unofficial mirror of help-guix@gnu.org 
From: Julien Lepiller <julien@lepiller.eu>
To: jbranso@dismail.de, Raghav Gururajan <rg@raghavgururajan.name>,
	help-guix@gnu.org
Subject: Re: OpenVPN Service
Date: Thu, 19 Nov 2020 06:36:55 -0500	[thread overview]
Message-ID: <F9377DB1-8C96-4D88-8CFB-1CBCC92FD12C@lepiller.eu> (raw)
In-Reply-To: <a59308586784f4e5b2c66335564d7c3e@dismail.de>



On 18 November 2020 20:04:33 GMT-05:00, jbranso@dismail.de wrote:
>I had an issue with openvpn service leaking my DNS queries.  I've set
>up network manager to manage my vpn connections.  Though, I think I had
>to use DNS over HTTPS to fix the leaking DNS issue.

Well, this is not something you can configure on the VPN side I think. The server might advertise a DNS server on the VPN, in which case it won't leak. Otherwise, you need to check your DNS settings and default routes to make sure that your DNS server is not on your local network, and uses the VPN route.

DoH does not solve this: it's only a way to use DNS over a different, encrypted port. Usually it's used with an external server (e.g. Cloudflare), but it can also be implemented on your local network, in which case you're still leaking your DNS queries. Again, if you want to use DoH, you need to configure it properly :)

>
>November 18, 2020 2:55 PM, "Raghav Gururajan" <rg@raghavgururajan.name>
>wrote:
>
>> Hello Julien!
>> 
>>> I'm surprised by this one: you already set ca to something
>different. Can you share the generated
>>> openvpn.conf?
>> 
>> OOPS! There was a mistake in config.scm. This error is gone now.
>> 
>> Now the openvpn.conf is https://paste.debian.net/1173026
>> 
>> and error is https://paste.debian.net/1173027
>> 
>>> Ok, looking at the service definition, this is not so surprising: it
>expects a file in the cert and
>>> key fields, and uses the defaults here. I'm surprised it doesn't
>complain about client.crt. I
>>> pushed a small update to the service. After you run guix pull, you
>should be able to specify (cert
>>> 'disabled) and (key 'disabled).
>> 
>> Thanks a lot! I will try it.
>> 
>>> This is only a warning, but you don't want your password to be world
>readable: chown it to
>>> openvpn's user, and chmod it to 600.
>> 
>> Cool!
>> 
>> Regards,
>> RG.

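The check Julien describes (make sure the configured DNS servers are reached through the VPN route rather than the local network) can be scripted. The following is an added example, not code from the thread or from the Guix OpenVPN service; it assumes a Linux host with iproute2, a resolv.conf-style resolver list, and a VPN interface name supplied by the caller (tun0 by default). The sample resolv.conf text and `ip route get` lines used below are constructed for illustration.

```shell
#!/bin/sh
# dns-leak-check.sh (added example, not part of the original thread).
# For each nameserver, ask the kernel which interface the packet would leave
# on and flag any resolver that would bypass the VPN interface.

# Print the nameserver addresses from resolv.conf-style text read on stdin.
parse_nameservers() {
    awk '$1 == "nameserver" { print $2 }'
}

# Extract the outgoing interface ("dev X") from one line of `ip route get`
# output, e.g. "9.9.9.9 via 10.8.0.1 dev tun0 src 10.8.0.2 uid 1000".
route_iface() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Classify a resolver: "ok" if its route leaves through the VPN interface,
# "leak" otherwise.  $1 = interface from the route, $2 = expected VPN interface.
classify() {
    if [ "$1" = "$2" ]; then echo ok; else echo leak; fi
}

# Live check against the real resolver list and routing table.
# Returns non-zero if any resolver would bypass the VPN (assumed interface
# name defaults to tun0; pass another name as the first argument).
check_dns_leak() {
    vpn_if="${1:-tun0}"
    rc=0
    for ns in $(parse_nameservers < /etc/resolv.conf); do
        dev=$(route_iface "$(ip route get "$ns" 2>/dev/null | head -n 1)")
        status=$(classify "$dev" "$vpn_if")
        printf '%-40s %-8s %s\n' "$ns" "${dev:-?}" "$status"
        [ "$status" = ok ] || rc=1
    done
    return $rc
}

# Only run the live check when invoked as ./dns-leak-check.sh, so the
# functions can also be sourced and exercised on constructed input.
if [ "$(basename "$0")" = "dns-leak-check.sh" ]; then
    check_dns_leak "$@"
fi
```

Run it as `./dns-leak-check.sh tun0` while the VPN is up: a resolver whose route shows `dev wlan0` or `dev eth0` is answered by the local network and is exactly the leak discussed above, regardless of whether the client speaks plain DNS or DoH to it. A `search` line or comments in resolv.conf are ignored by the parser; IPv6 resolvers work as long as `ip route get` accepts the address.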

Thread overview:
2020-11-18  2:36 OpenVPN Service Raghav Gururajan
2020-11-18 14:06 ` Julien Lepiller
2020-11-18 19:54   ` Raghav Gururajan
2020-11-19  1:04   ` jbranso
2020-11-19 11:36     ` Julien Lepiller [this message]
