[SOLVED]OpenVPN Server IP and DNS Leaks

SunSkyPi
DD-WRT Novice


Joined: 14 Sep 2021
Posts: 21
Location: Western Hemisphere

PostPosted: Tue Dec 06, 2022 4:06    Post subject: [SOLVED]OpenVPN Server IP and DNS Leaks
I have used OpenVPN Servers with ddwrt clients for a few years, but wanted to try ddwrt as OpenVPN server.

I have IP and DNS leaks when using ddwrt as OpenVPN server. I can connect to my other self-set-up OpenVPN servers with all clients with no issues, but for some reason with ddwrt as OpenVPN server I get these leaks:

1) On the S10 cell client it reports the correct VPN server IP as expected, but DNS leaks to the client's ISP.
2) Win laptop client: it does not report the VPN server IP, but instead the client IP, and DNS leaks to the client's ISP.

Everything seems to connect fine on both Client and OpenVPN server end via Android and Win OpenVPN Connect.

It’s odd that both clients are using the same config file and yet the S10 cell reports the correct VPN IP, whereas the win laptop does not, but both have DNS leaks.

I can switch the clients to my other OpenVPN servers I have (mainly ASUS-Merlin routers) and all is good.

Here is my setup, same on both the ddwrt and other OpenVPN Servers I have:

Client (OpenVPN connect) -> Internet -> Main Router-> OpenVPN Server (ddwrt and ASUS Merlin)

The ddwrt OpenVPN server is Netgear R7000, with r50927 std (11/21/22), I have followed the DDWRT OpenVPN Server Setup guide v28 (Great guide, thank you egc!) for the OpenVPN Server setup with the same settings as in the guide.

When I look at the client files for the ddwrt and Merlin OpenVPN setups, almost identical config, but for some reason have IP leaks with ddwrt.

It just seems like I am missing some setting on ddwrt?

Thank you for any advice anyone may have.

Sample ASUS-Merlin client config:
client
dev tun
proto udp
remote XXXXXXXXXXXXXX
resolv-retry infinite
nobind
float
ncp-ciphers CHACHA20-POLY1305:AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC
keepalive 15 60
auth-user-pass
remote-cert-tls server

Sample ddwrt client config:
client
dev tun
#windows-driver wintun # only for Windows 10 OpenVPN 2.5.x
proto udp4
remote XXXXXXXXXXXXXXXXXX
nobind
persist-key
persist-tun
remote-cert-tls server
auth-nocache
verb 4
float
#tun-mtu 1400 # lowered default can be commented to let OpenVPN decide
auth none #For use with GCM or Chacha ciphers and not using tls-auth otherwise remove
#cipher AES-256-CBC #use AES-256-CBC for older (android) clients
data-ciphers CHACHA20-POLY1305:AES-256-GCM:AES-128-GCM:AES-256-CBC

Edit: I noticed both the Android and the win OpenVPN Connect client do show the correct server public IP, but on the laptop when I do an IP check it incorrectly reports the client's ISP, and both DNS leak to the client's ISP.

tracert 8.8.8.8 indicates it is going through the VPN server. When I disconnect the internet from the server to test the kill switch, the win laptop can still access the internet, so I am thinking this is how it might be leaking. The S10 cell has no internet access, so the kill switch seems to be working on the S10.

IPv6 is disabled

Thank you again

_________________
ASUS 7xAC68U
Linksys 3200ACM, 1900ACSv2, 3x1900AC, E3000, 5xE2500
Netgear 3xR7000, R6700, R6400
If able, give more than you take. Make the world better.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Tue Dec 06, 2022 8:29    Post subject:
In the server setup guide on page 20 it is described how you can push DNS servers to your clients.
It is assuming that you have enabled on the OpenVPN Server "Push Client Route: Default Gateway"!

It is up to your clients to use those pushed DNS servers, see also page 25, Windows needs an extra setting otherwise you will have DNS leaks on Windows.

A kill switch is something the Client has to set and is not related to the Server.

