How to Prevent VPN DNS Leaks through TAP Adapters

Discussion in 'privacy technology' started by SteveTX, Jan 30, 2009.

Thread Status:
Not open for further replies.
  1. SteveTX
    SteveTX Registered Member

  2. jonw
    jonw Registered Member

    Nice article, but it looks to me like if I did that to my system I would never be able to connect to anything but my home network. I have to use public hotspots a lot, so wouldn't it be best for me to just leave all that alone?
  3. SteveTX
    SteveTX Registered Member

    This will work on any network you are connected to. Your computer doesn't know the difference between a hotspot or anything else.
  4. jonw
    jonw Registered Member

    No, what I am saying is (correct me if I am wrong) it sets your network adapter to a static IP. Well, that's cool if I am on a wired connection or my laptop is always going to be on the same hotspot. This wouldn't work for me; I am on a lot of different hotspots.
  5. SteveTX
    SteveTX Registered Member

    You would do this every time you are connected, not just once, if you connect to a lot of different networks.
  6. Z32
    Z32 Registered Member

    Hi Steve

    In your instructions, it may be worth mentioning (before step 2) that the commands are input via cmd?

    I can't see it on there - may be helpful for the less tech savvy.
  7. SteveTX
    SteveTX Registered Member

    I'm going to do it on video to show people. I think.
  8. jonw
    jonw Registered Member

    Well, thanks for the info. I check my network connections with Wireshark a lot and nothing is leaking out, so I'm good to go. Again, great job with the fix on the DNS leaks!
  9. Z32
    Z32 Registered Member

    Sounds like a top idea :thumb:

    Since some users would have to go through this often, would it be possible to build a script/add-on into your VPN app to achieve this?

    i.e. automated process or right click on the systray icon, click 'plug Windows', etc.

    I know leak issues at the user's end aren't your responsibility, but if it were easy enough to do, it'd be a pretty valuable addition & streamline the process imo. Just a thought! :)
  10. SteveTX
    SteveTX Registered Member

    Z32,

    That is exactly what we are working on, among two other things. :)

    Steve
  11. paulxx
    paulxx Registered Member

    The fix wouldn't work for me and I spent some time on it. In particular, I found the connection would break when changing to a fixed IP/DNS after the VPN connection was established with DHCP LAN settings. I preferred to keep the auto DHCP when not on the VPN and also wanted something for on the laptop on the move.

    Here's what I have found to work (from a post I made at Perfect Privacy):


    To fix the leak it is necessary to:
    1) Set the computer end to use fixed IP settings - before connecting the VPN (afterwards breaks the connection)
    2) While connected to the VPN, set the DNS address of the internet connection (not the VPN) to 'none'
    3) Set everything back to normal after disconnecting the VPN.

    -------------------------------------------------------------

    I have found a relatively simple fix that will work on any computer and router, wireless or not, without the need to alter any other network settings, using a free program called Netsetman, from www.netsetman.com.

    After downloading/installing, you will see several Tabs, starting with 'SET1', for each network setting and an 'Activate' button for these on the right.

    Initial setup - assuming automatic/DHCP network settings on router and computer (do not yet connect VPN):

    1) You will need to use SET1, SET2 and SET3. There is a drop down button at the top of each Setting tab where the active internet connection (ie. not the 'Tap-Win32' VPN connection) should be selected for each.

    2) Select the first SET1 tab. Choose Profile>Get all current settings - IP/DNS addresses should then appear in SET 1. Tick only 'IP' and 'DNS Server'. Select 'Use the following IP address' and 'Use the following DNS Server addresses' leaving the IP/DNS addresses untouched.

    3) Select SET2 tab. Tick only 'Use the following DNS Server addresses'. 'Preferred' and 'Alternate' should be blank.

    4) Select SET3 Tab. Tick only 'IP' and 'DNS Server'. Select 'Obtain an IP address automatically' and 'Obtain a DNS address automatically'.

    These settings will now be remembered. Occasionally it may be necessary to repeat the 'Choose Profile>Get all current settings' operation for the SET 1 tab, but only if the router changes the automatic (dhcp) addresses for the computer due to a change in the network.

    Here is normal usage:

    1) Before connecting VPN, open Netsetman, select SET 1 and click 'Activate'.

    2) Immediately after establishing a VPN connection, select SET 2 and Activate.

    3) After disconnecting VPN select SET 3 and Activate.


    If the computer already is set up with fixed IP/DNS settings, rather than the usual automatic/DHCP setting, then step 3) would be to Select SET 1 again and Activate. SET 3 would not be needed.

    --------------------------------------------------------------------

    I have another one click automatic solution using batch files incorporated into the OpenVPN startup, but it is initially more complicated and can only be used on one familiar network without reconfiguring. So no good for wireless laptops on the move. I think someone with more coding knowledge could solve the difficulty of reading the current automatic/dhcp settings and temporarily turning the network connection into a static one with the same settings.

    OpenVPN allows for batch files (xxxx_pre.bat, xxxx_up.bat, xxxx_down.bat) to run prior to connecting, after connecting and after disconnecting the VPN. So if the connection in the Openvpn 'config' folder is 'Steinsel.ovpn' then 'Steinsel_pre.bat', 'Steinsel_up.bat' and 'Steinsel_down.bat' are the file names for this. They are all placed in the 'config' folder.

    First save a one-off snapshot of the standard network config:
    Start>Run>cmd
    netsh.exe interface ip dump > c:\net.cfg

    Basically the code for the xxxx_pre.bat is as follows (just make a text file and rename .txt to .bat):

    netsh.exe interface ip set address "Local Area Connection" static 192.168.1.60 255.255.255.0 192.168.1.254 1
    netsh.exe interface ip set dns "Local Area Connection" static 192.168.1.254

    The settings are specific to my network except for a space followed by '1' at the end of the first line. So replace with your own Connection/IP/DNS info, found from either netsetman or Start>Run>cmd >> ipconfig /all. The quotes are needed for the connection name.

    The code for the xxxx_up.bat:

    ipconfig /flushdns
    netsh.exe interface ip set dns name="Local Area Connection" source=static addr=none

    The code for the xxxx_down.bat:

    netsh.exe exec c:\net.cfg

    This just replaces the original saved network settings.

    The three batch files are the same for all connections, but they must be duplicated and named for each OpenVPN connection. If accidentally the system crashed in the middle of a VPN session, run any of the _down.bat files manually to reset your connection to normal.
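
Added example (not part of paulxx's post or the thread): one way to close the gap he describes, reading the adapter's current DHCP lease and generating the three OpenVPN batch files from it, so the same fix can be regenerated on each new network. The function names, the constructed `ipconfig /all` sample and the assumption of English-language output are the editor's; the generated `_down` lines return the adapter to DHCP instead of replaying his saved `c:\net.cfg`.

```python
import re

# Constructed sample of English-language `ipconfig /all` output (not from the thread).
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 10.20.30.47
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 10.20.30.1
        DNS Servers . . . . . . . . . . . : 10.20.30.1

Ethernet adapter Local Area Connection 2:

        Description . . . . . . . . . . . : TAP-Win32 Adapter V8
        Dhcp Enabled. . . . . . . . . . . : Yes
"""

HEADER = re.compile(r"^\S.* adapter (.+):\s*$")
FIELD = re.compile(r"^\s+([^.:]+?)[\s.]*:\s*(.*)$")

def parse_adapters(text):
    """Return {adapter: {lowercased field: value}}; a trailing "(Preferred)" is dropped."""
    adapters, current = {}, None
    for line in text.splitlines():
        if (h := HEADER.match(line)):
            current = adapters.setdefault(h.group(1), {})
        elif current is not None and (m := FIELD.match(line)):
            value = re.sub(r"\(\w+\)$", "", m.group(2).strip())
            current[m.group(1).strip().lower()] = value
    return adapters

def build_scripts(text, adapter):
    """Build _pre/_up/_down batch lines for the physical (non-TAP) adapter."""
    cfg = parse_adapters(text)[adapter]
    ip = cfg.get("ip address") or cfg.get("ipv4 address")
    mask, gw, dns = (cfg.get(k) for k in ("subnet mask", "default gateway", "dns servers"))
    if cfg.get("dhcp enabled") != "Yes" or not all((ip, mask, gw, dns)):
        raise ValueError(f"{adapter!r} has no complete DHCP lease to freeze")
    return {
        # Freeze the lease as static settings before the VPN connects.
        "pre": [f'netsh.exe interface ip set address "{adapter}" static {ip} {mask} {gw} 1',
                f'netsh.exe interface ip set dns "{adapter}" static {dns}'],
        # Once the tunnel is up, remove the physical adapter's resolver.
        "up": ["ipconfig /flushdns",
               f'netsh.exe interface ip set dns name="{adapter}" source=static addr=none'],
        # Hand the adapter back to DHCP (assumption: replaces the net.cfg replay).
        "down": [f'netsh.exe interface ip set address name="{adapter}" source=dhcp',
                 f'netsh.exe interface ip set dns name="{adapter}" source=dhcp'],
    }
```

Feed it the text of `ipconfig /all` captured before connecting, and write each returned list to the matching `xxxx_pre.bat`, `xxxx_up.bat` and `xxxx_down.bat` file.
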
  12. coderman
    coderman Registered Member

    note that all of these fixes are for accidental / non-directed DNS requests to specific nameservers on the local subnet. to truly plug all DNS leaks in all situations you need to be sure DNS and/or UDP cannot be routed outside of the proxy software.

    luckily for most situations fixes like these for adjusting winsock / adapter DNS settings are sufficient.

    best regards,
  13. dan901
    dan901 Registered Member

    so steve, the fix you describe in your article, basically you are setting everything static and leaving out the dns entry. By leaving out the dns entry from your network adapter you force all dns traffic through the vpn dns. Am I understanding correctly?
  14. SteveTX
    SteveTX Registered Member

    That's right, and we're keeping DHCP from being able to update the interface with new DNS information.
  15. paulxx
    paulxx Registered Member

    Except Steve's method of clearing the ARP cache didn't work for me.

    Maybe I have a stubborn router dns/dhcp combination but even after setting the lan with fixed IP settings manually, prior to connecting the VPN (doing it afterward broke the connection) and then running the rest of Steve's stuff, the dns kept coming back.

    That's why the method I posted above, setting the dns address to 'none', is what worked for me.
  16. lansing
    lansing Registered Member

    Steve
    Isn't it enough to use this code?

    netsh.exe interface ip set dns name="Lokalt natverk" source=static addr=10.244.2.1