What I suspect is that when you specified the NordVPN DNS servers on the WAN, you did NOT also check the "Ignore WAN DNS" option.
If that's the case, that means the NordVPN DNS servers will be combined with those of the ISP. But if the ISP reserves those DNS servers for the exclusive use of its own customers over the WAN (i.e., they are effectively *private*), then when the OpenVPN client gets connected, access to the ISP's DNS servers will fail, since the VPN requires *public* access! That might explain why some DNS queries work and others do NOT.
As I explained in the prior post, leave the WAN configuration alone. Let it default to the ISP's DNS servers. It doesn't matter because we're *overriding* those DNS servers anyway w/ server directives in DNSMasq, then binding those same DNS servers to the OpenVPN client.
IOW, before the OpenVPN client is connected, 1.1.1.1 and 1.0.0.1 are accessed over the WAN. Once the OpenVPN client is connected, they're accessed over the VPN. Simple.
Of course, you can use *any* DNS servers you want, it doesn't matter. Just so long as they are *publicly* accessible, even those from NordVPN. We're just trying to avoid the use of those from the ISP, which are probably only *privately* accessible.
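The two settings the post above describes, written out as config text so they can be reviewed before pasting into DD-WRT's "Additional DNSMasq Options" and the OpenVPN client's "Additional Config" fields. This is an added example, not the poster's own code or anything shipped with DD-WRT: it assumes the 1.1.1.1 / 1.0.0.1 resolvers from the thread, a tunnel interface named tun1, and uses dnsmasq's `no-resolv` as the way of dropping the ISP's resolvers, which the post does not name explicitly.

```shell
#!/bin/sh
# Added example (not from the thread): generate the dnsmasq and OpenVPN client
# snippets for "override the ISP resolvers, then bind them to the tunnel".
# Assumptions: resolvers 1.1.1.1 / 1.0.0.1, VPN interface tun1, POSIX sh (Busybox on DD-WRT).

DNS1="1.1.1.1"
DNS2="1.0.0.1"

# dnsmasq: 'no-resolv' makes it ignore the resolver list handed over by WAN DHCP,
# so only the 'server=' entries below are ever queried (assumed mechanism).
dnsmasq_options() {
  printf 'no-resolv\nserver=%s\nserver=%s\n' "$DNS1" "$DNS2"
}

# OpenVPN client: host routes for the two resolvers. A plain 'route' directive is
# installed via the tunnel gateway when the client connects, so the same resolvers
# move from the WAN to the VPN exactly as the post describes.
openvpn_additional_config() {
  printf 'route %s 255.255.255.255\nroute %s 255.255.255.255\n' "$DNS1" "$DNS2"
}

# Post-connection check helper: given the output of `ip route get <resolver>`,
# print the interface the kernel would use. Expect tun1 once the client is up.
resolver_goes_via() {
  echo "$1" | sed -n 's/.* dev \([^ ]*\).*/\1/p'
}

# Usage on the router (constructed, run by hand):
#   dnsmasq_options            -> paste into Additional DNSMasq Options
#   openvpn_additional_config  -> paste into the OpenVPN client Additional Config
#   resolver_goes_via "$(ip route get 1.1.1.1)"   -> should print tun1
```

If the check prints the WAN interface instead of tun1, the route directives have not been applied (the client has not connected yet, or the config field was not saved); if DNS still fails while the route is correct, the resolver itself is not publicly reachable, which is the private-resolver problem the post explains.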
I thought I posted the "it works" message.... lol maybe in my excitement I forgot to click post... lol
But yes, it is working now. I tried my idea of putting the CloudFlare DNS server addresses in the WAN DNS fields, but that didn't work.
I then did your method by adding the additional configs, and the websites that were not working are now loading without issue.
Thanks again!
By the way, do you have any suggestion for a tutorial on how to secure a DD-WRT router from external threats? Searching Google, it seems everyone has their own opinion on "How To", but I'd also like to know the "Why".
Aw heck, just when I thought I got the VPN set up to work with everything... Amazon Prime on the TV is angry that it's on a VPN...
Well that's a completely different kind of problem. It's technically NOT a configuration error. It's just the content provider preventing unauthorized access by detecting your usage of a VPN, be it the VPN server itself (which is usually well-known) and/or the use of DNS over the VPN.
Just the total opposite of what I conquered a few years ago... I travel out of the USA for the winter months, my wife wants to watch NASCAR so I needed a VPN so she could watch the races.
Currently, being Stateside, simply centrally securing my internet with a VPN that I've had, now my wife cannot watch Amazon Prime Video with the VPN active on the router...
GAD! Technology is a headache!
Well, I guess I could:
A: DMZ a LAN port of the DD-WRT VPN router and put another DD-WRT router - non-VPN, on that DMZ port, put all the IoT junk on a managed switch connected to the non-VPN router as well as the WiFi devices.
or
B: Have a DD-WRT Non-VPN router first in the LAN chain after the modem, plug in the managed switch and IoT devices, also use this non-vpn router for WiFi.
Plug in the DD-WRT VPN router into one of the non-vpn LAN ports and disable the wifi.
If a device in my house has a LAN port, it's using wired. The only things that are wifi are the phones and tablets... so no biggie...
I'm still NOT clear here what the VPN is intended for.
If you can live w/ having Amazon Prime routed over the WAN, then you can simply use PBR (policy based routing) to route all the traffic over the VPN, except for the TV. You can also use Split DNS so the WAN and VPN use different DNS servers (as I said, sometimes the content providers can detect the use of a VPN for DNS, even if the content itself is being routed over the WAN).
However, if you need to route Amazon Prime over the VPN to circumvent region restrictions, then obviously the above doesn't solve that problem. You need to resolve that w/ the choice of VPN provider, one who offers specific servers to circumvent region restrictions. In some cases, that might require a static IP w/ the VPN provider ($$) because it's far less likely to be KNOWN as coming from a VPN provider.
Then there's the issue of needing to route only *some* of the content from the TV, and not the internet generally, such as things like YT (YouTube). That's another configuration entirely.
Then there are users who want nothing more than to obscure their public IP, like me! I couldn't care less about content issues since I don't watch any of it anyway!
IOW, ppl are using VPNs for a variety of reasons, and each requires fine tuning to meet those needs. But the devil is in the details, in knowing *precisely* what you want the VPN to do. Right now, the process has been rather piecemeal; we only find out what you need when something doesn't work as expected.
There is no real definite reason to use the VPN here, Stateside other than ... because I already have NordVPN and because I would like to simply obfuscate my connection to the internet for privacy... because I can. ( Great minds think alike )
When I'm traveling, using public WiFi, sharing private WiFi or plugging into a network at a hotel or AirBnB, this is why I have NordVPN but I have only been using the NordVPN app on each device. I'll take what I've learned today to make a "travel router" ... specifically on hardware that I can tether to my cell phone to have a secondary internet connection.
Where I typically travel, electricity can drop out unexpectedly, water can shut off while you are taking a sun-warmed water shower, the CATV / internet can go poof in an instant... the one service that is typically resilient is cellular / cellular data, but that too could be shut off if the government wanted to do so. Last resort is to tether to my satellite phone if the shizzle really hit the fan, but at that point I'd probably be on the move and using the VPN as a mobile app.
With all that said...
It sounds like from what you are saying, I can use this router ( Netgear R7000P ) with the VPN set up on it, but yet have non-VPN connections. I doubt I'm using the appropriate terminology. I remember seeing certain features in the WiFi settings and in the routing or NAT or something... while playing with DD-WRT.
It's called PBR (policy based routing), aka split tunneling.
By default, when you connect to a commercial OpenVPN provider, ALL your devices, router and WLAN/LAN, are then routed over the VPN. And in many cases, such as on the road, that makes the most sense.
However, sometimes you don't want ALL your devices routed over the VPN, only some. The others should continue to be routed over the WAN, exactly as they were before the VPN was running. Sometimes it's just a preference, other times it's a necessity (e.g., your Amazon Prime is complaining because it KNOWS you're using a VPN and refuses to stream).
The OpenVPN client is a powerful tool that is more than just a simple "route it all over the VPN" solution. You can control precisely what uses the VPN vs. the WAN. You can even split DNS, so those devices bound to the WAN use a DNS server likewise bound to the WAN, while those bound to the VPN use a DNS server likewise bound to the VPN.
You can even choose the default behavior of split tunneling, i.e., what is the default routing to the internet, VPN or WAN, and what are the exceptions to that default.
There's also a killswitch to block access to the WAN for those bound to the VPN (should the VPN fail for any reason), and a watchdog to restart failed connections.
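The three mechanisms the post above lists (PBR with "default to VPN, TV is the exception", split DNS for the WAN-bound host, and a kill switch) done with the Linux policy routing and iptables that a DD-WRT shell already has. This is an added example, not the poster's script and not DD-WRT's own PBR implementation: it assumes the WAN on eth0, the LAN bridge br0, the tunnel on tun1, one TV at 192.168.1.50 as the WAN exception, and a WAN-side resolver of 1.1.1.1; interface names, addresses and the routing table number are all constructed.

```shell
#!/bin/sh
# Added example (not the poster's or DD-WRT's own code): split tunneling via policy
# routing, split DNS via DNAT, and a kill switch for the VPN-bound LAN hosts.
# Assumptions: WAN eth0, LAN bridge br0, tunnel tun1 is already the default route in the
# main table (OpenVPN redirect-gateway), 192.168.1.50 is the only host kept on the WAN.
# Set DRY_RUN=1 to print the commands instead of executing them.

WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-br0}"
WAN_TABLE=100              # routing table that keeps the pre-VPN default route
WAN_HOSTS="192.168.1.50"   # space-separated LAN hosts that must bypass the VPN
WAN_DNS="1.1.1.1"          # resolver the WAN-bound hosts are steered to (split DNS)

run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

# PBR: everything not listed already goes out tun1 via the main table, so only the
# exceptions need a rule pointing them at a table whose default route is the WAN.
pbr_setup() {
  gw="$1"   # WAN gateway; on DD-WRT this comes from `nvram get wan_gateway`
  run ip route add default via "$gw" dev "$WAN_IF" table "$WAN_TABLE"
  for h in $WAN_HOSTS; do
    run ip rule add from "$h" table "$WAN_TABLE" priority 1000
  done
  run ip route flush cache
}

# Split DNS: port-53 traffic from the WAN-bound hosts is rewritten to a resolver that
# is itself reached over the WAN. DNAT runs before routing and keeps the source IP,
# so the PBR rule above still sends the rewritten query out the WAN.
splitdns_setup() {
  for h in $WAN_HOSTS; do
    for proto in udp tcp; do
      run iptables -t nat -I PREROUTING -i "$LAN_IF" -s "$h" -p "$proto" --dport 53 \
        -j DNAT --to-destination "$WAN_DNS"
    done
  done
}

# Kill switch: LAN traffic is never forwarded out the WAN interface, so nothing leaks
# if tun1 drops and the default route falls back to the WAN. The REJECT is inserted
# first; each exception host's ACCEPT is then inserted above it.
killswitch_setup() {
  run iptables -I FORWARD -i "$LAN_IF" -o "$WAN_IF" -j REJECT
  for h in $WAN_HOSTS; do
    run iptables -I FORWARD -i "$LAN_IF" -s "$h" -o "$WAN_IF" -j ACCEPT
  done
}

# Usage on the router (constructed): review with DRY_RUN=1 first, then run for real,
# e.g. from the OpenVPN client's route-up hook once tun1 is up.
#   DRY_RUN=1 pbr_setup "$(nvram get wan_gateway)"
#   pbr_setup "$(nvram get wan_gateway)"; splitdns_setup; killswitch_setup
```

Two checks worth doing after applying it: `ip rule show` should list the `from 192.168.1.50` rule ahead of `main`, and `iptables -L FORWARD -n --line-numbers` should show the ACCEPT for that host above the REJECT. Note the kill switch also blocks the VPN-bound hosts before the tunnel first comes up, which is the intended behaviour, and that the rules do not survive a reboot unless placed in the router's startup or firewall script.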
I'm reading on Split Tunneling right now... if I have a question that I cannot figure out, I'll use the search feature of the forum... if I'm still stumped, I'll start a new thread.