On my Android phone (you need at least Android 8) it is under Settings > Network & Internet > Advanced > VPN > OpenVPN for Android > Enable Always ON VPN, Enable Block Connections without VPN

Testing for DNS leaks via a website does not always give you the actual result, tracert is more reliable.
I use ipleak.net and dnsleaktest.com; when you test, clear the browser cache (CTRL+F5).

P.S. You can also consider using WireGuard, three times as fast as OpenVPN and easy to set up; documentation is also a sticky in this forum, and there are clients for all major platforms.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
SunSkyPi
DD-WRT Novice


Joined: 14 Sep 2021
Posts: 21
Location: Western Hemisphere

PostPosted: Wed Dec 07, 2022 2:47    Post subject:
egc wrote:
In the server setup guide on page 20 is described how you can push DNS servers to your clients.
It is assuming that you have enabled on the OpenVPN Server "Push Client Route: Default Gateway"!


Yes, that was checked in initial setup.

egc wrote:
It is up to your clients to use those pushed DNS servers, see also page 25, Windows needs an extra setting otherwise you will have DNS leaks on Windows.


Since Windows is working fine with my other OpenVPN servers (ASUS-Merlin), with similar-looking client config files, I was thinking I was missing a setting on the server side. I am new and just learning. I added "block-outside-dns" to the Windows client config, as on p.24 of the guide, but no change. I do see where the guide says "This option should of course be used in conjunction with the dhcp-option DNS command described earlier", but I am confused on that part, not sure how to do that?

egc wrote:
A kill switch is something the Client has to set and is not related to the Server.

Yes, I should have known that, newbie that I am, but I hope to get my skill level up soon so I can help contribute back in the near future.

egc wrote:
On my Android phone (you need at least Android 8 ) it is under Settings > Network & Internet > Advanced > VPN > OpenVPN for Android > Enable Always ON VPN, Enable Block Connections without VPN


Since Android, like Windows, is working fine with all my other OpenVPN servers with no additional settings, I wonder why I have to do this with ddwrt? I did try it but same result, no change. I am on Android 12.

egc wrote:
Testing for DNS leaks via a website does not always give you the actual result, tracert is more reliable.

I use ipleak.net and dnsleaktest.com, when you test clear browser cache (CTRL+F5)


Yes, I have been using nordvpn.com/ip-lookup/ and dnsleaktest.com. I tried ipleak.net and it is giving the same results.

egc wrote:
P.S. You can also consider using WireGuard, three times as fast as OpenVPN and easy to setup, documentation is also a sticky in this forum, there are also clients for all major platforms.


Yes, I love WireGuard! Especially after all this time on OpenVPN with slower speeds. I actually set wg up on my router first. I did see your note in the wg server setup guide v45, p.22, about running concurrently with OpenVPN, about adding to the OpenVPN Server Additional Config: "redirect-private local", but when I did that it did not work, so I took it out of the server config. I have been sure to keep the wg tunnels disabled as I work on the OpenVPN setup.

I was hoping to get OpenVPN running as a backup to wg, so that in case I mess something up on one of the remote servers in WireGuard, I could come in through OpenVPN to repair it. It seems like I am so close to getting the OpenVPN server working, any other ideas?

Thank you again so much for your advice!
SSP

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Wed Dec 07, 2022 7:33    Post subject:
You can run an OpenVPN Server and a WireGuard server just fine side by side as long as you give them a different subnet, I am actually doing that right now.

The redirect-private local is sometimes necessary if you are running an OpenVPN client, not for an OpenVPN server.

DDWRT uses the same OpenVPN server as other third party firmware so perhaps you are overcomplicating things.

Pushing a DNS server to your clients is as simple as adding the following to the OpenVPN Servers Additional configuration:
Code:
push "dhcp-option DNS 8.8.8.8"


If you can send a screenshot of the OpenVPN Server setup page with the content of the Additional configuration, a screenshot of the OpenVPN Status page (whole page) when connected, and the client's log, then we can have a look at what is happening.

