OpenVPN, moving from init.d way to the Stretch/systemd way

A belated reply on the subject of leakage.

DNS leakage. As long as the VPN is directing all external traffic through the tunnel, no DNS leakage should occur. There was an issue with Connman where traffic to DNS resolvers was being sent outside the VPN but that’s been fixed in 2017.12-1. The one remaining possibility for leakage is if your DNS resolver is on your local network, e.g. your router or a local instance of PiHole. So whenever using a VPN make sure that your DNS resolver is not on the local network. In practice, most VPNs will push their own resolver, so this isn’t usually such an issue.

Data leakage. You can mess around with iptables and create a bulletproof set-up but in my opinion it’s overkill for 99% of cases. However, what is very useful is to define an automatic restart for the openvpn service, so if it fails the downtime will be measured in seconds. The best way to do this is:

sudo mkdir /etc/systemd/system/openvpn@.service.d
sudo nano /etc/systemd/system/openvpn@.service.d/restart.conf

and in the file paste these three lines:

[Service]
Restart=always
RestartSec=5
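The DNS leakage point above (a resolver on the local network is queried outside the tunnel) can be checked mechanically. The script below is an added example, not code from the post: it parses resolv.conf text and compares each nameserver against constructed LAN and tun subnets (the addresses, SAMPLE_RESOLV_CONF, LOCAL_NETWORKS and TUNNEL_NETWORKS are all assumed sample values; on a real host you would read /etc/resolv.conf and the subnets from `ip -4 addr`).

```python
import ipaddress

# Constructed sample of /etc/resolv.conf for a machine whose resolvers are
# its router, the VPN's own resolver and a public resolver (not from the post).
SAMPLE_RESOLV_CONF = """\
# Generated by resolvconf
nameserver 192.168.1.1
nameserver 10.8.0.1
nameserver 9.9.9.9
"""
# Constructed subnets, as `ip -4 addr` would show on the LAN and tun interfaces.
LOCAL_NETWORKS = ["192.168.1.0/24"]
TUNNEL_NETWORKS = ["10.8.0.0/24"]


def parse_nameservers(resolv_conf_text):
    """Return the nameserver addresses listed in resolv.conf text."""
    servers = []
    for line in resolv_conf_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                pass  # skip malformed entries rather than crash
    return servers


def classify_resolvers(resolv_conf_text, local_nets, tunnel_nets):
    """Label each resolver 'local' (on the LAN, reached outside the tunnel:
    leak risk), 'tunnel' (inside the VPN subnet) or 'remote' (follows the
    default route, i.e. the tunnel when the VPN redirects all traffic)."""
    local = [ipaddress.ip_network(n) for n in local_nets]
    tunnel = [ipaddress.ip_network(n) for n in tunnel_nets]
    result = {}
    for ns in parse_nameservers(resolv_conf_text):
        if any(ns in net for net in local):
            result[str(ns)] = "local"
        elif any(ns in net for net in tunnel):
            result[str(ns)] = "tunnel"
        else:
            result[str(ns)] = "remote"
    return result


def leaking_resolvers(resolv_conf_text, local_nets, tunnel_nets):
    """Resolvers that would be queried over the LAN instead of the VPN."""
    kinds = classify_resolvers(resolv_conf_text, local_nets, tunnel_nets)
    return sorted(ns for ns, kind in kinds.items() if kind == "local")
```

With the sample above, 192.168.1.1 is flagged as a local resolver while the VPN-pushed 10.8.0.1 and the public 9.9.9.9 both go through the tunnel.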