Many streaming services implement a DNS check and block any user whose IP and DNS are in different geo locations. Unfortunately, the ibVPN app in ClearOS suffers from a DNS leak, which renders it useless with many video streaming providers.
I check the DNS leak using dnsleak.com and dnsleaktest.com. There is always a leak when connecting via ClearOS. No leak appears when connecting directly from a client computer using ibVPN's ovpn configuration file. Attached are the /etc/clearos/ibvpn.d/ibvpn.ovpn from ClearOS and ibVPN_reference.ovpn for comparison.
I tried to solve the leak in ClearOS by using ibVPN DNS in Network -> IP Settings -> Network -> DNS, but without success. The DNS server only appears as one of many servers used for resolving names.
I also edited /etc/resolv.conf in ClearOS by commenting out "nameserver 127.0.0.1" and by forcing another nameserver, but the leak is always there.
There are scripts on GitHub, such as this one, for OpenVPN to prevent the leak, but I'm not sure if they are compatible with ClearOS.
So, any suggestions to solve this issue?
Thank you Nick. I found it in clearos-contribs-testing.
The app's page is accessible now from within webconfig, but the service cannot be started! The "Status" remains "Stopped" after clicking on the Start button. I tried to look for some log files for this app to see what's going on, but couldn't find any.
According to the ClearOS 7.4 change log:
Samba updates disable NTLMv1
Maybe that Win10 client is trying to use NTLMv1. See here please to fix this: https://forums.freenas.org/index.php?threads/smb-problem-on-win-10-client-fn11-rc.54316/
ipsets could be a little over the top if you want to try a different approach. For your kids, see if you can group them into a subnet somewhere within your LAN subnet but outside the DHCP range, so, if your DHCP range is .100 - .254, in the Webconfig > Network > Infrastructure > DHCP Server > Leases set your kids, say, somewhere between .64 and .71 (choose a bigger range if you have more kids!). Have a look at something like the Subnet Calculator to work out a good range, but starting at .64 (or .32) is quite a good starting point depending on your DHCP range. You will have to restart their devices or wait until their leases expire before they get the new IPs. If you do that then you can block using something like:
This avoids multiple rules or ipsets.
To run ipsets, check you have ipset installed:
Install it if necessary, but I think you must have it to create your set.
Because of timing issues, from my other post, create /etc/sysconfig/modules/ip_set.modules and make it executable and in it put:
You can do this with the following:
Once you have created your set, use my three-liner to save it:
You can adjust the file names as you want.
Then to reload the ipset set on boot up, add a line to /etc/rc.d/rc.local:
Also see the note at the top of the file to make it executable.
You should then be ready to go.
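
Added example, not part of the original post: a small check, in place of a subnet calculator, that a range of static leases such as .64 to .71 collapses to exactly one CIDR block and stays clear of the DHCP pool, so one firewall rule can cover it. The 192.168.1.0/24 LAN prefix and the function name `plan_static_block` are assumptions made for illustration.

```python
import ipaddress


def plan_static_block(first, last, dhcp_first, dhcp_last, lan):
    """Return the single CIDR block covering first..last.

    Raises ValueError if the range leaves the LAN, overlaps the DHCP
    pool, or cannot be expressed as one CIDR block.
    """
    lan_net = ipaddress.ip_network(lan)
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    d_lo = ipaddress.ip_address(dhcp_first)
    d_hi = ipaddress.ip_address(dhcp_last)

    if lo > hi:
        raise ValueError("first address is above last address")
    if lo not in lan_net or hi not in lan_net:
        raise ValueError(f"{first}-{last} is not inside {lan_net}")
    # Two ranges overlap when each one starts before the other ends.
    if lo <= d_hi and d_lo <= hi:
        raise ValueError(f"{first}-{last} overlaps the DHCP pool")

    # An aligned, power-of-two sized range summarizes to one network;
    # anything else splits into several and would need several rules.
    blocks = list(ipaddress.summarize_address_range(lo, hi))
    if len(blocks) != 1:
        parts = ", ".join(str(b) for b in blocks)
        raise ValueError(f"{first}-{last} needs {len(blocks)} blocks: {parts}")
    return blocks[0]


if __name__ == "__main__":
    # Constructed sample values: LAN prefix assumed, DHCP pool .100-.254.
    pool = ("192.168.1.100", "192.168.1.254", "192.168.1.0/24")
    for first, last in [("192.168.1.64", "192.168.1.71"),
                        ("192.168.1.32", "192.168.1.63"),
                        ("192.168.1.65", "192.168.1.72"),
                        ("192.168.1.96", "192.168.1.103")]:
        try:
            print(f"{first}-{last}: {plan_static_block(first, last, *pool)}")
        except ValueError as err:
            print(f"{first}-{last}: rejected ({err})")
```

The shifted range .65 to .72 is rejected because it splits into four blocks, which is why starting on a boundary such as .64 or .32 matters.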