cant make heads or tails of the custom openvpn guide

[verisar]

starting at 2 from https://github.com/qdm12/gluetun/wiki/OpenVPN-configuration-file

bind mount from where? i just drop files into my created docker folder per container for configs so i dont understand where i would keep this file and bind mount it to? LIke do i need a folder at /gluetun/ on my distro?

4. wow like holy how i dont understand, is this for .env file and am i just circle jerking the .conf file, i have no clue why its called in the .env and is it just like a ghost or something could i not instead do like -e /path/to/conf:/glueton/custom.conf

this is thuraly thrown my thought process thru a loop.

after writing the above i said fuck it and just did it the way i thought and well the checked ip results look like they worked

[alexeyhome21]

Hi all! (same for open vpn) and who knows, installed the client in the docker. And if your server is openvpn. That's where the files are imported, ovpn. Or am I misunderstanding how it works, thanks in advance.

[beyondunreal79]

I am in the same boat. Ever get anywhere with his?

[bnhf]

@beyondunreal79

Lots of people use custom configurations with Gluetun. It can either be for those that have their own OpenVPN server somewhere, or for an as yet unsupported VPN provider.

Linux OpenVPN clients typically use a .conf file (containing the OpenVPN directives required for the client), with separate .crt and .key files. If you're using a commercial VPN service you'll need to be able to download those by logging into your provider's website, and generating them. If your provider only offers a .ovpn file, then you'll want to use a text editor to separate the OpenVPN directives from the cert and key. Usually you can download a zip where they're already separate files.

The other key thing you need to do, in this case somewhat specific to Gluetun, is to turn the hostname of the OpenVPN server into an IP address. This is required because Gluetun blocks DNS queries until the VPN tunnel is up-and-running. See the guide referenced at the beginning of this discussion for a suggested way to turn the server's hostname into an IP address.

Once you have your .conf, .crt and .key files, they need to be placed in a directory on your host computer and that directory needs to be bound to the Gluetun Docker container. An example of a docker-compose for a custom config would look like this:

version: '3.7'
services:
  gluetun:
    image: qmcgaw/gluetun:latest
    cap_add:
      - NET_ADMIN
    volumes:
      - /yourpath:/gluetun
      - /yourpath/custom.conf:/gluetun/custom.conf:ro
    environment:
      - VPN_SERVICE_PROVIDER=custom
      - OPENVPN_CUSTOM_CONFIG=/gluetun/custom.conf
      - VPN_TYPE=openvpn
      - OPENVPN_USER='yourusername'
      - OPENVPN_PASSWORD='yourpassword'
      - TZ=Europe/London

So those are the basics stated in a little bit different way than the referenced guide. Let us know if you have any more specific questions.

[beyondunreal79]

Thanks. I have since figured some of this out. The only bit of trouble I am having now is the authentication part. I use mullvad. I got my conf, crt and key files where they are supposed to be. Gluetun is seeing them but can't authenticate. The error is: No client side authentication method is specified. You must either use --cert/--key, --pkc12, or --auth-user-pass. This is where I am stuck right now

[bnhf]

@beyondunreal79

Since Mullvad is a supported provider, you'll want to connect this way rather than using the custom provider method.

[beyondunreal79]

The reason i want to try the custom open config, is that I was using openvpn docker. There is an up and down resolve conf in the file that seems to stop dns leaks. When I do a dns leak test using gluetun, the result i get it that my dns may be leaking. I just want to be sure I don't have any dns leaks.

[bnhf]

@beyondunreal79

One of the absolute strengths of Gluetun is the prevention of DNS leaks. DNS is disabled in Gluetun until the tunnel is established and then DNS over TLS is used with Cloudflare. What type of testing are you doing that suggested you may have a DNS leak?

Here's an example of the way I like to test, which is to use a Firefox container in a stack together with Gluetun. I use Canada as my exit point, but am outside of that country. Using the IPLeak.net website, you can see with nearly 500 DNS hits -- it was Cloudflare in Canada every time:

[beyondunreal79]

This is interesting, So I tested it two ways, I do a docker exec -it gluetun /bin/sh to get into the container, then I have to add curl apk to it, then a ./dnsleaktest.sh (I have to install it first) My result is "Your dns may be leaking".

Now If I do the same test you show me I get this. That being said I am in the states and used mullvad to connect to Athens and here is my result.

If I use Mullvad dns leak test I get this:

Do these results make sense to you?

[bnhf]

@beyondunreal79

Definitely interesting, but somewhat typical when it comes to DNS leak testing. I believe both tests assume that you're going to use the DNS servers that Mullvad offers up, rather than the Gluetun approach which is to use DNS over TLS (for additional security and privacy). I.E., neither your ISP nor your VPN, are able to monitor your DNS queries.

