Skip to content

Use VPN native DNS server to avoid DNS leaks

Upon activation, VPN client will successfully create it's own resolv.conf.vpn.<my_vpn_connection>.conf file with preferred DNS resolver.

DNS switching might work automatically on upstream OpenWrt with dnsmasq as default resolver, see https://protonvpn.com/support/how-to-set-up-protonvpn-on-openwrt-routers/

However, unlike upstream OpenWrt, Turris OS is using Kresd as DNS resolver, so default resolv conf file (/tmp/resolv.conf.d/resolv.conf.auto) will be used instead of the vpn specific resolf.conf, which leads to DNS leaks.

We need to figure out how to switch the resolv files upon VPN client startup and shutdown. The resolv.conf.vpn.<my_vpn_connection>.conf file is created by the openvpn hotplug scripts, so perhaps we could adjust these scripts to switch DNS resolvers.

For example (crude idea):

# up
mv resolv.conf.auto resolv.conf.auto.bkp
ln -s resolv.conf.vpn.myvpn resolv.conf.auto
/etc/init.d/resolver restart

# down
rm resolv.conf.auto
/etc/init.d/resolver restart
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information