SunSkyPi
DD-WRT Novice


Joined: 14 Sep 2021
Posts: 21
Location: Western Hemisphere

PostPosted: Thu Dec 08, 2022 5:33    Post subject:
Here is the server info attached.
SunSkyPi
DD-WRT Novice


Joined: 14 Sep 2021
Posts: 21
Location: Western Hemisphere

PostPosted: Thu Dec 08, 2022 5:46    Post subject:
Thank you in advance.
Android 12 and Windows client logs below.

Android client log:
20:23:56.225 -- ----- OpenVPN Start -----
20:23:56.226 -- EVENT: CORE_THREAD_ACTIVE
20:23:56.229 -- OpenVPN core 3.git::d3f8b18b:Release android arm64 64-bit PT_PROXY
20:23:56.230 -- Frame=512/2048/512 mssfix-ctrl=1250
20:23:56.235 -- UNUSED OPTIONS
4 [nobind]
5 [persist-key]
6 [persist-tun]
8 [auth-nocache]
9 [verb] [4]
12 [data-ciphers] [CHACHA20-POLY1305:AES-256-GCM:AES-128-GCM:AES-256-CBC]
20:23:56.247 -- EVENT: RESOLVE
20:23:56.457 -- Contacting [2607:7700:0:19::3223:6cc4]:17811 via UDP
20:23:56.458 -- EVENT: WAIT
20:23:56.467 -- Connecting to [MyDDNS]:17811 (2607:7700:0:19::3223:6cc4) via UDPv6
20:23:56.521 -- EVENT: CONNECTING
20:23:56.523 -- Tunnel Options:V4,dev-type tun,link-mtu 1521,tun-mtu 1500,proto UDPv4,cipher BF-CBC,auth [null-digest],keysize 128,key-method 2,tls-client
20:23:56.524 -- Creds: UsernameEmpty/PasswordEmpty
20:23:56.524 -- Peer Info:
IV_VER=3.git::d3f8b18b:Release
IV_PLAT=android
IV_NCP=2
IV_TCPNL=1
IV_PROTO=30
IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:BF-CBC
IV_AUTO_SESS=1
IV_GUI_VER=net.openvpn.connect.android_3.3.0-8367
IV_SSO=webauth,openurl
IV_BS64DL=1
20:23:56.736 -- VERIFY OK: depth=1, /CN=MyServer-ca, signature: RSA-SHA256
20:23:56.736 -- VERIFY OK: depth=0, /CN=MyServer-server, signature: RSA-SHA256
20:23:56.924 -- SSL Handshake: peer certificate: CN=MyServer-server, 2048 bit RSA, cipher: TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
20:23:56.926 -- Session is ACTIVE
20:23:56.927 -- EVENT: GET_CONFIG
20:23:56.936 -- Sending PUSH_REQUEST to server...
20:23:56.978 -- OPTIONS:
0 [redirect-gateway] [def1]
1 [route-gateway] [10.8.0.1]
2 [topology] [subnet]
3 [ping] [10]
4 [ping-restart] [120]
5 [ifconfig] [10.8.0.2] [255.255.255.0]
6 [peer-id] [0]
7 [cipher] [CHACHA20-POLY1305]
20:23:56.979 -- PROTOCOL OPTIONS:
cipher: CHACHA20-POLY1305
digest: NONE
key-derivation: OpenVPN PRF
compress: NONE
peer ID: 0
20:23:56.980 -- EVENT: ASSIGN_IP
20:23:57.029 -- Connected via tun
20:23:57.030 -- EVENT: CONNECTED info='MyDDNS-17811' (2607:7700:0:19::3223:6cc4) via /UDPv6 on tun/10.8.0.2/ gw=[10.8.0.1/]'