In your first example, the Github page for that project is comparing the ASN for your exit IP and your DNS servers, and if both don't return "Mullvad" then you're told you might be leaking DNS. But in fact, the DNS IP addresses are both Cloudflare in Greece which tells you that everything is working as it should be. Neither your ISP's DNS servers nor Mullvad's DNS servers are used. Cloudflare would know your DNS queries, but they would originate from your VPN exit point IP address.

The Mullvad test is essentially the same situation, in that because we're not using their DNS servers, they're indicating a leak -- when once again all of your queries are being done in Greece through Cloudflare.

It is possible to disable DNS over TLS and use your VPN's DNS servers if your prefer, but by separating and encrypting DNS from your VPN provider (while still sending the DNS requests via the tunnel) you have an additional layer of anonymity.

[beyondunreal79]

This is great information. I am learning allot about this. I am interested to test out temporarily disabling DNS over TLS. Is that done simply by adding DOT=off to me compose under environments? I am interested to see what results I get them.

[bnhf]

@beyondunreal79

Since I've been happy with the way Gluetun handles DNS, I haven't experimented with the various DNS-related environment variables. But yes, as I understand it, DOT=off would disable DNS over TLS -- though I'd imagine you'd continue to use Cloudflare.

Not sure if there's an easy way to tell Gluetun to use the DNS server(s) offered up when the connection to the Mullvad server is established. It'll probably take some research on your part to figure out what IP to use if your goal is to use Mullvad's DNS. Mullvad lists 193.138.218.74 as its public DNS server, so DNS_ADDRESS=193.138.218.74 might do the trick.

You've probably seen the Gluetun DNS Wiki, but just in case: https://github.com/qdm12/gluetun/wiki/DNS-options

As you experiment with this, it'd be great if you could report back so we could both learn a little something. :-)

[beyondunreal79]

Here are my results by adding DOT=off. Mullvad's dns leak test is satisified

However, the ./dnslektest.sh test isn't. I am thinking that may be because it's still hitting two DNS servers. I think it wants to see one. Not sure if there is a wat to tell gluetun to only use one so I can confirm that. Also I am not sure what kind of DNS the first one is (the highlighted one). It looks more like a MAC address.

Finally the ipleaktest.net:

So it seems DOT=off forces the use of Mullvads DNS server for that particular server. Now this is using a wireguard protocol. I am interested to try this test with an openvpn protocol and see if the results are the same.

[bnhf]

@beyondunreal79

Thanks for reporting back -- good to know that DOT=off reverts to using the DNS servers offered up by the VPN provider. The address you highlighted is an IPv6 DNS server. And, as you can see, dnsleaktest.sh is in fact using the ASN to "decide" whether to show the warning about a possible DNS leak.

I realize there's a certain comfort in having a DNS leak test tell you there are no leaks. Now that you know a bit more about how this works, hopefully you can see that in all of the tests you've done, your DNS queries are being resolved in Greece. This means that your VPN exit IP address is where the request is originating from (as far as the DNS server is concerned), not your actual IP address.

The whole goal of these tests is to be sure that there are no DNS requests being resolved by your ISP, or any DNS servers that are close to you -- this would indicate that those requests are not going through your VPN tunnel, and would track back to your actual IP. These tests are just a tool, and whether they report a possible leak or not, it's best to do your own analysis to confirm the results.

[qdm12]

Thanks @bnhf what you described is exactly on point 🎖️

I would add handing over all your dns traffic to your vpn provider isn't the best idea, since they can indentify you more than a dns provider like google or Cloudflare. Ideally do dns split horizon to multiple dns servers (i. e. Cloudflare+google) so they can't profile nor identify you much.

[beyondunreal79]

Can gluetun do a dns split?

[bnhf]

@beyondunreal79

With DOT=on, give a comma separated list like this a try. If you experiment with any provider that resolves in Europe, but not in Greece -- I'd eliminate them in the interest of speed. Cloudflare and Google would be the best bets:

[beyondunreal79]

Very cool. Here are my results using google and cloudflare.

In terms of it being more difficult in being able to identify one, What does cloudflare, or google see? Just a Greek IP address search for a particular site rather than using my VPS's dns provider's seeing what my actual IP address is searching for?

[bnhf]

@beyondunreal79

In terms of it being more difficult in being able to identify one, What does cloudflare, or google see? Just a Greek IP address search for a particular site rather than using my VPS's dns provider's seeing what my actual IP address is searching for?

That's exactly right. Most VPN providers talk about not keeping logs -- and they probably don't. On the other hand, by using DNS over TLS through your VPN tunnel, your VPN provider won't have access to that information either way. And, as far as Google and Cloudflare are concerned they can store data, but it'll be from a Greek IP address -- which is not yours exclusively. There could potentially be tens or hundreds of people using your exit node at any given moment.

