Using router as VPN client not working for certain site

DD-WRT Forum Index -> Advanced Networking
Foxgoku
DD-WRT Novice


Joined: 23 Oct 2019
Posts: 11

Posted: Sat Nov 13, 2021 0:07    Post subject: Using router as VPN client not working for certain site
Hi all,

Apologies if this IS somewhere, but I searched and couldn't find this specific issue.

I have a vpn client (windscribe) that I have set up on a router so we can watch content to our subscribed online platform. However, when I use the connection through the router, we can't watch as it says we are restricted due to location. The vpn is working and running speedtest, whatsmyip, etc. show we are in the correct location, Latvia. However, using the vpn through the router does not work. If I use the Windscribe app or browser extension, it appears to work, at least most of the time with the browser, and almost always with the app. I did notice that the app seems to prefer IKEv2. I really would like to get this to work on the router, as it would allow us to use it as intended, and be able to watch on our TVs. Let me know what info you need and I can provide it. The router is currently running udp for the tunnel.
Foxgoku
DD-WRT Novice


Joined: 23 Oct 2019
Posts: 11

Posted: Sat Nov 13, 2021 1:47    Post subject: Re: Using router as VPN client not working for certain site
Current Setup:

Router: R7000P
dd-wrt: v3.0-r4728 std (10/10/21)
VPN: OpenVPN through Windscribe
PBR: for only dhcp subnet to use tunnel

I have a separate router that connects to this one via static IP to provide VPN-free traffic and keep some of the load off this router. In general it appears that both the VPN and VPN-free sides work as intended, except for this issue... which is the main reason for the VPN.


Additionally: the service we are subscribed to for the media mentioned that, 'some people use vpn to use the service'. But of course that is as far as the 'help' goes on his end.

The error that occurs when I try to stream from the site is that the service is restricted, due to access restrictions. So I'd assume that would be referencing a type of geolocation restriction occurring.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12889
Location: Netherlands

Posted: Sat Nov 13, 2021 7:33    Post subject:
Streaming media services actively seek to block VPN providers.

But if you use the same settings for your desktop VPN and it is working then I suspect a DNS leak.

Streaming media services not only check your IP address but also the DNS server which is used and if this comes from another geolocation then you are also blocked.

Usually the VPN provider pushes its DNS server and if you have enabled "Query DNS in strict order" then that DNS server should be used.

However lately the new DNSMasq version seems to give up rather quickly on strict-order and you can still end up with a DNS leak.

In your case using Split DNS tunnel by iptables could be the solution.

All described in the DNS problems guide:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327398

On page 4 is the split DNS tunnel by iptables rule.
If you do not always use your VPN you can place it in the route-up script.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
Foxgoku
DD-WRT Novice


Joined: 23 Oct 2019
Posts: 11

Posted: Mon Nov 15, 2021 23:17    Post subject:
So this is great info. It does appear that I am pulling outside DNS info in addition to my VPN setup. Using ipleak.net, I can see the expected DNS server in Latvia as well as about 6-14 DNS servers from my ISP, which I would assume come from the WAN and the non-VPNed side. As I'm trying to make these changes, it has typically just been breaking my VPN connection. I essentially just want to have a manually specified VPN server address pulled from the VPN server, and nothing else for the VPN traffic. Not sure if this helps.

-When I selected 'Ignore WAN DNS' from the setup, it broke my VPN.


-When I select the below options in the dnsmasq area, and change to the PBR network and the VPN DNS server, the VPN hangs at reconnecting.
iptables -t nat -I PREROUTING -p tcp -s 192.168.1.32/27 --dport 53 -j DNAT --to 9.9.9.9
iptables -t nat -I PREROUTING -p udp -s 192.168.1.32/27 --dport 53 -j DNAT --to 9.9.9.9

-Using pull-filter ignore "dhcp-option DNS" only allows the ISP DNS servers, while using the same with the 'accept' command essentially kept it in its original condition with both ISP and VPN DNS.

-I also tried, route <VPN DNS Server> 255.255.255.255 vpn_gateway which was also, no change from the standard result.

I really just want to get a way to only allow the one, maybe two vpn dns servers with the PBR network, 192.168.1.64/26, and the other traffic remain as it is, since that is what most of the traffic will be...non vpn.

If you need screenshots let me know, and I can try to attach the correct ones.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12889
Location: Netherlands

Posted: Tue Nov 16, 2021 7:12    Post subject:
First remove everything you have been tinkering with

On the Setup page under Static DNS 1 and 2 you need to set a reliable DNS server. I use:
Static DNS 1: 9.9.9.9
Static DNS 2: 1.0.0.1

You should tick/enable "Ignore WAN DNS" on that same page.

On VPN page
Remove everything from the PBR field or insert # as the first character (which also disables the PBR).

Reboot the router, now all clients should be on the VPN and your DNS is also via the VPN and you should use the pushed DNS server from the VPN provider as should be shown by ipleak.net

Now check if you can watch TV; if so, you know that the VPN can/will work.

One complicating factor is that "Query DNS in strict order" seems to misbehave lately
So ipleak.net which should show only your VPN's DNS server might show others too (the ones from Static DNS 1 and 2), but in this case it does not matter as those other DNS servers are also routed via the VPN

Let me know if this works and we will take it from there.

(One thing I am not sure about is this, you wrote:
Quote:
-When I select the below options in dnsmasq area, and change to the PBR network and the VPN DNS server, the VPN hangs at reconnecting.
iptables -t nat -I PREROUTING -p tcp -s 192.168.1.32/27 --dport 53 -j DNAT --to 9.9.9.9
iptables -t nat -I PREROUTING -p udp -s 192.168.1.32/27 --dport 53 -j DNAT --to 9.9.9.9


You did not actually place those rules in the DNSMasq area?
They are to be used from the CLI (telnet/Putty) and, when working, added to Administration/Commands and saved as Firewall.

Foxgoku
DD-WRT Novice


Joined: 23 Oct 2019
Posts: 11

Posted: Tue Nov 16, 2021 17:58    Post subject:
So, to be doubly sure, I reset the router to default settings, to start from square one. The ISP address is given through auto-DHCP with 'Ignore WAN DNS' checked. Additionally, the settings are default for the rest of Setup.
-Use DNSMasq for DNS is checked
-Authoritative DNS is checked
-Recursive DNS resolving (unbound) is NOT checked
-Forced DNS redirection is not checked

I have both DNS servers you mentioned listed in the static DNS settings in the Basic Setup 'Network Address Server Settings (DHCP)' window. Local DNS is set to the default of 0.0.0.0 at this time. I have saved, applied, and then rebooted the router after. No VPN has been set up at this time, and the resulting DNS servers through ipleak.net are the DNS servers in the screenshot attached. I wanted to provide a base DNS result using the static DNS settings you mentioned and no VPN, to provide a benchmark for further troubleshooting.
Foxgoku
DD-WRT Novice


Joined: 23 Oct 2019
Posts: 11

Posted: Tue Nov 16, 2021 18:18    Post subject:
After setting up the VPN, I can now see the added VPN DNS in Latvia; however, it appears that I am still seeing the additional US DNS servers. I have attached the results here. Currently there is no PBR added to the VPN. I was also wondering if maybe I need to set the Local DNS server on the Basic Setup page to something? Currently it is at the default of 0.0.0.0.

The 96.114.123.x DNS servers appear to be from my ISP. At least it is the same company as my ISP.

Also, I am currently using udp4 for the VPN; would WireGuard be a better option for this, or should it matter?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12889
Location: Netherlands

Posted: Tue Nov 16, 2021 18:41    Post subject:
Is 'Query DNS in strict order' checked?

Please send output of:
Code:
cat /temp/resolv.dnsmaq


Code:
ip route show



But more important: is your TV working now with everything via VPN?

Foxgoku
DD-WRT Novice


Joined: 23 Oct 2019
Posts: 11

Posted: Tue Nov 16, 2021 19:27    Post subject:
No luck with TV yet.

Yes strict DNS query is selected.

Below is the output of the commands requested. I changed the cat from /temp to /tmp, as /temp had no results.

root@ddwrt:~# ip route show
0.0.0.0/1 via 10.124.174.1 dev tun1
default via 174.51.64.1 dev vlan2
10.124.174.0/23 dev tun1 scope link src 10.124.174.8
10.255.255.2 via 10.124.174.1 dev tun1
127.0.0.0/8 dev lo scope link
128.0.0.0/1 via 10.124.174.1 dev tun1
159.148.186.68 via 174.51.64.1 dev vlan2
174.51.64.0/22 dev vlan2 scope link src 174.51.64.82
192.168.1.0/24 dev br0 scope link src 192.168.1.1
root@ddwrt:~# cat /temp/resolv.dnsmaq
cat: can't open '/temp/resolv.dnsmaq': No such file or directory
root@ddwrt:~# cat /temp/resolv.dnsmasq
cat: can't open '/temp/resolv.dnsmasq': No such file or directory
root@ddwrt:~# cat /tmp/resolv.dnsmasq
nameserver 10.255.255.2
nameserver 192.168.1.1
nameserver 9.9.9.9
nameserver 1.0.0.1
root@ddwrt:~#
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12889
Location: Netherlands

Posted: Tue Nov 16, 2021 19:53    Post subject:
OK, everything, including your DNS servers, is routed via the VPN.

If the TV is not working you are out of luck.

Content providers try to block vpn and this seems the case here.

Strange is that the router's address is in resolv.dnsmasq; that should not be there.
But as the vpn dns server is first it has no consequences.

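The check egc just did by eye on the two outputs above (which upstream resolver leaves on which interface) and the "split DNS tunnel by iptables" rule he pointed to in his first reply can both be done offline on captured output. The script below is an added example, not code from this thread or from DD-WRT. It assumes tun1 is the OpenVPN device and br0 the LAN bridge, as in the posted route table; the "tunnel down" table is constructed here by dropping the tun1 routes, and the `-i br0` match in the generated rules is my addition to Foxgoku's original two lines.

```python
"""Offline DNS-leak check for a DD-WRT OpenVPN client.

Added example (not from the forum thread or DD-WRT). Takes the text of
`ip route show` and `/tmp/resolv.dnsmasq` captured on the router and resolves
every upstream resolver through the same longest-prefix match the kernel uses,
so you can see on which interface each DNS query would leave the router.
The sample data is the output posted in the thread; the "tunnel down" table
is constructed here by removing the tun1 routes.
"""
import ipaddress

# `ip route show` as posted (OpenVPN up, no PBR).
ROUTES_TXT = """\
0.0.0.0/1 via 10.124.174.1 dev tun1
default via 174.51.64.1 dev vlan2
10.124.174.0/23 dev tun1 scope link src 10.124.174.8
10.255.255.2 via 10.124.174.1 dev tun1
127.0.0.0/8 dev lo scope link
128.0.0.0/1 via 10.124.174.1 dev tun1
159.148.186.68 via 174.51.64.1 dev vlan2
174.51.64.0/22 dev vlan2 scope link src 174.51.64.82
192.168.1.0/24 dev br0 scope link src 192.168.1.1
"""

# Constructed: the same table after the tunnel drops (all tun1 routes gone).
ROUTES_TUNNEL_DOWN = "\n".join(l for l in ROUTES_TXT.splitlines() if "tun1" not in l)

# /tmp/resolv.dnsmasq as posted: pushed VPN resolver, the router, Static DNS 1/2.
RESOLV_TXT = """\
nameserver 10.255.255.2
nameserver 192.168.1.1
nameserver 9.9.9.9
nameserver 1.0.0.1
"""


def parse_routes(text):
    """Turn `ip route show` lines into (network, device) pairs."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or "dev" not in parts:
            continue
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        dev = parts[parts.index("dev") + 1]
        # A bare host such as 10.255.255.2 becomes a /32.
        routes.append((ipaddress.ip_network(dst, strict=False), dev))
    return routes


def egress_dev(routes, addr):
    """Longest-prefix match: the device the kernel would send `addr` out of."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, dev in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def parse_resolvers(text):
    """Upstream servers dnsmasq will query, in the order listed."""
    return [p[1] for p in (l.split() for l in text.splitlines())
            if len(p) >= 2 and p[0] == "nameserver"]


def dns_leak_report(routes_txt, resolv_txt, tunnel_dev="tun1", lan_dev="br0"):
    """Map each resolver to (device, verdict). Anything that is neither the
    tunnel nor the router's own LAN address is a plaintext query over the WAN."""
    routes = parse_routes(routes_txt)
    report = {}
    for ns in parse_resolvers(resolv_txt):
        dev = egress_dev(routes, ns)
        if dev == lan_dev:
            verdict = "local"      # the router's own address; never leaves the box
        elif dev == tunnel_dev:
            verdict = "via-vpn"
        else:
            verdict = "LEAK"
        report[ns] = (dev, verdict)
    return report


def split_dns_rules(pbr_subnet, vpn_dns, lan_dev="br0"):
    """iptables lines that pin port-53 traffic from the PBR subnet to the VPN
    resolver. Only safe if `vpn_dns` itself egresses via the tunnel; check that
    with dns_leak_report() first, or the DNAT sends plaintext DNS out the WAN."""
    net = ipaddress.ip_network(pbr_subnet)
    return [
        f"iptables -t nat -I PREROUTING -i {lan_dev} -p {proto} -s {net} "
        f"--dport 53 -j DNAT --to-destination {vpn_dns}"
        for proto in ("tcp", "udp")
    ]


if __name__ == "__main__":
    for label, table in (("tunnel up", ROUTES_TXT), ("tunnel down", ROUTES_TUNNEL_DOWN)):
        print(f"== {label} ==")
        for ns, (dev, verdict) in dns_leak_report(table, RESOLV_TXT).items():
            print(f"  {ns:<16} {dev:<6} {verdict}")
    print("\n".join(split_dns_rules("192.168.1.64/26", "10.255.255.2")))
```

With the posted table every resolver is "via-vpn" or "local", which is egc's conclusion. The constructed tunnel-down table shows the caveat worth knowing: once the 0.0.0.0/1 and 128.0.0.0/1 routes disappear, dnsmasq keeps querying 9.9.9.9 and 1.0.0.1 straight out of vlan2. On the router itself the same question is answered per address with `ip route get 9.9.9.9`; the script is for reading captured output afterwards.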
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14221
Location: Texas, USA

Posted: Tue Nov 16, 2021 20:05    Post subject:
egc wrote:
Strange is that the router's address is in resolv.dnsmasq; that should not be there.

That is the default nameserver in dnsmasq; it will always give the router's IP address for resolv.conf. Using the Local DNS entry will place whatever IP address you put there, i.e. the router's IP address, into the resolv.dnsmasq file.

EDIT: Thanks for the reminder @Foxgoku!

_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net


Last edited by kernel-panic69 on Tue Nov 16, 2021 21:18; edited 2 times in total
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12889
Location: Netherlands

Posted: Tue Nov 16, 2021 20:40    Post subject:
kernel-panic69 wrote:
egc wrote:
Strange is that the router's address is in resolv.dnsmasq; that should not be there.

That is the default nameserver in dnsmasq, it will always give the router's IP address, same for resolv.conf. There isn't a way around this, save and except for using no-resolv and server= lines in additional configs; the router IP address will still be in resolv.conf, but resolv.dnsmasq will be empty AFAIK.


On my routers resolv.dnsmasq holds the upstream DNS servers to query and consists of the entries of Local DNS (and that is why that should be kept at its default 0.0.0.0; that could be the problem here), Static DNS 1, 2, 3 and the ISP's DNS server unless "Ignore WAN DNS" is ticked.

It also has the DNS servers from WireGuard and OpenVPN.

resolv.conf holds the address which is handed out to the clients and in this case, as DNSMasq is enabled, holds the router's address.

If you disable DNSMasq the resolv.conf file will get the entries of Local DNS and Static DNS and these are then handed out to the clients.

Foxgoku
DD-WRT Novice


Joined: 23 Oct 2019
Posts: 11

Posted: Tue Nov 16, 2021 20:50    Post subject:
kernel-panic69 wrote:
egc wrote:
Strange is that the router's address is in resolv.dnsmasq; that should not be there.



I did notice when I removed local server from the local dns setting in the main setup page, the nameserver setting for router gets removed. Okay, thanks for that.

Is it possible that my ISP is using a transparent redirection to hijack my DNS settings?

And should I have 'forced dns redirection' selected on the basic settings as well?
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14221
Location: Texas, USA

Posted: Tue Nov 16, 2021 21:10    Post subject:
egc wrote:
kernel-panic69 wrote:
egc wrote:
Strange is that the router's address is in resolv.dnsmasq; that should not be there.

That is the default nameserver in dnsmasq, it will always give the router's IP address for resolv.conf. Using local DNS entry will place whatever IP address you put there, i.e. the router's IP address, into the resolv.dnsmasq file.
Foxgoku wrote:
I did notice when I removed local server from the local dns setting in the main setup page, the nameserver setting for router gets removed.

EDIT: Thanks for the reminder @Foxgoku!


On my routers resolv.dnsmasq holds the upstream DNS servers to query and consists of the entries of Local DNS (and that is why that should be kept at its default 0.0.0.0; that could be the problem here), Static DNS 1, 2, 3 and the ISP's DNS server unless "Ignore WAN DNS" is ticked.

It also has the DNS servers from WireGuard and OpenVPN.

resolv.conf holds the address which is handed out to the clients and in this case, as DNSMasq is enabled, holds the router's address.

If you disable DNSMasq the resolv.conf file will get the entries of Local DNS and Static DNS and these are then handed out to the clients.


It depends on how you configure dnsmasq. If you use those static entries instead of using no-resolv, or disable dnsmasq for DNS, then you are correct. @Foxgoku: Correct, sorry, I forgot about that; that will surely remove or add that entry to the file. I *do* know how this works...


Last edited by kernel-panic69 on Tue Nov 16, 2021 21:26; edited 2 times in total
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12889
Location: Netherlands

Posted: Tue Nov 16, 2021 21:11    Post subject:
You are routing everything via the wg tunnel including DNS, so I do not see how that can be hijacked.

Forced DNS redirection will not make any difference

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087