send DNS requests through OpenVPN Tunnel

DD-WRT Forum Index -> Advanced Networking (page 2 of 2)

manisar
DD-WRT Novice
Joined: 20 Feb 2020
Posts: 4

Posted: Thu Feb 20, 2020 20:42
I was playing with PBR and OpenVPN client (on router) lately, and have been able to make things work for me.
Describing my findings here, these specifically deal with the problem of sending DNS requests over VPN (and thus avoiding DNS leaks).
The following takes care of the problem when using PBR, but will work when there is no PBR as well.

As has been stated in the thread above, with PBR, the router itself remains off the VPN (along with its dnsmasq daemon).
This means that any PBR client that was using dnsmasq as its DNS server will continue to have its DNS requests NOT going through VPN.

One way to deal with this is to use some other DNS servers (than dnsmasq) on the PBR clients.
This can be done by having these commands in Additional DNSMasq Options (for each of your PBR clients):
Code:
dhcp-host=set:<any_Tag_Name>,<mac_of_your_PBR_client>
dhcp-option=tag:<any_Tag_Name>,6,<Public_DNS_Server_1>,<Optional_Public_DNS_Server_2>

With these, irrespective of other dnsmasq settings, your PBR clients will always use these DNS servers.
If OpenVPN client is running on your router, DNS requests to these servers will be routed through the VPN (like every other request).
It's important to use only public DNS servers here so that even when OpenVPN client is not running, DNS lookups work.

With this, a route command should not be needed, but if it is, the following can be added to the OpenVPN client's config file:
Code:
route <Public_DNS_Server_1>
route <Optional_Public_DNS_Server_2>

Or the same can be added with "push" to the OpenVPN server's config file.

My problem was even bigger - my PBR clients were dynamic, i.e. I needed the ability to start and stop the OpenVPN client on the router at will, so that one or more of my LAN clients could connect to the remote VPN server via the OpenVPN client running on the router.

How I did this is another story, but in this case - before starting the OpenVPN client - I wanted my clients, like any other LAN client, to use dnsmasq on the router as their DNS server - just so that local LAN resolution works and I have more control over my clients.

The problem is how to tell the PBR clients - just when the OpenVPN client starts - to now use different DNS servers (than dnsmasq)!
One way is to modify dnsmasq.conf (whenever the OpenVPN client starts) with dhcp-host and dhcp-option statements like the above - now with the new DNS server(s) - restart dnsmasq and force the PBR clients to flush their DNS caches.
Not a simple task (and all this needed to be undone every time OpenVPN client is shut down)!

I chose another, simpler solution - just add iptables rules like the ones stated below through the route-up script (this script is fired whenever the OpenVPN client starts and connects successfully to the remote VPN server).
With these, any DNS lookup packets from the PBR clients will be intercepted and sent to the desired DNS server.
Code:
iptables -t nat -A PREROUTING -s <PBR_client_IP> -p udp --dport 53 -j DNAT --to <public_or_private_DNS_Server_IP> # can even use the DNS server used by the remote VPN server!
iptables -t nat -A PREROUTING -s <PBR_client_IP> -p tcp --dport 53 -j DNAT --to <public_or_private_DNS_Server_IP>

One big advantage is that these rules supersede other settings such as the DNS servers configured manually on the PBR clients or the ones set through Additional DNSMasq Options.
Remember to remove these rules using route-pre-down script (on shutting down OpenVPN client).

This works seamlessly and instantaneously, and furthermore we are saved from fiddling with dnsmasq and its options.
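The route-up / route-pre-down approach described in the post, written out as one script, added here as an example and not taken from the post or from DD-WRT itself. OpenVPN exports the name of the hook it is running as the `script_type` environment variable, so the same file can be registered for both hooks: on `route-up` it inserts the DNAT rules for each PBR client (for UDP and TCP port 53), on `route-pre-down` it deletes them. The `-C` check makes both directions idempotent, so a reconnect does not stack duplicate rules and a shutdown never errors on a rule that is already gone. The client IPs (192.168.1.50, 192.168.1.51) and the DNS server (10.8.0.1) are hypothetical; override them through the environment or edit the defaults.

```shell
#!/bin/sh
# Added example, not code from the forum post: a DD-WRT OpenVPN client hook
# that redirects DNS from PBR clients to a DNS server behind the tunnel.
# Register it for both route-up and route-pre-down; OpenVPN tells us which
# one is running through $script_type.

PBR_CLIENTS="${PBR_CLIENTS:-192.168.1.50 192.168.1.51}"   # hypothetical PBR client IPs
DNS_SERVER="${DNS_SERVER:-10.8.0.1}"                       # hypothetical DNS server reached via VPN
IPT="${IPT:-iptables}"

# The match/target part of one nat rule, shared by -C (check), -I (insert)
# and -D (delete) so all three always refer to exactly the same rule.
#   $1 = client IP, $2 = udp|tcp, $3 = DNS server IP
dns_rule_args() {
    printf 'PREROUTING -s %s -p %s --dport 53 -j DNAT --to-destination %s:53' "$1" "$2" "$3"
}

# Map OpenVPN's script_type to the iptables action we want.
# Prints an empty string for hooks this script does not handle.
action_for() {
    case "$1" in
        route-up)       echo "-I" ;;
        route-pre-down) echo "-D" ;;
        *)              echo "" ;;
    esac
}

# $1 is -I or -D. -I places the rule at the top of nat PREROUTING so it wins
# over any earlier port-53 rule; -C makes add and delete safe to repeat.
apply_rules() {
    for client in $PBR_CLIENTS; do
        for proto in udp tcp; do
            args=$(dns_rule_args "$client" "$proto" "$DNS_SERVER")
            # word splitting of $args into separate iptables arguments is intended
            if [ "$1" = "-I" ]; then
                $IPT -t nat -C $args 2>/dev/null || $IPT -t nat -I $args
            elif $IPT -t nat -C $args 2>/dev/null; then
                $IPT -t nat -D $args
            fi
        done
    done
}

# Only touch the firewall when OpenVPN invokes us as a hook; when the file is
# sourced or run by hand without script_type, it does nothing.
action=$(action_for "${script_type:-}")
if [ -n "$action" ]; then
    apply_rules "$action"
fi
```

Point the OpenVPN client's `route-up` and `route-pre-down` directives at this file and set `script-security 2`, otherwise OpenVPN refuses to run external scripts. After the tunnel comes up, `iptables -t nat -S PREROUTING | grep 'dport 53'` should list one UDP and one TCP rule per client, and a lookup from a PBR client should be answered by 10.8.0.1 rather than by the router's dnsmasq; after the tunnel goes down the same listing should be empty. As with the post's own rules, the DNAT target must be reachable from the PBR client over the tunnel, or name resolution on that client stops working while the VPN is up.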