Posted: Thu Jan 04, 2018 15:07 Post subject: Policy based routing via VPN client = DNS leak :cry:
I currently have my router behind my ISP modem. VPN client is running fine for all traffic.
My issue is that Amazon Prime won’t work through the VPN (having tried all locations and variations), so whenever I want to watch Prime Video I have to manually disable the VPN client via DD-WRT settings through 92.168.1.1.
This is a problem especially when my wife attempts to watch Prime while I’m out of the house.
The simple solution I feel is to use the basic IP based routing, but while this solves the problem I then get DNS leaks on all IP addresses regardless of whether they run through the VPN or not.
Any ideas?
Joined: 18 Mar 2014 Posts: 12885 Location: Netherlands
Posted: Thu Jan 04, 2018 16:45 Post subject:
Yes, policy based routing is the way to go.
Regarding DNS leak:
The easiest solution is to set the VPN DNS servers in Static DNS 1, 2, 3, or use OpenDNS servers.
However, if your WAN connection type is automatic then the DNS server coming from WAN is also added to the DNS server list, and if that is your ISP DNS then that can be used.
To mitigate this problem do not use WAN connection type Automatic but set a static address, or make sure the DNS server from the router higher up is not your ISP, or you can enable "Query DNS in strict order" on the Services/Services page under DNSMasq settings, although that has its own problems.
You can also leave WAN connection type set to automatic and tell DNSMasq not to use the DNS server list: in DNSMasq additional config add (not 100% sure about the syntax):
You can also use @Eibgrad's advanced script for Policy Based Routing which also routes DNS (I have no link at hand but @Eibgrad will probably also chime in; if not I will look for a link).
Many thanks to you both for taking the time to help me out.
I’m struggling to get my head around it all to be honest. It took me some time to eventually get my VPN client set up and running initially, so I’m half reluctant to start tinkering and potentially undoing the progress I’ve made thus far by my wrong doings. It certainly seems doable for those like yourself with the expertise but I’m not there yet. This is probably a dumb question, but would setting up a guest network or connecting to 5GHz help? For example having the TV connect to the guest or 5GHz network and the rest as normal through the VPN? If not I fear I might have to continue with the arguments with the Mrs as to why she can’t watch Amazon Prime while I’m at work haha
How about this for an alternative solution: run your own DNS server on a machine on your LAN (eg BIND on an Ubuntu box or a Pi), have that machine going through the VPN using PBR, point the router DNS server settings to the IP of the LAN machine running BIND, and configure BIND to use any public DNS servers you like (eg those of the VPN provider if available, but Google DNS is fine too since queries will go via the VPN so you won’t care if logged). I haven’t set this up yet myself but am interested to know what others think?
Thanks. I read the thread twice but I must be too dumb to understand how it addresses DNS leaks using PBR. It seems to be more about kill switches or scans for leaks but not fixing them. Sorry if I misunderstood. My aim is to get DNS requests to go via VPN when using PBR, as that is my understanding of why the leaks happen (because they go via WAN/ISP instead of VPN when PBR is used). I have a recent build 41380 and still see leaks.
This routes the PIA DNS servers through the VPN instead of via the WAN.
Now there can also be another kind of DNS leak, and that is the use of your ISP's DNS server. To make sure the router is only using the DNS servers you want, add the following in DNSMasq Additional Config:
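As an added illustration (not egc's own config, and not the snippet the earlier post said it was unsure about the syntax of), the kind of directives that go into DD-WRT's DNSMasq Additional Config box to pin the router to a fixed set of upstream resolvers. It assumes DD-WRT feeds the WAN-learned ISP servers to dnsmasq through a resolv file, which `no-resolv` tells dnsmasq to ignore; the two server addresses are placeholders from the RFC 5737 documentation range, to be replaced with the VPN provider's resolvers:

```conf
# Added example, not from the thread. Paste into
# Services > Services > DNSMasq > Additional DNSMasq Options on DD-WRT.

# Do not read the upstream server list from the resolv file DD-WRT hands
# to dnsmasq (assumed to carry the ISP servers learned on WAN), and do not
# re-read it when it changes.
no-resolv
no-poll

# Forward only to these resolvers. Placeholder addresses (RFC 5737):
# replace with the VPN provider's DNS servers.
server=203.0.113.1
server=203.0.113.2

# Optional: query the servers in the order listed instead of the fastest
# responder, the same behaviour as "Query DNS in strict order" in the GUI.
strict-order
```

This only controls which servers dnsmasq asks; with policy based routing the route to those server addresses still decides whether the query leaves via the tunnel or via the WAN, which is why the PBR script's DNS routing and this config belong together. After applying it, `nslookup` from a LAN client against the router should show answers only from the listed servers, and a leak-test site should no longer report the ISP resolver.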
Thanks heaps egc, that worked perfectly!! Such an elegant solution, well done and many thanks, really appreciated. So nice to have PBR running so well!!
I have re-read your document and it is excellent!