Posted: Tue Apr 26, 2022 8:22 Post subject: [SOLVED] OpenVPN, Policy Based Routing and DNS Leak
I'm hoping someone can help as I'm going round and round in circles trying to configure OpenVPN client to only send a specific range of IP addresses down the tunnel.
I have the OpenVPN client configured and connecting successfully to the NordVPN servers (using their instructions).
Without any IP addresses in the policy based routing field, the OpenVPN client connects to the NordVPN server and dnsleaktest.com reports the right NordVPN DNS servers.
Adding even one single IP address to the policy based routing seems to allow the OpenVPN client to connect to the NordVPN server but dnsleaktest.com reports a different DNS server - and it's not my ISP's server. Hence the DNS leak.
What I'm trying to achieve is:
> 192.168.x.2 - 192.168.x.120 should be routed down the tunnel for all traffic, including the Nord DNS
> 192.168.x.121 - 192.168.x.254 should be routed around the VPN to my ISP and use my ISP's DNS
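The two host ranges above have to go into the policy-based-routing field as addresses or prefixes, so here is an added example (my own code, not from the thread, DD-WRT or NordVPN) that turns each range into the minimal CIDR list, checks that the two lists neither overlap nor leave a LAN host unassigned, and reports where a given host will be routed. It assumes the LAN is 192.168.4.0/24 with the router at .1 (taken from the later description: ISP side 192.168.3.x, VPN router LAN 192.168.4.x); the router itself is deliberately in neither list. It covers only the address split, not the DNS side of the problem.

```python
"""Split a LAN into VPN-routed and ISP-routed prefixes for a policy-based
routing field.

Added example; not code from the thread, DD-WRT or NordVPN. The LAN
192.168.4.0/24 and the router address .1 are assumptions taken from the
poster's later description of the network.
"""
import ipaddress

LAN = ipaddress.ip_network("192.168.4.0/24")        # assumed LAN
ROUTER = ipaddress.ip_address("192.168.4.1")         # assumed router address
VPN_RANGE = ("192.168.4.2", "192.168.4.120")         # all traffic via tunnel
ISP_RANGE = ("192.168.4.121", "192.168.4.254")       # around the tunnel


def range_to_cidrs(first, last):
    """Minimal list of CIDR blocks that exactly cover first..last inclusive."""
    start, end = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if start > end:
        raise ValueError(f"range start {start} is after end {end}")
    return list(ipaddress.summarize_address_range(start, end))


def pbr_field(cidrs):
    """Space-separated prefix list; confirm the separator the PBR field
    expects against the client setup guide before pasting it in."""
    return " ".join(str(n) for n in cidrs)


def route_for(host, vpn_cidrs, isp_cidrs):
    """'vpn' if the host is in a VPN prefix, 'isp' if in an ISP prefix,
    otherwise 'unassigned' (such a host follows whatever the default is)."""
    ip = ipaddress.ip_address(host)
    if any(ip in n for n in vpn_cidrs):
        return "vpn"
    if any(ip in n for n in isp_cidrs):
        return "isp"
    return "unassigned"


def check_split(vpn_cidrs, isp_cidrs, lan=LAN, router=ROUTER):
    """Return (ok, message). Fails on any overlap between the two lists or
    on a usable LAN address (other than the router) that neither covers."""
    for a in vpn_cidrs:
        for b in isp_cidrs:
            if a.overlaps(b):
                return False, f"overlap: {a} and {b}"
    covered = set()
    for n in vpn_cidrs + isp_cidrs:
        covered.update(n)          # iterating a network yields every address
    usable = set(lan) - {lan.network_address, lan.broadcast_address, router}
    missing = sorted(usable - covered)
    if missing:
        return False, "unassigned hosts: " + ", ".join(map(str, missing))
    return True, "every usable host is assigned exactly once"


if __name__ == "__main__":
    vpn = range_to_cidrs(*VPN_RANGE)
    isp = range_to_cidrs(*ISP_RANGE)
    print("VPN prefixes:", pbr_field(vpn))
    print("ISP prefixes:", pbr_field(isp))
    print(check_split(vpn, isp)[1])
    for h in ("192.168.4.120", "192.168.4.121", "192.168.4.1"):
        print(h, "->", route_for(h, vpn, isp))
```

The VPN range needs nine prefixes and the ISP range ten, which is why typing them by hand tends to leave a host out; `check_split` catches a dropped block (for example the .120/32 at the end of the VPN list) before it becomes a host silently using the wrong path and the wrong resolver.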
Joined: 18 Mar 2014 Posts: 12889 Location: Netherlands
Posted: Tue Apr 26, 2022 8:28 Post subject:
Start with telling us what router and buildnumber you are using.
See the forum guidelines with helpful pointers about how to research your router, where and what firmware to download, where and how to post and many other helpful tips:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
Linksys WRT1900ACS router flashed with DD-WRT v3.0 (Build 44715). This router sits behind my ISP modem which does the connection. The ISP router has the public address and NATs to a private network. The VPN router has a fixed internal IP address on this address range on the WAN port and does DHCP to all the devices in the house. So ISP address <-> 192.168.3.x <-> 192.168.4.x (VPN router). What else can help?
Joined: 18 Mar 2014 Posts: 12889 Location: Netherlands
Posted: Tue Apr 26, 2022 9:31 Post subject:
What will help is reading the forum guidelines (link in previous post) which will show that you are running an old and outdated build.
Current is 48646 (a newer build is coming, but for now I would stick to 48646; as always, see the build threads).
Coming from such an old build, a reset *after* the upgrade is highly recommended; after the reset, put the settings in manually and never restore from a backup (taken on a different build).
Then see the documentation (Client setup guide, see the sticky in this forum) on how to properly set up NordVPN and policy based routing. DNS settings/leaks are discussed there too.
Oh, cool. Thanks for the info. I went to the DD-WRT database and only saw the beta version I was already running. I found the 48646 version so will flash the router now. Would you also be so kind as to ping me the link to the client setup guide? Much appreciated, egc.
Good to know. It's quite a while since I spent time digging around in the database but now I know, I'll keep an eye on new releases. I went through all the config settings and now have a VPN router that splits the private address range into VPN and non-VPN traffic with split DNS and no leaks. I very much appreciate you pointing me in the right direction.
I'm interested in your thoughts on Additional Config. You noted in the pinned post to include just 'verb 4' in Additional Config. I've left that out entirely, so my Additional Config field is empty. What does that option do, and in what situations would it be needed? I noticed the default is 'verb 3' in the config file on the router.
Also there are three other options you mention to include in rare circumstances. When would you include one or more of those options? Thanks for your advice.
I noticed a bunch of warnings about an MTU of 1435 with a limit set at 1400, so I added the following to the Additional Config, which seems to have fixed that (or at least it's not complaining any more).
Joined: 16 Nov 2015 Posts: 6440 Location: UK, London, just across the river..
Posted: Thu Apr 28, 2022 16:40 Post subject:
egc wrote:
Don't... just keeping the MTU at 1400 is the better option, OpenVPN does not deal well with too high MTU (in theory it should but it does not)
By default the opvpncl (OpenVPN client) MTU is already set to 1400, so you don't have to make any adjustments unless your VPN provider recommends that you do...
As well, some warning messages are just normal trivial complaints; as long as it is working, it's OK... I guess.
Apr 27 11:56:01 1043NDv2 daemon.err openvpn[1675]: tun packet too large on write (tried=1480,max=1400)
Apr 27 11:56:18 1043NDv2 daemon.err openvpn[1675]: tun packet too large on write (tried=1480,max=1400)
Apr 27 11:56:23 1043NDv2 daemon.err openvpn[1675]: tun packet too large on write (tried=1480,max=1400)
Apr 27 11:57:30 1043NDv2 daemon.notice openvpn[1675]: NOTE: --mute triggered...
Apr 27 12:04:02 1043NDv2 daemon.notice openvpn[1675]: 1 variation(s) on previous 3 message(s) suppressed by --mute
Apr 27 12:04:02 1043NDv2 daemon.notice openvpn[1675]: TLS: tls_process: killed expiring key
Apr 27 12:05:33 1043NDv2 daemon.err openvpn[1675]: tun packet too large on write (tried=1480,max=1400)
Apr 27 12:05:39 1043NDv2 daemon.err openvpn[1675]: tun packet too large on write (tried=1480,max=1400)
Apr 27 16:03:19 1043NDv2 daemon.err openvpn[1675]: tun packet too large on write (tried=1500,max=1400)
Apr 28 17:04:03 1043NDv2 daemon.warn openvpn[1675]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1435', remote='link-mtu 1554'
Apr 28 17:04:03 1043NDv2 daemon.warn openvpn[1675]: WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1400', remote='tun-mtu 1500'
Apr 28 17:04:03 1043NDv2 daemon.warn openvpn[1675]: WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA256'
Apr 28 17:04:03 1043NDv2 daemon.warn openvpn[1675]: WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
Apr 28 17:04:03 1043NDv2 daemon.notice openvpn[1675]: Outgoing Data Channel: Cipher 'CHACHA20-POLY1305' initialized with 256 bit key
Apr 28 17:04:03 1043NDv2 daemon.notice openvpn[1675]: Incoming Data Channel: Cipher 'CHACHA20-POLY1305' initialized with 256 bit key
_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
I get this warning every hour though, which is why I was thinking of changing the MTU in Additional Config.
20220429 07:06:08 8 variation(s) on previous 3 message(s) suppressed by --mute
20220429 07:06:08 W WARNING: 'link-mtu' is used inconsistently local='link-mtu 1534' remote='link-mtu 1634'
20220429 07:06:08 W WARNING: 'tun-mtu' is used inconsistently local='tun-mtu 1432' remote='tun-mtu 1532'
20220429 07:06:08 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
20220429 07:06:08 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
20220429 07:06:08 Control Channel: TLSv1.3 cipher TLSv1.3 TLS_AES_256_GCM_SHA384 peer certificate: 4096 bit RSA signature: RSA-SHA512
20220429 08:06:08 NOTE: --mute triggered...
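Both logs in this thread show the same two things: 'tun packet too large on write' errors and hourly 'link-mtu'/'tun-mtu' inconsistency warnings at each key renegotiation. As an added example (my own code, not from the thread, DD-WRT or OpenVPN), the script below reads both log shapes that appear above (the syslog style 'Apr 27 11:56:01 host daemon.err openvpn[pid]: ...' and DD-WRT's own '20220429 07:06:08 W ...') and reports how many writes were rejected as larger than the tun MTU, the largest size tried, the configured maximum, the local and remote 'link-mtu'/'tun-mtu' pairs, and the overhead each side has computed on top of tun-mtu (link-mtu minus tun-mtu). The sample lines are a subset copied from the two posts above; the regular expressions are mine and match only these two message formats.

```python
"""Summarise the MTU-related lines of an OpenVPN client log.

Added example; not code from the thread, DD-WRT or OpenVPN. The sample
lines below are copied from the two posts in the thread; the patterns
match the syslog-style and DD-WRT-style lines shown there and nothing else.
"""
import re

TOO_LARGE = re.compile(
    r"tun packet too large on write \(tried=(\d+),max=(\d+)\)")
# Syslog style has commas ("inconsistently, local=..., remote=..."),
# the DD-WRT log viewer does not; ',?' accepts both.
INCONSISTENT = re.compile(
    r"WARNING: '(link-mtu|tun-mtu)' is used inconsistently,? "
    r"local='\1 (\d+)',? remote='\1 (\d+)'")

SAMPLE_SYSLOG = [  # copied from the first log in the thread
    "Apr 27 11:56:01 1043NDv2 daemon.err openvpn[1675]: tun packet too large on write (tried=1480,max=1400)",
    "Apr 27 11:56:18 1043NDv2 daemon.err openvpn[1675]: tun packet too large on write (tried=1480,max=1400)",
    "Apr 27 16:03:19 1043NDv2 daemon.err openvpn[1675]: tun packet too large on write (tried=1500,max=1400)",
    "Apr 28 17:04:03 1043NDv2 daemon.warn openvpn[1675]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1435', remote='link-mtu 1554'",
    "Apr 28 17:04:03 1043NDv2 daemon.warn openvpn[1675]: WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1400', remote='tun-mtu 1500'",
    "Apr 28 17:04:03 1043NDv2 daemon.notice openvpn[1675]: Outgoing Data Channel: Cipher 'CHACHA20-POLY1305' initialized with 256 bit key",
]
SAMPLE_DDWRT = [  # copied from the second log in the thread
    "20220429 07:06:08 W WARNING: 'link-mtu' is used inconsistently local='link-mtu 1534' remote='link-mtu 1634'",
    "20220429 07:06:08 W WARNING: 'tun-mtu' is used inconsistently local='tun-mtu 1432' remote='tun-mtu 1532'",
    "20220429 07:06:08 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key",
]


def summarise_mtu(lines):
    """Return a dict summarising the MTU events found in the given lines."""
    tried, tun_max, mtus = [], None, {}
    for line in lines:
        m = TOO_LARGE.search(line)
        if m:
            tried.append(int(m.group(1)))
            tun_max = int(m.group(2))
            continue
        m = INCONSISTENT.search(line)
        if m:
            mtus[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    summary = {
        "oversized_writes": len(tried),
        "largest_tried": max(tried) if tried else None,
        "tun_max": tun_max,
        "mtus": mtus,
        "overhead": None,
    }
    if "link-mtu" in mtus and "tun-mtu" in mtus:
        # link-mtu is derived from tun-mtu plus OpenVPN's framing/crypto
        # overhead, so the difference is the overhead each side assumes.
        summary["overhead"] = {
            "local": mtus["link-mtu"][0] - mtus["tun-mtu"][0],
            "remote": mtus["link-mtu"][1] - mtus["tun-mtu"][1],
        }
    return summary


def describe(summary):
    """One-line human summary, e.g. for a cron job that greps the log."""
    parts = []
    if summary["oversized_writes"]:
        parts.append(f"{summary['oversized_writes']} write(s) over tun MTU "
                     f"{summary['tun_max']} (largest {summary['largest_tried']})")
    for name, (local, remote) in summary["mtus"].items():
        parts.append(f"{name} local={local} remote={remote}")
    if summary["overhead"]:
        parts.append(f"overhead local={summary['overhead']['local']} "
                     f"remote={summary['overhead']['remote']}")
    return "; ".join(parts) or "no MTU events"


if __name__ == "__main__":
    print(describe(summarise_mtu(SAMPLE_SYSLOG)))
    print(describe(summarise_mtu(SAMPLE_DDWRT)))
```

On the first log the local side is at tun-mtu 1400 while the server announces 1500, and the 'too large' errors show the local tun is being asked to write 1480 and 1500 byte packets; on the second log both sides compute the same 102 bytes of overhead and differ only in the tun-mtu itself (1432 versus 1532). Neither summary says the tunnel is broken, which is the point made above: the warnings are informational, and the useful check is whether the oversized-write count keeps growing.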