(OLD) DD-WRT (Openvpn client) DNS Leak help

DD-WRT Forum Forum Index -> Advanced Networking
wildcat2083
DD-WRT Novice


Joined: 10 Apr 2016
Posts: 24

PostPosted: Wed Mar 29, 2017 3:48    Post subject: (OLD) DD-WRT (Openvpn client) DNS Leak help
Here is the issue I am facing.
I currently have static addresses assigned to DD-WRT:
8.8.8.8
8.8.4.4
and 10.0.0.0 <<< that's just a dummy one
I have both a VPN server and a VPN client set up through DD-WRT, with the proper firewall rules etc. all set up, and it all works except for one thing. Because I have web servers and such running, I was forced to use policy based routing for my local clients and my VPN clients so that all the internet traffic would pass properly through the VPN (the client, a paid service) and I could still use things like SSH and whatever without the VPN breaking it. The problem is the DNS that the VPN pushes (again from the paid service, not my server): the router uses the static assigned Google DNS setting supplied in the main page instead. How do I make any IP in the policy based routing use ONLY the DNS provided by the paid VPN service? I've tried iptables and the route command, and nothing aside from manually changing the clients individually works, which can be cumbersome as every time the VPN reconnects its DNS changes.

If any logs or configuration are needed, please tell me; I will copy and paste any additional info (netstat, route commands, etc.).

Startup Box
Code:
#!/bin/sh
export DEBUG= # uncomment/comment to enable/disable debugging mode
# ---------------------------------------------------------------------------- #
# ddwrt-ovpn-table-10-fix.sh: v2.0.0, 28 February 2017, by eibgrad
# bug report: http://svn.dd-wrt.com/ticket/5690
# install this script in the dd-wrt startup script
# ---------------------------------------------------------------------------- #

SCRIPT_DIR="/tmp"
SCRIPT="$SCRIPT_DIR/ddwrt-ovpn-table-10-fix.sh"
mkdir -p "$SCRIPT_DIR"

# write the worker script to /tmp (quoted heredoc: nothing is expanded here)
cat << "EOF" > "$SCRIPT"
#!/bin/sh
(
[ "${DEBUG+x}" ] && set -x

MAX_PASS=0 # max number of passes through routing tables (0=infinite)
SLEEP=60 # time (in secs) between each pass

# ---------------------- DO NOT CHANGE BELOW THIS LINE ----------------------- #

TID="10" # OpenVPN client policy based routing (pbr) table
ROUTES="/tmp/tmp.$$.routes"

# initialize this run
pass_count=0

while :; do
    # initialize this pass
    pass_count=$((pass_count + 1))
    table_changed=false

    # wait for creation of OpenVPN client alternate routing table
    while [ ! "$(ip route show table $TID)" ]; do sleep 10; done; sleep 3

    # main-table routes, minus the default and split-default routes the VPN adds
    ip route show | grep -Ev '^default|^0.0.0.0/1|^128.0.0.0/1' > "$ROUTES"

    # add routes to pbr found in main routing table
    while read route; do
        if ! ip route show table $TID | grep -qF -- "$route"; then
            ip route add $route table $TID && table_changed=true
        fi
    done < "$ROUTES"

    ip route show table $TID | grep -Ev '^default' > "$ROUTES"

    # remove routes from pbr not found in main routing table
    while read route; do
        if ! ip route show | grep -qF -- "$route"; then
            ip route del $route table $TID && table_changed=true
        fi
    done < "$ROUTES"

    # force routing system to recognize our changes (POSIX test; no bash [[ ]] under /bin/sh)
    [ "$table_changed" = true ] && ip route flush cache

    # quit if we've reached any execution limits
    [ $MAX_PASS -gt 0 ] && [ $pass_count -ge $MAX_PASS ] && break

    # put it to bed for a while
    [ $SLEEP -gt 0 ] && sleep $SLEEP
done

# cleanup
rm -f "$ROUTES"

echo "done"
exit 0

) 2>&1 | logger -t $(basename $0)[$$]
EOF

chmod +x "$SCRIPT"
nohup "$SCRIPT" > /dev/null 2>&1 &


Firewall Box
Code:
#!/bin/sh
#         name: ddwrt-ovpn-pbr-block-wan.sh
#      version: 2.0.2, 12-Feb-2016, by eibgrad
#      purpose: block access LAN->WAN for IPs in OpenVPN client policy based routing
#  script type: firewall
#   dd-wrt ref: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=288852
# instructions:
#   1. set VPN_ENABLED_ONLY to your preference
#   2. set FW_STATE to your preference
#   3. install this script in the router's firewall script
#   4. reboot router

VPN_ENABLED_ONLY="1" # (0 = apply rules 24/7, 1 = apply rules only if VPN enabled)

# state checking: "state NEW" vs. no state
#   state NEW (default):
#     * any pre-existing LAN->WAN connections persist until/unless they timeout/close
#     * remote access (WAN->LAN) is allowed (provided port forwarding is enabled)
#     * more efficient (only LAN->WAN packets used to establish NEW connections are inspected)
#   no state:
#     * any pre-existing LAN->WAN connections are stopped/blocked
#     * remote access (WAN->LAN) is denied (even if port forwarding is enabled)
#     * less efficient (every LAN->WAN packet is inspected)

FW_STATE="-m state --state NEW"
#FW_STATE="" # uncomment/comment to disable/enable state checking

# interface of the default route (the WAN side, since PBR keeps the VPN out of the main default)
WAN_IF="$(ip route | awk '/^default/{print $NF}')"
FW_CHAIN="blocked-ips"

# cleanup from possible prior execution
(
iptables -D FORWARD -o $WAN_IF $FW_STATE -j $FW_CHAIN
iptables -F $FW_CHAIN
iptables -X $FW_CHAIN
) > /dev/null 2>&1

# quit if no IPs in policy based routing
[ -z "$(nvram get openvpncl_route)" ] && exit

# quit if vpn disabled (unless firewall rules still need to be enforced)
[ "$(nvram get openvpncl_enable)" = "0" ] && [ "$VPN_ENABLED_ONLY" != "0" ] && exit

# create firewall chain for blocked IPs
iptables -N $FW_CHAIN

# read IP addresses from OpenVPN client policy based routing
echo -e "$(nvram get openvpncl_route)" | \
    while read ip; do
        ip=$(printf '%s' "$ip" | tr -d '\r') # remove carriage returns (portable sh, no bash ${var//})

        [ -z "$ip" ] && continue # skip blank lines

        # block access LAN->WAN for this IP address
        iptables -A $FW_CHAIN -p tcp -s $ip -j REJECT --reject-with tcp-reset
        iptables -A $FW_CHAIN -s $ip -j REJECT --reject-with icmp-host-prohibited
    done

# begin blocking: force LAN->WAN traffic thru firewall chain for inspection
iptables -I FORWARD -o $WAN_IF $FW_STATE -j $FW_CHAIN

# accept inbound TCP and UDP on port 81 to the router itself (separate from the LAN->WAN blocking above)
iptables -I INPUT -p tcp --dport 81 -j ACCEPT
iptables -I INPUT -p udp --dport 81 -j ACCEPT


route -n
Code:
root@DD-WRT:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         75.111.156.x    0.0.0.0         UG    0      0        0 eth0
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun2
10.86.1.201     0.0.0.0         255.255.255.255 UH    0      0        0 tun1
75.111.15x.0    0.0.0.0         255.255.252.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 br0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0


netstat -r
Code:
 netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         75-111-15x-x.lb 0.0.0.0         UG        0 0          0 eth0
10.8.0.0        *               255.255.255.0   U         0 0          0 tun2
10.86.1.201     *               255.255.255.255 UH        0 0          0 tun1
75.111.156.0    *               255.255.252.0   U         0 0          0 eth0
127.0.0.0       *               255.0.0.0       U         0 0          0 lo
169.254.0.0     *               255.255.0.0     U         0 0          0 br0
192.168.1.0     *               255.255.255.0   U         0 0          0 br0


Policy Based Routing

Code:
192.168.1.15/32
192.168.1.100/30
192.168.1.104/29
192.168.1.112/28
192.168.1.128/28
192.168.1.144/30
192.168.1.148/31
10.8.0.0/24


openvpn logs (server and client)
Code:
Serverlog:
19691231 18:00:38 W WARNING: file '/tmp/openvpn/ta.key' is group or others accessible
19691231 18:00:38 I OpenVPN 2.4.0 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jan 8 2017
19691231 18:00:38 I library versions: OpenSSL 1.0.2h 3 May 2016 LZO 2.09
19691231 18:00:38 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:14
19691231 18:00:38 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
19691231 18:00:38 Diffie-Hellman initialized with 2048 bit key
19691231 18:00:38 W WARNING: Your certificate is not yet valid!
19691231 18:00:38 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
19691231 18:00:38 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
19691231 18:00:38 I TUN/TAP device tun2 opened
19691231 18:00:38 TUN/TAP TX queue length set to 100
19691231 18:00:38 D do_ifconfig tt->did_ifconfig_ipv6_setup=0
19691231 18:00:38 I /sbin/ifconfig tun2 10.8.0.1 netmask 255.255.255.0 mtu 1500 broadcast 10.8.0.255
19691231 18:00:38 Socket Buffers: R=[180224->180224] S=[180224->180224]
19691231 18:00:38 I UDPv4 link local (bound): [AF_INET][undef]:1194
19691231 18:00:38 I UDPv4 link remote: [AF_UNSPEC]
19691231 18:00:38 MULTI: multi_init called r=256 v=256
19691231 18:00:38 IFCONFIG POOL: base=10.8.0.2 size=252 ipv6=0
19691231 18:00:38 IFCONFIG POOL LIST
19691231 18:00:38 I Initialization Sequence Completed
20170328 22:36:02 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20170328 22:36:02 D MANAGEMENT: CMD 'state'
20170328 22:36:02 MANAGEMENT: Client disconnected
20170328 22:36:02 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20170328 22:36:02 D MANAGEMENT: CMD 'state'
20170328 22:36:02 MANAGEMENT: Client disconnected
20170328 22:36:02 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20170328 22:36:02 D MANAGEMENT: CMD 'state'
20170328 22:36:02 MANAGEMENT: Client disconnected
20170328 22:36:02 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20170328 22:36:02 MANAGEMENT: Client disconnected
20170328 22:36:02 NOTE: --mute triggered...
20170328 22:36:02 1 variation(s) on previous 3 message(s) suppressed by --mute
20170328 22:36:02 D MANAGEMENT: CMD 'status 2'
20170328 22:36:02 MANAGEMENT: Client disconnected
20170328 22:36:02 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20170328 22:36:02 D MANAGEMENT: CMD 'status 2'
20170328 22:36:02 MANAGEMENT: Client disconnected
20170328 22:36:02 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20170328 22:36:02 D MANAGEMENT: CMD 'log 500'
19691231 18:00:00

dh /tmp/openvpn/dh.pem ca /tmp/openvpn/ca.crt cert /tmp/openvpn/cert.pem key /tmp/openvpn/key.pem keepalive 10 120 verb 3 mute 3 syslog writepid /var/run/openvpnd.pid management 127.0.0.1 14 management-log-cache 100 topology subnet script-security 2 port 1194 proto udp4 cipher aes-256-cbc auth sha512 client-connect /tmp/openvpn/clcon.sh client-disconnect /tmp/openvpn/cldiscon.sh client-config-dir /jffs/etc/openvpn/ccd comp-lzo yes tls-server ifconfig-pool-persist /tmp/openvpn/ip-pool 86400 push "redirect-gateway def1" tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA256 fast-io tun-mtu 1500 mtu-disc yes server 10.8.0.0 255.255.255.0 dev tun2 tls-auth /tmp/openvpn/ta.key 0 push "route 192.168.1.0 255.255.255.0" push "dhcp-option DNS 8.8.8.8" push "dhcp-option DNS 8.8.4.4" push "dhcp-option DNS 192.168.1.1"


Clientlog:
19691231 18:00:38 W WARNING: file '/tmp/openvpncl/client.key' is group or others accessible
19691231 18:00:38 W WARNING: file '/tmp/openvpncl/ta.key' is group or others accessible
19691231 18:00:38 W WARNING: file '/tmp/openvpncl/credentials' is group or others accessible
19691231 18:00:38 I OpenVPN 2.4.0 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jan 8 2017
19691231 18:00:38 I library versions: OpenSSL 1.0.2h 3 May 2016 LZO 2.09
19691231 18:00:38 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:16
19691231 18:00:38 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
19691231 18:00:38 W WARNING: Your certificate is not yet valid!
19691231 18:00:38 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
19691231 18:00:38 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
19691231 18:00:38 I TCP/UDP: Preserving recently used remote address: [AF_INET]147.255.39.xxx:1195
19691231 18:00:38 Socket Buffers: R=[180224->180224] S=[180224->180224]
19691231 18:00:38 I UDPv4 link local: (not bound)
19691231 18:00:38 I UDPv4 link remote: [AF_INET]147.255.39.250:1195
19691231 18:00:38 TLS: Initial packet from [AF_INET]147.255.39.xxx:1195 sid=7608d596 a390a426
19691231 18:00:38 W WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
19691231 18:00:38 N VERIFY ERROR: depth=1 error=certificate is not yet valid: C=VG ST=BVI O=ExpressVPN OU=ExpressVPN CN=ExpressVPN CA emailAddress=support@expressvpn.com
19691231 18:00:38 N OpenSSL: error:14090086:lib(20):func(144):reason(134)
19691231 18:00:38 N TLS_ERROR: BIO read tls_read_plaintext error
19691231 18:00:38 NOTE: --mute triggered...
19691231 18:00:38 2 variation(s) on previous 3 message(s) suppressed by --mute
19691231 18:00:38 I SIGUSR1[soft tls-error] received process restarting
19691231 18:00:38 Restart pause 5 second(s)
20170328 22:15:46 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20170328 22:15:46 I TCP/UDP: Preserving recently used remote address: [AF_INET]104.238.32.xxx:1195
20170328 22:15:46 Socket Buffers: R=[180224->180224] S=[180224->180224]
20170328 22:15:46 I UDPv4 link local: (not bound)
20170328 22:15:46 I UDPv4 link remote: [AF_INET]104.238.32.105:1195
20170328 22:15:46 TLS: Initial packet from [AF_INET]104.238.32.xxx:1195 sid=45c1cec4 66bbcd49
20170328 22:15:46 VERIFY OK: depth=1 C=VG ST=BVI O=ExpressVPN OU=ExpressVPN CN=ExpressVPN CA emailAddress=support@expressvpn.com
20170328 22:15:46 VERIFY OK: nsCertType=SERVER
20170328 22:15:46 NOTE: --mute triggered...
20170328 22:15:46 2 variation(s) on previous 3 message(s) suppressed by --mute
20170328 22:15:46 I [Server-927-1a] Peer Connection Initiated with [AF_INET]104.238.32.xxx:1195
20170328 22:15:46 Key [AF_INET]104.238.32.xxx:1195 [0] not initialized (yet) dropping packet.
20170328 22:15:46 Key [AF_INET]104.238.32.xxx:1195 [0] not initialized (yet) dropping packet.
20170328 22:15:46 Key [AF_INET]104.238.32.xxx:1195 [0] not initialized (yet) dropping packet.
20170328 22:15:46 NOTE: --mute triggered...
20170328 22:15:47 1 variation(s) on previous 3 message(s) suppressed by --mute
20170328 22:15:47 SENT CONTROL [Server-927-1a]: 'PUSH_REQUEST' (status=1)
20170328 22:15:47 PUSH: Received control message: 'PUSH_REPLY redirect-gateway def1 dhcp-option DNS 10.86.0.1 route 10.86.0.1 topology net30 ping 10 ping-restart 60 ifconfig 10.86.1.202 10.86.1.201'
20170328 22:15:47 OPTIONS IMPORT: timers and/or timeouts modified
20170328 22:15:47 NOTE: --mute triggered...
20170328 22:15:47 3 variation(s) on previous 3 message(s) suppressed by --mute
20170328 22:15:47 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
20170328 22:15:47 Data Channel Encrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
20170328 22:15:47 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
20170328 22:15:47 NOTE: --mute triggered...
20170328 22:15:47 1 variation(s) on previous 3 message(s) suppressed by --mute
20170328 22:15:47 I TUN/TAP device tun1 opened
20170328 22:15:47 TUN/TAP TX queue length set to 100
20170328 22:15:47 D do_ifconfig tt->did_ifconfig_ipv6_setup=0
20170328 22:15:47 I /sbin/ifconfig tun1 10.86.1.202 pointopoint 10.86.1.201 mtu 1500
20170328 22:15:48 I Initialization Sequence Completed
20170328 22:36:02 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20170328 22:36:02 D MANAGEMENT: CMD 'state'
20170328 22:36:02 MANAGEMENT: Client disconnected
20170328 22:36:02 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20170328 22:36:02 D MANAGEMENT: CMD 'state'
20170328 22:36:02 MANAGEMENT: Client disconnected
20170328 22:36:02 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20170328 22:36:02 D MANAGEMENT: CMD 'state'
20170328 22:36:02 MANAGEMENT: Client disconnected
20170328 22:36:02 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20170328 22:36:02 D MANAGEMENT: CMD 'status 2'
20170328 22:36:02 MANAGEMENT: Client disconnected
20170328 22:36:02 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20170328 22:36:02 D MANAGEMENT: CMD 'log 500'
19691231 18:00:00

ca /tmp/openvpncl/ca.crt cert /tmp/openvpncl/client.crt key /tmp/openvpncl/client.key management 127.0.0.1 16 management-log-cache 100 verb 3 mute 3 syslog writepid /var/run/openvpncl.pid client resolv-retry infinite nobind persist-key persist-tun script-security 2 dev tun1 proto udp4 cipher aes-256-cbc auth sha512 auth-user-pass /tmp/openvpncl/credentials remote usa-losangeles-ca-version-2.expressnetw.com 1195 comp-lzo yes redirect-private def1 route-noexec tun-mtu 1500 fragment 1300 mssfix ns-cert-type server fast-io tls-auth /tmp/openvpncl/ta.key 1


In this case:
dhcp-option DNS 10.86.0.1 route 10.86.0.1
I want the clients in PBR to go through the DNS 10.86.0.1
without having to manually edit the client DNS every time the router changes its VPN DNS address.


Last edited by wildcat2083 on Sat Aug 31, 2019 4:26; edited 1 time in total
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

PostPosted: Wed Mar 29, 2017 16:01    Post subject:
How do you know the router is NOT using the DNS servers pushed by the VPN provider?

I'm asking because it's actually not that easy to tell, given that all your clients on the local IP network are using the router's DNS server (DNSMasq), and it's the router's DNS server that in turn is using either the ISP's or the VPN's DNS servers. That's why you can't rely on websites and browser based tools/utilities to determine what DNS server(s) you're using. Most likely all those tools/utilities can see is the local IP config, which, as I said, only points to the router.

AFAIK, as long as the VPN pushes one or more DNS servers to the OpenVPN client, the router will detect it, place those DNS servers at the head of all existing DNS servers, process them in strict-order, and restart DNSMasq, effectively making the VPN provider's DNS server(s) the default.

The only reliable means to know which DNS servers are in use by the router is to dump connection tracking and literally see what connections the router is making for destination port 53.

Code:
watch -tn3 "cat /proc/net/ip_conntrack | egrep '^.*dport=53 ' | sort -k3,3rn"


Of course, you have to stir the pot a little by visiting some websites and forcing name resolution before you'll see anything.
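The watch one-liner above shows the raw conntrack entries; the following added example (mine, not code from this thread or from DD-WRT) parses lines in that format and reports, per resolver, how many port-53 flows were answered and how many sit UNREPLIED, then flags any answered flow to a resolver other than the VPN-pushed one as DNS leaving outside the tunnel. The sample lines are constructed in the layout of the conntrack dump posted later in the thread, with documentation addresses in place of real ones.

```shell
#!/bin/sh
# Added example (not eibgrad's command and not DD-WRT code): summarise which
# DNS servers the router actually talks to from /proc/net/ip_conntrack lines.
# Sample input is constructed in the same field layout as the thread's dump,
# using RFC 5737 documentation addresses instead of the poster's real ones.

# Constructed sample: two answered flows to 8.8.8.8, one unanswered flow to the
# VPN resolver 10.70.0.1, plus an unrelated HTTPS flow that must be ignored.
SAMPLE_CONNTRACK='udp      17 1 src=192.0.2.10 dst=8.8.8.8 sport=33106 dport=53 packets=1 bytes=127 src=8.8.8.8 dst=192.0.2.10 sport=53 dport=33106 packets=1 bytes=232 mark=0 use=2
udp      17 0 src=192.0.2.10 dst=10.70.0.1 sport=14167 dport=53 packets=1 bytes=63 [UNREPLIED] src=10.70.0.1 dst=192.0.2.10 sport=53 dport=14167 packets=0 bytes=0 mark=0 use=2
udp      17 0 src=192.0.2.10 dst=8.8.8.8 sport=14167 dport=53 packets=1 bytes=63 src=8.8.8.8 dst=192.0.2.10 sport=53 dport=14167 packets=1 bytes=128 mark=0 use=2
tcp      6 431999 ESTABLISHED src=192.168.1.15 dst=203.0.113.5 sport=51234 dport=443 packets=10 bytes=1200 src=203.0.113.5 dst=192.168.1.15 sport=443 dport=51234 packets=8 bytes=5000 [ASSURED] mark=0 use=2'

# dns_summary: conntrack lines on stdin -> one line per resolver:
#   <server> <answered_flows> <unreplied_flows>
# Only the original direction (first dst=/dport= on each line) is inspected,
# so the reply tuple's sport=53 does not count a flow twice.
dns_summary() {
    awk '
    {
        dst = ""; dport = ""; unreplied = 0
        for (i = 1; i <= NF; i++) {
            if (dst == "" && $i ~ /^dst=/)     dst = substr($i, 5)
            if (dport == "" && $i ~ /^dport=/) dport = substr($i, 7)
            if ($i == "[UNREPLIED]")           unreplied = 1
        }
        if (dport != "53") next
        if (unreplied) unrep[dst]++; else ok[dst]++
        seen[dst] = 1
    }
    END { for (s in seen) printf "%s %d %d\n", s, ok[s] + 0, unrep[s] + 0 }
    ' | LC_ALL=C sort
}

# dns_leak_check <vpn_resolver>: conntrack lines on stdin. Prints every
# resolver other than the VPN one that actually answered queries and returns
# 1 if there is any (DNS is going out past the tunnel); returns 0 when all
# answered DNS traffic went to the VPN resolver.
dns_leak_check() {
    vpn_dns="$1"
    leaked=$(dns_summary | awk -v v="$vpn_dns" '$1 != v && $2 > 0 { print $1 }')
    [ -z "$leaked" ] && return 0
    printf '%s\n' "$leaked"
    return 1
}

# Stand-alone run on the constructed sample; on the router use:
#   dns_leak_check 10.70.0.1 < /proc/net/ip_conntrack
printf '%s\n' "$SAMPLE_CONNTRACK" | dns_summary
```

An UNREPLIED count for the VPN resolver alongside answered flows to the static servers is exactly the signature of the problem described in this thread: the query to the pushed resolver never gets an answer, so dnsmasq falls back to the next server in its list.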
wildcat2083
DD-WRT Novice


Joined: 10 Apr 2016
Posts: 24

PostPosted: Thu Mar 30, 2017 5:26    Post subject: DNS More info/Reply
In reply to that, the reason I'm thinking the VPN DNS isn't even being used is because, as an example, the ExpressVPN DNS leak test from their page only shows the Google IP address; the DNS provided by the VPN push (which doesn't work due to PBR) doesn't even show up in the list at all, unless I manually force the client itself to use that DNS, and then I get no leaks. Of course "leak" is a loose term, as it's "leaking" to Google because I told the router to do so, but in this instance the router isn't even using the DNS from the VPN at all. The only instance I've ever gotten it to work is by totally disabling the use of PBR :/ I'll copy and paste some info from the command you gave me and tell you what the DNS should be.
I could be wrong, but I'm confused on how to read this command's output anyhow.

DNS needed (at least until reboot):
10.70.0.1

The IP address of the client should be 192.168.1.145.


Code:
udp      17 1 src=75.111.158.52 dst=8.8.8.8 sport=33106 dport=53 packets=1 bytes=127 src=8.8.8.8 dst=75.111.158.52 sport=53 dport=33106 packets=1 bytes=232 mark=0 use=2
udp      17 1 src=75.111.158.52 dst=8.8.8.8 sport=39572 dport=53 packets=1 bytes=127 src=8.8.8.8 dst=75.111.158.52 sport=53 dport=39572 packets=1 bytes=232 mark=0 use=2
udp      17 1 src=75.111.158.52 dst=8.8.8.8 sport=5609 dport=53 packets=1 bytes=127 src=8.8.8.8 dst=75.111.158.52 sport=53 dport=5609 packets=1 bytes=232 mark=0 use=2
udp      17 1 src=75.111.158.52 dst=8.8.8.8 sport=56762 dport=53 packets=1 bytes=127 src=8.8.8.8 dst=75.111.158.52 sport=53 dport=56762 packets=1 bytes=232 mark=0 use=2
udp      17 1 src=75.111.158.52 dst=8.8.8.8 sport=59635 dport=53 packets=1 bytes=127 src=8.8.8.8 dst=75.111.158.52 sport=53 dport=59635 packets=1 bytes=232 mark=0 use=2
udp      17 1 src=75.111.158.52 dst=8.8.8.8 sport=60787 dport=53 packets=1 bytes=127 src=8.8.8.8 dst=75.111.158.52 sport=53 dport=60787 packets=1 bytes=232 mark=0 use=2
udp      17 1 src=75.111.158.52 dst=8.8.8.8 sport=60967 dport=53 packets=1 bytes=127 src=8.8.8.8 dst=75.111.158.52 sport=53 dport=60967 packets=1 bytes=232 mark=0 use=2
udp      17 1 src=75.111.158.52 dst=8.8.8.8 sport=8118 dport=53 packets=1 bytes=127 src=8.8.8.8 dst=75.111.158.52 sport=53 dport=8118 packets=1 bytes=232 mark=0 use=2
udp      17 0 src=75.111.158.52 dst=10.70.0.1 sport=14167 dport=53 packets=1 bytes=63 [UNREPLIED] src=10.70.0.1 dst=75.111.158.52 sport=53 dport=14167 packets=0 bytes=0 mark=0 use=2
udp      17 0 src=75.111.158.52 dst=10.70.0.1 sport=41504 dport=53 packets=1 bytes=65 [UNREPLIED] src=10.70.0.1 dst=75.111.158.52 sport=53 dport=41504 packets=0 bytes=0 mark=0 use=2
udp      17 0 src=75.111.158.52 dst=10.70.0.1 sport=65214 dport=53 packets=1 bytes=62 [UNREPLIED] src=10.70.0.1 dst=75.111.158.52 sport=53 dport=65214 packets=0 bytes=0 mark=0 use=2
udp      17 0 src=75.111.158.52 dst=8.8.8.8 sport=14167 dport=53 packets=1 bytes=63 src=8.8.8.8 dst=75.111.158.52 sport=53 dport=14167 packets=1 bytes=128 mark=0 use=2
udp      17 0 src=75.111.158.52 dst=8.8.8.8 sport=41504 dport=53 packets=1 bytes=65 src=8.8.8.8 dst=75.111.158.52 sport=53 dport=41504 packets=1 bytes=217 mark=0 use=2
udp      17 0 src=75.111.158.52 dst=8.8.8.8 sport=65214 dport=53 packets=1 bytes=62 src=8.8.8.8 dst=75.111.158.52 sport=53 dport=65214 packets=1 bytes=107 mark=0 use=2


Every instance of the DNS I need shows UNREPLIED; only 8.8.8.8 and 8.8.4.4 seem to work.

logfile from VPN "Client"
Clientlog:
20170329 22:29:56 W WARNING: file '/tmp/openvpncl/client.key' is group or others accessible
20170329 22:29:56 W WARNING: file '/tmp/openvpncl/ta.key' is group or others accessible
20170329 22:29:56 W WARNING: file '/tmp/openvpncl/credentials' is group or others accessible
20170329 22:29:56 I OpenVPN 2.4.0 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jan 8 2017
20170329 22:29:56 I library versions: OpenSSL 1.0.2h 3 May 2016 LZO 2.09
20170329 22:29:56 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:16
20170329 22:29:56 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20170329 22:29:56 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
20170329 22:29:56 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
20170329 22:29:56 I TCP/UDP: Preserving recently used remote address: [AF_INET]104.238.32.99:1195
20170329 22:29:56 Socket Buffers: R=[180224->180224] S=[180224->180224]
20170329 22:29:56 I UDPv4 link local: (not bound)
20170329 22:29:56 I UDPv4 link remote: [AF_INET]104.238.32.99:1195
20170329 22:29:56 TLS: Initial packet from [AF_INET]104.238.32.99:1195 sid=2f76cc7e 4d6f4c15
20170329 22:29:56 W WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
20170329 22:29:56 VERIFY OK: depth=1 C=VG ST=BVI O=ExpressVPN OU=ExpressVPN CN=ExpressVPN CA emailAddress=support@expressvpn.com
20170329 22:29:56 VERIFY OK: nsCertType=SERVER
20170329 22:29:56 VERIFY OK: depth=0 C=VG ST=BVI O=ExpressVPN OU=ExpressVPN CN=Server-926-1a emailAddress=support@expressvpn.com
20170329 22:29:56 NOTE: --mute triggered...
20170329 22:29:56 1 variation(s) on previous 3 message(s) suppressed by --mute
20170329 22:29:56 I [Server-926-1a] Peer Connection Initiated with [AF_INET]104.238.32.99:1195
20170329 22:29:57 SENT CONTROL [Server-926-1a]: 'PUSH_REQUEST' (status=1)
20170329 22:29:58 PUSH: Received control message: 'PUSH_REPLY redirect-gateway def1 dhcp-option DNS 10.70.0.1 route 10.70.0.1 topology net30 ping 10 ping-restart 60 ifconfig 10.70.1.130 10.70.1.129'
20170329 22:29:58 OPTIONS IMPORT: timers and/or timeouts modified
20170329 22:29:58 NOTE: --mute triggered...
20170329 22:29:58 3 variation(s) on previous 3 message(s) suppressed by --mute
20170329 22:29:58 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
20170329 22:29:58 Data Channel Encrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
20170329 22:29:58 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
20170329 22:29:58 NOTE: --mute triggered...
20170329 22:29:58 1 variation(s) on previous 3 message(s) suppressed by --mute
20170329 22:29:58 I TUN/TAP device tun1 opened
20170329 22:29:58 TUN/TAP TX queue length set to 100
20170329 22:29:58 D do_ifconfig tt->did_ifconfig_ipv6_setup=0
20170329 22:29:58 I /sbin/ifconfig tun1 10.70.1.130 pointopoint 10.70.1.129 mtu 1500
20170329 22:29:59 I Initialization Sequence Completed
20170329 23:29:56 TLS: soft reset sec=0 bytes=130832989/-1 pkts=146701/0
20170329 23:29:56 VERIFY OK: depth=1 C=VG ST=BVI O=ExpressVPN OU=ExpressVPN CN=ExpressVPN CA emailAddress=support@expressvpn.com
20170329 23:29:56 VERIFY OK: nsCertType=SERVER
20170329 23:29:56 NOTE: --mute triggered...
20170330 00:05:00 6 variation(s) on previous 3 message(s) suppressed by --mute
20170330 00:05:00 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20170330 00:05:00 D MANAGEMENT: CMD 'state'
20170330 00:05:00 MANAGEMENT: Client disconnected
20170330 00:05:00 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20170330 00:05:00 D MANAGEMENT: CMD 'state'
20170330 00:05:00 MANAGEMENT: Client disconnected
20170330 00:05:00 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20170330 00:05:00 D MANAGEMENT: CMD 'state'
20170330 00:05:00 MANAGEMENT: Client disconnected
20170330 00:05:00 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20170330 00:05:00 D MANAGEMENT: CMD 'status 2'
20170330 00:05:00 MANAGEMENT: Client disconnected
20170330 00:05:00 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20170330 00:05:00 D MANAGEMENT: CMD 'log 500'
20170330 00:05:00 MANAGEMENT: Client disconnected
20170330 00:20:35 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20170330 00:20:35 D MANAGEMENT: CMD 'state'
20170330 00:20:35 MANAGEMENT: Client disconnected
20170330 00:20:35 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20170330 00:20:35 D MANAGEMENT: CMD 'state'
20170330 00:20:35 MANAGEMENT: Client disconnected
20170330 00:20:35 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20170330 00:20:35 D MANAGEMENT: CMD 'state'
20170330 00:20:35 MANAGEMENT: Client disconnected
20170330 00:20:35 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20170330 00:20:35 D MANAGEMENT: CMD 'status 2'
20170330 00:20:35 MANAGEMENT: Client disconnected
20170330 00:20:35 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20170330 00:20:35 D MANAGEMENT: CMD 'log 500'
19691231 18:00:00

ca /tmp/openvpncl/ca.crt cert /tmp/openvpncl/client.crt key /tmp/openvpncl/client.key management 127.0.0.1 16 management-log-cache 100 verb 3 mute 3 syslog writepid /var/run/openvpncl.pid client resolv-retry infinite nobind persist-key persist-tun script-security 2 dev tun1 proto udp4 cipher aes-256-cbc auth sha512 auth-user-pass /tmp/openvpncl/credentials remote usa-losangeles-ca-version-2.expressnetw.com 1195 comp-lzo yes redirect-private def1 route-noexec tun-mtu 1500 fragment 1300 mssfix ns-cert-type server fast-io tls-auth /tmp/openvpncl/ta.key 1
wildcat2083
DD-WRT Novice


Joined: 10 Apr 2016
Posts: 24

PostPosted: Thu Mar 30, 2017 5:31    Post subject:
Ideally I'd like to route ONLY the DNS provided by the VPN to the addresses in the PBR; the rest of the router I don't really care about.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

PostPosted: Thu Mar 30, 2017 15:21    Post subject:
Just remembered, there is a known bug (and I reported it! The brain is going) regarding possible DNS leaks.

http://svn.dd-wrt.com/ticket/5697

It might explain your problem.
neerav
DD-WRT Novice


Joined: 08 Jul 2010
Posts: 44

PostPosted: Fri Jun 16, 2017 19:27    Post subject:
wildcat2083, this is 3 months later, but if you haven't found a solution, I think I have a suggestion, despite the VPN DNS bug.

I recently wrote a script to remove the VPN DNS servers. What if instead you forced the removal of the Static DNS addresses? My script searches the logs to find the VPN DNS addresses and remove them. Instead, yours could save those addresses as a new resolv.dnsmasq file. If those are the only DNS servers in resolv.dnsmasq, you'll force all DNS lookups through them.

_________________
LinkSys E1000 ...... DD-WRT
LinkSys E2000 ...... DD-WRT
Netgear R8000 ...... Finally DD-WRT
TP-Link WR710N ..... Stock (considering DD-WRT)
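As an added illustration of the approach neerav suggests (my example, not neerav's script and not DD-WRT's own code): pull the dhcp-option DNS servers out of the most recent PUSH_REPLY in the OpenVPN client log and render them as the only entries of resolv.dnsmasq, so dnsmasq has nothing to fall back to. The log path, the resolv.dnsmasq path and reloading dnsmasq with SIGHUP are assumptions about a DD-WRT build, and the sample log excerpt is constructed.

```shell
#!/bin/sh
# Added example, not neerav's script and not DD-WRT code: take the DNS servers
# the VPN pushed (the 'dhcp-option DNS a.b.c.d' entries of the PUSH_REPLY line
# in the OpenVPN client log) and render a resolv.dnsmasq that lists only them.
# The log and resolv paths below are assumptions for DD-WRT; check your build.

# Constructed sample log excerpt in the shape of the PUSH_REPLY posted in this
# thread, with a second pushed resolver added to show that order is preserved.
SAMPLE_LOG=$(cat <<'EOF'
20170329 22:29:57 SENT CONTROL [Server-926-1a]: 'PUSH_REQUEST' (status=1)
20170329 22:29:58 PUSH: Received control message: 'PUSH_REPLY redirect-gateway def1 dhcp-option DNS 10.70.0.1 dhcp-option DNS 10.70.0.2 route 10.70.0.1 topology net30 ping 10 ifconfig 10.70.1.130 10.70.1.129'
20170329 22:29:59 I Initialization Sequence Completed
EOF
)

# pushed_dns: OpenVPN client log on stdin -> pushed DNS servers, one per line,
# in the order pushed. Only the most recent PUSH_REPLY is used, because every
# reconnect may push a different resolver (the poster's complaint). Returns 1
# when the log contains no PUSH_REPLY at all.
pushed_dns() {
    awk '
    function is_ipv4(s) { return s ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ }
    /PUSH: Received control message: .PUSH_REPLY/ { last = $0 }
    END {
        if (last == "") exit 1
        gsub("\047", "", last)           # strip the quotes around the message
        n = split(last, f, " ")
        for (i = 1; i <= n; i++)
            if (f[i] == "dhcp-option" && f[i+1] == "DNS" && is_ipv4(f[i+2]))
                print f[i+2]
    }'
}

# render_resolv: log on stdin -> resolv.dnsmasq content. Refuses to produce an
# empty file, which would leave dnsmasq with no upstream server at all.
render_resolv() {
    servers=$(pushed_dns) || return 1
    [ -n "$servers" ] || return 1
    printf '%s\n' "$servers" | awk '{ print "nameserver " $1 }'
}

# apply_vpn_dns [resolv_file] [log_file]: regenerate the file from the live
# log and reload dnsmasq only when its content changed. Default paths are
# assumed DD-WRT locations (assumption); run it from the OpenVPN client's
# route-up hook or a cron job so it re-applies after every reconnect.
apply_vpn_dns() {
    resolv="${1:-/tmp/resolv.dnsmasq}"
    log="${2:-/var/log/messages}"
    new=$(render_resolv < "$log") || { echo "no pushed DNS found in $log" >&2; return 1; }
    if [ "$new" != "$(cat "$resolv" 2>/dev/null)" ]; then
        printf '%s\n' "$new" > "$resolv"
        killall -HUP dnsmasq   # SIGHUP makes dnsmasq re-read its resolv file
    fi
}

# Stand-alone run on the constructed sample:
printf '%s\n' "$SAMPLE_LOG" | render_resolv
```

Because the router itself regenerates that file on WAN and VPN events (as eibgrad describes above), the script only helps if it runs again after each reconnect; pairing it with the conntrack check is the way to confirm the pushed resolver is then the only one answering.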
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 3781
Location: Netherlands

PostPosted: Sun Jun 18, 2017 8:02    Post subject:
The DNS bug is resolved, at least in the latest Kong builds, so probably also in the latest BS builds, but I have not tested that.
_________________
Routers:Netgear R7800, Netgear R6400v1, Netgear R6400v2, Linksys EA6900 (XvortexCFE), Linksys E2000 (converted WRT320N), WRT54GS v1.
Install guide Linksys EA6900: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=291230
Simple PBR (Policy Based Routing) script: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318662
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN server setup guide:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
wildcat2083
DD-WRT Novice


Joined: 10 Apr 2016
Posts: 24

PostPosted: Sat Aug 31, 2019 3:55    Post subject:
neerav wrote:
wildcat2083, this is 3 months later, but if you haven't found a solution, I think I have a suggestion, despite the VPN DNS bug.

I recently wrote a script to remove the VPN DNS servers. What if instead you forced the removal of the Static DNS addresses? My script searches the logs to find the VPN DNS addresses and remove them. Instead, yours could save those addresses as a new resolv.dnsmasq file. If those are the only DNS servers in resolv.dnsmasq, you'll force all DNS lookups through them.


I know this is old, but I reopened the same issue since I still can't find a suitable solution; the script might work.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 3781
Location: Netherlands

PostPosted: Sat Aug 31, 2019 8:46    Post subject:
In the second posting of this thread is a file which details some things you can do about DNS leaks