RT-AC5300 r36596 / DNS Leak PBR eibgrad / OpenVPN VPN Guest

DD-WRT Forum Forum Index -> Advanced Networking

Joined: 18 Mar 2014
Posts: 5785
Location: Netherlands

Posted: Sat May 11, 2019 20:36
You can use my simple PBR script, which gives you the ability for destination-based routing, so that you can route the DNS server via the VPN.
See my signature at the bottom.
In that thread, see the notes about DNS leaks and how to mitigate them.

At the moment @eibgrad is also working on some really nice things regarding DNS leaks.

Stay tuned

Routers: Netgear R7800, Netgear R6400v1, Netgear R6400v2, Linksys EA6900 (XvortexCFE), Linksys E2000 (converted WRT320N), WRT54GS v1.
OpenVPN Policy Based Routing guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686
Install guide R6400v2: http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN Server Setup: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Wireguard server setup guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1183135
Wireguard client setup guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324624
Wireguard Advanced setup guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324787
Forum Guide Lines (important read): https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
DD-WRT Novice

Joined: 20 Aug 2018
Posts: 9
Location: Buenos Aires, Argentina

Posted: Sat May 11, 2019 21:15
Thank you egc!

Joined: 04 Aug 2018
Posts: 794
Location: Appalachian mountains, USA

Posted: Sun May 12, 2019 18:29
Fascinating discussion, but I am finding myself confused on the question of whether DNS queries go out via the WAN or the VPN. That seems central enough to this discussion that I hope I'm not guilty of hijacking a thread here as I look for more clarity.

On BS builds, I have always had a VAP with internet routed through the VPN using PBR (with SFE disabled). I have operated it two different ways.

Current approach: In the Wireless Basic Settings, I set the VAP's "Optional DNS Target" to 192.168.X.1, the VAP gateway, so that DNS service is provided by DNSMasq using my global setup, which uses DNSCrypt and Quad9 (see link at end). The usual leak tests show Quad9 servers, and I have verified with nf_conntrack that DNS requests and replies go through as specified in the DNSMasq config's server= line. Using Quad9 and DNSCrypt feels reasonably secure though not as much so as using the VPN provider's DNS servers, and it is way, way faster. (I am not paranoid about Quad9's partial government sponsorship. My government is too capable to thwart with a simple VPN anyway. I'm more interested in thwarting advertising networks, etc.) I get that these DNSCrypt DNS requests are going out via the WAN.

More basic approach, which I have not used in a while: In the VAP setup, set "Optional DNS Target" to the IP of the VPN provider's DNS server. With this setup, the usual DNS leak-test websites never show the server IP address I configured. Instead, they always show a single DNS server with the same IP (or occasionally off by one) as the other, public end of the VPN tunnel. I always assumed this meant I was obtaining DNS service through the VPN and that the server showing as the tunnel's IP was just some VPN-provider cleverness. True? Not? Could I really have been going through the WAN? If so, how would it be possible to have my remote IP and my DNS server showing as the same IP?

Five Linksys WRT1900ACSv2 routers on BS 42926:
VLANs, multiple VAPs, NAS, QoS, client-mode travel router, OpenVPN client/PBR (AirVPN), two DNSCrypt servers (incl Quad9) routed through vpn.
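The WAN-versus-VPN question raised in the post above, and the nf_conntrack check it mentions, can be answered on the router itself rather than by trusting a browser leak-test page. The script below is an added example written for this thread; it is not egc's PBR script, not eibgrad's work and not DD-WRT code. It does two things: asks the kernel (via `ip route get`) which device each dnsmasq `server=` upstream would leave through, and lists the resolvers the LAN has actually been talking to by reading the original direction of port-53 flows in `/proc/net/nf_conntrack`. The tunnel name `tun1`, the WAN name `vlan2` in the comments, and the dnsmasq config path `/tmp/dnsmasq.conf` are assumptions about a typical DD-WRT build; the sample data at the bottom is constructed so the script demonstrates itself offline.

```shell
#!/bin/sh
# Added example, not from the thread, egc's PBR script or the DD-WRT project.
# Answers "do my DNS queries leave via the WAN or the VPN?" from the router's
# own point of view, two ways:
#   1) ask the kernel which device each dnsmasq upstream (server= line)
#      would be routed out of, via "ip route get";
#   2) list the DNS servers the LAN has actually been talking to, from the
#      original direction of port-53 flows in /proc/net/nf_conntrack.
# Assumptions: the VPN tunnel device is tun1 (override with VPN_IF=...) and
# dnsmasq's config is /tmp/dnsmasq.conf; verify both on your own build.

VPN_IF="${VPN_IF:-tun1}"

# Print the upstream IPv4 addresses from dnsmasq "server=" lines on stdin.
# Lines such as "server=/domain/1.2.3.4" or "no-resolv" are ignored.
dns_upstreams() {
    sed -n 's/^server=\([0-9][0-9.]*\).*/\1/p'
}

# Return the egress device from one "ip route get" result line, e.g.
#   "9.9.9.9 via 203.0.113.1 dev vlan2 src 203.0.113.7 uid 0"  -> vlan2
#   "10.8.0.1 dev tun1 src 10.8.0.6 uid 0"                      -> tun1
parse_route_dev() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Label a device name relative to the tunnel: VPN, WAN, or unknown (no route).
classify_dev() {
    case "$1" in
        "")        echo unknown ;;
        "$VPN_IF") echo VPN ;;
        *)         echo WAN ;;
    esac
}

# Live check, run on the router: one "<ip> <dev> <label>" line per upstream
# read from stdin. Anything labelled WAN is a query that bypasses the tunnel
# no matter what a leak-test page in a browser reports.
check_upstreams_live() {
    dns_upstreams | while read -r ip; do
        dev=$(parse_route_dev "$(ip route get "$ip" 2>/dev/null)")
        printf '%s %s %s\n' "$ip" "${dev:-none}" "$(classify_dev "$dev")"
    done
}

# From nf_conntrack text on stdin, print the unique destination addresses of
# flows whose ORIGINAL direction targets port 53. The first "dst=" and the
# first "dport=" on a conntrack line belong to the original direction; the
# second pair is the (possibly NATed) reply direction and is ignored here.
conntrack_dns_servers() {
    awk '{
        dst = ""; dport = ""
        for (i = 1; i <= NF; i++) {
            if (dst == "" && index($i, "dst=") == 1) dst = substr($i, 5)
            if (dport == "" && index($i, "dport=") == 1) dport = substr($i, 7)
        }
        if (dport == "53" && dst != "") print dst
    }' | sort -u
}

# Constructed sample data (not captured from a real router) so the script
# demonstrates itself offline: two Quad9 upstreams plus a VPN-side resolver,
# and three conntrack entries of which two are DNS.
SAMPLE_DNSMASQ='server=9.9.9.9
server=149.112.112.112
server=10.8.0.1
no-resolv'

SAMPLE_CONNTRACK='ipv4     2 udp      17 29 src=192.168.2.50 dst=9.9.9.9 sport=40123 dport=53 packets=1 bytes=60 src=9.9.9.9 dst=203.0.113.7 sport=53 dport=40123 packets=1 bytes=120 mark=0 zone=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.2.50 dst=203.0.113.80 sport=50111 dport=443 packets=9 bytes=1200 src=203.0.113.80 dst=203.0.113.7 sport=443 dport=50111 packets=8 bytes=4000 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 25 src=192.168.3.51 dst=10.8.0.1 sport=40124 dport=53 packets=1 bytes=60 src=10.8.0.1 dst=10.8.0.6 sport=53 dport=40124 packets=1 bytes=120 mark=0 zone=0 use=2'

echo "upstreams in sample dnsmasq config:"
printf '%s\n' "$SAMPLE_DNSMASQ" | dns_upstreams
echo "DNS servers seen in sample conntrack:"
printf '%s\n' "$SAMPLE_CONNTRACK" | conntrack_dns_servers

# On the router:  LIVE=1 sh dnscheck.sh
if [ "${LIVE:-0}" = 1 ]; then
    check_upstreams_live < /tmp/dnsmasq.conf
    conntrack_dns_servers < /proc/net/nf_conntrack
fi
```

The conntrack side only tells you which resolvers were contacted, not which interface carried the packets; the `ip route get` side tells you the route the kernel would pick right now, which is the thing destination-based PBR changes. Run both after bringing the tunnel up and again after a reconnect, since a route added for the resolver disappears with the tunnel device.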
DD-WRT Novice

Joined: 20 Mar 2019
Posts: 16

Posted: Sun Sep 08, 2019 19:49
Trying to get some clarity on how I should fix my VPN / DNS issue and I'm unclear on a couple things.

My setup / scenario is:

* 1 client connected via VPN
* The VPN client needs to get the VPN DNS servers otherwise certain services won't function correctly
* The non-VPN clients use OpenVPN servers (defined on Setup > Basic Setup > Static DNS) for filtering certain content
* The VPN DNS servers are not publicly accessible so I don't want the non-VPN clients to use them (if possible) though maybe this won't interfere if they just fail to connect and fall back to the OpenVPN servers?

I'd prefer to keep the setup as simple as possible. On my current firmware version the push "dhcp-option DNS xxx.xxx.xxx.xxx" is known not to work. Seemingly if I upgrade to BS r40459 or later that will fix the push feature (mentioned here https://svn.dd-wrt.com/changeset/40444) and seemingly fix the DNS issues for the VPN client. However, based on earlier comments in this thread I'm not 100% sure if that will function as I desire for the non-VPN clients and thus if I would need more advanced / complicated solutions mentioned in this thread.

Clarification before I dive down a rabbit hole would be greatly appreciated.

Side note: My router is not supported by Kong builds so that is not an option.
Per Yngve Berg

Joined: 13 Aug 2013
Posts: 5635
Location: Akershus, Norway

Posted: Sun Sep 08, 2019 20:02
Don't you set the clients to use your router as DNS?
DD-WRT Novice

Joined: 20 Mar 2019
Posts: 16

Posted: Sun Sep 08, 2019 20:06
Per Yngve Berg wrote:
Don't you set the clients to use your router as DNS?

Yes, which works as expected for everything except the VPN as per earlier comments in this thread. Earlier BS builds completely ignore VPN DNS servers even when using the push command. Seemingly only builds from around July 30th onward will actually push VPN DNS servers through, via the push command. That's my current understanding anyway but looking for clarification before I start messing with configs and/or firmware upgrades again.
Per Yngve Berg

Joined: 13 Aug 2013
Posts: 5635
Location: Akershus, Norway

Posted: Mon Sep 09, 2019 18:48
Set the VPN DNS server statically on the router. Even if the client does not use the VPN, the router is able to resolve over the VPN tunnel.
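For readers following the push "dhcp-option DNS" discussion above, here is what a working push looks like from the client side. This is an added example for this thread, not DD-WRT code and not a statement about which build fixed the push; it describes stock OpenVPN behaviour on Linux, where the client does not apply dhcp-option itself but exports each pushed option to the --up script as foreign_option_1, foreign_option_2, ... (the script needs --script-security 2 to run). The functions collect the pushed DNS servers and render them as dnsmasq `server=` lines; the output file path is left as a parameter because where dnsmasq reads extra config and how it is reloaded differs per build, and hooking an up script into the GUI-managed client is build-specific and not covered here. The environment at the bottom is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread or the DD-WRT project. Shows what a
# working 'push "dhcp-option DNS x.x.x.x"' looks like on the client side:
# OpenVPN on Linux exports each pushed dhcp-option to the --up script as
# foreign_option_1, foreign_option_2, ... (requires --script-security 2).
# This script turns the pushed DNS servers into dnsmasq "server=" lines.
# Output path and reload method are deliberately left to the caller.

# Print the DNS server addresses from foreign_option_* in pushed order,
# skipping other dhcp-option kinds (DOMAIN, WINS, ...). Stops at the first
# gap because OpenVPN numbers the variables consecutively from 1.
pushed_dns_servers() {
    i=1
    while :; do
        eval "opt=\${foreign_option_$i:-}"
        [ -n "$opt" ] || break
        case "$opt" in
            "dhcp-option DNS "*) printf '%s\n' "${opt##* }" ;;
        esac
        i=$((i + 1))
    done
}

# Render the pushed servers as dnsmasq upstream lines.
render_dnsmasq_servers() {
    pushed_dns_servers | while read -r ip; do
        printf 'server=%s\n' "$ip"
    done
}

# Write the rendered lines to the file named in $1 (path is your choice).
# Returns 1 and writes nothing when no DNS option was pushed, so a server
# that pushes nothing leaves the router's existing upstreams untouched.
write_dnsmasq_servers() {
    out=$(render_dnsmasq_servers)
    [ -n "$out" ] || return 1
    printf '%s\n' "$out" > "$1"
}

# Offline demonstration with a constructed environment: what OpenVPN would
# export after the server pushed a DNS, a DOMAIN and a second DNS option.
(
    foreign_option_1="dhcp-option DNS 10.8.0.1"
    foreign_option_2="dhcp-option DOMAIN corp.example"
    foreign_option_3="dhcp-option DNS 10.8.0.2"
    render_dnsmasq_servers
)
```

Whatever the build does with the pushed servers, the end result that matters for the non-VPN clients in the scenario above is which `server=` lines dnsmasq ends up with: if the VPN resolvers are simply appended, dnsmasq will use them for every client unless it is told otherwise.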
Page 2 of 2