VPN, how much and what one

Update: Had a strange DNS leak where ipleak.net and dnsleaktest.com would show proper VPN IP, but with my ISP IP as DNS server.  Not ISP DNS, but my actual assigned ISP IP as reported DNS server.  To fix I removed the 'route-nopull' from the openvpn config advanced options and added one rule to Firewall->Rules->LAN above the two that were added to push everything but the alias to the WAN/ISP gateway.  Pic attached.  With this in place devices in the Alias now show the VPN IP as both IP and DNS IP.  On non-VPN devices, the IP is my ISP and my DNS is the VPN DNS.  Not the end of the world for me, but something to note.  When the VPN goes down the block works for the Alias and non-VPN devices revert back to non-VPN DNS.  Might be some quirk in pfSense I have yet to figure out as I already specify OpenDNS servers, but my ISP may be running a DNS proxy.  Definitely an issue when things that are supposed to go over VPN do, but DNS does not.  Could be how the DNS tests work, but regardless real IP was leaking.  Perhaps someone with more knowledge can shed some light on it.

 

 

OK...I added the rule and this is what I see from dnsleaktest.com:

 

IP	Hostname	ISP	Country
74.125.x.x	none	Google	United States
74.125.x.x	none	Google	United States
74.125.x.x	none	Google	United States
74.125.x.x	none	Google	United States
74.125.x.x	none	Google	United States
74.125.x.x	none	Google	United States

 

Not good.  :(

 

Anyway...since I only care about my Sonarr, CP, SAB and Deluge dockers using the VPN, I'll just assign them PIA's DNS servers in the static maps.  Tested on my laptop and all is good:

 

IP	Hostname	ISP	Country
208.167.x.x	none	Choopa, LLC	United States

 

John

 

Did you remove the 'route-nopull' from the OpenVPN config?  That and the rule should be a workaround for the leak issue for now until it can be figured out.  Basically just reversing things so everything is on VPN initially then pushing everything but the VPN clients over the WAN gateway.  Redirecting the traffic is easy, but DNS is missing some rules to prevent leaks on lookups.  I think it is in the pfsense Unbound config or associated (lack of) rules as I specify OpenDNS servers in general setup, but they are never used from what I see in the DNS tests, always shows my ISP assigned IP for DNS server.  Has to be DNS config or lack of rules.

 

 


 

 

Did you remove the 'route-nopull' from the OpenVPN config?  That and the rule should be a workaround for the leak issue for now until it can be figured out.

 

I did remove route-nopull and added the rule and added the IP of my laptop to the VPN alias.  However, my laptop was still showing Google DNS servers @ dnsleaktest.com.

That appears to have done the trick...

 

root@unRAID:~# cat /etc/resolv.conf
# Generated by dhcpcd from br0.dhcp
# /etc/resolv.conf.head can replace this line
domain workgroup
nameserver 209.222.18.218
nameserver 209.222.18.222
# /etc/resolv.conf.tail can replace this line
root@unRAID:~# docker exec -it Sonarr bash
root@775d079610f4:/# cat /etc/resolv.conf
# Generated by dhcpcd from br0.dhcp
# /etc/resolv.conf.head can replace this line
domain workgroup
nameserver 209.222.18.218
nameserver 209.222.18.222
# /etc/resolv.conf.tail can replace this line

 

unevent, do you know how to test dns leaks from a command line within a container (just to make sure)?

 

John

 

I let pfsense handle DNS so my results show my pfsense box IP as nameserver.  Don't know a way to do it from command line as dig, nslookup, etc. are not available in unRAID or in the package managers of the Dockers I use.  With the route-nopull taken out and the rule added above the other two new ones I get proper IP for those not on VPN, but get VPN DNS server listed, and those on VPN report only VPN IP and DNS server.  So that will work for now until I can figure this out or someone more knowledgeable can chime in.

 

 

Did you remove the 'route-nopull' from the OpenVPN config?  That and the rule should be a workaround for the leak issue for now until it can be figured out.

 

I did remove route-nopull and added the rule and added the IP of my laptop to the VPN alias.  However, my laptop was still showing Google DNS servers @ dnsleaktest.com.

 

Do you happen to have DNS server specified in DHCP server config?  That will override everything.

That appears to have done the trick...

 

root@unRAID:~# cat /etc/resolv.conf
# Generated by dhcpcd from br0.dhcp
# /etc/resolv.conf.head can replace this line
domain workgroup
nameserver 209.222.18.218
nameserver 209.222.18.222
# /etc/resolv.conf.tail can replace this line
root@unRAID:~# docker exec -it Sonarr bash
root@775d079610f4:/# cat /etc/resolv.conf
# Generated by dhcpcd from br0.dhcp
# /etc/resolv.conf.head can replace this line
domain workgroup
nameserver 209.222.18.218
nameserver 209.222.18.222
# /etc/resolv.conf.tail can replace this line

 

unevent, do you know how to test dns leaks from a command line within a container (just to make sure)?

 

John

 

Also, unfortunately when the container is updated those changes may get lost...and unRAID or the containers do not contain the programs needed to do DHCP with Pipework so assigning DNS server to the static mapping won't do any good as it won't be pulled to the Docker.  This setup is policy based since we are using the same pipe without vlan or using a separate physical interface so everything must be vanilla until the pfsense box where there it is to be routed through the appropriate interface.  It works as we can get the traffic to go where we want, but DNS leak test sites are getting ISP IP in the DNS server test probably due to Unbound and lack of proper rules.  I think the DNS queries are being tagged with the wrong source IP by Unbound which is why I am seeing my ISP IP as the DNS server in the tests.

TorGuard 50% off code:  YBS4S3G88P

 

You can get a full year of VPN for $30 with this coupon.

This is from Docker docs...

 

Your container will use the same DNS servers as the host by default, but you can override this with --dns.

 

So, containers only get what the host has in the way of DNS server entries.  Regardless, I was at least able to work around unRAID jamming its DNS servers down my dockers' throats by appending the docker run line:

 

-e 'pipework_cmd=br0 @CONTAINER_NAME@ 192.168.1.100/[email protected] 00:08:f4:3e:26:1e' --dns=209.222.18.218 --dns=209.222.18.222

 

So now unRAID and all of my other dockers and VMs can use my regular public DNS servers while Sonarr, CP, SAB and Deluge all use PIA's.

 

Ahhhh...much better!  :)

 

root@unRAID:~# cat /etc/resolv.conf
# Generated by dhcpcd from br0.dhcp
# /etc/resolv.conf.head can replace this line
domain workgroup
nameserver 8.8.8.8
nameserver 4.2.2.1
nameserver 208.67.222.222
nameserver 209.222.18.222
# /etc/resolv.conf.tail can replace this line
root@unRAID:~# docker exec -it Sonarr bash
root@7cc12a46316f:/# cat /etc/resolv.conf
nameserver 209.222.18.218
nameserver 209.222.18.222
root@7cc12a46316f:/#
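
The manual `cat /etc/resolv.conf` comparison above can be scripted from the unRAID host with plain shell, no dig or nslookup needed. This is an added example, not part of the original thread; the function names are hypothetical and the allowlist holds the two PIA resolvers quoted in the posts. It audits only which resolvers a container is configured with, not the path its queries take through pfSense.

```shell
#!/bin/sh
# Added example: audit the resolvers a container is configured to use.
# Assumption: the allowlist is the two PIA resolvers quoted in the thread.
VPN_DNS="209.222.18.218 209.222.18.222"

# list_resolvers: print the address of every "nameserver" line on stdin.
# Comments, "domain" lines and blank lines are skipped; a final line
# without a trailing newline is still read.
list_resolvers() {
    while read -r key addr rest || [ -n "$key" ]; do
        [ "$key" = "nameserver" ] && printf '%s\n' "$addr"
    done
    return 0
}

# unexpected_resolvers ALLOWLIST: read resolv.conf text on stdin and print
# each configured resolver that is not in the space-separated ALLOWLIST.
unexpected_resolvers() {
    allowed=" $1 "
    list_resolvers | while read -r addr; do
        case "$allowed" in
            *" $addr "*) ;;                  # expected VPN resolver
            *) printf '%s\n' "$addr" ;;      # lookup would go elsewhere
        esac
    done
}

# audit_resolv_conf ALLOWLIST: succeed only if stdin configures at least
# one resolver and every configured resolver is on ALLOWLIST.
audit_resolv_conf() {
    conf=$(cat)
    [ -n "$(printf '%s\n' "$conf" | list_resolvers)" ] || return 1
    [ -z "$(printf '%s\n' "$conf" | unexpected_resolvers "$1")" ]
}

# audit_container NAME: run the audit against a running container,
# e.g. `audit_container Sonarr && echo "only VPN resolvers configured"`.
audit_container() {
    docker exec "$1" cat /etc/resolv.conf | audit_resolv_conf "$VPN_DNS"
}
```

Because `--dns` values can be lost when a container is recreated without them, running `audit_container` for each VPN-bound container after an update catches a silent fallback to the host's resolvers.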

Good deal.  It didn't turn out quite like I had hoped on my end, but at least no IP or DNS leaks now.  I took a look at some of the containers here with VPN built-in to see how DNS was handled and one I looked at was hard coded to use Google DNS.  Kind of defeats the purpose of a VPN in my mind.  What I did for my setup since my VPN is up any time pfSense is up I listed the PIA DNS servers (and specifying the VPN gateway) in pfsense general setup so all my DNS lookups go to VPN regardless of open net or VPN net.  It's kind of a compromise as pfSense will use all DNS servers in parallel so queries from open net will sometimes go through VPN and vice versa which was causing the ISP IP leak.  I did add the 'route-nopull' back in the openvpn config and kept the rules described in the guide.  I didn't use the -dns option on pipework, everything goes to the pfsense box then it has lookups going out VPN DNS which is actually not that bad speed-wise.  30-50ms lookups on average.

Edit: using the non-standard UDP port for the other cipher options with PIA has made the VPN snappy and can saturate my connection.  Using the standard 1194 port with the Blowfish cipher was always slow.

I didn't use the -dns option on pipework, everything goes to the pfsense box then it has lookups going out VPN DNS which is actually not that bad speed-wise.

 

Actually the --dns is a docker run switch...not pipework.  Now only if it had --ip and --gw switches we would be set.  :)

My bad, tick "Register DHCP static mappings in the DNS Resolver" under DNS Resolver config.

 

For the life of me I couldn't figure out why I couldn't get this to work.  Seemed simple enough but nothing would resolve.

 

And then I released/renewed my IP on my laptop which refreshed my DNS Server list.  Bingo!  :) 

Archived

This topic is now archived and is closed to further replies.