Windows OpenVPN Client log:
[Dec 7, 2022, 20:26:35] OpenVPN core 3.git::d3f8b18b win x86_64 64-bit built on Mar 17 2022 11:42:02
[Dec 7, 2022, 20:26:35] Frame=512/2048/512 mssfix-ctrl=1250
[Dec 7, 2022, 20:26:35] UNUSED OPTIONS
4 [nobind]
5 [persist-key]
6 [persist-tun]
8 [auth-nocache]
9 [verb] [4]
12 [data-ciphers] [CHACHA20-POLY1305:AES-256-GCM:AES-128-GCM:AES-256-CBC]
13 [block-outside-dns]
[Dec 7, 2022, 20:26:35] EVENT: RESOLVE
[Dec 7, 2022, 20:26:35] Contacting 50.35.108.196:17811 via UDP
[Dec 7, 2022, 20:26:35] EVENT: WAIT
[Dec 7, 2022, 20:26:35] WinCommandAgent: transmitting bypass route to 50.35.108.196
{
  "host" : "50.35.108.196",
  "ipv6" : false
}
[Dec 7, 2022, 20:26:35] Connecting to [MyDDNS]:17811 (50.35.108.196) via UDPv4
[Dec 7, 2022, 20:26:36] EVENT: CONNECTING
[Dec 7, 2022, 20:26:36] Tunnel Options:V4,dev-type tun,link-mtu 1521,tun-mtu 1500,proto UDPv4,cipher BF-CBC,auth [null-digest],keysize 128,key-method 2,tls-client
[Dec 7, 2022, 20:26:36] Creds: UsernameEmpty/PasswordEmpty
[Dec 7, 2022, 20:26:36] Peer Info:
IV_VER=3.git::d3f8b18b
IV_PLAT=win
IV_NCP=2
IV_TCPNL=1
IV_PROTO=30
IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:BF-CBC
IV_AUTO_SESS=1
IV_GUI_VER=OCWindows_3.3.6-2752
IV_SSO=webauth,openurl,crtext
IV_BS64DL=1
[Dec 7, 2022, 20:26:38] SSL Handshake: peer certificate: CN=MyServer-server, 2048 bit RSA, cipher: TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
[Dec 7, 2022, 20:26:38] Session is ACTIVE
[Dec 7, 2022, 20:26:38] EVENT: GET_CONFIG
[Dec 7, 2022, 20:26:38] Sending PUSH_REQUEST to server...
[Dec 7, 2022, 20:26:39] OPTIONS:
0 [redirect-gateway] [def1]
1 [route-gateway] [10.8.0.1]
2 [topology] [subnet]
3 [ping] [10]
4 [ping-restart] [120]
5 [ifconfig] [10.8.0.3] [255.255.255.0]
6 [peer-id] [1]
7 [cipher] [CHACHA20-POLY1305]
[Dec 7, 2022, 20:26:39] PROTOCOL OPTIONS:
cipher: CHACHA20-POLY1305
digest: NONE
key-derivation: OpenVPN PRF
compress: NONE
peer ID: 1
[Dec 7, 2022, 20:26:39] EVENT: ASSIGN_IP
[Dec 7, 2022, 20:26:39] CAPTURED OPTIONS:
Session Name: MyDDNS
Layer: OSI_LAYER_3
Remote Address: 50.35.108.196
Tunnel Addresses:
10.8.0.3/24 -> 10.8.0.1
Reroute Gateway: IPv4=1 IPv6=0 flags=[ ENABLE REROUTE_GW DEF1 IPv4 ]
Block IPv6: no
Add Routes:
Exclude Routes:
DNS Servers:
Search Domains:
[Dec 7, 2022, 20:26:39] SetupClient: transmitting tun setup list to \\.\pipe\agent_ovpnconnect
{
  "allow_local_dns_resolvers" : false,
  "confirm_event" : "640b000000000000",
  "destroy_event" : "7812000000000000",
  "tun" :
  {
    "adapter_domain_suffix" : "",
    "block_ipv6" : false,
    "layer" : 3,
    "mtu" : 0,
    "remote_address" :
    {
      "address" : "50.35.108.196",
      "ipv6" : false
    },
    "reroute_gw" :
    {
      "flags" : 275,
      "ipv4" : true,
      "ipv6" : false
    },
    "route_metric_default" : -1,
    "session_name" : "MyDDNS",
    "tunnel_address_index_ipv4" : 0,
    "tunnel_address_index_ipv6" : -1,
    "tunnel_addresses" :
    [
      {
        "address" : "10.8.0.3",
        "gateway" : "10.8.0.1",
        "ipv6" : false,
        "metric" : -1,
        "net30" : false,
        "prefix_length" : 24
      }
    ]
  },
  "wintun" : false
}
POST np://[\\.\pipe\agent_ovpnconnect]/tun-setup : 200 OK
TAP ADAPTERS:
guid='{BFACC560-1EC5-46AD-AC6B-9720428E8035}' index=2 name='Local Area Connection'
Open TAP device "Local Area Connection" PATH="\\.\Global\{BFACC560-1EC5-46AD-AC6B-9720428E8035}.tap" SUCCEEDED
TAP-Windows Driver Version 9.24
ActionDeleteAllRoutesOnInterface iface_index=2
netsh interface ip set interface 2 metric=1
Ok.
netsh interface ip set address 2 static 10.8.0.3 255.255.255.0 gateway=10.8.0.1 store=active
netsh interface ip add route 50.35.108.196/32 21 192.168.123.13 store=active
The object already exists.
netsh interface ip add route 0.0.0.0/1 2 10.8.0.1 store=active
Ok.
netsh interface ip add route 128.0.0.0/1 2 10.8.0.1 store=active
Ok.
ipconfig /flushdns
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
TAP: ARP flush succeeded
TAP handle: e80a000000000000
[Dec 7, 2022, 20:26:39] Connected via TUN_WIN
[Dec 7, 2022, 20:26:39] EVENT: CONNECTED MyDDNS:17811 (50.35.108.196) via /UDPv4 on TUN_WIN/10.8.0.3/ gw=[10.8.0.1/]

