(Solved) Help with using VPN assigned DNS

DD-WRT Forum Index -> Marvell MVEBU based Hardware (WRT1900AC etc.)
wildcat2083
DD-WRT Novice


Joined: 10 Apr 2016
Posts: 24

PostPosted: Tue Aug 20, 2019 22:29    Post subject: (Solved) Help with using VPN assigned DNS
I have a WRT32X running a VPN through OpenVPN. I've subscribed to a VPN service (ExpressVPN) and got everything working, including Policy Based Routing. My last step is getting DNS to use the VPN's DNS servers provided when the tunnel is created. If I do not use PBR, this works, but it breaks remote access to my router, so it's not a viable option at this time. Does anyone know of a script that can obtain the VPN's DNS server when the connection is established and forward it to the addresses used in PBR?

Last edited by wildcat2083 on Tue Sep 03, 2019 20:02; edited 1 time in total
scar1943
DD-WRT User


Joined: 10 Nov 2018
Posts: 350
Location: South Carolina

PostPosted: Wed Aug 21, 2019 12:44    Post subject: Re: Help with using VPN assigned DNS
wildcat2083 wrote:
I have a WRT32X running a VPN through OpenVPN. I've subscribed to a VPN service (ExpressVPN) and got everything working, including Policy Based Routing. My last step is getting DNS to use the VPN's DNS servers provided when the tunnel is created. If I do not use PBR, this works, but it breaks remote access to my router, so it's not a viable option at this time. Does anyone know of a script that can obtain the VPN's DNS server when the connection is established and forward it to the addresses used in PBR?


I'm not sure how it is with OpenVPN, but I use NordVPN, and I enter the DNS servers manually in the "Basic Setup" tab. I don't think an auto-define is available with my provider, and if I don't define them, the setup uses my ISP definitions, which I don't want.
illuminati_tri
DD-WRT Novice


Joined: 15 Jul 2019
Posts: 41
Location: Texas

PostPosted: Wed Aug 21, 2019 15:34    Post subject: Re: Help with using VPN assigned DNS
wildcat2083 wrote:
I have a WRT32X running a VPN through OpenVPN. I've subscribed to a VPN service (ExpressVPN) and got everything working, including Policy Based Routing. My last step is getting DNS to use the VPN's DNS servers provided when the tunnel is created. If I do not use PBR, this works, but it breaks remote access to my router, so it's not a viable option at this time. Does anyone know of a script that can obtain the VPN's DNS server when the connection is established and forward it to the addresses used in PBR?


I use ExpressVPN and also have this issue. As mentioned above, you have to manually define them. The only way to find out what the DNS servers are is as follows (as far as I can tell):

1. Disconnect from the VPN (this is important! Otherwise you cannot click the Configure DNS button).
2. Go to My Account > DNS Settings > Configure DNS on this device.

You will be forwarded to a page about "Mediastreamer" which will give you the primary and secondary DNS servers to use. These will not change based on which server you connect to.

Personally, I just use Cloudflare DNS (1.1.1.1) since they are privacy oriented/don't keep logs anyway and I find it to be faster. Also note that this DNS will be used for everything, including devices not going through the VPN.

Edited for clarification.

_________________
Linksys WRT3200ACM r41586
- ExpressVPN | VAP & PBR | Synology NAS
wildcat2083
DD-WRT Novice


Joined: 10 Apr 2016
Posts: 24

PostPosted: Wed Aug 21, 2019 19:38    Post subject: Re: Help with using VPN assigned DNS
So unless I feel like writing a script that gets dnsmasq to use the defined DNS from ExpressVPN, I'm pretty well forced to track them down manually and add them to the DNS section on the setup page.
illuminati_tri
DD-WRT Novice


Joined: 15 Jul 2019
Posts: 41
Location: Texas

PostPosted: Wed Aug 21, 2019 19:43    Post subject: Re: Help with using VPN assigned DNS
wildcat2083 wrote:
So unless I feel like writing a script that gets dnsmasq to use the defined DNS from ExpressVPN, I'm pretty well forced to track them down manually and add them to the DNS section on the setup page.


Pretty much yes, but the DNS servers aren't dynamically assigned for ExpressVPN as far as I can tell, so you can just find them that one time and put them in on the setup page.

_________________
Linksys WRT3200ACM r41586
- ExpressVPN | VAP & PBR | Synology NAS
Monza
DD-WRT User


Joined: 01 Jul 2018
Posts: 444

PostPosted: Wed Aug 21, 2019 20:27    Post subject:
I don't think this will help with your question but did you add the short code at the bottom of the setup page? Part of the process is also adding the code (interface=tun1) near the bottom of this page (see link) to the Services, Dnsmasq Options. I feel sure you did but thought I would mention it as it is sometimes overlooked.

https://www.expressvpn.com/support/vpn-setup/manual-config-for-dd-wrt-router-with-openvpn/

When I first signed up the code was "dhcp-option=6, xxx.xxx.xxx.xxx, xxx.xxx.xxx.xxx , xxx.xxx.xxx.xxx", replacing the x's with the DNS server addresses. Finding the change to "interface=tun1" later, I talked with ExVPN support and they verified I could use either. I found no difference regardless of which code I used. I still use the original code above, but it is more trouble if I change DNS servers, as I need to remember to change this input as well. Not sure it would work for you, but you might try it?

Also, if you have not, try the DNS leak test under tools at the bottom of the site page. It should confirm if you are using ExpVPN DNS servers.

Edit: I should add that the servers I have entered are public DNS no-log servers not the ExpVPN DNS servers. The ExpVPN DNS leak test tells me I am using ExpVPN DNS servers regardless of what I have entered.
scar1943
DD-WRT User


Joined: 10 Nov 2018
Posts: 350
Location: South Carolina

PostPosted: Wed Aug 21, 2019 22:34    Post subject:
Monza wrote:

Also, if you have not, try the DNS leak test under tools at the bottom of the site page. It should confirm if you are using ExpVPN DNS servers.

Edit: I should add that the servers I have entered are public DNS no-log servers not the ExpVPN DNS servers. The ExpVPN DNS leak test tells me I am using ExpVPN DNS servers regardless of what I have entered.


Try this one folks:

https://ipleak.net/
Monza
DD-WRT User


Joined: 01 Jul 2018
Posts: 444

PostPosted: Wed Aug 21, 2019 22:58    Post subject:
scar1943 wrote:
Try this one folks:


ExpVPN is working GREAT!! That site's info makes me proud of my VPN's smoke and mirrors =D

Thanks, will bookmark that site for future tests.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12917
Location: Netherlands

PostPosted: Fri Aug 23, 2019 11:57    Post subject:
Most VPN providers push their DNS servers to you (if you are using PBR this might not be the case).

Until recently those pushed DNS servers were ignored.

Recent builds from BS (and some from Kong) add those pushed DNS servers at the top of /tmp/resolv.dnsmasq (where the DNS servers are stored).
Here is an example of my /tmp/resolv.dnsmasq:
Code:
nameserver 209.222.18.222
nameserver 209.222.18.218
nameserver 9.9.9.9
nameserver 8.8.8.8
nameserver 192.168.0.1

The lower three are what is in Setup/Static DNS;
the first two are added by my VPN provider.
If you enable "Query DNS in strict order" those will be used.

So take a look in your own /tmp/resolv.dnsmasq to see what is going on.

However, it is not a foolproof solution, because if the first two are not responding the third etc. is used.
For a foolproof solution add the following to Additional DNSMasq options:
Code:
no-resolv
server=209.222.18.222
server=209.222.18.218


I also use dnsleaktest.com and ipleak.net to check.

For some background reading:
https://svn.dd-wrt.com/ticket/6733

https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318662 (in the second posting there is a paper about DNS leaks)

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
Monza
DD-WRT User


Joined: 01 Jul 2018
Posts: 444

PostPosted: Fri Aug 23, 2019 12:31    Post subject:
egc wrote:

Until recently those pushed DNS servers were ignored.

Recent builds from BS (and some from Kong) add those pushed DNS servers at the top of /tmp/resolv.dnsmasq (where the DNS servers are stored)


Thanks for this info as it clarified several questions I had about the VPN DNS servers not being used until recently.
wildcat2083
DD-WRT Novice


Joined: 10 Apr 2016
Posts: 24

PostPosted: Sat Aug 31, 2019 3:41    Post subject:
My issue with this is I AM using PBR, as I also run a VPN server as well. Oddly enough, though, when I connect to my router via my server (I have the client IP block in the OpenVPN client PBR), and only when I connect via my server as a client to my router, I will connect only to ExpressVPN DNS and it bypasses the manual ones I have set, which are Google and OpenDNS. But if I am attached locally, either via WiFi or Ethernet, then my router will not assign my PBR clients to use the VPN (client) DNS provided. It's weird; I can't figure this out.

I have tried to set my DNS settings to match the OpenVPN client DNS that's pushed, but the problem with that is the DNS changes each time the client OpenVPN changes, so if I make a change or reboot then that solution doesn't work. What I need is a script that reads the first line of /tmp/resolv.dnsmasq (as the DNS I need is on the first line) and has any of my DHCP clients that match PBR use that. Then my devices assigned to PBR would route correctly and the non-VPN devices would continue to use OpenDNS or Google. The odd part is seeing, when I connect remotely via my server OpenVPN, that it uses the client VPN DNS, which is exactly what I'm trying to get WiFi or LAN (Ethernet) to do. Unfortunately, the only option is to NOT use PBR, but then I can't access my VPN server.
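An added example (not from this thread or from the DD-WRT project) that automates the part egc's /tmp/resolv.dnsmasq post and the request above have in common: read a resolv.dnsmasq-style file, separate the VPN-pushed resolvers from the Setup/Static DNS entries, and emit the no-resolv/server= lines for Additional DNSMasq Options, failing closed when nothing was pushed. The file path and the static DNS list are parameters and the sample file is constructed, so it runs offline in BusyBox ash or any POSIX sh; it does not do the per-client PBR part.

```shell
#!/bin/sh
# Added example, not the thread's or DD-WRT's own code.
# Assumption (from egc's post): on recent builds the VPN-pushed servers sit at
# the top of /tmp/resolv.dnsmasq, followed by the Setup/Static DNS entries.

# Static DNS as entered under Setup/Basic Setup (constructed to match the post).
STATIC_DNS="9.9.9.9 8.8.8.8 192.168.0.1"

# Writes a constructed copy of egc's example resolv.dnsmasq to a temp file
# and prints its path, so the functions below can be exercised offline.
sample_resolv_file() {
    f=$(mktemp)
    printf '%s\n' \
        "nameserver 209.222.18.222" \
        "nameserver 209.222.18.218" \
        "nameserver 9.9.9.9" \
        "nameserver 8.8.8.8" \
        "nameserver 192.168.0.1" > "$f"
    echo "$f"
}

# pushed_servers FILE STATIC_LIST
# Prints the nameserver IPs in FILE that are NOT in STATIC_LIST, i.e. the ones
# the VPN pushed. Matching on the static list rather than "first line only"
# survives a provider that pushes one or three servers instead of two.
pushed_servers() {
    while read -r key ip rest; do
        [ "$key" = "nameserver" ] || continue      # skip comments/blank lines
        case " $2 " in
            *" $ip "*) continue ;;                 # static entry, not pushed
        esac
        echo "$ip"
    done < "$1"
}

# dnsmasq_fragment FILE STATIC_LIST
# Emits the Additional DNSMasq Options lines from egc's post: no-resolv plus
# one server= line per pushed resolver. Returns 1 and prints nothing when no
# pushed server is found, so a caller never silently falls back to the
# static/ISP resolvers and leaks DNS outside the tunnel.
dnsmasq_fragment() {
    servers=$(pushed_servers "$1" "$2")
    [ -n "$servers" ] || return 1
    echo "no-resolv"
    for s in $servers; do
        echo "server=$s"
    done
}

# Stand-alone run against the constructed sample.
dnsmasq_fragment "$(sample_resolv_file)" "$STATIC_DNS"
```

On the router you would point it at the live /tmp/resolv.dnsmasq once the tunnel is up; the printed lines are what egc's post puts in Additional DNSMasq Options.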
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1447
Location: Appalachian mountains, USA

PostPosted: Sat Aug 31, 2019 14:31    Post subject:
If you are using PBR to run clients on some interface athXXX (even a VAP) through the vpn and want to have clients on that interface in particular use the vpn provider's recommended DNS server (without forcing the entire router to use that server), go to GUI>Wireless>BasicSettings, find the section for athXXX, check the "Advanced Settings" box, scroll to the bottom of the material that then appears, and enter the vpn provider's DNS server in "Optional DNS Target." For an additional bridge beyond br0, see the GUI>Setup>Networking page instead. The "main bridge" br0 is handled by the basic dnsmasq setup.

Of note, however: Whether you use this method to deal with one interface or put the DNS-server IPs in Basic Settings for the whole router, the router's interactions with your specified DNS server do not go through the vpn. They go unencrypted through the wan interface.

If you want encrypted DNS, you can go with the modern approach, which is trickier to set up (requires using /jffs), and use DNS-over-TLS as outlined in tutorial https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1166512. Or you can use the venerable DNSCrypt system.

DNSCrypt uses encryption to/from your specified DNS provider, but there is no encryption further upstream, from your chosen DNS provider to/from authoritative DNS servers. Secure validation of DNS traffic, to prevent DNS spoofing, was apparently the major DNSCrypt design goal. It also appears that DNSCrypt is being phased out of dd-wrt, as the "Encrypt DNS" button no longer appears in the DNSMasq config section (GUI>Services>Services) in recent releases. However, the underlying DNSCrypt tools are still there (at least as of BS release r40784 for my WRT1900ACSv2) in the router and can be used.

See my Sun Jan 06, 2019 post at https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318094&start=6 for details of setting up DNSCrypt in the Startup commands in GUI>Administration>Commands. My setup is specific to IPv4, as I have IPv6 disabled in the router. To have this DNSCrypt setup be used for a subnet 192.168.Y.0/24 such as one set up for athXX as discussed above, enter 192.168.Y.1 as the "Optional DNS Target". It doesn't matter what you put for DNS servers in the Basic Setup, as the no-resolv line my post mentions putting in "Additional Dnsmasq Options" has dnsmasq ignore those Basic Setup entries and use the DNSCrypt system exclusively.

For the past eight months I have used that DNSCrypt approach using Quad9 DNS with Adguard DNS as backup, and it works great. I simply decided I felt safer with encrypted interactions with Quad9 than with unencrypted access to the VPN provider's DNS system. When I flash a new release, I always verify that Quad9 DNS is actually being accessed by going into the CLI and running the command tcpdump -i eth0 | grep -i quad9 and watching its output while I access websites on my phone or computer. Should be lots of packets going to and from dns9.quad9.net.8443. (Exit the tcpdump with control-C.) Here eth0 is my WAN interface. Change for your system as appropriate. Verify also by looking for ISP WoodyNet in the tests at https://www.dnsleaktest.com/. The test at https://ipleak.net/ is interesting but is harder to interpret, as it sends so many requests to Quad9 in a short time that it seems to trigger Quad9 to switch to different servers. Unless you know specifically what DNS servers your ISP uses, you won't know what to watch for to spot leaks. My ISP uses dozens of servers, so for me it's hopeless.

See https://quad9.net/ if you are not familiar with Quad9 and https://adguard.com/en/adguard-dns/overview.html for more on Adguard DNS. Both DNS providers screen out malware domains, claim reasonable privacy policies (i.e. not logging your IP), and have servers worldwide. Adguard DNS also filters out ad servers and trackers, but ad filtering will break some websites and streaming systems (e.g. hulu). Quad9 is by far the bigger system, has way more servers, is really fast, and provides DNSSEC validation as well when possible. Adguard also offers optional screening out of "adult" domains -- use "adguard-dns-family" instead of "adguard-dns" in the setup -- but it's not clear to me whether they offer DNSSEC. I have seen in the past that they intended to move to that. I don't know whether they are there. However, dd-wrt will not support DNSSEC unless you both configure it in dnsmasq and set up only DNSSEC-capable DNS servers. Test DNSSEC capability of your system at https://dnssec.vs.uni-due.de/. Don't obsess over DNSSEC though; it's only useful for domains that implement it on the other end, and very few banks or other important domains seem to have it set up. Test at https://dnssec-debugger.verisignlabs.com/.

_________________
2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
wildcat2083
DD-WRT Novice


Joined: 10 Apr 2016
Posts: 24

PostPosted: Sat Aug 31, 2019 16:21    Post subject:
SurprisedItWorks wrote:
If you are using PBR to run clients on some interface athXXX (even a VAP) through the vpn and want to have clients on that interface in particular use the vpn provider's recommended DNS server (without forcing the entire router to use that server), go to GUI>Wireless>BasicSettings, find the section for athXXX, check the "Advanced Settings" box, scroll to the bottom of the material that then appears, and enter the vpn provider's DNS server in "Optional DNS Target." [...]


Thank you for the information. It seems I have some options; DNSCrypt looks appealing.
anon_me
DD-WRT Novice


Joined: 20 Mar 2019
Posts: 16

PostPosted: Tue Sep 03, 2019 3:06    Post subject:
Similar situation for me. Looking for some clarification or required config.

I have OpenVPN set up (Windscribe) and working as expected, except the single Ethernet LAN client is receiving the DNS servers from Setup > Basic Setup, which the other LAN clients require for content filtering (OpenDNS).

How can I push the VPN DNS through to the single VPN LAN client without affecting the other non-VPN LAN clients?

I did see the comment about "Optional DNS Target", but this is an Ethernet client, not a Wireless client, and I'm struggling to find the equivalent place for the Ethernet client.

Edit: I do see mention of this in the OpenVPN UI page but am unsure if it will do what I want.

Quote:
to push DNS/WINS add 'push "dhcp-option DNS (or WINS) IP"' to the config.


Also of note: I do not see my VPN's DNS servers in the resolve.dnsmasq file. It only shows the OpenDNS servers, Google, and one other I'm unfamiliar with.

I'm running DD-WRT v3.0-r37305 std ( 10/10/18 ). If a newer release would resolve this I can investigate an update.


Last edited by anon_me on Tue Sep 03, 2019 5:56; edited 1 time in total
anon_me
DD-WRT Novice


Joined: 20 Mar 2019
Posts: 16

PostPosted: Tue Sep 03, 2019 6:08    Post subject:
anon_me wrote:
Similar situation for me. Looking for some clarification or required config. [...]

After more digging I see that my version of DD-WRT does not have the fix that allows the pushed DNS settings to propagate through to the VPN clients. That was seemingly addressed in this change, https://svn.dd-wrt.com/changeset/40444, and as mentioned above it was very recent (about a month ago).

Before verifying that, I did attempt the dnsmasq alternate fix mentioned above (and at https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1130455#1130455), but that did not seem to do anything, even after removing the OpenDNS servers and rebooting (just to make sure they did not interfere).

Still hoping to find a fix outside of a firmware upgrade as that's an undertaking I can't deal with right now.


Last edited by anon_me on Tue Sep 03, 2019 6:27; edited 3 times in total