RT-AC5300 r36596 / DNS Leak PBR eibgrad / OpenVPN VPN Guest

elsuva
DD-WRT Novice


Joined: 20 Aug 2018
Posts: 9
Location: Buenos Aires, Argentina

PostPosted: Mon Aug 20, 2018 19:12    Post subject: RT-AC5300 r36596 / DNS Leak PBR eibgrad / OpenVPN VPN Guest
ASUS RT-AC5300 / DD-WRT v3.0-r36596 std (08/14/18) / WiFi - OpenVPN - VPN Guest Network / DNS Leak / PBR (Policy based Routing) / Startup Script from eibgrad (ticket #5690)

I have installed the DD-WRT v3.0-r36596 std (08/14/18) firmware (BrainSlayer build) on my ASUS RT-AC5300 (Broadcom BCM4709) router (that I bought from FlashRouters more than a year ago), setting up (resetting it before, after, etc.), the Basics, the WiFi, an ExpressVPN OpenVPN and a VPN Guest Network.

As it is well known (I suppose), there are problems with filling the PBR (Policy based Routing) field, using the Web Interface, on the Services->VPN page.

Without filling the PBR the VPN traffic uses the ExpressVPN DNS servers, without any DNS Leak (by the way, strangely, I am not able to ping the www.netflix.com site).

As soon as I fill (and apply - even rebooting everything) the PBR field, everything goes wrong and it is not possible to browse a lot of sites...

Using the Startup Script written by eibgrad (ticket #5690), things start to go right, but the VPN traffic does not use the ExpressVPN DNS servers, it uses the Static DNS 1 server, set by me (Setup->Basic Setup page) for the local traffic.

For me, using the Static DNS 1 server for the VPN traffic should be considered a DNS Leak (by the way, in this case, I am able to ping and browse the www.netflix.com site, but not to stream from it - maybe, detecting the DNS leaks, they suppose I am using a VPN).

Unless a member from the forum asks me to create a new ticket, I do not think it will be a useful idea to do that.

I think I will have to wait for a new BS build... Anyway, I will try the v3.0-r36070 kongac (Kong) build (2018-05-31) to see if I am able to find better results...

Regards,
Ernesto.

P.S.: this is my first forum message... sorry for my English... it is not my mother tongue.
grc
DD-WRT User


Joined: 11 Jul 2018
Posts: 122

PostPosted: Mon Aug 20, 2018 20:40    Post subject:
look at the solution from eibgrad with second instance of Dnsmasq for VPN traffic in this thread:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=288986&postdays=0&postorder=asc&start=0

to prevent VPN server from pushing DNS use `pull-filter ignore "dhcp-option DNS"` in OpenVPN client additional config

for me it works flawlessly
elsuva
DD-WRT Novice


Joined: 20 Aug 2018
Posts: 9
Location: Buenos Aires, Argentina

PostPosted: Tue Aug 21, 2018 2:29    Post subject:
Thank you for the answers!

I have SFE disabled (I knew that there were some problems with it and the PBR).

I want the VPN traffic to use the DNS servers from my OpenVPN provider (ExpressVPN)... that would be no DNS leaks for me. Therefore, I will try the v3.0-r36070 kongac (Kong) build (2018-05-31)...

I will write about the results.

Regards,
Ernesto.
grc
DD-WRT User


Joined: 11 Jul 2018
Posts: 122

PostPosted: Tue Aug 21, 2018 5:27    Post subject:
thank you eibgrad for clarifying this. I appreciate your work very much.

eibgrad wrote:
you *must* use the Kong builds.


but in this case ISP's traffic must use pushed DNS too (e.g. 10.4.0.1 which is accessible only over tunnel) - a kind of DNS leak.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12885
Location: Netherlands

PostPosted: Tue Aug 21, 2018 8:24    Post subject:
I am using Kong's build (and a lot of @eibgrad's recommended settings and scripts) but even with Kong's build there can be a DNS leak. If your WAN interface is set to automatic the ISP DNS server is automatically added to the DNS server list. It is on the bottom of the list but if other DNS servers are slow then it can respond.
The easiest method is to enable "Query Strict Order" on the Services page, however this is of course not foolproof (@Eibgrad will not approve :) ) (I am using this method, lazy as I am)

Perhaps a better option is to use the no-resolv directive added in the DNSMasq options followed with the public DNS servers of your VPN Provider i.e.
Code:
no-resolv
server=208.67.222.123
server=208.67.220.123


But this still sends the DNS traffic through the WAN interface although always to the right DNS server.

I know @Eibgrad has an advanced PBR script which also routes DNS traffic through the VPN tunnel, if I am not mistaken.

If you do really need that he will point you in the right direction.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
elsuva
DD-WRT Novice


Joined: 20 Aug 2018
Posts: 9
Location: Buenos Aires, Argentina

PostPosted: Tue Aug 21, 2018 21:32    Post subject:
First of all... thank you for all your replies!

To be sure that I have explained this issue well, I will add the following:

When I have up and running an OpenVPN without using any PBR, my VPN traffic (only) uses one of the DNS Servers from my VPN provider (ExpressVPN in my case)… BUT… when I use the PBR… it starts to use one of the static DNS Servers I filled on the Setup -> Basic Setup of the Web GUI! Not a DNS server from my VPN provider!

This is (when I use PBR) what I think is a DNS Leak… (and, maybe, considered a bug).

Let me give you some more data… first of all, I tell you that I started trying different Static DNS servers… finally choosing the following OpenNIC DNS Servers (filling the three Static DNS fields on the Setup -> Basic Setup page):
172.98.193.42
162.248.241.94
128.52.130.209

The following results confirm what I am telling you… using the ExpressVPN Internet test pages…

WHEN... I have up and running the OpenVPN WITHOUT USING any PBR, these are the results…

"What is my IP address location?
Protection green ExpressVPN Connected
You’re connected to: USA - New Jersey - 3
ExpressVPN IP address: xxx.xxx.xxx.xxx (Sorry, but I do not want to make public the IP #)
IP address secure: The websites you visit cannot use your IP address to identify you."

"DNS Leak Test
Protection green ExpressVPN Connected
You’re connected to: USA - New Jersey - 3
All DNS requests are going through ExpressVPN's encrypted, private servers. No DNS leaks detected. You’re using ExpressVPN’s secure DNS servers.
IP address: xxx.xxx.xxx.yyy (Sorry, but I do not want to make public the IP #) Provider: ExpressVPN Country: USA - New Jersey - 3".

"WebRTC Leak Test
Protection green ExpressVPN Connected
You’re connected to: USA - New Jersey - 3
Your browser is not leaking your IP address to the websites you visit. No WebRTC leak detected. ExpressVPN is protecting you from WebRTC leaks.
IP address: 192.168.11.100 Type: Local Status: No leak
IP address: xxx.xxx.xxx.xxx (Sorry, I do not want to make public the IP #) Type: Public IPv4 (ExpressVPN) Status: No leak".

BUT WHEN... I have up and running the OpenVPN USING the PBR, these are the results…

"What is my IP address location?
Protection green ExpressVPN Connected
You’re connected to: USA - New Jersey - 3
ExpressVPN IP address: zzz.zzz.zzz.zzz (Sorry, I do not want to make public the IP #)
IP address secure: The websites you visit cannot use your IP address to identify you."

"DNS Leak Test
Protection yellow ExpressVPN Connected
You’re connected to: USA - New Jersey - 3
DNS requests exposed! Whoever runs your DNS servers can log every website you visit.
IP address: 172.98.193.42 (THIS IS THE IP # OF MY FIRST OpenNIC DNS SERVER!!!) Provider: Centrilogic Country: United States".

"WebRTC Leak Test
Protection green ExpressVPN Connected
You’re connected to: USA - New Jersey - 3
Your browser is not leaking your IP address to the websites you visit. No WebRTC leak detected. ExpressVPN is protecting you from WebRTC leaks.
IP address: 192.168.11.100 Type: Local Status: No leak
IP address: zzz.zzz.zzz.zzz (Sorry, I do not want to make public the IP #) Type: Public IPv4 (ExpressVPN) Status: No leak".

For me... it is clear that my DNS requests are being routed to my first OpenNIC DNS Server and not to an ExpressVPN’s secure DNS Server when I use PBR!!!

I think that the correct DD-WRT firmware behaviour should be that the VPN traffic should use the ExpressVPN's secure DNS Server with or without using the PBR.

The Kongac builds (in particular the v3.0-r36070 kongac (Kong) build (2018-05-31)), how do they behave with the PBR filled?

Regards,
Ernesto.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12885
Location: Netherlands

PostPosted: Thu Aug 23, 2018 7:25    Post subject:
What you are experiencing has been extensively documented by @Eibgrad et al.

There are basically two problems:
1. Which DNS server is used:
ExpressVPN pushes its DNS servers to you, but firmware from BS does not use them. Kong's firmware does use them: those pushed DNS servers are set at the top of the list, before the statically set DNS servers.
(you can use WinSCP or telnet to go to your router and look in the /tmp directory for resolv.dnsmasq where the DNS servers are stored)

But as DNSMasq normally takes the DNS server which is the quickest, it can use the ones from your static DNS unless you enable strict order (this is not a foolproof solution). Furthermore, if you are using a dynamically configured WAN, the ISP DNS server is added to the list of DNS servers and that would be your ISP's (a bug). So even with strict order set, eventually (if all DNS servers before that fail) your ISP's DNS server can be used.

To counter that use the no-resolv directive and set the express VPN servers (they have to be publicly available) see my earlier posting.

The second problem is that the DNS query uses the WAN interface and not the VPN if PBR is active, so with no-resolv etc. DNS queries are sent to the right DNS server but over the internet, so they can theoretically be intercepted, and if you are a high level target of the government I would consider that a DNS leak.

If you do not want that then use one of @eibgrad's advanced PBR scripts, that can route DNS queries via the VPN.

This has all been extensively researched and documented by @Eibgrad, so you should not have to do all that testing (although it can be fun :) )

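A router-side check that ties egc's two points together (which resolvers dnsmasq actually consults once no-resolv and server= lines are in play, and whether each of them is reached through the tunnel or over the WAN), added here as an example; it is not code from the thread or from DD-WRT. It assumes the DD-WRT paths /tmp/resolv.dnsmasq and /tmp/dnsmasq.conf and the VPN device name tun1 (elsuva's "interface=tun1"); the parsing functions take text so they can be exercised off the router.

```shell
#!/bin/sh
# Added example, not from the thread or from DD-WRT. Lists the resolvers
# dnsmasq will consult and reports, per resolver, whether the router reaches
# it over the VPN tunnel or over the WAN. Assumed paths/names:
# /tmp/resolv.dnsmasq, /tmp/dnsmasq.conf and the VPN device tun1.

# Resolvers dnsmasq will use. With "no-resolv" among the options only the
# server= lines count; otherwise the resolv.dnsmasq nameservers come first
# and the server= lines are added after them. Inline comments and spaces
# ("server= 1.2.3.4 #name") are stripped first.
# $1 = dnsmasq options text, $2 = resolv.dnsmasq text
effective_servers() {
    extra=$(printf '%s\n' "$1" | sed 's/#.*//; s/[[:space:]]//g')
    if ! printf '%s\n' "$extra" | grep -qx 'no-resolv'; then
        printf '%s\n' "$2" | awk '$1 == "nameserver" { print $2 }'
    fi
    printf '%s\n' "$extra" | sed -n 's/^server=//p'
}

# Egress device parsed from one line of "ip route get <ip>" output.
# $1 = route line, e.g. "10.4.0.1 dev tun1 src 10.4.0.6 uid 0"
route_dev() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "dev") print $(i + 1) }'
}

# Verdict for one resolver: "tunnel" if it egresses via the VPN device,
# "wan" if the query leaves in the clear (the leak egc describes),
# "unreachable" if there is no route at all (a tunnel-only VPN resolver
# once PBR stops sending the router's own traffic into the tunnel).
# $1 = resolver ip, $2 = route line, $3 = VPN device name
classify() {
    dev=$(route_dev "$2")
    if [ -z "$dev" ]; then
        echo "$1 unreachable"
    elif [ "$dev" = "$3" ]; then
        echo "$1 tunnel"
    else
        echo "$1 wan"
    fi
}

# Live run only when executed on the router itself; skipped elsewhere.
if [ -f /tmp/resolv.dnsmasq ] && command -v ip >/dev/null 2>&1; then
    for s in $(effective_servers "$(cat /tmp/dnsmasq.conf 2>/dev/null)" \
                                 "$(cat /tmp/resolv.dnsmasq)"); do
        classify "$s" "$(ip route get "$s" 2>/dev/null | head -n 1)" tun1
    done
fi
```

Any line ending in "wan" is a resolver the ISP can observe even when the server itself is trusted; "unreachable" on a pushed VPN resolver is the symptom that makes dnsmasq fall back to the static servers.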
elsuva
DD-WRT Novice


Joined: 20 Aug 2018
Posts: 9
Location: Buenos Aires, Argentina

PostPosted: Fri Aug 24, 2018 14:53    Post subject:
Thank you!

Anyway I have tried the v3.0-r36070 kongac (Kong) build (2018-05-31) before reading your reply...

For the record... the behaviour is exactly the same...

"When I have up and running an OpenVPN without using any PBR, my VPN traffic (only) use one of the DNS Servers from my VPN provider (ExpressVPN in my case)… BUT… when I use the PBR… it starts to use one of the static DNS Servers I filled on the Setup -> Basic Setup of the Web GUI! Not a DNS server from my VPN provider!"

Nevertheless, the Kong version does not need the Startup Script written by eibgrad (ticket #5690).

Regards,
Ernesto.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12885
Location: Netherlands

PostPosted: Fri Aug 24, 2018 15:59    Post subject:
That is possible if the Express VPN servers are not publicly available, but only through the tunnel
Or you do not have "strict order" enabled

After changing anything be sure to reboot.

The DNS servers can be found in /tmp/resolv.dnsmasq; use WinSCP or telnet to your router and do
cat /tmp/resolv.dnsmasq

But as said the following added to the DNSMasq options will not read the resolv.dnsmasq and use only the server=

Code:
no-resolv
server=209.244.0.3 #level3
server=209.244.0.4 #level3


At least that is how it is supposed to work, and instead of the level3 servers you can set the Express VPN servers if they are publicly available.

Be sure to reboot :)

Oh and if you are testing from within your network, check if routers higher up do not have the "Forced DNS Redirection" enabled (I once heard that BT has this so that you always used their DNS servers, and then the only way is to use the VPN tunnel)

And if you want to use the tunnel and PBR use one of @eibgrad's advanced scripts.

grc
DD-WRT User


Joined: 11 Jul 2018
Posts: 122

PostPosted: Fri Aug 24, 2018 16:21    Post subject:
do you have something in "additional dnsmasq options" field on Services page?
elsuva
DD-WRT Novice


Joined: 20 Aug 2018
Posts: 9
Location: Buenos Aires, Argentina

PostPosted: Fri Aug 24, 2018 16:42    Post subject:
interface=tun1
elsuva
DD-WRT Novice


Joined: 20 Aug 2018
Posts: 9
Location: Buenos Aires, Argentina

PostPosted: Fri Aug 24, 2018 20:58    Post subject:
Answering egc...

The ExpressVPN DNS servers are not publicly available.
I do have "strict order" enabled.
I always reboot everything after changes.
I do not have higher up routers.
I do not know if eibgrad has an advanced script to achieve similar DNS traffic with and without using PBR. If he has one, I am ready to try it.

Regards,
Ernesto.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12885
Location: Netherlands

PostPosted: Sat Aug 25, 2018 8:40    Post subject:
Well, the fact that Express VPN servers are not publicly available means that you cannot use them when using PBR.
So either use other DNS servers you trust and set them in static DNS with "Query DNS in strict order" enabled, or better use the following in DNSMasq options
Code:
no-resolv
server=[IP address of trusted DNS server]
server=[IP address of trusted DNS server]


Or use @Eibgrad's advanced script: https://pastebin.com/nC27ETsp
Note:
You need storage, e.g. a USB stick.
The script handles everything, so do not use PBR in the GUI, disable NAT loopback, and QOS does not work.

Normally @Eibgrad himself will advise you, he is our real expert, but I think he is on holiday (at least I hope, he deserves it, he is one of the most helpful and knowledgeable forum members)

elsuva
DD-WRT Novice


Joined: 20 Aug 2018
Posts: 9
Location: Buenos Aires, Argentina

PostPosted: Sat Aug 25, 2018 14:12    Post subject:
Thank you egc!
elsuva
DD-WRT Novice


Joined: 20 Aug 2018
Posts: 9
Location: Buenos Aires, Argentina

PostPosted: Sat May 11, 2019 20:12    Post subject:
Hello everybody!
We still do not have news of this issue being fixed in a newer firmware version... do we?
Thank you and regards!