-firewall: Leak Protection (Fail Safe Mechanism) for (Open)VPN:

> What does it NOT do
> Care about DNS leaks. Consult your VPN software's/provider's documentation and configure /etc/resolv.conf to use the DNS server of your VPN server.


On Whonix-Gateway, Whonix-Gateway’s own DNS traffic is always resolved by Tor.

The VPN server doesn't give me anything about resolv.conf.
For using, just as a test case, a VPN-Firewall on the host I did this:

  1. Run VPN-Firewall
  2. Run Tor via tor-arm
  3. Run system updates or surf the net (this is a risk)
  4. I set up a socks port for DNS queries and for torsocks traffic.
  5. I need to run system updates via vpn -> tor; I did this: sudo torsocks apt-get update && sudo torsocks apt-get dist-upgrade.

Arm showed me that the DNS requests are taken by the Tor network and that apt-get didn't leak anything.
However, how can I set up resolv.conf? For system updates only, I think there's no problem.
What about DNS queries for the Gateway? Yes, they are routed through Tor, but are the DNS queries performed by me or by the VPN provider?

Consult the documentation of some random VPN provider. Then port these instructions to your VPN provider.

See also:

tor-arm is not a tool for detecting leaks

Whonix-Gateway’s own traffic is resolved through Tor. There is no global DNS. See this very chapter: Whonix-Gateway System DNS - Whonix (not the rest of that page)

I didn't trust tor-arm, but I also tested with Wireshark.
I was connected only to a VPN; I set only the IP of my VPN provider in Network Manager (Debian), the same IP as the OpenVPN tunnel.
It seems all the traffic is passed through the VPN. Did I make mistakes?

Curiosity: if the VPN didn't resolve my DNS query, shouldn't my connection have been impossible? (I think the connection isn't possible.)

If your DNS resolving mechanism (/etc/resolv.conf) points to an external IP, or to an allowed internal IP (router), then the DNS might be resolved by that.

File /etc/resolv.conf:

```
#Generated by Network Manager
nameserver
```

No, my router doesn't resolve anything unless specified from my PC.
Is it all ok? :slight_smile:

I have seen other settings, but I didn't understand what they do:
/etc/resolv.conf.d/update-libc.d/avahi-daemon

```sh
#!/bin/sh

# If we have a unicast .local domain, we immediately disable avahi to avoid
# conflicts with the multicast IPv4 .local domains.
if [ -x /usr/lib/avahi/avahi-daemon-check-dns.sh ]; then
    exec /usr/lib/avahi/avahi-daemon-check-dns.sh
fi
```

I didn't understand anything :smiley:.

Distribution specific. Debian doesn’t use /etc/resolv.conf.d. Up to your distribution. Consider uninstalling avahi-daemon.

That's why the VPN-Firewall documentation says the following:

> What does it NOT do
> Care about DNS leaks. Consult your VPN software's/provider's documentation and configure /etc/resolv.conf to use the DNS server of your VPN server.
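A small check for the rule the replies keep coming back to (every nameserver in /etc/resolv.conf must be the VPN's own resolver), written as an added example that is not from this thread or from vpn-firewall; the resolver address 10.8.0.1 and the sample file contents are constructed assumptions:

```shell
#!/bin/sh
# Added example, not from the thread or vpn-firewall: verify that every
# nameserver in a resolv.conf is the VPN-provided resolver, so queries
# cannot go to the ISP or the LAN router. 10.8.0.1 and the sample file
# contents below are constructed for the demo.

# check_resolv_conf <file> <allowed resolver IP>...
# Prints a verdict per nameserver line; returns 0 only if every
# nameserver is allowed, 1 on a suspect entry, 2 if none is configured.
check_resolv_conf() {
    conf="$1"; shift
    found=0; bad=0
    while read -r key value rest; do
        [ "$key" = "nameserver" ] || continue   # skip comments, search, options
        found=$((found + 1))
        ok=0
        for allowed in "$@"; do
            [ "$value" = "$allowed" ] && ok=1
        done
        if [ "$ok" -eq 1 ]; then
            echo "OK   nameserver $value"
        else
            case "$value" in
                127.*) echo "STUB nameserver $value (local resolver; its upstream decides where queries go)" ;;
                *)     echo "LEAK nameserver $value (not the VPN resolver)" ;;
            esac
            bad=$((bad + 1))
        fi
    done < "$conf"
    if [ "$found" -eq 0 ]; then
        echo "no nameserver configured in $conf"
        return 2
    fi
    [ "$bad" -eq 0 ]
}

# Constructed sample: what NetworkManager might write with the router as DNS.
write_sample() {
    printf '#Generated by NetworkManager\nnameserver %s\n' "$2" > "$1"
}

demo="${TMPDIR:-/tmp}/resolv-demo.$$"
write_sample "$demo" 192.168.1.1
check_resolv_conf "$demo" 10.8.0.1 || echo "verdict: DNS can leak outside the VPN"
rm -f "$demo"
```

A loopback entry such as 127.0.0.53 means a local stub resolver whose upstream is configured elsewhere, so the file alone does not settle where queries go.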