[SOLVED] OpenVPN, Policy Based Routing and DNS Leak

anthonyoc
DD-WRT Novice


Joined: 26 Apr 2022
Posts: 13

PostPosted: Tue Apr 26, 2022 8:22    Post subject: [SOLVED] OpenVPN, Policy Based Routing and DNS Leak
I'm hoping someone can help as I'm going round and round in circles trying to configure OpenVPN client to only send a specific range of IP addresses down the tunnel.

I have the OpenVPN client configured and connecting successfully to the NordVPN servers (using their instructions).

Without any IP addresses in the policy based routing field, the OpenVPN client connects to the NordVPN server and dnsleaktest.com reports the right NordVPN DNS servers.

Adding even one single IP address to the policy based routing seems to allow the OpenVPN client to connect to the NordVPN server but dnsleaktest.com reports a different DNS server - and it's not my ISP's server. Hence the DNS leak.

What I'm trying to achieve is:
> 192.168.x.2 - 192.168.x.120 should be routed down the tunnel for all traffic, including the Nord DNS
> 192.168.x.121 - 192.168.x.254 should be routed around the VPN to my ISP and use my ISP's DNS

Can anyone point me in the right direction?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Tue Apr 26, 2022 8:28    Post subject:
Start with telling us what router and buildnumber you are using.

See the forum guidelines with helpful pointers about how to research your router, where and what firmware to download, where and how to post and many other helpful tips:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087

The Nord-specific instructions are not the best; for proper instructions and setup guidance see the OpenVPN documentation, which is a sticky (top-most threads) in this forum.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
anthonyoc
DD-WRT Novice


Joined: 26 Apr 2022
Posts: 13

PostPosted: Tue Apr 26, 2022 9:10    Post subject:
Linksys WRT1900ACS router flashed with DD-WRT v3.0 (Build 44715). This router sits behind my ISP modem which does the connection. The ISP router has the public address and NATs to a private network. The VPN router has a fixed internal IP address on this address range on the WAN port and does DHCP to all the devices in the house. So ISP address <-> 192.168.3.x <-> 192.168.4.x (VPN router). What else can help?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Tue Apr 26, 2022 9:31    Post subject:
What will help is reading the forum guidelines (link in previous post), which will show that you are running an old and outdated build.
Current is 48646 (newer is coming, but for now I would stick to 48646; as always, see the build threads).

Coming from such an old build a reset *after* upgrade is highly recommended and after reset put settings in manually, never restore from a backup (to a different build).

Then see the documentation (Client setup guide, see the sticky in this forum) on how to properly set up for NordVPN and to do policy based routing. DNS settings/leaks are also discussed.

Hint: You need Split DNS Smile

If you have questions left feel free to ask, we are here to help

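The two address ranges from the opening post and the split DNS hint just above, worked through as an added Python example (it is not code from the thread or from DD-WRT): it summarizes each inclusive range into the CIDR blocks a policy-based-routing list needs, classifies a client address against those blocks, and then checks a set of observed resolvers against the resolver each client should be using, which is the mismatch dnsleaktest.com was reporting. The third octet 4 is taken from the later post describing the VPN router's LAN as 192.168.4.x; the resolver names are placeholders, and the exact text format of the PBR field is whatever the client setup guide linked in the thread specifies.

```python
"""
Added example, not from the thread: policy-based-routing blocks plus a
split DNS consistency check for the ranges in the opening post.
Assumes the LAN is 192.168.4.0/24 (the thread itself only writes 192.168.x).
"""
import ipaddress

# Ranges from the opening post, with the third octet assumed to be 4.
VPN_RANGE = ("192.168.4.2", "192.168.4.120")    # all traffic, including DNS, via the tunnel
ISP_RANGE = ("192.168.4.121", "192.168.4.254")  # around the VPN, using the ISP resolver

# Placeholder resolver names; the real ones are pushed by the provider / the ISP.
VPN_DNS = "vpn-resolver.example"
ISP_DNS = "isp-resolver.example"


def range_to_cidrs(first, last):
    """Summarize an inclusive IPv4 range into the minimal list of CIDR blocks."""
    start = ipaddress.IPv4Address(first)
    end = ipaddress.IPv4Address(last)
    return [str(net) for net in ipaddress.summarize_address_range(start, end)]


def build_pbr_list(first, last):
    """One space-separated string of CIDR blocks for a policy-based-routing field.
    (The field's exact syntax is per the DD-WRT client setup guide; this is an assumption.)"""
    return " ".join(range_to_cidrs(first, last))


def classify_client(ip, pbr_cidrs):
    """Route decision for one client: ('vpn', VPN_DNS) if it falls inside a PBR
    block, otherwise ('isp', ISP_DNS). Routing and DNS are decided together here
    because that is what split DNS has to guarantee; PBR on its own only moves
    the packets, not which resolver answers the client."""
    addr = ipaddress.IPv4Address(ip)
    for cidr in pbr_cidrs:
        if addr in ipaddress.IPv4Network(cidr):
            return ("vpn", VPN_DNS)
    return ("isp", ISP_DNS)


def check_no_leak(observed, pbr_cidrs):
    """observed maps client IP -> resolver that client was seen using (e.g. from a
    leak test). Returns the clients whose observed resolver is not the one their
    routing decision expects: a VPN client answered by the ISP resolver, or the
    reverse, is a DNS leak in the sense used in the thread."""
    leaks = []
    for ip, resolver in observed.items():
        _, expected = classify_client(ip, pbr_cidrs)
        if resolver != expected:
            leaks.append(ip)
    return leaks


if __name__ == "__main__":
    pbr = range_to_cidrs(*VPN_RANGE)
    print("PBR field:", build_pbr_list(*VPN_RANGE))
    print("ISP side :", build_pbr_list(*ISP_RANGE))
    # Constructed observation: a VPN-side client still using the ISP resolver.
    seen = {"192.168.4.50": ISP_DNS, "192.168.4.200": ISP_DNS}
    print("leaking clients:", check_no_leak(seen, pbr))
```

The range 192.168.4.2 to 192.168.4.120 does not align to any single prefix, so it summarizes to nine blocks (from /31 at .2 up to a /32 at .120); that is why putting a single address in the PBR field behaves so differently from leaving it empty, as the opening post observed: with the field empty everything is routed through the tunnel, and once any entry is present only the listed clients are, while the resolver the rest of the LAN uses has to be set separately.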
anthonyoc
DD-WRT Novice


Joined: 26 Apr 2022
Posts: 13

PostPosted: Tue Apr 26, 2022 9:39    Post subject:
Oh, cool. Thanks for the info. I went to the DD-WRT database and only saw the beta version I was already running. I found the 48646 version so will flash the router now. Would you also be so kind as to ping me the link to the client setup guide? Much appreciated, egc.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Tue Apr 26, 2022 9:59    Post subject:
Unfortunately the router database is out of our control Sad

All OpenVPN guides:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327398

OpenVPN Client setup guide:
https://forum.dd-wrt.com/phpBB2/download.php?id=48550

anthonyoc
DD-WRT Novice


Joined: 26 Apr 2022
Posts: 13

PostPosted: Tue Apr 26, 2022 10:10    Post subject:
Good to know. It's quite a while since I spent time digging around in the database but now I know, I'll keep an eye on new releases. I went through all the config settings and now have a VPN router that splits the private address range into VPN and non-VPN traffic with split DNS and no leaks. I very much appreciate you pointing me in the right direction.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Tue Apr 26, 2022 10:11    Post subject:
Glad to hear you solved it Smile
anthonyoc
DD-WRT Novice


Joined: 26 Apr 2022
Posts: 13

PostPosted: Thu Apr 28, 2022 5:55    Post subject:
I'm interested in your thoughts on Additional Config. You noted in the pinned post to include just 'verb 4' in Additional Config. I've left that out entirely, so my Additional Config field is empty. What does that option do, and in what situations would it be needed? I noticed the default is 'verb 3' in the config file on the router.

Also there are three other options you mention to include in rare circumstances. When would you include one or more of those options? Thanks for your advice.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Thu Apr 28, 2022 6:08    Post subject:
verb (short for verbose) sets the log level, i.e. the amount of information given in the logs.

verb 3 is standard, but when troubleshooting it is helpful if we get more information, so for troubleshooting verb 5 is advised (it goes up to 11).

You can try for yourself increasing it and see the output of the log with: grep -i openvpn /var/log/messages

Options are explained in the man pages:
https://build.openvpn.net/man/openvpn-2.5/openvpn.8.html

Have fun Smile

anthonyoc
DD-WRT Novice


Joined: 26 Apr 2022
Posts: 13

PostPosted: Thu Apr 28, 2022 6:47    Post subject:
I noticed a bunch of warnings about an MTU of 1435 with a limit set of 1400, so I added the following to the Additional Config, which seems to have fixed that (or at least it's not complaining any more).

tun-mtu-extra 32
tun-mtu 1500
mssfix 1450
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Thu Apr 28, 2022 7:04    Post subject:
Don't; just keeping the MTU at 1400 is the better option. OpenVPN does not deal well with too high an MTU (in theory it should, but it does not).
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

PostPosted: Thu Apr 28, 2022 16:40    Post subject:
egc wrote:
Don't... just keeping the MTU at 1400 is the better option, OpenVPN does not deal well with too high MTU (in theory it should but it does not)


By default the openvpncl (OpenVPN client) MTU is already set to 1400, so you don't have to make any adjustments unless your VPN provider recommends you to do so...

root@T1043NDv2:~# nvram show | grep mtu

br0_mtu=1500
mtu_enable=0
eth1.3_mtu=1500
openvpn_mtu=1500
eth1_mtu=1500
oet1_mtu=1460
ipv6_mtu=1452
eth0_mtu=1500
size: 47755 bytes (17781 left)
pptpd_mtu=1436
wlan0_mtu=1500
pptpd_client_mtu=1436
pppoeserver_mtu=1492
pptpd_client_srvmtu=1436
wan_mtu=1500
br1_mtu=1500
eth0.3_mtu=1500
openvpncl_mtu=1400

As well, some warning messages are just normal, trivial complaints; as long as it is working, it's OK... I guess Laughing

Apr 27 11:56:01 1043NDv2 daemon.err openvpn[1675]: tun packet too large on write (tried=1480,max=1400)
Apr 27 11:56:18 1043NDv2 daemon.err openvpn[1675]: tun packet too large on write (tried=1480,max=1400)
Apr 27 11:56:23 1043NDv2 daemon.err openvpn[1675]: tun packet too large on write (tried=1480,max=1400)
Apr 27 11:57:30 1043NDv2 daemon.notice openvpn[1675]: NOTE: --mute triggered...
Apr 27 12:04:02 1043NDv2 daemon.notice openvpn[1675]: 1 variation(s) on previous 3 message(s) suppressed by --mute
Apr 27 12:04:02 1043NDv2 daemon.notice openvpn[1675]: TLS: tls_process: killed expiring key
Apr 27 12:05:33 1043NDv2 daemon.err openvpn[1675]: tun packet too large on write (tried=1480,max=1400)
Apr 27 12:05:39 1043NDv2 daemon.err openvpn[1675]: tun packet too large on write (tried=1480,max=1400)
Apr 27 16:03:19 1043NDv2 daemon.err openvpn[1675]: tun packet too large on write (tried=1500,max=1400)

Apr 28 17:04:03 1043NDv2 daemon.warn openvpn[1675]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1435', remote='link-mtu 1554'
Apr 28 17:04:03 1043NDv2 daemon.warn openvpn[1675]: WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1400', remote='tun-mtu 1500'
Apr 28 17:04:03 1043NDv2 daemon.warn openvpn[1675]: WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA256'
Apr 28 17:04:03 1043NDv2 daemon.warn openvpn[1675]: WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
Apr 28 17:04:03 1043NDv2 daemon.notice openvpn[1675]: Outgoing Data Channel: Cipher 'CHACHA20-POLY1305' initialized with 256 bit key
Apr 28 17:04:03 1043NDv2 daemon.notice openvpn[1675]: Incoming Data Channel: Cipher 'CHACHA20-POLY1305' initialized with 256 bit key

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
anthonyoc
DD-WRT Novice


Joined: 26 Apr 2022
Posts: 13

PostPosted: Fri Apr 29, 2022 0:05    Post subject:
Here are my settings. Similar to yours, I think.

root@Boomgate:~# nvram show | grep mtu
size: 33952 bytes (97120 left)
mtu_enable=0
openvpn_mtu=1500
eth1_mtu=1500
ipv6_mtu=1452
pptpd_mtu=1436
pptpd_client_mtu=1436
pppoeserver_mtu=1492
openvpncl_config=tun-mtu-extra 32
pptpd_client_srvmtu=1436
wan_mtu=1500
openvpncl_mtu=1400
anthonyoc
DD-WRT Novice


Joined: 26 Apr 2022
Posts: 13

PostPosted: Fri Apr 29, 2022 0:09    Post subject:
I get this warning every hour though, which is why I was thinking of changing the MTU in Additional Config.

20220429 07:06:08 8 variation(s) on previous 3 message(s) suppressed by --mute
20220429 07:06:08 W WARNING: 'link-mtu' is used inconsistently local='link-mtu 1534' remote='link-mtu 1634'
20220429 07:06:08 W WARNING: 'tun-mtu' is used inconsistently local='tun-mtu 1432' remote='tun-mtu 1532'
20220429 07:06:08 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
20220429 07:06:08 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
20220429 07:06:08 Control Channel: TLSv1.3 cipher TLSv1.3 TLS_AES_256_GCM_SHA384 peer certificate: 4096 bit RSA signature: RSA-SHA512
20220429 08:06:08 NOTE: --mute triggered...
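The MTU messages quoted in the last few posts come in two shapes: the syslog lines from grep -i openvpn /var/log/messages (Alozaros's paste) and the DD-WRT GUI log format (anthonyoc's paste). The script below is an added Python example, not code from the thread or from DD-WRT or OpenVPN; it parses both formats, pulls out the tried/max sizes from "tun packet too large" errors and the local/remote values from "is used inconsistently" warnings, and separates the warnings that are not about MTU at all (the 'auth' and 'keysize' lines in the quoted log concern the crypto negotiation rather than packet size, so they deserve a look on their own rather than being dismissed with the MTU noise). The sample log embedded in it is constructed from the lines quoted above.

```python
"""
Added example, not from the thread: triage OpenVPN MTU log messages in both
the syslog (/var/log/messages) and the DD-WRT GUI log formats.
"""
import re

# Constructed sample, copied in shape from the lines quoted in the thread.
SAMPLE_LOG = """\
Apr 27 11:56:01 1043NDv2 daemon.err openvpn[1675]: tun packet too large on write (tried=1480,max=1400)
Apr 27 11:56:18 1043NDv2 daemon.err openvpn[1675]: tun packet too large on write (tried=1480,max=1400)
Apr 27 16:03:19 1043NDv2 daemon.err openvpn[1675]: tun packet too large on write (tried=1500,max=1400)
Apr 28 17:04:03 1043NDv2 daemon.warn openvpn[1675]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1435', remote='link-mtu 1554'
Apr 28 17:04:03 1043NDv2 daemon.warn openvpn[1675]: WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1400', remote='tun-mtu 1500'
Apr 28 17:04:03 1043NDv2 daemon.warn openvpn[1675]: WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA256'
Apr 28 17:04:03 1043NDv2 daemon.warn openvpn[1675]: WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
20220429 07:06:08 W WARNING: 'tun-mtu' is used inconsistently local='tun-mtu 1432' remote='tun-mtu 1532'
20220429 07:06:08 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
"""

# "tun packet too large on write (tried=1480,max=1400)"
TOO_LARGE = re.compile(r"tun packet too large on write \(tried=(\d+),max=(\d+)\)")

# Syslog has commas after "inconsistently" and after the local value; the GUI
# format has none, so both separators are optional.
INCONSISTENT = re.compile(
    r"WARNING: '([\w-]+)' is used inconsistently,? "
    r"local='[\w-]+ ([^']+)',? remote='[\w-]+ ([^']+)'"
)


def parse_events(text):
    """Turn raw log text into a list of dicts, one per MTU-related message."""
    events = []
    for line in text.splitlines():
        m = TOO_LARGE.search(line)
        if m:
            events.append({"kind": "too_large",
                           "tried": int(m.group(1)), "max": int(m.group(2))})
            continue
        m = INCONSISTENT.search(line)
        if m:
            events.append({"kind": "inconsistent", "option": m.group(1),
                           "local": m.group(2), "remote": m.group(3)})
    return events


def mtu_summary(text):
    """Summarize: how often the tun device rejected a packet, the largest size
    tried, the configured ceiling, and which options the peer disagrees on.
    For repeated 'inconsistent' warnings the most recent values win."""
    events = parse_events(text)
    too_large = [e for e in events if e["kind"] == "too_large"]
    mismatches = {e["option"]: (e["local"], e["remote"])
                  for e in events if e["kind"] == "inconsistent"}
    return {
        "too_large_count": len(too_large),
        "largest_tried": max((e["tried"] for e in too_large), default=None),
        "tun_max": max((e["max"] for e in too_large), default=None),
        "mismatches": mismatches,
        # Anything that is not an MTU option is a different conversation.
        "non_mtu_mismatches": sorted(k for k in mismatches if not k.endswith("mtu")),
    }


if __name__ == "__main__":
    summary = mtu_summary(SAMPLE_LOG)
    print(f"{summary['too_large_count']} oversized packets, largest tried "
          f"{summary['largest_tried']}, local ceiling {summary['tun_max']}")
    for opt, (local, remote) in summary["mismatches"].items():
        print(f"  {opt}: local={local} remote={remote}")
    if summary["non_mtu_mismatches"]:
        print("non-MTU mismatches to review:", ", ".join(summary["non_mtu_mismatches"]))
```

Run against the real file with `python3 triage.py < /var/log/messages` after swapping SAMPLE_LOG for `sys.stdin.read()`; the hourly repeat anthonyoc sees lines up with the TLS key renegotiation that precedes the warnings in both pastes, which is why the same 'tun-mtu' mismatch shows up once per hour rather than once per connection.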