Posted: Fri Jun 11, 2021 17:12 Post subject: Noob needing help with openVPN
– r9000 running r46885
– ExpressVPN
So with my setup, the goal is to have just a handful of clients use OpenVPN and everyone else go through the WAN using my ISP.
For a while I was using the current stable release of DD-WRT for the r9000 (r44715), but I was getting DNS leaks through OpenVPN. Tried most of the fixes that are in the DNS leak guide, but nothing seemed to work. So recently I updated to the latest beta builds that BS has been putting out. Currently using r46885 std (06/05/21).
I set up this new build just like I had the old build, but now not only do PBR clients have DNS leaks, but everyone else on the network who is NOT in the PBR is using my ISP and VPN DNS servers, which is causing issues for everyone. I can't seem to figure out what I'm doing wrong. I thought pull-filter ignore "redirect-gateway" would stop that, but apparently not. Here's a screenshot of some of my settings.
TL;DR:
PBR clients having DNS leaks
Everyone not on PBR using ISP and VPN DNS.
FYI. You don't need any of those directives specified in Additional Config. In fact, the use of persist-tun can cause problems, and was recently removed from the default config file because of it.
As far as DNS leaks, *how* are you making this determination? One of the most difficult things to do is accurately tell if you have a DNS leak, because unlike a device that is configured w/ public DNS servers directly on the client itself, those using the router are only *indirectly* configured w/ public DNS servers. By default, each client is configured w/ the router's DNS proxy (DNSMasq), which in turn is configured w/ the public DNS servers. And so many online DNS leak testing tools provide bogus information in this regard. The *only* means I've ever found to determine w/ 100% certainty if there's a DNS leak is to check where public DNS queries are being routed by dumping connection tracking on the router (cat /proc/net/nf_conntrack).
Coincidentally, I happen to be a user of ExpressVPN myself, and I know of a specific problem when it comes to this VPN provider. Many times the DNS server they push to the client (which the router uses to reconfigure DNSMasq) is NOT within the scope of the tunnel! But it shouldn't matter provided ExpressVPN also pushes a route directive that binds it to the VPN. And in most cases, it seems they do. And I believe dd-wrt router will honor that route directive. But I know some third-party firmware doesn't (e.g., AsusWRT-Merlin), and that can lead to DNS leaks, since then the VPN provider's DNS server is unreachable.
Given the uncertainty this creates, I personally do NOT use the pushed DNS server from ExpressVPN. Instead, I define 1.1.1.1 and 1.0.0.1 for the WAN DNS servers, then bind those to the VPN using static routes (in the form of route directives in Additional Config).
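The conntrack check described above, written out as an added shell example (this is not eibgrad's own leak-test script, which he refers to later in the thread, and not part of the original post). It reads /proc/net/nf_conntrack on the router, keeps only flows to port 53, and looks at the reply-direction dst= field: that is the address the query carried after NAT or source selection, so the tunnel address means the query left through the VPN, the WAN address means it leaked. Queries from LAN clients to the router's own DNSMasq are counted as local, since only the router's upstream queries matter. All addresses are assumptions: 10.8.0.6 for the tun interface (on DD-WRT the OpenVPN client is usually tun1, so `ip addr show tun1` gives the real one), 203.0.113.7 for the WAN address, 192.168.1.1 for the router's LAN address and 10.0.0.241 for the provider-pushed DNS server. The sample dump at the bottom is constructed in the /proc/net/nf_conntrack format so the script can be tried off the router.

```shell
#!/bin/sh
# Classify DNS flows in a conntrack dump as leaving via the VPN tunnel,
# via the WAN, or staying local (LAN client -> router's DNSMasq).
# Usage: dns_leak_report <tun_ip> <wan_ip> <router_lan_ip> [conntrack_file]
# The default input is /proc/net/nf_conntrack on the router itself; "-"
# reads stdin. Addresses in the comments below are assumptions.
dns_leak_report() {
  awk -v tun="$1" -v wan="$2" -v lan="$3" '
    / dport=53 / {
      # src=/dst= appear twice per line: original direction, then reply
      # direction. The first dst is the DNS server asked; the second dst
      # (reply) is the address our side used on the wire.
      n = 0; orig = ""; reply = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^dst=/) { n++; if (n == 1) { orig = substr($i, 5) } else { reply = substr($i, 5) } }
      }
      if (orig == lan) { local++ } else if (reply == tun) { vpn++ } else if (reply == wan) { leak++ } else { other++ }
    }
    END { printf "vpn=%d wan=%d local=%d other=%d\n", vpn+0, leak+0, local+0, other+0 }
  ' "${4:-/proc/net/nf_conntrack}"
}

# Constructed sample in /proc/net/nf_conntrack format (assumed addresses:
# 10.8.0.6 = tun1, 203.0.113.7 = WAN, 192.168.1.1 = router LAN side,
# 10.0.0.241 = DNS server pushed by the VPN provider, 1.1.1.1 = WAN DNS).
# Line 1: LAN client -> VPN DNS, NATed to the tunnel address (via VPN).
# Line 2: DNSMasq on the router -> VPN DNS, sourced from tun1 (via VPN).
# Line 3: LAN client -> 1.1.1.1, NATed to the WAN address (leaked).
# Line 4: LAN client -> DNSMasq itself (local, not an upstream query).
# Line 5: an HTTPS flow, ignored.
SAMPLE_CONNTRACK='ipv4     2 udp      17 27 src=192.168.1.50 dst=10.0.0.241 sport=51234 dport=53 packets=1 bytes=60 src=10.0.0.241 dst=10.8.0.6 sport=53 dport=51234 packets=1 bytes=120 mark=0 zone=0 use=2
ipv4     2 udp      17 25 src=10.8.0.6 dst=10.0.0.241 sport=40210 dport=53 packets=1 bytes=60 src=10.0.0.241 dst=10.8.0.6 sport=53 dport=40210 packets=1 bytes=120 mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=192.168.1.60 dst=1.1.1.1 sport=41000 dport=53 packets=1 bytes=60 src=1.1.1.1 dst=203.0.113.7 sport=53 dport=41000 packets=1 bytes=120 mark=0 zone=0 use=2
ipv4     2 udp      17 28 src=192.168.1.60 dst=192.168.1.1 sport=41001 dport=53 packets=1 bytes=60 src=192.168.1.1 dst=192.168.1.60 sport=53 dport=41001 packets=1 bytes=120 mark=0 zone=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.60 dst=198.51.100.9 sport=40001 dport=443 packets=10 bytes=2000 src=198.51.100.9 dst=203.0.113.7 sport=443 dport=40001 packets=9 bytes=4000 [ASSURED] mark=0 zone=0 use=2'

# Off-router dry run on the constructed sample:
#   printf '%s\n' "$SAMPLE_CONNTRACK" | dns_leak_report 10.8.0.6 203.0.113.7 192.168.1.1 -
# On the router (telnet/ssh as root), after browsing from a PBR client:
#   dns_leak_report 10.8.0.6 203.0.113.7 192.168.1.1
```

A non-zero wan= count after the PBR clients have been resolving names is a real leak, whatever an online test page says; a non-zero other= count usually means the tun or WAN address passed in is stale, so re-check them with `ip addr` before trusting the numbers.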
Wow thanks for the in-depth replies. Like I said, I'm a noob so I understand some of what you just said.
And yeah I was testing DNS leaks through Dnsleaktest.com and ExpressVPN's web test. I tried to use the script you wrote for testing leaks but was having problems trying to telnet into the router.
I'm really just trying to set up a handful of Roku and Roku TVs on my network to use the VPN so I can bypass sports blackouts. Do you think I'll have any problems not using the VPN DNS servers for some of these networks?
Added these lines to Additional Config:
route 1.1.1.1
route 1.0.0.1
pull-filter ignore "dhcp-option DNS"
Saved, rebooted..
Still every client that's NOT listed in the PBR cannot access sites like HBO, Amazon... Going to an online DNS leak test shows that I'm on ExpressVPN servers. I'm so confused.
The Roku devices I have listed in the PBR have no problem accessing those sites.
Again, do NOT rely on any online leak testing tools. These are very unreliable. The ExpressVPN tool is a joke. All it does is notice if your public IP is one *they* manage, and if so, assume you're using their DNS servers.
Quote:
Still every client that's NOT listed in the PBR cannot access sites like HBO, Amazon... Going to an online DNS leak test shows that I'm on express VPN servers.
I assume by HBO and Amazon, you're referring to their streaming services, and NOT just their respective websites in general.
Most likely the problem is that for those devices NOT bound to the VPN, they are still using the VPN (if only indirectly) for name resolution. And sometimes streaming services don't like this. They insist that if name resolution occurs over a given network interface, that same network interface needs to be used to access it. That's why those bound to VPN have no problem. They're always using the VPN for both DNS and subsequent access of the service. But those bound to the WAN are NOT.
IOW, the problem is NOT due to the network. The network couldn't care less about which network interfaces you use. It's the site itself that's refusing to allow the disparity.
Quote:
I assume by HBO and Amazon, you're referring to their streaming services, and NOT just their respective websites in general.
Most likely the problem is that for those devices NOT bound to the VPN, they are still using the VPN (if only indirectly) for name resolution. And sometimes streaming services don't like this. They insist that if name resolution occurs over a given network interface, that same network interface needs to be used to access it. That's why those bound to VPN have no problem. They're always using the VPN for both DNS and subsequent access of the service. But those bound to the WAN are NOT.
No, actually everything, including the Amazon/HBO websites, phone apps, and video streaming, will not work.
I actually didn't have this problem with r44715. Every client NOT listed in the PBR would just use the ISP/WAN DNS. These newer builds seem to be forcing every client on the router to use the VPN DNS when the ovpn client is enabled (even when "ignore WAN DNS" is checked/unchecked and static DNS servers are set). I only updated to the latest beta builds to try and fix my ovpn clients not working with certain sites. I'll probably just revert back.
edit: I'm sure it's probably something I just haven't set up correctly. I've gone through the guides a million times. Like I said I'm a big noob when it comes to all this. :/
So all DNS queries will go through the WAN; you do have a DNS leak, but the other sites should be working.
The only way out of this problem is to use different DNS servers for the VPN/PBR clients than for the non-VPN clients and route the DNS servers accordingly.
All explained in the documentation, page 3 of the "DNS Problems with Policy Based Routing" guide.
P.S. if you telnet to the router the username is always: root
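One way to set up the split that egc describes, as an added shell example (not the guide's own text and not egc's configuration): the PBR clients are tagged by MAC in DNSMasq and handed the VPN provider's DNS server as DHCP option 6, everyone else keeps the router as their DNS (which in turn uses the WAN servers), and a second function checks the routing table so that the VPN DNS is pinned to the tunnel and each WAN DNS server is pinned to the WAN interface, since a DNS server that follows the default route goes wherever the OpenVPN client last pointed it. Assumptions: 10.0.0.241 is the provider-pushed DNS server on its private subnet (reachable only inside the tunnel), 1.1.1.1 and 1.0.0.1 are the WAN DNS servers, tun1 is the OpenVPN client interface, eth0 is the WAN interface, 203.0.113.1 is the ISP gateway, and the MAC addresses are placeholders. The two routing tables at the bottom are constructed in `ip route show` format so the check can be tried off the router.

```shell
#!/bin/sh
# Split DNS for DD-WRT policy-based routing (added example; all addresses,
# interface names and MACs are assumptions, see the lead-in).

# Emit DNSMasq lines that tag the PBR clients by MAC and hand only them the
# VPN DNS server (DHCP option 6). Untagged clients keep the router as DNS.
# Usage: pbr_dnsmasq_options <vpn_dns> <mac> [<mac> ...]
pbr_dnsmasq_options() {
  vpn_dns=$1; shift
  for mac in "$@"; do
    printf 'dhcp-host=%s,set:vpn\n' "$mac"
  done
  printf 'dhcp-option=tag:vpn,6,%s\n' "$vpn_dns"
}

# Print the interface a host (/32) route for $1 leaves through, reading the
# routing table in `ip route show` format from stdin; prints nothing when the
# address has no host route and therefore follows the default route.
route_dev() {
  awk -v ip="$1" '$1 == ip { for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# Verify the VPN DNS is pinned to the tunnel and every WAN DNS to the WAN
# interface. Returns 1 if any server can take the wrong path.
# Usage: check_dns_split <tun_if> <wan_if> <vpn_dns> <wan_dns>... < routes
check_dns_split() {
  tun_if=$1 wan_if=$2 vpn_dns=$3; shift 3
  routes=$(cat)
  rc=0
  dev=$(printf '%s\n' "$routes" | route_dev "$vpn_dns")
  if [ "$dev" = "$tun_if" ]; then echo "ok   $vpn_dns via $dev"; else echo "BAD  $vpn_dns via ${dev:-default route}"; rc=1; fi
  for d in "$@"; do
    dev=$(printf '%s\n' "$routes" | route_dev "$d")
    if [ "$dev" = "$wan_if" ]; then echo "ok   $d via $dev"; else echo "BAD  $d via ${dev:-default route}"; rc=1; fi
  done
  return $rc
}

# Constructed routing table (correct split): VPN DNS pinned to tun1, both
# WAN DNS servers pinned to the ISP gateway on eth0.
SAMPLE_ROUTES='default via 203.0.113.1 dev eth0
10.0.0.241 dev tun1 scope link
1.1.1.1 via 203.0.113.1 dev eth0
1.0.0.1 via 203.0.113.1 dev eth0
192.168.1.0/24 dev br0 scope link'

# Constructed table with the 1.0.0.1 host route missing while the OpenVPN
# client has taken the default route: 1.0.0.1 now goes into the tunnel, so
# the non-PBR clients resolve over the VPN.
SAMPLE_ROUTES_LEAKY='default via 10.8.0.5 dev tun1
10.0.0.241 dev tun1 scope link
1.1.1.1 via 203.0.113.1 dev eth0
192.168.1.0/24 dev br0 scope link'

# On the router:
#   pbr_dnsmasq_options 10.0.0.241 AA:BB:CC:DD:EE:01 AA:BB:CC:DD:EE:02
#     (paste the output into Additional DNSMasq Options)
#   ip route show | check_dns_split tun1 eth0 10.0.0.241 1.1.1.1 1.0.0.1
```

The DHCP side is the part people forget: routing 10.0.0.241 through the tunnel does nothing for a client that never asks 10.0.0.241, and handing it to a non-PBR client would make that client's DNS unreachable, which is exactly why the tag is set per MAC. Clients with a statically configured DNS server ignore option 6 and need the same server set by hand.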
Thanks EGC I think I got it now. I wasn't comprehending the guide correctly and your explanation helped.
I now seem to have it set up correctly. One question though, to have clients use the VPN DNS I use the address 10.0.0.241. I'm just curious how that equates to what the VPN DNS is?
And thanks for the Telnet tip. That indeed was my problem.
Joined: 18 Mar 2014 Posts: 12837 Location: Netherlands
Posted: Sat Jun 12, 2021 9:52 Post subject:
Some providers use their own DNS servers on their private subnet.
According to @eibgrad (and when he speaks, we listen), ExpressVPN's DNS servers are not very reliable.