HOW-TO: configure the OpenVPN client for AirVPN

SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1444
Location: Appalachian mountains, USA

Posted: Mon Dec 09, 2019 14:17
egc wrote:
    SurprisedItWorks wrote:
        pull-filter ignore "dhcp-option DNS6 "
        pull-filter ignore "ifconfig-ipv6 "
        pull-filter ignore "redirect-gateway ipv6 "

        While this solution works great with OpenVPN 2.4.7, which I am on now, in OpenVPN 3 pull-filter will, per Air support staff, be deprecated.

    Do they not mean it is not working in the older OpenVPN 2.3?
    Because the pull filter option was only added starting with version 2.4?

No, they mean it will not work in versions 3.x of the OpenVPN library, either the main fork or their own branch, which they are using now in work on the next-gen Eddie clients.

Thanks for the heads up on pull-filter only appearing in 2.4. I'll tweak the post accordingly.

_________________
2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
gunz1
DD-WRT Novice


Joined: 31 Aug 2019
Posts: 2

Posted: Mon Dec 23, 2019 17:57    Subject: DNS questions with openVPN / airVPN
Firstly, this is an outstanding thread - best I've found to use AirVPN with DD-WRT. I have everything working, but I am finding an issue with DNS. Specifically, Netflix doesn't like VPN usage, and it seems that DNS is the culprit. Netflix works fine in my config until I enable the AirVPN client.

Now, in my config, I use VLANs and smart switches, so the network traffic is tagged. vlan1 is the home network, on br0, and vlan10 is the guest on br1. I am using PBR to route the guest network subnet out to AirVPN, while the home network remains outside of the VPN. HOWEVER, it seems that DNS queries are all going to AirVPN even on the home network and this is causing a failure to connect to Netflix. I can see in IPleak.net that no matter what settings I try, I only get AirVPN DNS servers, regardless of which VLAN I am on.

Is there a way, per bridge or VLAN, to make DNS queries use the Basic Setup DNS server settings? I saw the note regarding forced DNS redirection on an unbridged interface, and while that might work for br1, I want to have br0 use the DNS in Basic Settings, not what is pushed from AirVPN. It seems the DNS address pushed from AirVPN overrides everything.
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1444
Location: Appalachian mountains, USA

Posted: Tue Dec 24, 2019 2:26
You are absolutely right. The entire router is using the VPN provider's pushed DNS server(s).

Here's the deal. Ordinarily the DNS servers used for the entire router are those listed in /tmp/resolv.dnsmasq (assuming you use DNSMasq for DNS, which is automatic in recent builds), and they are queried in the order listed. If there is no VPN client running and you don't supply values for "Static DNS X" in Basic Setup for X=1, 2, and 3, this file will contain only the IP addresses of DNS servers pushed to the router by your ISP. If you provide those static DNS servers in Basic Setup, you'll see your choices pushed onto the top of the list in the file, so your ISP's servers will be used only if your preferred ones are not responding (or not responding quickly enough). When you run the VPN client on newer dd-wrt builds (late 2019), any DNS server pushed to the client by the VPN server will be pushed on top of the list after the other entries are present already, so in that file you'll see

your VPN provider's DNS server(s)
the DNS servers you configured in Basic Setup
your ISP's DNS servers


so your VPN provider's DNS server(s) will be tried first. Only if there is no response (in a reasonable amount of time) will the DNS servers you configured in Basic Setup be tried. And if none of those work, your ISP's servers will get used. And this applies to everything on your system, both those IPs routed through the VPN using PBR and those IPs not routed through the VPN.

To get the non-VPN part of your system to NOT use the VPN-provider's servers, you really have to reconfigure DNS for the whole router. Of course then you follow up by configuring DNS for the VPN subnet differently. To redo things for the whole router to not use the VPN provider's servers, you have two choices.

1. You can prevent the servers of your VPN provider, here AirVPN, from being pushed onto the list in /tmp/resolv.dnsmasq by including these lines in Additional Config in the OpenVPN Client area of GUI>Services>VPN:

pull-filter ignore "dhcp-option DNS "
pull-filter ignore "dhcp-option DNS6 "


These are the precise commands in the AirVPN case. For other VPN providers YMMV. Note though that the "pull-filter ignore" command used here will be deprecated in OpenVPN 2.5, which dd-wrt will move to eventually, likely in a year or so.

2. Or you can have DNSMasq simply ignore /tmp/resolv.dnsmasq altogether by including no-resolv in the DNSMasq Additional Config area of GUI>Services>Services. If you do this, you'll also need to include one or more lines there like server=1.1.1.1 to specify DNS servers to use instead. By default DNSMasq will treat all servers you specify in this way equally and will decide which to use at any time based on their response times, etc. If you want DNSMasq to always (for example) prefer 1.1.1.1 and to use 9.9.9.9 only when 1.1.1.1 is not responding quickly (or occasionally anyway just to get a sense of its response times), list them in Additional Config with the preferred server last:

server=9.9.9.9
server=1.1.1.1


and either enable the "Query DNS in Strict Order" option in the DNSMasq config section or also include strict-order in DNSMasq Additional Config.

There is one nice side benefit to method 2. If your ISP is grabbing your port-53 DNS queries and rerouting them to its own servers, with some DNS providers you can query on an alternate port that your ISP may not interfere with. For example, for Quad9 DNS and Adguard DNS you can specify

server=9.9.9.9#9953
server=176.103.130.130#5353


Here # introduces a port number (DON'T use a colon!) and not a comment, even though you can use # in DNSMasq Additional Config to make comments of entire lines. Which port to use? It depends on the DNS provider. Check its website.

Now, once you have the router as a whole ignoring the VPN provider's pushed DNS server(s), you are back to the PBR discussion in the original post above: If a bridge br1 is routed through the VPN, go to GUI>Setup>Networking, scroll way down to just before the DHCP section, and you'll see "Network Configuration br1." In that section you can set "Optional DNS Target" to the desired DNS server for br1. If you want to use an AirVPN DNS server (and this works ONLY if you are connected to an AirVPN VPN server), the classic solution is to use 10.4.0.1. I found that 10.5.0.1 worked equally well. Air accommodates this by keeping these IPs pointed at their DNS servers. It's not quite as ideal as using the one they pushed, but frankly I don't know how to grab and use the pushed ones for one subnet only. (In principle a script could grab it from the VPN log, but then what?)

If instead of a bridge you are routing traffic from a wifi interface through the VPN using PBR, go to GUI>Wireless>BasicSettings, find the config area for the interface in question, check "Advanced Settings," and enter the desired DNS server as the "Optional DNS Target."

For either a bridge or wifi interface, to use the router's DNS setup as configured above, set its Optional DNS Target to the IP address configured for that interface.

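As an added example (not from the post above, and not dd-wrt's or dnsmasq's own code), a small Python model of the two methods just described: applying pull-filter ignore prefixes to pushed options, and working out which upstreams dnsmasq is left with after no-resolv, server= and strict-order, with a check for the colon-instead-of-# mistake. It assumes OpenVPN matches the quoted pull-filter text against the start of each pushed option, and that any resolv-file entries dnsmasq keeps are listed ahead of the server= lines; the resolv file and pushed options are constructed samples.

```python
import ipaddress
import re

# Constructed sample of /tmp/resolv.dnsmasq while the VPN client is up:
# pushed VPN resolver on top, then Basic Setup static DNS, then the ISP's.
SAMPLE_RESOLV = "nameserver 10.4.0.1\nnameserver 1.1.1.1\nnameserver 203.0.113.53\n"
# Constructed sample of options a VPN server might push to the client.
SAMPLE_PUSHED = ["dhcp-option DNS 10.4.0.1", "dhcp-option DNS6 2001:db8::53",
                 "redirect-gateway def1"]

def apply_pull_filters(pushed, filters):
    """Method 1: drop pushed options matched by pull-filter ignore "<text>".
    Assumed: OpenVPN matches <text> against the start of each pushed option,
    so the trailing space in "dhcp-option DNS " keeps it from matching DNS6."""
    prefixes = [m.group(1) for m in (re.fullmatch(r'pull-filter ignore "(.*)"', f.strip())
                                     for f in filters) if m]
    return [o for o in pushed if not any(o.startswith(p) for p in prefixes)]

def parse_server(line):
    """Parse a dnsmasq server=IP#port option into (ip, port); default port 53.
    Rejects the server=9.9.9.9:9953 form the post warns about: dnsmasq wants
    '#' before the port; ':' is not a port separator here."""
    m = re.fullmatch(r"server=([^#]+)(?:#(\d+))?", line.strip())
    if not m:
        raise ValueError(f"not a server= option: {line!r}")
    host, port = m.group(1), int(m.group(2) or 53)
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}:\d+", host):
        raise ValueError(f"use '#', not ':', before the port: {line!r}")
    ipaddress.ip_address(host)  # raises ValueError if host is not an IP
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {line!r}")
    return host, port

def effective_upstreams(resolv_text, additional_config):
    """Method 2: the upstream list dnsmasq ends up with, as (servers, strict).
    '#' lines are comments; no-resolv discards the resolv file; with
    strict-order the last server= line is tried first ("preferred server
    last"). Assumption: resolv-file entries, if kept, precede server= lines."""
    opts = [l.strip() for l in additional_config.splitlines()
            if l.strip() and not l.strip().startswith("#")]
    strict = "strict-order" in opts
    configured = [parse_server(o) for o in opts if o.startswith("server=")]
    servers = []
    if "no-resolv" not in opts:  # resolv file entries are tried in file order
        servers = [(l.split()[1], 53) for l in resolv_text.splitlines()
                   if l.startswith("nameserver ")]
    servers += list(reversed(configured)) if strict else configured
    return servers, strict
```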
gunz1
DD-WRT Novice


Joined: 31 Aug 2019
Posts: 2

Posted: Mon Dec 30, 2019 15:38    Subject: Thanks again - works great
I used option 2 you provided and that does exactly what I was looking for.

If I wanted to provide multiple DNS servers to the br1 interface, I believe I could also add dhcp-option=br1,6,[DNS IP 1],[DNS IP 2] into the "additional dnsmasq options" to do this, rather than relying on the "Network Configuration br1" "Optional DNS Target", but I haven't tested it yet since it's working as expected.
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1444
Location: Appalachian mountains, USA

Posted: Mon Dec 30, 2019 17:06    Subject: Re: Thanks again - works great
gunz1 wrote:
    I used option 2 you provided and that does exactly what I was looking for.

    If I wanted to provide multiple DNS servers to the br1 interface, I believe I could also add dhcp-option=br1,6,[DNS IP 1],[DNS IP 2] into the "additional dnsmasq options" to do this, rather than relying on the "Network Configuration br1" "Optional DNS Target", but I haven't tested it yet since it's working as expected.

I'm no expert on this, but I did experiment once with the feature you suggest, and what happened was that the dhcp-option=... command did not change the DNS behavior of dnsmasq in dd-wrt. Instead it changed what DNS servers were pushed to clients when they connected and were assigned IPs by DHCP. Here I have Forced DNS Redirection enabled on the GUI>Setup>BasicSetup page, so pushing a different DNS server to a client changed nothing, as a DNS query from a client then tried to access the pushed server on port 53, triggering dd-wrt's forced redirection of the query to the servers managed by the DNS part of dnsmasq.

If you don't use forced redirection, using your dhcp-option=br1,6,[DNS IP 1],[DNS IP 2] line would cause the DNS servers pushed to the client to be the two DNS servers you specify in this line rather than the router IP. This would remove dnsmasq from the DNS business (for clients) altogether.

It helps to think of the DHCP and DNS functions of dnsmasq separately. The "option 2" method I discussed and you used is a DNS thing. Your hypothetical dhcp-option=br1,6,[DNS IP 1],[DNS IP 2] addition would be a DHCP thing that would not change dnsmasq's DNS behavior at all but that would cause it not to be used by the client at all (unless you use forced redirection).

Sometimes it's really surprising what a messy business DNS is!

Rookie722
DD-WRT Novice


Joined: 30 Apr 2022
Posts: 1

Posted: Sat Apr 30, 2022 12:41    Subject: Update Q2/2022
Hello all,
First, I would like to say a BIG THANK YOU to the OP for the great guide and detailed explanation.

Second, this is my first post to this forum. I did sign-up to share my update to AirVPN setup. This is my 3rd day with DD-WRT router and I am loving it! This was done on Linksys WRT3200ACM on firmware: DD-WRT v3.0-r48741 std (04/26/22).


Now let's get down to business.

I have tried the procedures explained here but unfortunately they did not work for me, but they did lead me to the right one.

Go to Services, VPN, OpenVPN Client.

Below is the configuration setup that worked:
Start OpenVPN Client Enable

CVE-2019-14899 Mitigation Enable

Server IP/Name : Port
gb3.vpn.airdns.org : 1194

Set Multiple Servers Disable

Tunnel Device
TUN

Tunnel Protocol
udp4

Encryption Cipher
AES-256-CBC

Hash Algorithm
Not set

First Data Cipher
AES-256-CBC

Second Data Cipher
AES-256-GCM

Third Data Cipher
AES-128-CBC

User Pass Authentication Disable

Advanced Options Enable

TLS Cipher
TLS-DHE-RSA-WITH-AES-256-CBC-SHA256

Compression
Disabled

NAT Enable

Inbound Firewall on TUN (Check)

Killswitch (Unchecked)

Watchdog Disable

Source routing (PBR)
Route all sources via VPN

IP Address (BLANK)

Subnet Mask (BLANK)

Tunnel MTU setting
1400

Tunnel UDP Fragment (BLANK)

Tunnel UDP MSS-Fix Disable

Verify Server Cert. (Check)

TLS Key choice TLS Crypt

TLS Key (tls-crypt.key)

Additional Config:
client
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
auth-nocache
route-delay 5
verb 3
explicit-exit-notify 5
remote-cert-tls server
cipher AES-256-CBC
comp-lzo no
proto udp
auth SHA512

PKCS12 Key (BLANK)

Static Key (BLANK)

CA Cert (ca.crt)

Public Client Cert (user.crt)

Private Client Key (user.key)


Finally, going to Setup tab, Basic Setup, then, scroll down to Static DNS 1: 1.1.1.1, DNS 2: 8.8.8.8 or choose your preferred DNS.

It should work within 30 seconds tops.

For more info I highly encourage you to read the OP, even after it works.

Thank you all
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12836
Location: Netherlands

Posted: Sat Apr 30, 2022 18:31
Thank you for posting.

Unfortunately that is not the preferred way of setting up.

You should not use anything in the Additional config.

Have a look at the manuals:

https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327398

This is a sticky (first few threads) in this forum.

You need the Client Setup guide, which has a link to this thread, which uses different settings than you are advocating.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
grc
DD-WRT User


Joined: 11 Jul 2018
Posts: 122

Posted: Sun May 01, 2022 20:45    Subject: Re: DNS questions with openVPN / airVPN
gunz1 wrote:
    Now, in my config, I use VLANs and smart switches, so the network traffic is tagged. vlan1 is the home network, on br0, and vlan10 is the guest on br1. I am using PBR to route the guest network subnet out to AirVPN, while the home network remains outside of the VPN. HOWEVER, it seems that DNS queries are all going to AirVPN even on the home network and this is causing a failure to connect to Netflix. I can see in IPleak.net that no matter what settings I try, I only get AirVPN DNS servers, regardless of which VLAN I am on.

    Is there a way, per bridge or VLAN, to make DNS queries use the Basic Setup DNS server settings? I saw the note regarding forced DNS redirection on an unbridged interface, and while that might work for br1, I want to have br0 use the DNS in Basic Settings, not what is pushed from AirVPN. It seems the DNS address pushed from AirVPN overrides everything.


For years I have used another way to split DNS for AirVPN. It is a little bit complicated, but it fully isolates VPN DNS handling from the primary router DNS server (dnsmasq).

For example, VPN on br1 with policy-based routing (PBR):

First, create another instance of dnsmasq as a DNS server only for the VPN, in Administration/Commands/Startup:

Code:
# Second dnsmasq instance: serves DNS only on br1 (no DHCP there) and
# forwards to whatever /tmp/resolv.vpn names (written by up.sh below).
DNSMASQ2_CONF="/tmp/dnsmasq2.conf"
echo -e 'interface=br1
no-dhcp-interface=br1
domain-needed
bogus-priv
cache-size=1500
resolv-file=/tmp/resolv.vpn
stop-dns-rebind' > "$DNSMASQ2_CONF"

# Symlink so the second instance runs under its own process name.
ln -s "$(which dnsmasq)" /tmp/dnsmasq2

# Wait until the router's main dnsmasq is up, then start the second one on
# port 5353 so it does not collide with the main instance on port 53.
(
while ! pidof dnsmasq > /dev/null 2>&1; do sleep 10; done
"$(which nohup)" /tmp/dnsmasq2 -p 5353 -u root -g root --conf-file="$DNSMASQ2_CONF" > /dev/null 2>&1
) &


Second, redirect DNS queries from br1 to the newly created DNS server, in Administration/Commands/Firewall:

Code:
# Any port-53 query arriving on br1 (UDP and TCP) is redirected to the
# second dnsmasq instance on port 5353.
iptables -t nat -I PREROUTING -i br1 -p udp --dport 53 -j DNAT --to 192.168.1.1:5353
iptables -t nat -I PREROUTING -i br1 -p tcp --dport 53 -j DNAT --to 192.168.1.1:5353


Third, you have to create an up script: create a file "up.sh" and put this in:

Code:
#!/bin/sh
# Run by OpenVPN each time the tunnel comes up. OpenVPN exports the tunnel
# gateway as $route_vpn_gateway; the AirVPN DNS server answers at that IP.
echo "nameserver $route_vpn_gateway" > /tmp/resolv.vpn


Save the file in /jffs. Then put up /jffs/up.sh and pull-filter ignore "dhcp-option DNS" in the Additional Config of the OpenVPN Client configuration. This extracts the DNS IP from the AirVPN server on each VPN client restart. Reboot.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12836
Location: Netherlands

Posted: Sun Jun 19, 2022 11:49
Split DNS is now part of the GUI.