Posted: Sat May 11, 2019 20:36
You can use my simple PBR script, which gives you the ability for destination-based routing, so that you can route the DNS server via the VPN. See my signature at the bottom.
In that thread see the notes about DNS leaks and how to mitigate that.
At the moment @eibgrad is also working on some really nice things regarding DNS leaks.
Posted: Sun May 12, 2019 18:29
Fascinating discussion, but I am finding myself confused on the question of whether DNS queries go out via the WAN or the VPN. That seems central enough to this discussion that I hope I'm not guilty of hijacking a thread here as I look for more clarity.
On BS builds, I have always had a VAP with internet routed through the VPN using PBR (with SFE disabled). I have operated it two different ways.
Current approach: In the Wireless Basic Settings, I set the VAP's "Optional DNS Target" to 192.168.X.1, the VAP gateway, so that DNS service is provided by DNSMasq using my global setup, which uses DNSCrypt and Quad9 (see link at end). The usual leak tests show Quad9 servers, and I have verified with nf_conntrack that DNS requests and replies go through 127.0.0.1:30 as specified in the DNSMasq config's server= line. Using Quad9 and DNSCrypt feels reasonably secure though not as much so as using the VPN provider's DNS servers, and it is way, way faster. (I am not paranoid about Quad9's partial government sponsorship. My government is too capable to thwart with a simple VPN anyway. I'm more interested in thwarting advertising networks, etc.) I get that these DNSCrypt DNS requests are going out via the WAN.
More basic approach, which I have not used in a while: In the VAP setup, set "Optional DNS Target" to the IP of the VPN provider's DNS server. With this setup, the usual DNS leak-test websites never show the server IP address I configured. Instead, they always show a single DNS server with the same IP (or occasionally off by one) as the other, public end of the VPN tunnel. I always assumed this meant I was obtaining DNS service through the VPN and that the server showing as the tunnel's IP was just some VPN-provider cleverness. True? Not? Could I really have been going through the WAN? If so, how would it be possible to have my remote IP and my DNS server showing as the same IP?
_________________
2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
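The post above verifies with nf_conntrack that DNS goes client -> dnsmasq -> 127.0.0.1:30 (DNSCrypt). The script below is an added example, not code from any post in this thread or from DD-WRT, that automates that check: it reads /proc/net/nf_conntrack-style lines and classifies the original-direction tuple of each entry as a client query to the router's resolver, a dnsmasq forward to the local DNSCrypt port, or a port-53 flow to any other address (a client bypassing the router, i.e. a leak). The router IP 192.168.2.1, the DNSCrypt port 30 and the sample conntrack lines are constructed assumptions for the example; on a router you would pipe `cat /proc/net/nf_conntrack` into the function instead of the sample.

```shell
#!/bin/sh
# Added example: classify DNS-related conntrack flows to spot DNS leaks.
# Usage: classify_dns_flows ROUTER_IP [DNSCRYPT_PORT]  < nf_conntrack-format lines
# Prints one summary line to stdout; each leaking flow is printed to stderr.
classify_dns_flows() {
    router_ip="$1"
    dnscrypt_port="${2:-30}"   # assumption: dnscrypt-proxy listens on 127.0.0.1:30
    awk -v router="$router_ip" -v dcport="$dnscrypt_port" '
    {
        src = ""; dst = ""; dport = ""; proto = $3
        # Only the first src=/dst=/dport= fields describe the original direction;
        # the second set is the reply tuple and must be ignored.
        for (i = 1; i <= NF; i++) {
            if (src == ""   && $i ~ /^src=/)   src   = substr($i, 5)
            if (dst == ""   && $i ~ /^dst=/)   dst   = substr($i, 5)
            if (dport == "" && $i ~ /^dport=/) dport = substr($i, 7)
        }
        if (dport == "53") {
            if (dst == router) {
                n_local++          # client asked the router (dnsmasq): expected
            } else {
                n_leak++           # client talked to an outside resolver directly
                print "leak: " src " -> " dst ":53 (" proto ")" > "/dev/stderr"
            }
        } else if (dst == "127.0.0.1" && dport == dcport) {
            n_dnscrypt++           # dnsmasq forwarding to the local DNSCrypt proxy
        }
    }
    END { printf "local=%d dnscrypt=%d leak=%d\n", n_local, n_dnscrypt, n_leak }'
}

# Constructed sample in /proc/net/nf_conntrack format (not a real capture).
SAMPLE_CONNTRACK='ipv4     2 udp      17 28 src=192.168.2.50 dst=192.168.2.1 sport=51234 dport=53 packets=1 bytes=60 src=192.168.2.1 dst=192.168.2.50 sport=53 dport=51234 packets=1 bytes=120 mark=0 use=2
ipv4     2 tcp      6 118 TIME_WAIT src=192.168.2.51 dst=192.168.2.1 sport=40210 dport=53 packets=4 bytes=300 src=192.168.2.1 dst=192.168.2.51 sport=53 dport=40210 packets=3 bytes=260 [ASSURED] mark=0 use=2
ipv4     2 udp      17 27 src=127.0.0.1 dst=127.0.0.1 sport=40000 dport=30 packets=1 bytes=60 src=127.0.0.1 dst=127.0.0.1 sport=30 dport=40000 packets=1 bytes=120 mark=0 use=2
ipv4     2 udp      17 29 src=192.168.2.60 dst=8.8.8.8 sport=55555 dport=53 packets=1 bytes=62 src=8.8.8.8 dst=192.168.2.60 sport=53 dport=55555 packets=1 bytes=140 mark=0 use=2
ipv4     2 tcp      6 431990 ESTABLISHED src=192.168.2.50 dst=93.184.216.34 sport=43120 dport=443 packets=20 bytes=4000 src=93.184.216.34 dst=192.168.2.50 sport=443 dport=43120 packets=18 bytes=9000 [ASSURED] mark=0 use=2
ipv4     2 udp      17 25 src=203.0.113.10 dst=9.9.9.9 sport=47000 dport=443 packets=1 bytes=300 src=9.9.9.9 dst=203.0.113.10 sport=443 dport=47000 packets=1 bytes=400 mark=0 use=2'

# Stand-alone run: expect local=2 dnscrypt=1 leak=1, with the 192.168.2.60 -> 8.8.8.8 flow on stderr.
printf '%s\n' "$SAMPLE_CONNTRACK" | classify_dns_flows 192.168.2.1 30
```

Two things the script does not claim: it cannot see DNS that leaves in the VPN tunnel itself (those flows show the tunnel endpoint, not port 53 on the far side), and it does not catch DNS-over-HTTPS on port 443, which looks like any other web flow here. A client that "leaks" by this check is one that has its own resolver configured; the usual fix on DD-WRT is a PREROUTING DNAT rule redirecting the VAP's port-53 traffic to the router, which this example does not implement.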
Trying to get some clarity on how I should fix my VPN / DNS issue and I'm unclear on a couple things.
My setup / scenario is:
* 1 client connected via VPN
* The VPN client needs to get the VPN DNS servers otherwise certain services won't function correctly
* The non-VPN clients use OpenVPN servers (defined on Setup > Basic Setup > Static DNS) for filtering certain content
* The VPN DNS servers are not publicly accessible so I don't want the non-VPN clients to use them (if possible) though maybe this won't interfere if they just fail to connect and fall back to the OpenVPN servers?
I'd prefer to keep the setup as simple as possible. On my current firmware version the push "dhcp-option DNS xxx.xxx.xxx.xxx" is known not to work. Seemingly if I upgrade to BS r40459 or later that will fix the push feature (mentioned here https://svn.dd-wrt.com/changeset/40444) and seemingly fix the DNS issues for the VPN client. However, based on earlier comments in this thread I'm not 100% sure if that will function as I desire for the non-VPN clients and thus if I would need more advanced / complicated solutions mentioned in this thread.
Clarification before I dive down a rabbit hole would be greatly appreciated.
Side note: My router is not supported by Kong builds so that is not an option.
Don't you set the clients to use your router as DNS?
Yes, which works as expected for everything except the VPN as per earlier comments in this thread. Earlier BS builds completely ignore VPN DNS servers even when using the push command. Seemingly only builds from around July 30th onward will actually push VPN DNS servers through, via the push command. That's my current understanding anyway but looking for clarification before I start messing with configs and/or firmware upgrades again.