# Will my VPN leak?



## scobiehague (Jul 18, 2018)

I've set up OpenVPN to run on a second fib on boot. If OpenVPN goes down on this fib, I want to be sure that applications running on that fib do not leak traffic to the outside world.

When connected to uk-london.privateinternetaccess.com, PIA assigns the VPN IP from a pool, so to allow for the IP to get assigned on boot, I allow fib1 access to the public internet facing wlan0 interface initially:

/etc/rc.conf

```
static_routes="vpn"
route_vpn="default -iface wlan0 -fib 1"
```


The reason I don't pass a static IP here is that wlan0 gets a DHCP IP from my home router.

It concerns me that I need to expose fib1 to unencrypted internet even for a short while, but it seems necessary to get the VPN IP assigned from PIA.

To make sure all further traffic is sent encrypted over the tun, I don't let OpenVPN set the default route:

/usr/local/etc/openvpn/openvpn.conf

```
route-noexec
```


Instead, I call a script from OpenVPN to set the default route manually based on the tun IP:


```
script-security 2
up "/usr/local/etc/openvpn/link-up.sh tun0"
```


/usr/local/etc/openvpn/link-up.sh


```
#!/bin/sh
# $1 is the tunnel interface name passed by OpenVPN's "up" directive (tun0).
# On a point-to-point tun interface, ifconfig prints "inet <local> --> <peer> netmask ...",
# so field 4 is the peer address, which becomes the default gateway for FIB 1.
IP=$(/sbin/ifconfig "$1" | grep "inet " | cut -d" " -f4)
echo "LINK-UP - SETTING AS DEFAULT GATEWAY FOR ROUTING TABLE 1: $IP"
# The FIB number is 1 (the "-1" in the original post was a typo, as corrected later in the thread).
/usr/sbin/setfib 1 /sbin/route delete default
/usr/sbin/setfib 1 /sbin/route add default "$IP"
```


To prevent DNS leaks, my /etc/resolv.conf points to a dnscrypt server without logs. I run applications with e.g. `setfib 1 application`, or through a jail with the default fib set to 1.

Is this setup safe? If the OpenVPN connection drops, my understanding is that the default route to the tunnel device for fib1 will go down. Therefore, no applications running through fib1 will have a route to the public facing wlan0, so no unencrypted traffic will leak. Is that understanding correct? Or do I need some firewall rules to strengthen this?

Thanks for reading.


----------



## ShelLuser (Jul 18, 2018)

Safe... safe from what exactly? That's the part I don't quite understand here.

Also: using different FIBs is one thing, but did you (re)configure your kernel or set net.fibs as mentioned in ifconfig(8)?


----------



## scobiehague (Jul 19, 2018)

Yes, I have net.fibs=2 set in /boot/loader.conf. By safe, I mean safe from unencrypted traffic leaking from applications that I specify to run on the second fib.


----------



## ShelLuser (Jul 19, 2018)

The real question then is if you have defaultrouter defined in /etc/rc.conf? If not then I don't see how your system can "just" make a connection to the outside. But if you do then yeah, there's always a risk factor.

One thing though, setfib(2) tells me that: "_The fib argument must be greater than or equal to 0 and less than the current system maximum which may be retrieved by the net.fibs sysctl._". I see you're using -1 a few times so I don't know for sure what effect that'll have.

But other than that this setup looks foolproof from what I can tell.


----------



## scobiehague (Jul 19, 2018)

Sorry, the -1 was a typo. It should read setfib 1, and I do not have the defaultrouter= option in /etc/rc.conf. Thanks for your input.


----------



## Lamia (Jul 19, 2018)

You should test whether it is leaking on test sites like dnsleak.com and dnsleaktest.com.
What happens most of the time is that your chosen DNS server isn't listed in the test. And as such, your setup may be leaking DNS.

You had better set up a dnscrypt-proxy and enforce your VPN and host DNS resolvers to use only no-log & dnscrypt-only servers. You may need to run a local DNS server like unbound too.


----------



## scobiehague (Jul 19, 2018)

Lamia said:


> You should test whether it is leaking on test sites like dnsleak.com and dnsleaktest.com.
> What happens most of the time is that your chosen DNS server isn't listed in the test. And as such, your setup may be leaking DNS.
> 
> You had better set up a dnscrypt-proxy and enforce your VPN and host DNS resolvers to use only no-log & dnscrypt-only servers. You may need to run a local DNS server like unbound too.



Yes. Currently I point my host /etc/resolv.conf to a jail running local_unbound and dnscrypt-proxy2. I opt for no-log dnscrypt servers. I will post any useful ways I find to diagnose traffic leaks in the next few days.


----------
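Added here as an example, not code from the thread or any of its participants: a small sh script that classifies FIB 1's default route from `netstat -rn -F 1` output (through the tunnel, through the plaintext interface, or absent), plus a `down` hook that deletes that route as soon as OpenVPN drops. It assumes the names tun0, wlan0 and fib 1 from the thread; the netstat dumps are constructed and the file names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Checks whether FIB 1 can still reach the
# outside world when the tunnel is gone, and removes the route on "down".

# Print the Netif of the default route in a routing-table dump read from stdin
# (the format of `netstat -rn -F 1` on FreeBSD). Prints nothing if there is none.
default_iface() {
    awk '$1 == "Destination" { for (i = 1; i <= NF; i++) if ($i == "Netif") col = i; next }
         $1 == "default" && col { print $col; exit }'
}

# Classify a FIB from its routing-table dump on stdin:
#   tunnel - default route leaves via the tun interface (encrypted)
#   leak   - default route leaves via the physical interface (plaintext)
#   none   - no default route at all (nothing on this FIB reaches the internet)
# Arguments: tunnel interface name, physical interface name.
fib_state() {
    tun="$1"; phys="$2"
    iface=$(default_iface)
    case "$iface" in
        "")      echo none ;;
        "$tun")  echo tunnel ;;
        "$phys") echo leak ;;
        *)       echo "other:$iface" ;;
    esac
}

# OpenVPN "down" hook counterpart to the thread's link-up.sh: drop FIB 1's default
# route the moment the tunnel closes. Hypothetical wiring in openvpn.conf:
#   down "/usr/local/etc/openvpn/link-down.sh"
link_down() {
    /usr/sbin/setfib 1 /sbin/route delete default
}

# Constructed netstat -rn -F 1 dumps used to exercise fib_state offline.
SAMPLE_UP='Destination        Gateway            Flags     Netif Expire
default            10.8.0.5           UGS        tun0
10.8.0.5           link#3             UH         tun0
192.168.1.0/24     link#1             U         wlan0'
SAMPLE_LEAK='Destination        Gateway            Flags     Netif Expire
default            link#1             US        wlan0
192.168.1.0/24     link#1             U         wlan0'
SAMPLE_DOWN='Destination        Gateway            Flags     Netif Expire
192.168.1.0/24     link#1             U         wlan0'

classify() { printf '%s\n' "$1" | fib_state tun0 wlan0; }

# Live check on the FreeBSD box itself: ./fibcheck.sh --live tun0 wlan0
if [ "${1:-}" = "--live" ]; then
    /usr/bin/netstat -rn -F 1 | fib_state "${2:-tun0}" "${3:-wlan0}"
fi
```

A result of `leak` after OpenVPN exits means the static `route_vpn` from rc.conf (or a stale interface route) is still serving FIB 1, which is exactly the case the firewall rules asked about in the thread would have to cover.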

