OpenVPN, PBR and DNS leaks

Post new topic   Reply to topic    DD-WRT Forum Index -> Advanced Networking
Author Message
bryanh99
DD-WRT Novice


Joined: 30 Aug 2018
Posts: 20

PostPosted: Thu Jul 22, 2021 21:18    Post subject: OpenVPN, PBR and DNS leaks Reply with quote
All,

I have read every thread and documents posted on them (thank you egc) but still cannot make this work. I feel this is a very simple problem but obviously I am wrong or I am missing something as I have been working this for over 16 hours).

I have OpenPVN client running on my R7800 (dd-wrt 47040). I have PBR set up as 192.168.115.1/25 to cover 192.168.115.1-192.168.115.127.

This works perfectly. The problem is that EVERY client, even those NOT on the VPN use the VPN DNS servers causing problems.


I went down a rabbit hole with DNSMasq settings and no matter what I do I cannot get the VPN clients to use the VPN DNS and all the others to use the non-vpn DNS. I am open to all help, I can post as many settings as needed (I followed the doc in this thread https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686, I searched for more options for dnsmasq, nothing works)

Thank you
Sponsor
bryanh99
DD-WRT Novice


Joined: 30 Aug 2018
Posts: 20

PostPosted: Thu Jul 22, 2021 21:57    Post subject: Reply with quote
Addition:

if I do NOT add

pull-filter ignore "dhcp-option DNS"

Then the VPN clients work great but the non-VPN clients get the VPN DNS. IF I do add it then the VPN clients do not use the VPN DNS....
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

PostPosted: Fri Jul 23, 2021 1:23    Post subject: Reply with quote
This is normal behavior (even if you don't prefer it).

By default, all clients use DNSMasq as a local DNS proxy. It's actually the proxy that gets configured w/ the public DNS servers, and overridden w/ the VPN's DNS servers if you so choose. But that proxy can only be configured to access any given public DNS server over one or the other network interface, WAN or VPN, not both. Which one depends on other configuration settings.

If we assume you prefer to have VPN clients use the VPN provider's DNS servers, one way to have non VPN clients use the WAN is to bind them directly to a public DNS server bound to the WAN. IOW, bypass DNSMasq.

Code:
iptables -t nat -I PREROUTING -p tcp ! -s 192.168.115.1/25 --dport 53 -j DNAT --to 8.8.8.8
iptables -t nat -I PREROUTING -p udp ! -s 192.168.115.1/25 --dport 53 -j DNAT --to 8.8.8.8


I chose 8.8.8.8 (Google DNS) arbitrarily. Use whatever DNS you prefer, as long as it's NOT bound to the VPN.

Of course, you could reverse things and have DNSMasq support the WAN clients, and use PREROUTING rules for VPN clients. Just a matter of preference.

Just beware. Using the above technique, since some clients are NOT using DNSMasq anymore, they obviously lose any benefits it offers, such as local name resolution, caching, ad blocking, etc. That may or may NOT be an issue for some ppl, and impact your decision about which clients should remain bound to DNSMasq.

_________________
ddwrt-ovpn-split-basic.sh (UPDATED!) * ddwrt-ovpn-split-advanced.sh (UPDATED!) * ddwrt-ovpn-client-killswitch.sh * ddwrt-ovpn-client-watchdog.sh * ddwrt-ovpn-remote-access.sh * ddwrt-ovpn-client-backup.sh * ddwrt-mount-usb-drives.sh * ddwrt-blacklist-domains.sh * ddwrt-wol-port-forward.sh * ddwrt-dns-monitor.sh (NEW!)
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 11238
Location: Netherlands

PostPosted: Fri Jul 23, 2021 15:38    Post subject: Reply with quote
A very elegant solution.

the only thing you have to do is to place 192.168.115.1/25 in the PBR field and add the rules from @eibgrad to Administration/Commands Save firewall.

Those will set all clients except the PBR clients to use 8.8.8.8.
The VPN clients will use DNSMasq via 192.168.115.1 which should use the VPN Smile

_________________
Routers:Netgear R7800, R7000, R6400v1, R6400v2, Linksys EA8500, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
Display posts from previous:    Page 1 of 1
Post new topic   Reply to topic    DD-WRT Forum Index -> Advanced Networking All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum