Answered: Delete route and prevent DNS leaks when using a router. HELP!

Pease

Member
Hi folks!
I need a little help. I know how to use batch files to automatically delete my Internet Service Provider's route and to prevent DNS leaks. It has always worked out fine. But now I have fixed a router, and that's where the problems began. Before, I always had a static IP configuration, but now it only seems to work with automatic configuration if I want to log in to the Internet. To prevent DNS leaks, for example, the network configuration must be static, not automatic.
1. Can I fix the delete route and DNS leak even though I now have a router? If the answer is yes, how shall I do it?
2. Must I fix something on my computer or in the router?
3. If there are ways to fix my issue, can other computers still log in to the Internet through the same router, as before?
Thanks for some answers.
 
Solution
Hi,

usually you don't have to change the configuration of your router to prevent any leaks, which is a good thing as you might have situations where you don't have access to the router at all. And other computers in your LAN are not affected either.

To fix DNS leaks you need to manually set the DNS servers used on your PC to some external DNS servers on the Internet. Do not use the IP address of your router as DNS server, as this would of course bypass the VPN as it is a local IP address. I can recommend using OpenDNS (208.67.222.222, 208.67.220.220) or Google (8.8.8.8, 8.8.4.4).

Don't hesitate to ask if you need any more instructions on this topic.
 
Hi and thanks for the answers. I tested with other DNS servers before but it didn't work out. I tested again now and it works fine. Weird?
4. You wrote: "Do not use the IP address of your router as DNS server, as this would of course bypass the VPN as it is a local IP address." Does that mean that the encryption did not work as it should? Or was there a DNS leak? Or could the Internet service provider see information? Or exactly what do you mean?
5. In the router I had to enter my Internet Service Provider's IP information that I previously had on my computer. I chose one of those DNS servers on my computer now too. Is that OK? So now I am using the IP address, subnet mask and default gateway I got from the router, and the same DNS server I used before I got the router.
6. The problem is that the OpenVPN connection drops every hour. Before the router, when I had a static IP, it dropped every 24 hours. How can I fix that? I know that a couple of years ago I had an automatic IP, and at that time it was also one hour I could surf before OpenVPN dropped. It had something to do with the lease time. I know I read something in the router settings that I now have a 24-hour lease time. Shouldn't OpenVPN work for 24 hours then? Can somebody help me out?
Thanks as usual.
 
Hi,

regarding 4: If you use the IP address of your router, your router then usually uses a DNS server on the Internet for any non-local queries. This may either be one from your ISP or any other manually entered DNS server. The important thing to keep in mind: these DNS queries would not be routed through your VPN. This is exactly what is called a DNS leak. The ISP could of course then see this unencrypted traffic, even if you don't use their DNS servers. So ensure DNS queries are made via the VPN also.

regarding 5: Yes this is OK if you have enough trust in your ISP not to eavesdrop on your DNS queries. If you don't trust your ISP, you may use any other DNS server, preferably from an entity you trust. As long as the IP addresses used for DNS servers are not from your LAN the requests will be routed via OpenVPN also.

regarding 6: We do not drop or cancel any OpenVPN connections after an hour or any other amount of time. I guess this is caused by either your router or your ISP, and is most likely not supposed to be like this. A 24 hour disconnect is pretty common, but one hour seems wrong and way too short. The lease time is probably what is causing this. Does your external IP address (the one you get assigned by your ISP) change when a disconnect/reconnect happens? I'm not sure what causes these reconnects but we can try to figure this out and find a solution.
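The rule given in this reply and in the solution post above (point your PC at external DNS servers, never at the router's LAN address, or the queries go around the tunnel) turned into a check you can run over `ipconfig /all` output. This is an added example, not the forum's or Perfect Privacy's own code; the ipconfig text is constructed, and it assumes, as the thread does, that any private address is on the LAN.

```python
"""Flag configured DNS servers that bypass the VPN tunnel (added example).
Rule from the thread: a DNS server inside the LAN (typically the router,
e.g. 192.168.1.1) is reached directly, not via the tunnel, so queries leak
to the ISP; a public address is routed through OpenVPN like other traffic."""
import ipaddress
import re

# Constructed sample of Windows `ipconfig /all` output (not real data).
SAMPLE_IPCONFIG = """
Ethernet adapter Ethernet:

   IPv4 Address. . . . . . . . . . . : 192.168.1.20(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       208.67.222.222

Ethernet adapter TAP-Windows Adapter V9:

   IPv4 Address. . . . . . . . . . . : 10.8.0.6(Preferred)
   DNS Servers . . . . . . . . . . . : 8.8.8.8
                                       8.8.4.4
"""

IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def dns_servers_from_ipconfig(text):
    """Map adapter name -> list of DNS server addresses found in ipconfig /all text."""
    servers, adapter, in_dns = {}, None, False
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            adapter, in_dns = line.strip().rstrip(":"), False   # adapter header
        elif "DNS Servers" in line:
            in_dns = True
            servers.setdefault(adapter, []).extend(IP_RE.findall(line.split(":", 1)[1]))
        elif in_dns and IP_RE.fullmatch(line.strip()):
            servers[adapter].append(line.strip())              # continuation line
        else:
            in_dns = False
    return servers


def leaking_dns_servers(servers):
    """DNS servers with LAN/private addresses: queries to them skip the tunnel."""
    # Assumption: every private address is on the LAN (a VPN provider's DNS on a
    # tunnel-internal address would need to be excluded explicitly).
    return [s for s in servers if ipaddress.ip_address(s).is_private]


def dns_leak_report(text):
    """Adapter -> leaking DNS servers; an empty list means that adapter is clean."""
    return {a: leaking_dns_servers(s) for a, s in dns_servers_from_ipconfig(text).items()}
```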
 
Thanks again for your help and information. Now all the questions I had are fixed except question 6.

You wrote: "I guess this is caused by either your router or your ISP".

Before, I had automatic settings for the Ethernet connection and a one-hour lease time. Then I changed to a static IP and the lease was 24 hours. Now I have fixed a router a couple of days ago. Do you think my ISP changed to one hour because of my router?

You wrote: "does your external IP address (the one you get assigned by your ISP) change when a disconnect/reconnect happens?".

No, the external address should be the same, because I am the one who made the settings in the router and I know that I chose static IP address settings.

When I have time I will log in to the router settings and look again to be sure. In the OpenVPN log I can see this:
"TLS: soft reset sec=0 bytes=65278961/0 pkts=89881/0" and
"TLS: tls_process: killed expiring key" "TLS: soft reset sec=0 bytes=37692087/0 pkts=59814/0" when OpenVPN drops.

Can this be any clue for you to help me?

7. When OpenVPN drops, the login popup appears and I enter my username and password. Does it leak something between the drop and the login (that is, if it works to log in directly and I don't have to log in from the start)? Sometimes I must disconnect after the login popup because I have no Internet connection, and start the login process over from the beginning, where I choose a PP server first and then enter the login username and password. I don't know why it behaves so weirdly.

8. If I have my browser open all the time and OpenVPN drops and I have to start over from the beginning to log in, can for example my ISP see something while I'm logging in to the Internet again through a PP server?

9. Can I see my internal and external IP address through cmd.exe? If yes, which command is it?
 
Hi,

regarding 6: The TLS soft reset is a normal thing; key renegotiation should not cause a disconnect, neither of the OpenVPN nor of the Internet connection. It is done to enhance security of the VPN connection. However our servers don't enforce this every hour, thus you may try changing the parameter "reneg-sec" in the configuration file for the OpenVPN server of your choice to something bigger than 3600. Double this value, and if this then causes trouble every two hours it may very well be the reason for the disconnects you are experiencing, although the TLS soft reset usually doesn't cause a disconnect.

Is only the OpenVPN connection dropped or is your Internet connection as a whole gone? Knowing this is essential to find out what exactly is causing these disconnects.

7: I can't say for sure, and of course this depends also on the status of your Internet connection when this occurs. But yes, this may happen with standard configurations, and can be prevented by not allowing any other traffic except the OpenVPN traffic.

8: If you have a working Internet connection and any software causes traffic at this time, and that traffic does not get routed via the OpenVPN tunnel because this has just lost its connection, and there is no firewall denying all traffic except the data which gets routed via VPN, then yes.

9: No, your external IP is usually known to your router and of course any system on the Internet your router makes connections to, but not to devices in your LAN. They only know their local IP addresses and the internal IP address of your router as default gateway. So in order to view your external IP address you may either look on your router or use some service on the Internet like our Check-IP: https://checkip.perfect-privacy.com
 
Hi!

10: You wrote "The TLS soft reset is a normal thing, key renegotiation should not cause a disconnect, neither of the OpenVPN nor of the Internet connection. It is done to enhance security of the VPN connection." How much is the security reduced if I change the parameter "reneg-sec" to something higher?

11: Lately I have to log in twice because the first login with OpenVPN GUI doesn't work. Why? I get this log: "Thu Jul 03 01:09:20 2014 us=531000 ERROR: could not read Auth username from stdin
Thu Jul 03 01:09:20 2014 us=531000 Exiting".

12. You wrote: "although the TLS soft reset usually doesn't cause a disconnect." What's the difference between my computer and others where it doesn't cause any problem?

13. You wrote "Is only the OpenVPN connection dropped or is your Internet connection as a whole gone? Knowing this is essential to find out what exactly is causing these disconnects." The answer is that the whole Internet connection drops, because I killed the ISP route with batch files, with the "up batch".


14.1 You wrote: "and can be prevented by not allowing any other traffic except the OpenVPN traffic". How exactly can I do that?

14.2 You wrote: "and there is no Firewall denying all traffic except the data which gets routed via VPN then yes." I have ZoneAlarm as firewall. How can I allow just OpenVPN with ZoneAlarm?

Thanks for all help.
 
Hi,

10: This is more of an additional protection, so increasing this value will not make OpenVPN terribly unsafe, especially not if it is just done for a short period of time for testing.
11: I have no idea, often such things are caused by firewalls and other security software.
12: We are still trying to figure this out, aren't we? ;) I doubt the disconnects you have, have anything to do with this setting, but I asked you to test this to make sure. Do you have any results from this test?
13: Well that is obviously not a good thing. What is the reason for this? It looks to me like one messed up setup.
14: I think we should rather concentrate working on the other problem first.

Bottom line: You need to find out whether your Internet connection is gone also or if it is just the OpenVPN connection that gets dropped. Right now I don't have any clue what really happens. It is rather pointless to fiddle with OpenVPN before even knowing what exactly causes these disconnects. Tackling one issue after another would help:

- Does your Internet connection still disconnect every hour?
- Does this happen with an OpenVPN tunnel running?
- Does this happen without an OpenVPN tunnel running?
 
Hi again!

6. If I'm not using OpenVPN, then my external IP address is the one I used to have before I bought a router, every time I log in to the Internet. I tested disabling the network and starting again, but the external IP is always the same.

10: You wrote: "This is more of an additional protection, so increasing this value will not make OpenVPN terribly unsafe, especially not if it is just done for a short period of time for testing."

But if this is the problem, I must use 86400 in the parameter "reneg-sec". And perhaps that's not so good to have all the time?

12. You wrote: "Do you have any results from this test?"

If I double the value of the parameter "reneg-sec", then everything works for two hours. Does this happen only on my computer because I have some setting other computers don't have? Or?

13. You wrote: "Well that is obviously not a good thing. What is the reason for this? It looks to me like one messed up setup."

What do you mean? If I delete the route, it does not mean that I shall have an Internet connection on my computer after OpenVPN drops. That's the purpose of deleting the ISP route with the up batch. Am I not right? The other computers connected to the router still have an Internet connection. If I fill in the default gateway and DNS server info, I can surf the Internet again without problems.

14.1 and 14.2
You wrote: "- Does your Internet connection still disconnect every hour?"

No, it has to do with the parameter "reneg-sec" in the configuration file for the OpenVPN server of my choice. I can surf two hours if I double the parameter "reneg-sec".

You wrote: "- Does this happen with an OpenVPN tunnel running?" Yes

You wrote: "- Does this happen without an OpenVPN tunnel running?"

I don't know yet. But I don't think so, because other people's Internet connection works fine as long as they want, so it shouldn't be different on my computer.

15. If I write 86400 in the parameter "reneg-sec", is that OK or shall I write a little less than 24 hours?

Thanks for all help.
 
Hi,

OK, if this behaviour of not having Internet access without a working OpenVPN connection is intended, it is of course not a "messed up" setup :) Sorry I didn't get that point. :eek:

So we now know the disconnect has to do with reneg-sec happening, which is a little strange, as this does not happen for any of our other members (to my best knowledge) using the same configuration. I'll talk to Lars and see if he has any ideas about this.

It is however safe to set this to 86400 (seconds, which equals 24 hours, as you mentioned). Any more will not help, as the OpenVPN server will do this after 24 hours anyway. To give you an idea what the reneg-sec parameter does: it determines how often the keys used for the encryption of the data channel get renegotiated (replaced by new ones) between the OpenVPN client and server. So without some terrible bug in OpenVPN like Heartbleed, a higher value does not affect the security of your encryption. This is more of an additional safety measure, to ensure the keys used are not used for too long as in "forever", but nothing that makes the encryption itself any less secure.

Try setting it to 86400 seconds, and let me know how that works out.


Kind regards,

Daniel
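An added example for the reneg-sec explanation in this reply and the earlier suggestion to double the value (not Perfect Privacy's or OpenVPN's own tooling): it reads the directive from a client config (OpenVPN's default is 3600 s when it is absent), caps advice at the 24-hour server interval stated above, and checks whether the "TLS: soft reset" entries in a client log recur at that interval, which is what the thread observed. The config fragment and log lines are constructed, with a placeholder hostname.

```python
"""Check OpenVPN reneg-sec against the timing of TLS soft resets in the log.
Added example. Facts from the thread: client default is 3600 s; the server
renegotiates after 86400 s regardless, so a larger client value does nothing."""
import re
from datetime import datetime

DEFAULT_RENEG_SEC = 3600   # OpenVPN's default when no reneg-sec directive is set
SERVER_RENEG_SEC = 86400   # server-side renegotiation interval stated in the thread

# Constructed client config fragment (hostname is a placeholder, not a real server).
SAMPLE_CONFIG = """client
remote vpn.example.invalid 1194
reneg-sec 7200
"""

# Constructed log lines in OpenVPN's timestamp format; not a real capture.
SAMPLE_LOG = """Thu Jul 03 01:09:20 2014 us=531000 Initialization Sequence Completed
Thu Jul 03 03:09:21 2014 us=120000 TLS: soft reset sec=0 bytes=65278961/0 pkts=89881/0
Thu Jul 03 03:09:21 2014 us=125000 TLS: tls_process: killed expiring key
Thu Jul 03 05:09:22 2014 us=310000 TLS: soft reset sec=0 bytes=37692087/0 pkts=59814/0
"""

TS_FMT = "%a %b %d %H:%M:%S %Y"
LOG_RE = re.compile(r"^(\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}) us=\d+ (.*)$")

def reneg_sec(config_text):
    """Effective reneg-sec: the explicit directive, else OpenVPN's 3600 s default."""
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "reneg-sec":
            return int(parts[1])
    return DEFAULT_RENEG_SEC

def recommended_reneg_sec(requested):
    """Cap at the server's 24 h interval; a larger client value changes nothing."""
    return min(requested, SERVER_RENEG_SEC)

def renegotiation_intervals(log_text):
    """Seconds from tunnel start to the first soft reset, then between successive ones."""
    times = [datetime.strptime(m.group(1), TS_FMT)
             for m in map(LOG_RE.match, log_text.splitlines())
             if m and ("TLS: soft reset" in m.group(2) or "Initialization Sequence Completed" in m.group(2))]
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]

def drops_track_renegotiation(config_text, log_text, tolerance=60):
    """True when soft resets recur at about reneg-sec, i.e. the drops follow key renegotiation."""
    expected = reneg_sec(config_text)
    intervals = renegotiation_intervals(log_text)
    return bool(intervals) and all(abs(i - expected) <= tolerance for i in intervals)
```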
 
Hi
I have used 86400 seconds for a couple of days and it works fine, of course, for 24 hours. But I would like to fix this issue anyway, because it has some negative effects, as you said about Heartbleed.

16. How do I know if I have that Heartbleed bug?

17. I hope you can help me out with the reneg-sec problem. Weird that it's only me who has this problem and that it started with the router? I suppose it's something in the router settings that perhaps I must change?

Bye for now.
 
Hi,

you can learn more about Heartbleed here: http://heartbleed.com/
It is a bug in OpenSSL, and whether or not your client is affected depends on the version used (on your router in this case). Which router model and firmware version is it? And do you know if the firmware/software running on it is up to date? Using the most recent version might perhaps help fix the issue. And finding out which version of OpenSSL you are using is how you determine whether or not your version is affected by the Heartbleed bug.

Most likely it has something to do with either the software/firmware on your router or the settings. I'd recommend starting with making sure you use the latest firmware/software on your router.
 