RT-AC5300 r36596 / DNS Leak PBR eibgrad / OpenVPN VPN Guest

DD-WRT Forum Index -> Advanced Networking (page 2 of 2)
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12884
Location: Netherlands

Posted: Sat May 11, 2019 20:36
You can use my simple PBR script, which gives you the ability for destination-based routing, so that you can route the DNS server via the VPN.
See my signature at the bottom.
In that thread see the notes about DNS leaks and how to mitigate that.

At the moment @eibgrad is also working on some really nice things regarding DNS leaks.

Stay tuned

_________________
Routers: Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3, XR300: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read): https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
elsuva
DD-WRT Novice


Joined: 20 Aug 2018
Posts: 9
Location: Buenos Aires, Argentina

Posted: Sat May 11, 2019 21:15
Thank you egc!
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1447
Location: Appalachian mountains, USA

Posted: Sun May 12, 2019 18:29
Fascinating discussion, but I am finding myself confused on the question of whether DNS queries go out via the WAN or the VPN. That seems central enough to this discussion that I hope I'm not guilty of hijacking a thread here as I look for more clarity.

On BS builds, I have always had a VAP with internet routed through the VPN using PBR (with SFE disabled). I have operated it two different ways.

Current approach: In the Wireless Basic Settings, I set the VAP's "Optional DNS Target" to 192.168.X.1, the VAP gateway, so that DNS service is provided by DNSMasq using my global setup, which uses DNSCrypt and Quad9 (see link at end). The usual leak tests show Quad9 servers, and I have verified with nf_conntrack that DNS requests and replies go through 127.0.0.1:30 as specified in the DNSMasq config's server= line. Using Quad9 and DNSCrypt feels reasonably secure though not as much so as using the VPN provider's DNS servers, and it is way, way faster. (I am not paranoid about Quad9's partial government sponsorship. My government is too capable to thwart with a simple VPN anyway. I'm more interested in thwarting advertising networks, etc.) I get that these DNSCrypt DNS requests are going out via the WAN.

More basic approach, which I have not used in a while: In the VAP setup, set "Optional DNS Target" to the IP of the VPN provider's DNS server. With this setup, the usual DNS leak-test websites never show the server IP address I configured. Instead, they always show a single DNS server with the same IP (or occasionally off by one) as the other, public end of the VPN tunnel. I always assumed this meant I was obtaining DNS service through the VPN and that the server showing as the tunnel's IP was just some VPN-provider cleverness. True? Not? Could I really have been going through the WAN? If so, how would it be possible to have my remote IP and my DNS server showing as the same IP?

_________________
2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
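The nf_conntrack check described in the post above, as an added example that is not code from the thread or any poster: it parses conntrack entries (constructed samples, not a real capture), keeps the DNS-looking flows and marks each one as going to the router's own dnsmasq, to an upstream you configured on purpose, or somewhere else, which is the case a PBR rule or firewall block still needs to cover. The router LAN address 192.168.2.1, the DNSCrypt listener on 127.0.0.1 port 30 and the VPN resolver 10.8.0.1 are assumed values.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of /proc/net/nf_conntrack entries (not a real capture): a
# VAP client asking the router, dnsmasq forwarding to DNSCrypt on 127.0.0.1#30,
# a client using the VPN resolver, one using a public resolver, one non-DNS flow.
SAMPLE_CONNTRACK = """\
ipv4     2 udp      17 29 src=192.168.2.50 dst=192.168.2.1 sport=51234 dport=53 packets=1 bytes=60 src=192.168.2.1 dst=192.168.2.50 sport=53 dport=51234 packets=1 bytes=120 mark=0 use=1
ipv4     2 udp      17 29 src=127.0.0.1 dst=127.0.0.1 sport=40001 dport=30 packets=1 bytes=60 src=127.0.0.1 dst=127.0.0.1 sport=30 dport=40001 packets=1 bytes=120 mark=0 use=1
ipv4     2 udp      17 29 src=192.168.2.60 dst=10.8.0.1 sport=41000 dport=53 packets=1 bytes=60 src=10.8.0.1 dst=192.168.2.60 sport=53 dport=41000 packets=1 bytes=120 mark=0 use=1
ipv4     2 udp      17 29 src=192.168.2.77 dst=203.0.113.53 sport=41001 dport=53 packets=1 bytes=60 src=203.0.113.53 dst=192.168.2.77 sport=53 dport=41001 packets=1 bytes=120 mark=0 use=1
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.2.50 dst=198.51.100.10 sport=50001 dport=443 packets=10 bytes=2000 src=198.51.100.10 dst=192.168.2.50 sport=443 dport=50001 packets=8 bytes=3000 [ASSURED] mark=0 use=1
"""

# Original-direction tuple; the optional token before src= is the TCP state.
_ENTRY = re.compile(
    r"\b(?P<proto>udp|tcp)\s+\d+\s+\d+(?:\s+[A-Z_]+)?"
    r"\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+sport=\d+\s+dport=(?P<dport>\d+)"
)

def parse_conntrack(text: str) -> List[Dict[str, object]]:
    """One dict per entry with the original-direction proto/src/dst/dport."""
    flows = []
    for line in text.splitlines():
        m = _ENTRY.search(line)
        if m:
            flows.append({"proto": m["proto"], "src": m["src"],
                          "dst": m["dst"], "dport": int(m["dport"])})
    return flows

def audit_dns(flows, router_addrs: Set[str],
              expected: Set[Tuple[str, int]]) -> List[Tuple[str, str, int, str]]:
    """'router' = client asking dnsmasq; 'expected' = an upstream configured on
    purpose; 'LEAK?' = any other port-53 flow, i.e. one PBR is not catching."""
    report = []
    for f in flows:
        dst, dport = f["dst"], f["dport"]
        if dport != 53 and (dst, dport) not in expected:
            continue  # not DNS, or not a DNS port we know about
        if dst in router_addrs:
            status = "router"
        elif (dst, dport) in expected:
            status = "expected"
        else:
            status = "LEAK?"
        report.append((f["src"], dst, dport, status))
    return report

def leaks(report):  # just the flows that bypass the configured resolvers
    return [(s, d, p) for s, d, p, st in report if st == "LEAK?"]
```

On a router, feed it `cat /proc/net/nf_conntrack` instead of the sample; the client-to-router entries only prove the first hop, so the dnsmasq-to-upstream entry (here the 127.0.0.1 port 30 one) is the line that tells you where queries really leave.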
anon_me
DD-WRT Novice


Joined: 20 Mar 2019
Posts: 16

Posted: Sun Sep 08, 2019 19:49
Trying to get some clarity on how I should fix my VPN / DNS issue, and I'm unclear on a couple of things.

My setup / scenario is:

* 1 client connected via VPN
* The VPN client needs to get the VPN DNS servers otherwise certain services won't function correctly
* The non-VPN clients use OpenVPN servers (defined on Setup > Basic Setup > Static DNS) for filtering certain content
* The VPN DNS servers are not publicly accessible so I don't want the non-VPN clients to use them (if possible) though maybe this won't interfere if they just fail to connect and fall back to the OpenVPN servers?

I'd prefer to keep the setup as simple as possible. On my current firmware version the push "dhcp-option DNS xxx.xxx.xxx.xxx" is known not to work. Seemingly if I upgrade to BS r40459 or later that will fix the push feature (mentioned here https://svn.dd-wrt.com/changeset/40444) and seemingly fix the DNS issues for the VPN client. However, based on earlier comments in this thread I'm not 100% sure if that will function as I desire for the non-VPN clients and thus if I would need more advanced / complicated solutions mentioned in this thread.

Clarification before I dive down a rabbit hole would be greatly appreciated.

Side note: My router is not supported by Kong builds so that is not an option.
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6867
Location: Romerike, Norway

Posted: Sun Sep 08, 2019 20:02
Don't you set the clients to use your router as DNS?
anon_me
DD-WRT Novice


Joined: 20 Mar 2019
Posts: 16

Posted: Sun Sep 08, 2019 20:06
Per Yngve Berg wrote:
Don't you set the clients to use your router as DNS?

Yes, which works as expected for everything except the VPN as per earlier comments in this thread. Earlier BS builds completely ignore VPN DNS servers even when using the push command. Seemingly only builds from around July 30th onward will actually push VPN DNS servers through, via the push command. That's my current understanding anyway but looking for clarification before I start messing with configs and/or firmware upgrades again.
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6867
Location: Romerike, Norway

Posted: Mon Sep 09, 2019 18:48
Set the VPN DNS server statically on the router. Even if the client does not use the VPN, the router is able to resolve over the VPN tunnel.
All times are GMT