The @qdm12 suggestion of using multiple DOT providers further diffuses your DNS data -- which is great, and something I'll probably start doing myself.

[beyondunreal79]

I really appreciate this great information. I guess my last question would be, is it possible for me to connect to the same IP address within a specific city. If I set up a vpn connection in Switzerland, each time the vpn container restarts, it grabs a different IP in Switzerland. I am currently using the wireguard protocol.

[beyondunreal79]

If I put DOT_PROVIDERS=quad9,cloudflare in my yaml, gluetun log only show one dns server (the first one which is quad9) Did I comma separate that correctly?

…

On Fri, Mar 17, 2023 at 8:17 PM Scott Ueland ***@***.***> wrote: @beyondunreal79 <https://github.com/beyondunreal79> In terms of it being more difficult in being able to identify one, What does cloudflare, or google see? Just a Greek IP address search for a particular site rather than using my VPS's dns provider's seeing what my actual IP address is searching for? That's exactly right. Most VPN providers talk about not keeping logs -- and they probably don't. On the other hand, by using DNS over TLS through your VPN tunnel, your VPN provider won't have access to that information either way. And, as far as Google and Cloudflare are concerned they can store data, but it'll be from a Greek IP address -- which is not yours exclusively. There could potentially be tens or hundreds of people using your exit node at any given moment. The @qdm12 <https://github.com/qdm12> suggestion of using multiple DOT providers further diffuses your DNS data -- which is great, and something I'll probably start doing myself. — Reply to this email directly, view it on GitHub <#1375 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AK6KWIA53YMR47DYJFVQUCTW4T5JZANCNFSM6AAAAAAULLMQFU> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[beyondunreal79]

If I put DOT_PROVIDERS=quad9,cloudflare in my yaml, gluetun log only show one dns server (the first one which is quad9) Did I comma separate that correctly? Using Mullvad as my vpn provider.

…

On Fri, Mar 17, 2023 at 8:17 PM Scott Ueland ***@***.***> wrote: @beyondunreal79 <https://github.com/beyondunreal79> In terms of it being more difficult in being able to identify one, What does cloudflare, or google see? Just a Greek IP address search for a particular site rather than using my VPS's dns provider's seeing what my actual IP address is searching for? That's exactly right. Most VPN providers talk about not keeping logs -- and they probably don't. On the other hand, by using DNS over TLS through your VPN tunnel, your VPN provider won't have access to that information either way. And, as far as Google and Cloudflare are concerned they can store data, but it'll be from a Greek IP address -- which is not yours exclusively. There could potentially be tens or hundreds of people using your exit node at any given moment. The @qdm12 <https://github.com/qdm12> suggestion of using multiple DOT providers further diffuses your DNS data -- which is great, and something I'll probably start doing myself. — Reply to this email directly, view it on GitHub <#1375 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AK6KWIA53YMR47DYJFVQUCTW4T5JZANCNFSM6AAAAAAULLMQFU> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[beyondunreal79]

If I put DOT_PROVIDERS=quad9,cloudflare in my yaml, gluetun log only show one dns server (the first one which is quad9) Did I comma separate that correctly? Using Mullvad as my vpn provider and trying to multiple dns providers to diffuse my dns data as @qdm12/gluetun ***@***.***> suggested

…

On Fri, Mar 17, 2023 at 8:17 PM Scott Ueland ***@***.***> wrote: @beyondunreal79 <https://github.com/beyondunreal79> In terms of it being more difficult in being able to identify one, What does cloudflare, or google see? Just a Greek IP address search for a particular site rather than using my VPS's dns provider's seeing what my actual IP address is searching for? That's exactly right. Most VPN providers talk about not keeping logs -- and they probably don't. On the other hand, by using DNS over TLS through your VPN tunnel, your VPN provider won't have access to that information either way. And, as far as Google and Cloudflare are concerned they can store data, but it'll be from a Greek IP address -- which is not yours exclusively. There could potentially be tens or hundreds of people using your exit node at any given moment. The @qdm12 <https://github.com/qdm12> suggestion of using multiple DOT providers further diffuses your DNS data -- which is great, and something I'll probably start doing myself. — Reply to this email directly, view it on GitHub <#1375 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AK6KWIA53YMR47DYJFVQUCTW4T5JZANCNFSM6AAAAAAULLMQFU> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[beyondunreal79]

I'm curious. This is my config for a wireguard connection to Switzerland (based on my choosing on a specific country. Yet when I start the container, it connects to a completely different address from the endpoint I choose. Shouldn't it connect to 149.88.27.232?