Noob needing help with openVPN

Author Message
Wheelz (DD-WRT Novice; joined 26 Jul 2007; 6 posts)
Posted: Fri Jun 11, 2021 17:12    Post subject: Noob needing help with openVPN
– r9000 running r46885
– ExpressVPN

So with my setup, the goal is to have just a handful of clients use OpenVPN and everyone else go through the WAN using my ISP.

For a while I was using the current stable release of DD-WRT for the r9000 (r44715), but I was getting DNS leaks through OpenVPN. I tried most of the fixes that are in the DNS leak guide, but nothing seemed to work. So recently I updated to the latest beta builds that BS has been putting out. Currently using r46885 std (06/05/21).

I set up this new build just like I had the old build, but now not only do PBR clients have DNS leaks, but everyone else on the network who is NOT in the PBR is using my ISP and VPN DNS servers, which is causing issues for everyone. I can't seem to figure out what I'm doing wrong. I thought pull-filter ignore "redirect-gateway" would stop that, but apparently not. Here's a screenshot of some of my settings.

TL;DR
PBR clients having DNS leaks.
Everyone not on PBR using ISP and VPN DNS.

Any ideas?
eibgrad (DD-WRT Guru; joined 18 Sep 2010; 9157 posts)
Posted: Fri Jun 11, 2021 18:34
FYI. You don't need any of those directives specified in Additional Config. In fact, the use of persist-tun can cause problems, and was recently removed from the default config file because of it.

https://svn.dd-wrt.com/ticket/7393

As far as DNS leaks, *how* are you making this determination? One of the most difficult things to do is accurately tell if you have a DNS leak, because unlike a device that is configured w/ public DNS servers directly on the client itself, those using the router are only *indirectly* configured w/ public DNS servers. By default, each client is configured w/ the router's DNS proxy (DNSMasq), which in turn is configured w/ the public DNS servers. And so many online DNS leak testing tools provide bogus information in this regard. The *only* means I've ever found to determine w/ 100% certainty if there's a DNS leak is to check where public DNS queries are being routed by dumping connection tracking on the router (cat /proc/net/nf_conntrack).

Coincidentally, I happen to be a user of ExpressVPN myself, and I know of a specific problem when it comes to this VPN provider. Many times the DNS server they push to the client (which the router uses to reconfigure DNSMasq) is NOT within the scope of the tunnel! But it shouldn't matter provided ExpressVPN also pushes a route directive that binds it to the VPN. And in most cases, it seems they do. And I believe dd-wrt router will honor that route directive. But I know some third-party firmware doesn't (e.g., AsusWRT-Merlin), and that can lead to DNS leaks, since then the VPN provider's DNS server is unreachable.

Given the uncertainty this creates, I personally do NOT use the push'd DNS server from ExpressVPN. Instead, I define 1.1.1.1 and 1.0.0.1 for the WAN DNS servers, then bind those to the VPN using static routes (in the form of route directives in Additional Config).

Code:
route 1.1.1.1 255.255.255.255 vpn_gateway
route 1.0.0.1 255.255.255.255 vpn_gateway


Note, since '255.255.255.255 vpn_gateway' is the default, this can be shortened to …

Code:
route 1.1.1.1
route 1.0.0.1


I also add the following to Additional Config to filter out the DNS server(s) pushed by ExpressVPN.

Code:
pull-filter ignore "dhcp-option DNS"


Now I know w/ certainty which DNS servers I'm using (they're always the same), with the only difference being where they are routed. When the VPN is NOT active, it's over the WAN. When the VPN *is* active, it's over the VPN. Simple. And a dump of connection tracking on the router proves it.

_________________
ddwrt-ovpn-split-basic.sh (UPDATED!) * ddwrt-ovpn-split-advanced.sh (UPDATED!) * ddwrt-ovpn-client-killswitch.sh * ddwrt-ovpn-client-watchdog.sh * ddwrt-ovpn-remote-access.sh * ddwrt-ovpn-client-backup.sh * ddwrt-mount-usb-drives.sh * ddwrt-blacklist-domains.sh * ddwrt-wol-port-forward.sh * ddwrt-dns-monitor.sh (NEW!)
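The connection-tracking check eibgrad describes above can be scripted. The following is an added example (not from the thread and not one of eibgrad's scripts): it reads nf_conntrack lines, keeps only the port-53 queries, and classifies each by the address the packet actually left with (the reply-direction dst= field, which is the tunnel address when the query went over the VPN and the WAN address when it went over the ISP). The sample lines are constructed, not a real capture; the live helper assumes the OpenVPN client interface is tun1, that the `ip` tool is present, and that the WAN address is in the nvram variable wan_ipaddr.

```shell
#!/bin/sh
# Added example: classify outbound DNS queries in a DD-WRT connection-tracking
# dump by egress address. The reply-direction dst= of an entry is the address
# the router sent the query from (tunnel address -> VPN, WAN address -> WAN),
# which also covers LAN clients that query a resolver directly and get SNAT'd.

# Constructed sample of /proc/net/nf_conntrack lines (not a real capture).
# 10.123.45.6 stands in for the tunnel address, 203.0.113.10 for the WAN address.
SAMPLE_CONNTRACK='ipv4     2 udp      17 28 src=10.123.45.6 dst=1.1.1.1 sport=41235 dport=53 packets=1 bytes=62 src=1.1.1.1 dst=10.123.45.6 sport=53 dport=41235 packets=1 bytes=78 mark=0 use=1
ipv4     2 udp      17 29 src=10.123.45.6 dst=1.0.0.1 sport=41236 dport=53 packets=1 bytes=62 src=1.0.0.1 dst=10.123.45.6 sport=53 dport=41236 packets=1 bytes=78 mark=0 use=1
ipv4     2 udp      17 12 src=203.0.113.10 dst=1.1.1.1 sport=41237 dport=53 packets=1 bytes=62 src=1.1.1.1 dst=203.0.113.10 sport=53 dport=41237 packets=1 bytes=78 mark=0 use=1
ipv4     2 udp      17 25 src=192.168.1.50 dst=8.8.8.8 sport=40001 dport=53 packets=1 bytes=62 src=8.8.8.8 dst=203.0.113.10 sport=53 dport=40001 packets=1 bytes=78 mark=0 use=1
ipv4     2 tcp      6 431999 ESTABLISHED src=10.123.45.6 dst=198.51.100.7 sport=51000 dport=443 packets=9 bytes=1200 src=198.51.100.7 dst=10.123.45.6 sport=443 dport=51000 packets=8 bytes=5000 [ASSURED] mark=0 use=1'

# dns_egress_summary CONNTRACK_TEXT TUNNEL_ADDR WAN_ADDR
# Prints "vpn=N wan=N other=N" for the port-53 entries in CONNTRACK_TEXT.
dns_egress_summary() {
    printf '%s\n' "$1" | awk -v tun="$2" -v wan="$3" '
    {
        n = 0; isdns = 0; egress = ""
        for (i = 1; i <= NF; i++) {
            # each entry has two tuples; the second src= starts the reply tuple
            if ($i ~ /^src=/) n++
            # original tuple: a query to port 53
            if (n == 1 && $i == "dport=53") isdns = 1
            # reply tuple: dst= is the address our side sent from
            if (n == 2 && $i ~ /^dst=/) { egress = substr($i, 5); break }
        }
        if (!isdns) next
        if (egress == tun) v++; else if (egress == wan) w++; else o++
    }
    END { printf "vpn=%d wan=%d other=%d\n", v + 0, w + 0, o + 0 }'
}

# Live check on the router. Assumptions: OpenVPN client interface is tun1 and
# the WAN address is stored in nvram as wan_ipaddr (adjust if yours differ).
dns_egress_live() {
    tun_ip=$(ip -4 -o addr show tun1 2>/dev/null | awk '{print $4}' | cut -d/ -f1)
    wan_ip=$(nvram get wan_ipaddr)
    dns_egress_summary "$(cat /proc/net/nf_conntrack)" "$tun_ip" "$wan_ip"
}

# Stand-alone run against the constructed sample.
dns_egress_summary "$SAMPLE_CONNTRACK" 10.123.45.6 203.0.113.10
```

UDP conntrack entries expire after roughly 30 seconds, so run `dns_egress_live` right after triggering lookups from the client you are checking. The check only sees plain port-53 DNS; a device doing its own DNS-over-HTTPS or DNS-over-TLS shows up as ordinary 443/853 traffic instead.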
egc (DD-WRT Guru; joined 18 Mar 2014; 12837 posts; location: Netherlands)
Posted: Fri Jun 11, 2021 18:52
In addition, tick "Ignore WAN DNS" on Setup page.

You have to set Static DNS 1 and 2, e.g. use the servers @eibgrad mentioned.

It is described in the documentation; see the link in my signature.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
Wheelz (DD-WRT Novice; joined 26 Jul 2007; 6 posts)
Posted: Fri Jun 11, 2021 21:05
Wow, thanks for the in-depth replies. Like I said, I'm a noob, so I understand some of what you just said. :)

And yeah, I was testing DNS leaks through Dnsleaktest.com and ExpressVPN's web test. I tried to use the script you wrote for testing leaks but was having problems trying to telnet into the router.

I'm really just trying to set up a handful of Roku and Roku TVs on my network to use the VPN so I can bypass sports blackouts. Do you think I'll have any problems not using the VPN DNS servers for some of these networks?

So I've set:

Ignore WAN DNS

I set Static DNS 1 and 2 to:

1.1.1.1
1.0.0.1

Removed these lines from Additional Config:

persist-key
persist-tun
pull-filter ignore "redirect-gateway"

Added these lines to Additional Config:

route 1.1.1.1
route 1.0.0.1
pull-filter ignore "dhcp-option DNS"

Saved, rebooted..

Still, every client that's NOT listed in the PBR cannot access sites like HBO, Amazon... Going to an online DNS leak test shows that I'm on ExpressVPN servers. I'm so confused.

The Roku devices I have listed in the PBR have no problem accessing those sites.
eibgrad (DD-WRT Guru; joined 18 Sep 2010; 9157 posts)
Posted: Fri Jun 11, 2021 22:01
Again, do NOT rely on any online leak testing tools. These are very unreliable. The ExpressVPN tool is a joke. All it does is notice if your public IP is one *they* manage, and if so, assume you're using their DNS servers.

Quote:
Still every client that's NOT listed in the PBR cannot access sites like HBO, Amazon... Going to an online DNS leak test shows that I'm on express VPN servers.

I assume by HBO and Amazon, you're referring to their streaming services, and NOT just their respective websites in general.

Most likely the problem is that for those devices NOT bound to the VPN, they are still using the VPN (if only indirectly) for name resolution. And sometimes streaming services don't like this. They insist that if name resolution occurs over a given network interface, that same network interface needs to be used to access it. That's why those bound to VPN have no problem. They're always using the VPN for both DNS and subsequent access of the service. But those bound to the WAN are NOT.

IOW, the problem is NOT due to the network. The network couldn't care less about which network interfaces you use. It's the site itself that's refusing to allow the disparity.

The only solution I see is to either bind all devices to the VPN that require access to those services, or else configure those clients directly w/ public DNS servers which are accessed over the WAN, thus keeping name resolution and access of those sites over the same network interface.

Wheelz (DD-WRT Novice; joined 26 Jul 2007; 6 posts)
Posted: Sat Jun 12, 2021 2:22
eibgrad wrote:
I assume by HBO and Amazon, you're referring to their streaming services, and NOT just their respective websites in general.

Most likely the problem is that for those devices NOT bound to the VPN, they are still using the VPN (if only indirectly) for name resolution. And sometimes streaming services don't like this. They insist that if name resolution occurs over a given network interface, that same network interface needs to be used to access it. That's why those bound to VPN have no problem. They're always using the VPN for both DNS and subsequent access of the service. But those bound to the WAN are NOT.

No, actually everything, including Amazon/HBO websites, phone apps and video streaming, will not work.

I actually didn't have this problem with r44715. Every client NOT listed on PBR would just use the ISP/WAN DNS. These newer builds seem to be forcing every client on the router to use the VPN DNS when the OVPN client is enabled (even when Ignore WAN DNS is checked/unchecked and static DNS servers are set). I only updated to the latest beta builds to try and fix my OVPN clients not working with certain sites. I'll probably just revert back.

edit: I'm sure it's probably something I just haven't set up correctly. I've gone through the guides a million times. Like I said I'm a big noob when it comes to all this. :/
egc (DD-WRT Guru; joined 18 Mar 2014; 12837 posts; location: Netherlands)
Posted: Sat Jun 12, 2021 6:38
You did not want a DNS leak, and you do not have one any more, because all DNS queries are going through the VPN.

But, as said, all DNS queries are going through the VPN also for non-VPN/PBR users.

Some websites do not like that and will not work.

You can simply test this: instead of vpn_gateway use net_gateway, i.e. add in the OpenVPN Additional Config:
Code:
route 1.1.1.1 255.255.255.255 net_gateway
route 1.0.0.1 255.255.255.255 net_gateway

So all DNS queries will go through the WAN; you do have a DNS leak, but the other sites should be working.

The only way out of this problem is to use different DNS servers for the VPN/PBR clients than for the non VPN clients and route the DNS servers accordingly.

All explained in the documentation, page 3 of the "DNS Problems with Policy Based Routing" guide.

P.S. If you telnet to the router, the username is always: root

P.P.S. Another build will not make this better; older builds simply did not route DNS servers through the VPN, so with older builds you will have a DNS leak for sure (unless the VPN provider specifically routes the DNS server via the VPN, and of late some have started doing that).

Wheelz (DD-WRT Novice; joined 26 Jul 2007; 6 posts)
Posted: Sat Jun 12, 2021 9:03
Thanks EGC, I think I got it now. I wasn't comprehending the guide correctly, and your explanation helped.

I now seem to have it set up correctly. One question though: to have clients use the VPN DNS, I use the address 10.0.0.241. I'm just curious how that equates to what the VPN DNS is?

And thanks for the Telnet tip. That indeed was my problem.
egc (DD-WRT Guru; joined 18 Mar 2014; 12837 posts; location: Netherlands)
Posted: Sat Jun 12, 2021 9:52
Some providers use their own DNS servers on their private subnet.
According to @eibgrad (and when he speaks we listen :) ), ExpressVPN's DNS servers are not very reliable.

I use 8.8.8.8 and 8.8.4.4 for my non-VPN users (those are in Static DNS 1 and 2) and 1.1.1.1 for my VPN users.
So I have tagged my VPN users with 1.1.1.1 in DNSMasq and routed that via the VPN.
So VPN users are using 1.1.1.1 as DNS server and the non-VPN users 8.8.8.8/8.8.4.4.

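The split-DNS arrangement egc describes (VPN clients tagged in DNSMasq and handed 1.1.1.1, everyone else on 8.8.8.8/8.8.4.4, each resolver routed over the interface its users are bound to) can be written down as two config fragments. This is an added example, not taken from the thread or from the DD-WRT guide; the MAC addresses are placeholders, the DNSMasq tag/set syntax and the rule that a tagged dhcp-option overrides an untagged one of the same number follow dnsmasq's own documentation, and the route/pull-filter lines use the directives already shown in the thread.

```ini
# --- DNSMasq "Additional Options" (Services page) ---
# Tag the clients that are policy-routed through the VPN (placeholder MACs).
dhcp-host=00:11:22:33:44:55,set:vpn
dhcp-host=00:11:22:33:44:66,set:vpn
# Tagged (VPN) clients get 1.1.1.1; the tagged option overrides the untagged one.
dhcp-option=tag:vpn,option:dns-server,1.1.1.1
# Everyone else gets the WAN-side resolvers (same servers as Static DNS 1 and 2).
dhcp-option=option:dns-server,8.8.8.8,8.8.4.4

# --- OpenVPN client "Additional Config" ---
# Pin each resolver to the path its users take, so name resolution and the
# connection that follows it always leave the router over the same interface.
route 1.1.1.1 255.255.255.255 vpn_gateway
route 8.8.8.8 255.255.255.255 net_gateway
route 8.8.4.4 255.255.255.255 net_gateway
# Drop the resolver the provider pushes so the three routes above are the whole picture.
pull-filter ignore "dhcp-option DNS"
```

With "Ignore WAN DNS" ticked and Static DNS 1 and 2 set to the same 8.8.8.8/8.8.4.4, the router's own DNSMasq upstream also stays on the WAN, so a conntrack dump should show only 1.1.1.1 leaving via the tunnel and only 8.8.8.8/8.8.4.4 leaving via the WAN.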