Tether only WiFi traffic over VPN

I’ve managed to get a bit of time to test this further.

For my testing, I used the free VPNBook service and the dnsleaktest.sh script you used above.

Result: It seems to work correctly when the OSMC Pi has a static IP address. You can set the address from the command line:

connmanctl config ethernet_b827eb26fa82_cable --ipv4 manual <address> <netmask> <gateway>

The update-resolv-conf script requires /sbin/resolvconf to be present, which it wasn’t on my Pi, but it seems to be installed on your box.

PS I’ve edited your last post slightly so that it conforms with forum rules.

I have also tried using the free VPNBook, and I have some success but with a strange outcome.
I chose the German VPN on their site, and the IP address and the DNS look good when running the dnsleaktest.sh. But the tethered device receives the same IP address and a different DNS address, though interestingly not the ones provided by the VPN server.

Pi IP = 51.68.180.4
Tether IP = 51.68.180.4
Pi DNS = 51.38.107.66
Tether DNS = 130.225.244.166
The pushed DNS servers from the VPN = 213.186.33.99 & 91.239.100.100
Thu Nov 28 21:59:05 2019 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 213.186.33.99,dhcp-option DNS 91.239.100.100,route 10.8.0.1,topology net30,ping 5,ping-restart 30,ifconfig 10.8.0.10 10.8.0.9,peer-id 8,cipher AES-256-GCM'

This is very strange to me and I certainly don’t understand it or how it is getting a different DNS. It seems there is something going on between the Pi and the tethered devices.

Just to clarify too: I do have a static IP address already on the Pi, and I tried setting the settings again after the connman --nameserver command to see if it would kick-start this, but no changes.

Does the connman-vpn service work?

I also want to note that dnsleaktest.sh also shows no leak on the Pi when connected to NordVPN; the issue is still only on the tethered devices.
I’ve also noticed that connmand -v = 1.36. Is it possible to update connman to the latest version independently from the OS?

On both the Pi and tethered client, I see the same. Right now, also using DE4, it’s showing:

osmc@osmc:/etc/openvpn$ ./dnsleaktest.sh 
Your IP:
51.68.180.4 [France, French Republic AS16276 OVH SAS]

You use 1 DNS server:
130.226.161.34 [Denmark AS1835 Danish network for Research and Education]

So it looks like it’s working on my devices.

No.

It looks like a leak to me with those outcomes, as the IP and DNS are not too similar and the detected server is completely different.
Those are the same details I get on the tethered device though, not the Pi itself.
This is getting too difficult and I may have to try a completely different approach without connman tethering.

It doesn’t look like a DNS leak. How did you reach such a conclusion? When you use 8.8.8.8 and 8.8.4.4 do you see those IP addresses returned by dnsleaktest.sh? Of course not. VPNBook are a small operation and don’t provide their own DNS servers. The IP address 91.239.100.100 points to Denmark:

nslookup 91.239.100.100
100.100.239.91.in-addr.arpa	name = anycast.censurfridns.dk.

I think it’s no coincidence that 130.226.161.34 is also in Denmark:

nslookup 130.226.161.34
34.161.226.130.in-addr.arpa	name = deic-ore.anycast.censurfridns.dk.

Since it’s working fine for me on a fresh install of 2019.07-1, perhaps you might consider a reinstall of OSMC.

Update: The other DNS IP address pushed by VPNBook, 213.186.33.99, is (correctly) redirecting to an IP address, from the same domain:

nslookup 213.186.33.99
99.33.186.213.in-addr.arpa	name = cdns.ovh.net.

redirects to

nslookup 51.38.107.66
66.107.38.51.in-addr.arpa	name = host2.lim.cdns.ovh.net.

and IP address 130.225.244.166 that you saw is also from anycast.censurfridns.dk:

nslookup 130.225.244.166        
166.244.225.130.in-addr.arpa	name = deic-lgb.anycast.censurfridns.dk.

So your Pi and tethering both seem to be working correctly on VPNBook.
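
The comparison made in the last post (DNS servers pushed by the VPN versus the resolver a leak test reports, matched by reverse-DNS name), as an added example that is not part of the original thread. The function names are hypothetical, the PTR table is copied from the nslookup output above plus one constructed entry, and treating the last two labels of the PTR name as the operator is a simplifying assumption.

```python
import re

# PUSH_REPLY line as logged by OpenVPN in the thread above.
PUSH_LOG = ("PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,"
            "dhcp-option DNS 213.186.33.99,dhcp-option DNS 91.239.100.100,"
            "route 10.8.0.1,topology net30,ping 5,ping-restart 30,"
            "ifconfig 10.8.0.10 10.8.0.9,peer-id 8,cipher AES-256-GCM'")

# PTR names copied from the nslookup output in the thread; the last entry is
# a constructed ISP resolver (documentation address) to show a leak.
PTR = {
    "91.239.100.100": "anycast.censurfridns.dk.",
    "130.226.161.34": "deic-ore.anycast.censurfridns.dk.",
    "130.225.244.166": "deic-lgb.anycast.censurfridns.dk.",
    "213.186.33.99": "cdns.ovh.net.",
    "51.38.107.66": "host2.lim.cdns.ovh.net.",
    "192.0.2.53": "resolver.isp.example.",
}

def pushed_dns(log_line):
    """Return the DNS servers pushed in an OpenVPN PUSH_REPLY line."""
    return re.findall(r"dhcp-option DNS (\d{1,3}(?:\.\d{1,3}){3})", log_line)

def operator(ip, ptr=PTR):
    """Naive operator key: last two labels of the PTR name (None if no PTR).
    Simplification: does not handle multi-label public suffixes like co.uk."""
    name = ptr.get(ip)
    if not name:
        return None
    return ".".join(name.rstrip(".").split(".")[-2:]).lower()

def classify(observed, log_line=PUSH_LOG, ptr=PTR):
    """Map each resolver seen by a leak test to 'pushed', 'same-operator' or 'unexpected'."""
    pushed = pushed_dns(log_line)
    pushed_ops = {operator(ip, ptr) for ip in pushed} - {None}
    result = {}
    for ip in observed:
        if ip in pushed:
            result[ip] = "pushed"
        elif operator(ip, ptr) in pushed_ops:
            result[ip] = "same-operator"
        else:
            result[ip] = "unexpected"
    return result

if __name__ == "__main__":
    for ip, verdict in classify(["51.38.107.66", "130.225.244.166", "192.0.2.53"]).items():
        print(ip, PTR.get(ip, "-"), verdict)
```

PTR records are set by whoever controls the reverse zone, so a name match is a heuristic for triage rather than proof of who operates the resolver.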