Recently I became a VPN user (NordVPN). The service seems to be fine, but I wanted to verify if it is secure.
For that I just wanted to make sure/understand if all of my internet traffic goes through the tunnel. Of course the NordVPN website says that I am perfectly secure now, but I wanted to verify that.
For that purpose I decided to use Wireshark. After VPN installation I see that in my system there are now two Ethernet cards, one called TAP Windows adapter, which was added by the VPN, and the other my native WiFi card. As I understand it, all traffic (through the route table) should be directed to the TAP card, where it gets encrypted, and then all data are sent to the Internet through my native WiFi card (already encrypted). To check that, I used Wireshark and monitored my Internet WiFi card. 98% of packets are of OpenVPN type, which is encrypted, good. But the rest are DNS queries (sent to VPN DNS servers) which are in plain text that I can read. In these it is written which websites I am trying to access.
Please see the screenshot of the Wireshark results: https://postimg.org/image/4xh0mfqez/
I used a website of: https://ipleak.net/ to check if it is connected with DNS leakage, but NO IP leak is detected.
So it seems to me that DNS queries are not encrypted, but sent to the VPN DNS servers in plain text. If that is the case, then a man in the middle or my ISP can easily trace my activity and the websites I am trying to access. Please let me know if that is true, or if not, how it then works.
I tried to get a descriptive answer from the VPN provider, but they only claimed that everything is fine/secure.
Looking forward to your hints.
Best regards John
asked 27 May '16, 06:14
closed 27 May '16, 06:26
Your understanding is correct, this would be a secure setup. I cannot see any reason why the VPN client software should set the default route to the tunnel interface but create exceptional routes via the original gateway for the DNS servers. So once the VPN is up and running,
If you find exceptional routes for individual addresses of the DNS servers, removing them should be enough to make the DNS queries be routed through the tunnel as well. But if there is an exceptional route for a whole subnet which covers both the VPN server and the DNS servers, removing such a route would make the VPN stop working, as the encrypted packets have to be sent to the VPN server using the original gateway as provided by the WiFi AP. If this is the case, you would have to manually configure some DNS servers outside that subnet, i.e. not belonging to the VPN provider, to allow sending DNS queries through the VPN as well. These DNS servers may be your ISP's ones, as the queries to them would come from the outer address of the VPN server, so they wouldn't disclose that it is you who is asking.
I just wonder whether you are sure that it is safer to be spied on by the VPN provider than to be spied on by your ISP.
answered 27 May '16, 06:54
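An added example (not part of the thread, and not the VPN client's own code) of the route-table check the answer above describes: it runs a longest-prefix lookup over a Windows-style routing table and reports which DNS servers would be reached via the physical adapter instead of the tunnel. The table, the "TAP"/"WiFi" interface names and all addresses are constructed sample values; the lookup itself is the general rule (longest prefix, then lowest metric), so it also covers the subnet-wide exception case.

```python
"""Added example: given a routing table, decide whether each DNS server is reached
through the VPN tunnel or through the physical gateway (a DNS leak).

SAMPLE_ROUTES is a constructed table in the shape of Windows "route print":
the VPN pushes a default route over the TAP adapter with a lower metric, adds a
host route so the VPN server itself stays reachable via the WiFi gateway, and
(the leak case) one exceptional host route for a DNS server."""
import ipaddress

# (destination network, gateway, interface, metric); all addresses are constructed
SAMPLE_ROUTES = [
    ("0.0.0.0/0",       "192.168.1.1", "WiFi", 50),  # original default route via the AP
    ("0.0.0.0/0",       "10.8.0.1",    "TAP",  20),  # default route pushed by the VPN
    ("192.168.1.0/24",  "0.0.0.0",     "WiFi", 50),  # on-link LAN
    ("10.8.0.0/24",     "0.0.0.0",     "TAP",  20),  # on-link tunnel subnet
    ("203.0.113.10/32", "192.168.1.1", "WiFi", 50),  # VPN server: must bypass the tunnel
    ("203.0.113.53/32", "192.168.1.1", "WiFi", 50),  # exceptional route for a DNS server
]


def lookup(dest, routes):
    """Longest-prefix match, ties broken by lowest metric. Returns (gateway, iface)."""
    addr = ipaddress.ip_address(dest)
    best = None
    for net, gw, iface, metric in routes:
        network = ipaddress.ip_network(net)
        if addr in network:
            key = (network.prefixlen, -metric)  # longer prefix wins, then lower metric
            if best is None or key > best[0]:
                best = (key, gw, iface)
    return None if best is None else (best[1], best[2])


def dns_leaks(dns_servers, routes, tunnel_iface="TAP"):
    """Return the DNS servers whose queries would leave via a non-tunnel interface."""
    return [s for s in dns_servers
            if (r := lookup(s, routes)) is None or r[1] != tunnel_iface]


if __name__ == "__main__":
    for server in ["203.0.113.53", "203.0.113.54"]:
        print(server, "->", lookup(server, SAMPLE_ROUTES))
    print("leaking DNS servers:", dns_leaks(["203.0.113.53", "203.0.113.54"], SAMPLE_ROUTES))
```

On a real machine, feed the function the entries from `route print` (Windows) and the DNS servers the client reports; a server listed by `dns_leaks` is exactly the "exceptional route" the answer tells you to remove or work around.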
If you're using openvpn client and you're on windows 8-10, you need to configure your client to ignore any DNS server but those pushed by your server. It's because windows tries to play smart and send DNS queries to the fastest server.
So if it appears that your gateway answers those queries faster than your VPN server (which must always be the case), all queries will be sent to it without encryption.
You need to open your .ovpn file and add at the end of it: "block-outside-dns" (without the quotes).
In the log of openvpn, you'll see the client picking up that line and stating that it will ignore any DNS server but those pushed by the vpn server you're trying to connect to.
Also, in Wireshark, you'll never be able to read anything again: encryption to its fullest!
answered 06 Oct '17, 06:48