TorGuard

iOS DNS Leak with IKEv2 and/or IPSec VPN


4b3e098b

Question

When using OpenVPN via OpenVPN Connect, I do not get DNS Leaks, but OpenVPN on iOS doesn't auto-reconnect or support On Demand VPN. TorGuard L2TP doesn't DNS leak like IKEv2 or IPSec, but it's the least secure protocol.

When setting up TorGuard with IKEv2 or IPSec, regardless of whether I use the TorGuard iOS app, configure it manually in Settings, or use a .mobileconfig profile to load the VPN configuration settings, TorGuard leaks the DNS, and this has been happening for as long as I've tried.

I'm using a .mobileconfig profile to load all my VPN servers/configuration, and I wrote it to effectively kill-switch/auto-reconnect, which works well with TorGuard minus the DNS Leak (I get this no matter how I connect via IKEv2 or IPSec so I know it isn't the profile, as the official iOS app has the same problem).

I have a different VPN service that can do IKEv2 (they don't support IPSec, and I prefer IKEv2 over that anyway), though I've been having trouble connecting to it over Wi-Fi via IKEv2. That they avoid the DNS leak though shows that TorGuard should as well.


5 answers to this question

  • 0
Support

Hey there,

IKEv2 is commonly blocked on many networks, which is why we offer both Cisco IPSec (over TCP) and IKEv2 (mainly UDP) as options - when IKEv2 doesn't work, 99% of the time UDP is blocked on that port or all ports. What I find strange is that L2TP isn't leaking and only IKEv2 is, when they both use very similar configs and the same DNS settings as each other, so I do not see how one could leak and one wouldn't; if one leaked, both should leak.

What exactly do you see in leak tests? I'm testing here over O2 on both through the iOS app, and I do not see any DNS other than the endpoint DNS.

Regards

  • 0
1 hour ago, Support said:

Hey there,

IKEv2 is commonly blocked on many networks, which is why we offer both Cisco IPSec (over TCP) and IKEv2 (mainly UDP) as options - when IKEv2 doesn't work, 99% of the time UDP is blocked on that port or all ports. What I find strange is that L2TP isn't leaking and only IKEv2 is, when they both use very similar configs and the same DNS settings as each other, so I do not see how one could leak and one wouldn't; if one leaked, both should leak.

What exactly do you see in leak tests? I'm testing here over O2 on both through the iOS app, and I do not see any DNS other than the endpoint DNS.

Regards


It seems I'm getting Google DNS IPs.

DNS servers seen in leak tests (Cellular vs. Wi-Fi):

Connection                         Cellular                       Wi-Fi
No VPN                             1 AT&T DNS IP (Expected)       Several OpenDNS IPs (Expected)
ProtonVPN IKEv2                    1 Endpoint IP (Expected)       1 Endpoint IP (Expected)
ProtonVPN OpenVPN                  1 Endpoint IP (Expected)       1 Endpoint IP (Expected)
TorGuard AnyConnect                Several Level 3 DNS IPs        Several Google DNS IPs
TorGuard Dedicated IP OpenVPN      1 Endpoint IP (Expected)       1 Endpoint IP (Expected)
TorGuard Dedicated IP IKEv2        Several Google DNS IPs         Several Google DNS IPs
TorGuard Dedicated IP IPSec        Several Google DNS IPs         Several Google DNS IPs
TorGuard Dedicated IP L2TP         1 Endpoint IP (Expected)       1 Endpoint IP (Expected)
TorGuard New York OpenVPN          1 Endpoint IP (Expected)       1 Endpoint IP (Expected)
TorGuard New York IKEv2            Several Google DNS IPs         Several Google DNS IPs
TorGuard New York IPSec            Several Google DNS IPs         Several Google DNS IPs
TorGuard New York L2TP             1 Endpoint IP (Expected)       1 Endpoint IP (Expected)

Notes
- I use UDP for all OpenVPN, though TCP doesn't make a difference.
- My carrier is AT&T.
- It hasn't mattered in the past which New York server I use, though I'm using a direct IP so that I always get the same one.
- I do get the WAN IP successfully in all cases, and I can connect to all protocols listed regardless of being at home, work, or on cellular.
- AnyConnect seemed to differ depending on Wi-Fi or Cellular. Everything else was the same DNS service regardless of Wi-Fi or Cellular. I don't plan on using AnyConnect, but wanted to compare it here.
- ProtonVPN doesn't DNS leak over IKEv2. They only offer OpenVPN and IKEv2, and no Dedicated IP options (or port forwarding), so the other protocols don't apply.
- OpenVPN works fine in all cases.
- I also get DNS leaks over IKEv2 if I connect from Mac settings instead of my iPhone.

  • 0

I got the idea to test a UK server since you mentioned O2. I also tested Chicago.

They don't seem to leak, but I have a lot more difficulty connecting to them than NY. I can't connect to either over IKEv2 at all if I use my iOS profile, but I can if I set it up manually (not sure if these have different settings than NY IKEv2).

  • 0

Connecting via IKEv2, I tested what DNS leaks and what doesn't. I used the Direct IP, though the one for Chicago never works, so I did an nslookup and used a working IP.

PS: I tested almost 50 different Chicago servers via OpenVPN and they all had bad speeds (and there are some IPs that I can never connect to via Chicago). Oddly, I can get full speeds from LA despite being much farther away.

DNS LEAK YES
Atlanta
Dedicated IP
New Jersey
New York
Seattle

DNS LEAK NO
Chicago (I did not test every IP out of the many I tried, but the ones I did look at didn't leak)
Dallas
Las Vegas
Los Angeles
Miami

  • 0
Support
2 hours ago, 4b3e098b said:

Connecting via IKEv2, I tested what DNS leaks and what doesn't. I used the Direct IP, though the one for Chicago never works, so I did an nslookup and used a working IP.

PS: I tested almost 50 different Chicago servers via OpenVPN and they all had bad speeds (and there are some IPs that I can never connect to via Chicago). Oddly, I can get full speeds from LA despite being much farther away.

DNS LEAK YES
Atlanta
Dedicated IP
New Jersey
New York
Seattle

DNS LEAK NO
Chicago (I did not test every IP out of the many I tried, but the ones I did look at didn't leak)
Dallas
Las Vegas
Los Angeles
Miami


Would it be possible to retest this now? Chicago did have a network issue, but it seems to have been fixed now, even though we didn't have many complaints in regards to speeds.

In regards to the DNS being Google, it isn't necessarily a DNS leak; if it showed your ISP, it would be a leak, but your profile will use the best DNS for you at that time. They will all push endpoint DNS first.

Regards

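As an added example (not TorGuard's code and not from anyone in this thread), here is a small Python classifier that applies the distinction Support draws above to a leak-test result: it labels each resolver address reported by the test as the VPN endpoint, the ISP's resolver, a known third-party public resolver, or unknown, and calls the run a leak only when the ISP's resolver shows up while the tunnel is up. The endpoint address, the ISP prefix and the public-resolver prefixes are constructed placeholders (RFC 5737 documentation ranges plus the well-known anycast addresses of Google, OpenDNS and Level 3), not values from the thread; a real check needs the server you actually connected to, your carrier's resolver ranges, and the resolver operators' published egress ranges, because leak-test sites report the address that queried them, not the anycast address configured on the device.

```python
"""Classify the resolver addresses reported by a DNS leak test.

Added example, not TorGuard's code. All addresses below are constructed
placeholders: swap in the VPN server you connected to, your carrier's
resolver ranges and the resolver operators' published egress ranges.
"""
import ipaddress
from collections import Counter

# --- constructed inputs (placeholders, not values from the thread) ---
VPN_ENDPOINT = ipaddress.ip_address("198.51.100.10")  # RFC 5737 TEST-NET-2 stand-in for the VPN server
ISP_RESOLVER_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]  # TEST-NET-3 stand-in for the carrier's DNS
PUBLIC_RESOLVER_PREFIXES = {
    "Google": [ipaddress.ip_network("8.8.8.0/24"), ipaddress.ip_network("8.8.4.0/24")],
    "OpenDNS": [ipaddress.ip_network("208.67.220.0/24"), ipaddress.ip_network("208.67.222.0/24")],
    "Level 3": [ipaddress.ip_network("4.2.2.0/24")],
}


def classify(addr: str) -> str:
    """Return 'endpoint', 'isp', the name of a public resolver operator, or 'unknown'."""
    ip = ipaddress.ip_address(addr)
    if ip == VPN_ENDPOINT:
        return "endpoint"
    if any(ip in net for net in ISP_RESOLVER_PREFIXES):
        return "isp"
    for operator, nets in PUBLIC_RESOLVER_PREFIXES.items():
        if any(ip in net for net in nets):
            return operator
    return "unknown"


def verdict(observed: list[str]) -> dict:
    """Summarise one leak-test run.

    Rules follow the distinction drawn in the thread: the ISP's resolver
    appearing while the tunnel is up is a leak; the endpoint's own resolver
    is expected; a third-party public resolver means queries are not going
    to the endpoint's resolver, which is worth checking but is not an ISP leak.
    """
    if not observed:
        return {"verdict": "no-data", "resolvers": {}}
    counts = Counter(classify(a) for a in observed)
    if counts["isp"]:
        result = "leak"
    elif counts["unknown"]:
        result = "unknown"
    elif set(counts) == {"endpoint"}:
        result = "expected"
    else:
        result = "third-party"
    return {"verdict": result, "resolvers": dict(counts)}


if __name__ == "__main__":
    # Constructed runs mirroring the shapes reported in the thread, not real captures.
    runs = {
        "OpenVPN": ["198.51.100.10"],
        "IKEv2": ["8.8.8.8", "8.8.4.4", "8.8.8.4"],
        "no VPN": ["203.0.113.5"],
    }
    for name, seen in runs.items():
        print(name, verdict(seen))
```

Feed it the resolver list from a leak-test run taken while connected; an "expected" verdict matches the OpenVPN and L2TP rows in the poster's table, "third-party" matches the IKEv2/IPSec rows, and "leak" is the case Support says would count.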