RT-AC5300 r36596 / DNS Leak PBR eibgrad / OpenVPN VPN Guest

elsuva
DD-WRT Novice


Joined: 20 Aug 2018
Posts: 9
Location: Buenos Aires, Argentina

Posted: Sat May 11, 2019 20:12
Hello everybody!
We still do not have news of this issue being fixed in a newer firmware version... do we?
Thank you and regards!
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 3654
Location: Netherlands

Posted: Sat May 11, 2019 20:36
You can use my simple PBR script, which gives you the ability for destination-based routing, so that you can route the DNS server via the VPN.
See my signature at the bottom.
In that thread, see the notes about DNS leaks and how to mitigate them.

At the moment @eibgrad is also working on some really nice things regarding DNS leaks.

Stay tuned

_________________
Routers: Netgear R7800, Netgear R6400v1, Netgear R6400v2, Linksys EA6900 (XvortexCFE), Linksys E2000 (converted WRT320N), WRT54GS v1.
Install guide Linksys EA6900: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=291230
Simple PBR (Policy Based Routing) script: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318662
Install guide R6400v2: http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN server setup guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
elsuva
DD-WRT Novice


Joined: 20 Aug 2018
Posts: 9
Location: Buenos Aires, Argentina

Posted: Sat May 11, 2019 21:15
Thank you egc!
SurprisedItWorks
DD-WRT User


Joined: 04 Aug 2018
Posts: 288
Location: Appalachian mountains, USA

Posted: Sun May 12, 2019 18:29
Fascinating discussion, but I am finding myself confused on the question of whether DNS queries go out via the WAN or the VPN. That seems central enough to this discussion that I hope I'm not guilty of hijacking a thread here as I look for more clarity.

On BS builds, I have always had a VAP with internet routed through the VPN using PBR (with SFE disabled). I have operated it two different ways.

Current approach: In the Wireless Basic Settings, I set the VAP's "Optional DNS Target" to 192.168.X.1, the VAP gateway, so that DNS service is provided by DNSMasq using my global setup, which uses DNSCrypt and Quad9 (see link at end). The usual leak tests show Quad9 servers, and I have verified with nf_conntrack that DNS requests and replies go through 127.0.0.1:30 as specified in the DNSMasq config's server= line. Using Quad9 and DNSCrypt feels reasonably secure though not as much so as using the VPN provider's DNS servers, and it is way, way faster. (I am not paranoid about Quad9's partial government sponsorship. My government is too capable to thwart with a simple VPN anyway. I'm more interested in thwarting advertising networks, etc.) I get that these DNSCrypt DNS requests are going out via the WAN.

More basic approach, which I have not used in a while: In the VAP setup, set "Optional DNS Target" to the IP of the VPN provider's DNS server. With this setup, the usual DNS leak-test websites never show the server IP address I configured. Instead, they always show a single DNS server with the same IP (or occasionally off by one) as the other, public end of the VPN tunnel. I always assumed this meant I was obtaining DNS service through the VPN and that the server showing as the tunnel's IP was just some VPN-provider cleverness. True? Not? Could I really have been going through the WAN? If so, how would it be possible to have my remote IP and my DNS server showing as the same IP?

_________________
Six of the Linksys WRT1900ACSv2 on r38159 and r40009.
On various: VLANs, client-mode travel router, two DNSCrypt servers (incl Quad9), multiple VAPs, USB/NAS, OpenVPN client/PBR (random NordVPN server).

VLANs on the WRT1900ACSv2 and other two-CPU Linksys/Marvell routers:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=317199

DNSCrypt for Quad9 DNS and/or multiple servers and/or missing DNSCrypt enable button: Sun Jan 06, 2019 post at
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318094

Restarting OpenVPN from the CLI or script or SES button:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1172761
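
Added example, not part of any post in this thread and not the forum members' own code: one way to settle the WAN-or-VPN question raised above from the connection-tracking table, by reading which address each port-53 flow was NATed to. It assumes masquerading is applied on both the WAN and the tunnel interface; the function names, the addresses and the sample conntrack lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: classify port-53 flows in nf_conntrack by the address they
# were NATed to. Function names and all addresses below are constructed.

# classify_dns WAN_IP VPN_IP   (conntrack lines on stdin)
# On a router: classify_dns <wan-ip> <tun-ip> < /proc/net/nf_conntrack
classify_dns() {
    awk -v wan="$1" -v vpn="$2" '
    {
        n = 0; osrc = ""; odst = ""; rdst = ""; dport = ""
        for (i = 1; i <= NF; i++) {
            # Each entry holds two tuples: original first, then reply.
            if ($i ~ /^src=/) { n++; if (n == 1) osrc = substr($i, 5) }
            else if ($i ~ /^dst=/) {
                if (n == 1) odst = substr($i, 5)
                else if (n == 2) rdst = substr($i, 5)
            }
            else if ($i ~ /^dport=/ && n == 1) dport = substr($i, 7)
        }
        if (dport != "53") next          # plain DNS only (UDP or TCP)
        # The reply tuple is addressed to the post-NAT source, so it names
        # the interface address the query actually left from.
        path = "NO-NAT"                  # e.g. answered by the router itself
        if (rdst == wan) path = "WAN"
        else if (rdst == vpn) path = "VPN"
        print path, osrc, "->", odst
    }'
}

# Constructed sample: WAN address 198.51.100.7, tunnel address 10.8.0.6.
sample_conntrack() {
    cat <<'EOF'
ipv4     2 udp      17 25 src=192.168.5.23 dst=192.168.5.1 sport=51234 dport=53 packets=1 bytes=60 src=192.168.5.1 dst=192.168.5.23 sport=53 dport=51234 packets=1 bytes=76 mark=0 use=2
ipv4     2 udp      17 28 src=192.168.6.40 dst=203.0.113.53 sport=40000 dport=53 packets=1 bytes=60 src=203.0.113.53 dst=10.8.0.6 sport=53 dport=40000 packets=1 bytes=92 mark=0 use=2
ipv4     2 udp      17 12 src=192.168.6.41 dst=203.0.113.53 sport=40001 dport=53 packets=1 bytes=60 [UNREPLIED] src=203.0.113.53 dst=198.51.100.7 sport=53 dport=40001 packets=0 bytes=0 mark=0 use=2
ipv4     2 tcp      6 300 ESTABLISHED src=192.168.6.40 dst=203.0.113.80 sport=50000 dport=443 packets=9 bytes=900 src=203.0.113.80 dst=10.8.0.6 sport=443 dport=50000 packets=8 bytes=4000 [ASSURED] mark=0 use=2
EOF
}

sample_conntrack | classify_dns 198.51.100.7 10.8.0.6
```

A `WAN` line for a client that is supposed to be routed through the tunnel is a leak. Only plain port-53 DNS is matched; encrypted upstream traffic such as DNSCrypt normally runs on other ports and is not classified here.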