OpenVPN DNS problem with NordVPN

  • There is an issue that keeps NordVPN from functioning smoothly during update while this could be fixed by changing the DNS on your router to something other than NordVPN's DNS while updating .ovpn files I find it to be kind of obnoxious when software's main reason for development in my mind is to automate things and make other things possible this software currently fails at both objectives.

    - It does not allow changing DNS from within the program

    - It does not automatically change DNS while updating to fix the issue either

    The author is not interested in fixing the issue because to him it is a non issue and not worth changing code and I totally understand this which is why I am trying to take my own little journey into the unknown. I surely cannot expect someone to always do my bidding but if you care to join in this is excellent and welcomed.

    So basically I want the program to do the changing or possibly run scripts but there are a number of things I must first figure out not knowing all too much about any of it.

    This is kind of what I want to add before and after the updates in plain english:

    Code
    If UpdateRequired = NordVPN
    then run googledns.sh
    
    If Download = Complete
    then run norddns.sh


    Was actually looking how to do the scripting I believe something like this may work:

    Below would be norddns.sh

    Code
    #/bin/sh
    interface eth0
    static domain_name_servers=162.242.211.137 78.46.223.24
    interface wlan0
    static domain_name_servers=162.242.211.137 78.46.223.24

    Then googledns.sh

    Code
    #/bin/sh
    interface eth0
    static domain_name_servers=8.8.8.8 8.8.4.4
    interface wlan0
    static domain_name_servers=8.8.8.8 8.8.4.4

    Other things I need to figure out: Notes to self and thinking process for all to see.

    Who knows I may need to specify everything as static maybe it does not allow for only static DNS?

    Will root be required for the software to properly invoke the script?

    Will the settings take hold automatically or will I need to somehow disable and enable the eth0 and wlan0 to get things going?

    Need to figure out where to invoke the scripts exactly?

    Created a github account now I need to figure out how to use it properly... Clone or fork etc but first figure out the next question?

    Maybe .py script would be better to use or just integrating the code into the existing .py code IDK?

    X DONE X need to figure out if I have permission to use the code I never did look at the license to see what the requirements are of zomboided so I may possibly have to keep my build private if there is any type of requirements? Ahh it is GNU GPL Answered Yes Perfectly Fine If I keep code open source!

    Anyone not interested feel free to ignore my journey. I am trying to gather all the info needed to put the plan into action now that I have one. I don't expect anyone to be interested in this but if you are replies are most welcome thanks in advance for your reply.

    Edited 2 times, last by forlotto (September 22, 2017 at 8:18 AM).

  • Ok so minor update I've forked the code and been reading over the code to try and understand it all day.

    I came across the following in vpnproviders.py

    Code
    1086: # Uncomment the next line to make test for NordVPN download easier...
    1087:  # if file_count == 20: break

    I am curious if he breaks at 20 for his testing purposes or if other users could break at 20 to make the downloading process easier somehow.

    I must say interesting little bit of code which makes me think that tests being run for NordVPN are not as thorough as other providers but maybe thorough enough IDK no expert heck it all might as well be egyptian or greek to me I have a small understanding of code in general I know enough to be dangerous.

    What I am looking for is where to implement code to switch DNS I believe it is going to be in this general area where I will need to execute scripts to change code but it may be best to have this as a debug option instead of forcing it upon every downloader or possibly I can say if provider is NordVPN then run bash script to set DNS to google.

    I am really trying to think what the best avenue would be I need to see how files are installed and copied over to the disk I really wish I had a better understanding of all of this already unfortunately I do not all I can do is keep reading and try to decipher everything should likely be an easy task to fix this for most but it is like climbing mount Everest to me at current. I don't even understand what is possible or file permissions or what is required to do what I have to do 100%

  • To be specific though starting at line 1058 in vpnproviders.py I think this is the code that I should likely shoot to modify right before the download starts I should check provider then if it is NordVPN then I should change DNS

    The above code is critical to the whole operation of downloading .ovpn files I believe if I am reading and understanding things correctly.

    So time to think on modification. These are my notes thus far very little accomplished in a day of reading through code I understand as I said this is likely going to be a slow process for me alone with some help maybe a bit faster.

    It would be a tad bit cooler if the program set the DNS for the provider automatically after downloading the files before trying to connect anyways I feel and from a safety standpoint according to everything I have read it is important that you use the DNS of the provider to ensure your safety anyways which is why I don't get why autoDNS is not implemented according to provider.

    I would be willing to bet my right toenail clippings that many people running a VPN are using their ISP's DNS servers because they are unaware they believe that the program just works and does it for you or it doesn't matter!

    DNS leaks are critical when it comes to protection of your activity online think about this a second if you were to constantly visit a website that was involved in something Taboo just the fact that you were served a domain through your provider could add to evidence that you were involved in something Taboo. For instance let's say that you used thepiratebay to check out what the top downloaded stuff was out of curiosity to see what is really worth buying the very fact that you were resolving that website through their domain name servers adds evidence to a case built against you it is a slippery slope really all DNS should be resolved by a trusted 3rd party such as your VPN provider to keep you safe.

    This program lacks this and also lacks appropriate warnings.

    Funny thing how none of this is mentioned in the wiki along with the security warnings...

    Edited 4 times, last by forlotto (September 23, 2017 at 6:36 AM).

  • You're wrong, period. You can google why that is because I'm not going to explain. I will say that the configs are based on those provided by the VPN providers. Some have submitted their own to the repo. None of them agree with you, but maybe you should email them all and let them know what they're doing wrong.

    If you think I'm wrong, that's fine. I provide free software for free. You can choose not to use it, I'm good with this. Enjoy your journey, I won't be engaging with you anymore.

  • You're wrong, period. You can google why that is because I'm not going to explain. I will say that the configs are based on those provided by the VPN providers. Some have submitted their own to the repo. None of them agree with you, but maybe you should email them all and let them know what they're doing wrong.

    If you think I'm wrong, that's fine. I provide free software for free. You can choose not to use it, I'm good with this. Enjoy your journey, I won't be engaging with you anymore.

    Stop and listen to yourself for a moment you are so worried and hell bent on being wrong or right and making a wrong or right war out of this I assume this is how you go through life constantly trying to prove your identity through feedback instead of being at peace with who you are.

    I may be wrong I may be right it is of no difference to me either way just like a moment of life this is for experience and to be honest in the long run it is to help you out!

    If you would be kind as to actually read the issue and understand it it has nothing to do with your provider files it is a connection issue the issue is already understood!

    I have already gotten an email back from NordVPN...

    The issue is their DNS server and it may also be related to IPSEC being enabled on my account.

    But either way I can use my ISP's or another DNS and it works just fine so that tells me that the IPSEC is done through blacklisting and filtering rules similar to that of OpenDNS where you can setup rules to filter out certain content and block certain things from happening in this manner there is no true firewall almost all ports are open it all makes sense to me I understand the issue it is you who do not understand the issue!

    So the issue at hand has nothing to do with the config files as the config files are on the server and they are fine!

    The issue has to do with DNS NordVPN's Domain Name Servers "with ipsec enabled".

    THE SOLUTION: temporarily set the DNS to something else before the download phase, then they download the files, then once completed they set the DNS to the VPN providers DNS.


    The issue is downloads fail when using nordvpns DNS and having IPSEC enabled I did not disable IPSEC and test because I don't feel I need to because if I simply change DNS servers it works downloading the files ahhh therein lies the solution!

    I know this may all be hard for you to take in but the seed is planted and maybe someday you will realize that people in the free world using your free software are also free to speak and heavens forbid think without google. Oh no he didn't use google hang him!

    One thing with your software is that it does not address DNS at all! This is critical as stated by VPN providers as well as security experts.

    DNS provides you with the ability to translate information from an IP to a readable name in place of those numbers.

    You do not take criticism very well and this is fine I forgive you for all of your misconceptions and the idea of this is not to prove your wrong or right or say anything negative here the objective is to reach an end goal that will be useful for you, me and everyone really it is not all about me or all about you. You can attempt to silence me over and over either on github or elsewhere it don't really make no difference to me I am pesty as you said on the github comment but I am also many other things and so are you you are just too wrapped up in your identity and not self aware enough to realize it.
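The switch, download, restore sequence that the posts above describe (the `googledns.sh` / `norddns.sh` plan and "THE SOLUTION"), as an added example that is not code from the thread or from the add-on. It assumes DNS is controlled by a resolver file the caller can write; the file path and the download command are placeholders supplied by the caller, and how DNS is actually applied on the poster's system is not shown on the page. The point it demonstrates is that the original resolver is put back even when the download fails or is interrupted, so the machine is never left on the temporary DNS.

```shell
#!/bin/sh
# Added example (not from the thread or the add-on).
# with_temp_dns FILE "NS1 NS2 ..." CMD [ARGS...]
#   Temporarily replaces the nameserver list in FILE, runs CMD, and always
#   restores the original FILE afterwards, returning CMD's exit status.
#   FILE, the server list and CMD are caller-supplied assumptions.
with_temp_dns() (
    conf=$1
    servers=$2
    shift 2

    # Keep a private copy of the current resolver configuration.
    backup=$(mktemp) || exit 1
    cp "$conf" "$backup" || { rm -f "$backup"; exit 1; }

    # Restore on every exit path of this subshell: success, failure, signal.
    trap 'cat "$backup" > "$conf"; rm -f "$backup"' EXIT
    trap 'exit 130' INT TERM

    # Write the temporary resolver list.
    for s in $servers; do
        printf 'nameserver %s\n' "$s"
    done > "$conf"

    # Run the wrapped command (for example the .ovpn update) and pass its
    # exit status back to the caller after the EXIT trap has restored FILE.
    rc=0
    "$@" || rc=$?
    exit "$rc"
)

# Usage sketch (placeholders, not real paths or commands from the page):
#   with_temp_dns /path/to/resolver-file "8.8.8.8 8.8.4.4" update-ovpn-files
```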

  • Quote


    Wow isn't that the solution I told you to use 3 days ago....at least you made a lot of self entitled noise though. Well done

    This has nothing to do with self how much more clear can I be it is more so for the next guy that uses your software and to make you aware as well as others aware so you do not have to waste as much time on support and others do not have to waste as much time coming to this conclusion.

    The problem is able to be solved easily through your software is it not?

    The software also has the intrinsic problem of not handling DNS which is an important part to the security of VPN connections isn't it so?

    The idea is to improve things.

    Some other suggestions is maybe to include things and not be so vague in your wiki about the importance of the user setting their DNS outside of the program for now.

    Possibly state that they may experience problems if using DNS servers that have IP security features enabled.

    As I said if you were not interested in solving this problem you did not have to I don't expect you to work for free that was your choice I even offered you money!

    Just assuming that everyone is up to speed or expecting them to be because they have google is not the greatest at least from what I have found and luckily other people have found this to be the case as well this is why we have this forum.

    I see this cop out all the time just google it. Why even post such a silly thing you are on a help forum help others out or don't it is your choice a comment is better left ignored than telling someone to google it you defeat the whole purpose of a help forum. Every time I see this response on a help forum there is the immediate face palm that happens! It is creepy to me but somehow this has become socially acceptable for a comment often people look up to people who make this comment looking down on others and they shouldn't but at the same time I am grateful for free speech and realize that I am far removed from perfection as well.

    But I appreciate all your work and your comments and remarks and I thank you for not totally ignoring this thread as well very respectable. And I wish you could see through all of this crap that you think is bad or that I am out to get you or prove anything I assure you this has nothing to do with any of it. Nor do I care to make noise. Or do I feel any entitlement that I should be owed anything. Don't believe me use your thinker for a minute and not google for once. Ask yourself these questions? Is he or she selling anything? Is he or she trying to sell his or herself? (is there a picture or a real name? is there a link to an about me page.) I am just under educated in this field and do not have the hands on experience and I thought I could possibly enlist your help you implicitly stated you did not want to help and that the issue didn't exist then it was a 1 in 40 issue lacking importance but now it was an issue and you solved it... But the problem still exists for the next person and it can be solved with lines of code. You know it as well as I do people should not have to disable using NordVPN's DNS nor their IPSEC and potentially unwillingly expose themselves and make their VPN connection essentially as useless as tits on a bull but it will happen. I do not expect you to solve it or help me at all but your help is still welcomed if you have a change of heart or spare time etc... We all lead busy lives. I get it really. And we are constantly trying to be the best versions of ourselves but can we be that without being self aware? You could argue that I am self entitled but I not only offered you a tip but offered to pay you as well to fix the issue. Does that seem like someone who is self entitled by definition?

    These are all things that a self aware person would think of I guess that is the take home from all of this. If I just attack you back and start name calling what good is that. There is nothing useful that comes from such an exchange. I can only forgive what was said and apologize for any action or inaction you feel I am guilty of and move on and enlist the help of google and people who are not so hard pressed that is what I have been doing really. And raise awareness to save other people from suffering through these little nuances. Feel free to respond and do as you need everything said or believe has value no matter what my opinion or thought process is. Sometimes I need to hear things and understand ideals and ideas whether they are what I want to hear or not. Thanks again for everything.

    Edited 2 times, last by forlotto (September 23, 2017 at 10:07 PM).

  • So looking at the file I see some code that could be of use not knowing python I assume that DEF means define and it appears to be that they are defining a function.

    So if I modify this code above to setup a googledns file like the code below maybe it will work:

    Add norddns.sh as well

    This may or may not do the trick but I will have to do some more reading as I know nothing of python nor have I looked into it at all I am just sitting here reading through code to try and make heads or tails of it. I don't know if os.system(command) invokes it or if I have to invoke it later to execute it after I write it or if variables are locally or globally recognized or if the variable command is built in or users specified etc not sure on the syntax but this is where I am at for now I know this must be painful to someone reading this that knows already but at the same time my lack of knowledge will possible help some of the other know nothings like myself be unafraid of taking a stab at something they do not understand there is a lot of learning to be had in sharing thought process.

    Thinking out loud below to keep track of every thing:

    Q: Will I need to use nDNScmd and gDNScmd as a variable in place of command?

    A: It can be any command so why not change it to something different to be on the safe side I believe.

    Will I need to run the file somewhere else or does os.system(variable) run the file?

    A: According to what the code is saying it looks like it and according to documentation I assume so. 15.1. os — Miscellaneous operating system interfaces — Python 2.7.14 documentation

    Q: Will I need to reset the connection once the DNS will change?

    A: Don't know yet need to test this to see if it is even a workable solution.

    Q: Is there a better way to handle DNS settings like for instance integration of DNS settings?

    A: dnspython seems to have everything to aptly handle DNS but take it with a grain of salt as I said this is all new to me I could be wrong maybe it is not possible to do so not sure how dependencies work technically either but if I recall right the license for this program is similar to Zomboided's license free to use and distribute as long as you share the source of the work (and the modifications you make I believe?)

    Edited 6 times, last by forlotto: Updated now that I found some answers to some of the questions. Still a bit in limbo will update and post back once I am further along. (September 24, 2017 at 6:33 PM).

  • So I am thinking best way is to use the DNS for the provider to close up a potential hole for people in their DNS at the same time while doing this I still need to figure out the values and if the syntax is right not used to python or programming but seems pretty cool thus far.

    Syntax I am unsure of has to do with "" and the use of them for strings

    if vpn_provider == "NordVPN": DNSIP == "1.2.2.2 3.4.5.6"

    or is it?

    if vpn_provider == NordVPN: DNSIP == "1.2.2.2 3.4.5.6"


    Which would be correct I think the first one I may also need a space on both sides of the " : " not sure...

    But anyways this is what I have thus far... A work in progress as I will need to get all the DNS servers for each provider then integrate it into the batch file as well as find all appropriate places to place this function. If not the batch file then I guess it will have to be used for dnspython or however it has got to be done. A molasses in the winter time upgrade I don't foresee this coming very fast but it will improve the program I believe quite a bit for people who are unaware of what a DNSLEAK is. And also not aware that the program does not currently set any DNS at all so I would assume most people using the program without a clue are just using it with default ISP DNS potentially leaking all of their information as it stands.

    There is so much out there with kodi you should be careful of this is one of them and also pairing with content providers whoever thought this was some good idea is totally wrong.

    Edited 2 times, last by forlotto: Edit to add potentially see the discussion below. (September 25, 2017 at 5:30 AM).

  • You're so missing the point (which is your prerogative entirely) and spreading mis-information (which bothers me).

    Most (all?) VPN providers push their DNS settings on connect and change it back on disconnect. The way this is done is documented in the openvpn manual. I think you should google exactly what happens when you connect a VPN, what the dns leak issues were and how they were solved. If you don't want to google, don't...makes no difference to me, I understand this stuff.

    If you want to change what the VPN provider has done, you can modify it using up/down scripts. And you can change the DNS server used outside of the VPN using the existing LE interface. I've told you this already. How to use up/down scripts with the add-on is documented on the wiki. How to use up/down scripts is documented in the openvpn manual. There are many examples of up/down scripts out there if you google for some.

    Personally, I use my ISPs DNS settings, and my VPN provider (being competent) automatically changes this for me on a system by system basis. If I'm on a Windows machine, the add-on takes advantage of a particular parameter to avoid the particular DNS leak issue that was an issue on that platform. I absolutely disagree with you that I have a DNS leak.

    Of course, you're free to continue to argue that this add-on should manipulate DNS servers, and you're free to change it - I really am not interested what you do. But please stop making incorrect and misleading statements about the way VPNs work.
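The mechanism referred to in the reply above, shown as an added example that is not code from the add-on, its wiki, or any provider: OpenVPN hands each option pushed by the server to `up`/`down` scripts in the environment variables `foreign_option_1`, `foreign_option_2`, and so on, and sets `script_type` to `up` or `down`. The helper below extracts the pushed DNS servers, rejects any value that is not a plain IPv4/IPv6 literal, and renders resolver lines; `RESOLV_OUT` is a hypothetical variable naming the file to write, since how the result is applied is platform-specific.

```shell
#!/bin/sh
# Added example (not from the add-on): helper for an OpenVPN "up" script.

# pushed_dns: print one pushed DNS server per line.
# Pushed options arrive as foreign_option_1, foreign_option_2, ...
# e.g. foreign_option_1='dhcp-option DNS 10.8.0.1'
pushed_dns() {
    i=1
    while :; do
        # i is a locally generated integer, so this eval is not attacker-driven.
        eval "opt=\${foreign_option_$i:-}"
        [ -n "$opt" ] || break
        case "$opt" in
            "dhcp-option DNS "*)
                addr=${opt#"dhcp-option DNS "}
                case "$addr" in
                    # Skip empty values and anything that is not made up of
                    # address characters: the value comes from the server and
                    # ends up in a system configuration file.
                    ""|*[!0-9a-fA-F.:]*) ;;
                    *) printf '%s\n' "$addr" ;;
                esac
                ;;
        esac
        i=$((i + 1))
    done
}

# render_resolv_conf: print resolver lines for the pushed servers.
# Returns 1 when nothing usable was pushed, so the caller can leave the
# existing resolver configuration untouched instead of writing an empty one.
render_resolv_conf() {
    servers=$(pushed_dns)
    [ -n "$servers" ] || return 1
    echo "# generated from pushed dhcp-option DNS values"
    for s in $servers; do
        echo "nameserver $s"
    done
}

# Only act when OpenVPN runs this as an up script and a target file is named.
# RESOLV_OUT is a hypothetical variable, not something OpenVPN sets.
if [ "${script_type:-}" = "up" ] && [ -n "${RESOLV_OUT:-}" ]; then
    if render_resolv_conf > "$RESOLV_OUT.tmp"; then
        mv "$RESOLV_OUT.tmp" "$RESOLV_OUT"
    else
        rm -f "$RESOLV_OUT.tmp"   # nothing pushed: keep the current resolver
    fi
fi
```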
       

  • Will the up/down scripts allow for automation of using DNS servers during the update on nordvpn ovpn files?

    This is what started things off I wanted to automate changing DNS during this process.

    So while I am "misinforming" about DNS Leaks or not I still would like to do this in an automated fashion.

    I personally don't care if it is a permanent fork or you accept a pull for it.

    I have googled DNS Leaks to be honest there are so many people claiming to be experts but yet they and many of them still claim you should set your DNS servers manually and clear any other DNS servers for safety.

    As far as windows goes I tested it with IPLeak and DNSLeak.

    In order to get a leak proof machine one of the things I had to change was a browser setting, another thing I had to change was a IPV4 on windows and on my router and finally the last thing I had to change was my DNS servers! And would you know it I had no leaks after that point so I mean if something changed since I ran into that issue about 6 months ago I guess I haven't really kept up to date.

    On one hand I have NordVPN being pretty flamboyant about changing your DNS servers and in the correspondence with them through email over the last week they also mentioned the fact that you can push any DNS server using OPENVPN the open source version as well as their software so I don't doubt for the most part you are right. Like I said before it is not a matter of me being right here I appreciate the input.

    Is it misinformation though that leaks may still be possible and it is good practice to change your DNS servers manually? I really do not know for sure this is where the jury is still out for me I suppose you seem to be certain but how do I know that LE is not going to add something to make media playing easier that will possibly cause a leak in the future.

    There are a number of things with this whole OPENVPN that I do not find right that deserve attention and discussion.

    This is one of them.

    The other is pairing with providers of content.

    The other is how people post logs to pastebin which contain way too much personal information if people are unaware and don't actually read through them and scrub the data there is a lot of information that is given away. I wouldn't doubt if this is how people snatch up IPTV subs at times.

    You have your concerns that I am being overly cautious and I have my concerns that the lack of awareness and the lack of informing people to do things like scrub their logs before posting them, set their DNS as an extra safety precaution, and not to use things like pairing for media providers is hardly ever mentioned if at all. When malicious websites adopt the policy of delaying website response to the user computer thus resulting in the browser switching to an unsecured DNS. Meanwhile, the newer Windows OS has a few in-built features which increase its susceptibility to DNS leaks. Smart Multi-Homed Name Resolution featured in windows 8.1 and windows 10 was one of them if memory serves me right...

    I will note I will upgrade my last post to include the word potentially to put things into perspective.

    I am most positive I do not know everything about everything and this is where we should all remain and I may say something wrong that needs correction at times and I thank you for it you are always welcome to correct me and educate me and the public all at the same time I believe I learned a bit more about OpenVPN just by reading a bit.

    You have your concerns about me misinforming I have my concerns about things not being cautious enough due to the mass amounts of conflicting information on this issue.

    Update: I will likely just solve the DNS issue with a quick cheap switch during the download process from what I can see many of these providers on the list do NOT share the information as public and have "smartdns" or whatever they wish to call it if you ask me it is all somewhat sketchy as these providers likely host their DNS on a 3rd party server on a non physical server like a VPS or something of that nature. So that brings me to question sure your providers logging policy is "WE DONT LOG" but what about the people hosting the VPS server?

    One possibly interesting alternative OpenNIC Project

    Personally I like the pirate bays founders current initiative of being the man in the middle for Domain Name Registration you can register a Domain with their service and they will keep your information private at all costs they will refuse to give away your information and will assume all liabilities incurred by the domain itself from my understanding. Njalla — A privacy aware domain registration service

    It is pretty wild I am glad there are a lot of privacy advocates out there protecting the freedoms that the internet was founded on the ability to share information is constantly being attacked we need all the people we can to build up every possible avenue of encapsulating measures to keep things private I would love to see things reach a point where privacy can not be legislated away on the client side of things and things thus far are moving in that direction I'd like to see https replaced with something a bit more intuitive on this front as well as processing power has become a bit stronger and maybe functional with something like DNS crypt to really ensure privacy as it stands right now DNSCrypt is not a replacement for a VPN, as it only authenticates DNS traffic, and doesn't prevent third-party DNS resolvers from logging your activity. By design, the TLS protocol, as used in HTTPS and HTTP/2, leaks websites host names in plain text, so DNSCrypt is not enough to hide this information but it would be nice if there were a protocol developed with it that does aside from VPN that works in conjunction with DNSCrypt.

    Not to get too crazy but at this point I'm feeling a lot like you I believe due to all these factors I think it is quite possibly a non issue although I am not aware if DNScrypt is used if supported by default with OpenVPN I haven't done enough reading but it seems to me that the design of DNScrypt would be an advantage for providers to use implicitly. The local network is usually weak against attacks like DNS spoofing. The DNSCrypt server can run on your router (I know tomato and DDWRT support it), along with the typical DNS resolver. Devices can then run the client code of DNSCrypt, leveraging the router DNS resolver.

    So to sum everything up YOU ARE CORRECT and I believe that people should set their router DNS as something other than their ISP's initially for optimal safety. Just as you said it is hard to say what VPN providers come along and what they do and how technically adept they may be initially. I kind of side with setting the DNS of your router to something other than just your ISP's heck use openDNS or opennic.org even after reading about googles new policies I likely will not be using googles DNS servers.

    Edited 2 times, last by forlotto: I'm going to keep it simple and just make a fork that will work for my personal use case no modification to DNS as stated. (September 28, 2017 at 3:55 AM).

  • Just to clarify for anyone (like me) who searches "libreelec openvpn nord dns issue", hopefully you see this post rather than any other long winded, unhelpful waffling. This info of course is probably elsewhere.

    All done from within kodi;

    Step 1: Disconnect vpn (if connected)

    Step 2: update vpn settings with first option in openvpn settings.

    Step 3: validate connection/s in settings tab 2

    Step 4: relax, because you are connected through your vpn again.