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Thu Dec 08, 2022 8:24    Post subject:
I will look at it in more detail, but are you connecting via cellular T-Mobile?
(you can check if you only have an IPv6 address on your phone/laptop)

T-Mobile is an IPv6-only provider; the latest version of OpenVPN, 2.5.8 (we recently upgraded to that), does not work with IPv6-only providers, and we are actually downgrading OpenVPN in the next public build.

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Thu Dec 08, 2022 12:58    Post subject:
First, you do not seem to push a DNS server yet; I highly recommend you do.

Regarding your phone, it looks like your phone is using IPv6 only.
The latest OpenVPN update seems to break things regarding NAT64 which is used to translate IPv6 into IPv4.
Because of that we have already decided to go back to OpenVPN 2.5.7 (I am certain other third party firmwares are not using OpenVPN 2.5.8 yet, so those are not affected).
As a test can you add to the openvpn config file on your phone: block-ipv6
I do not think it will work but worth a try.

Your Windows setup seems to use IPv4, but you are using the OpenVPN Connect v3 app, which is a bit buggy regarding DNS (the older OpenVPN client as referenced in the OpenVPN Server setup guide is more mature).
For the Connect app, to stop DNS leaks you really have to push a DNS server.
The Connect app has advanced settings to tweak your DNS and it also supports a kind of kill switch which is called Seamless Tunnel.

SunSkyPi
DD-WRT Novice


Joined: 14 Sep 2021
Posts: 21
Location: Western Hemisphere

PostPosted: Fri Dec 09, 2022 5:10    Post subject:
egc wrote:
I will look at it into more detail but are you connecting via cellular T-Mobile?
(you can check if you only have an IPv6 address on your phone/laptop)

T-Mobile is an IPv6 provider only, the latest version of OpenVPN 2.5.8 (we recently upgraded to that) does not work with IPv6 only providers and we actually are downgrading OpenVPN in the next public build


Yes, T-Mobile, and also as a hotspot to test Windows. Oddly, on the phone the IP shows as both IPv4 and IPv6.

egc wrote:
First you do not seem to push a DNS server yet, I highly recommend you do


Summary of OpenVPN Server tests:

Reference Baseline: OpenVPN 2.5.7 Servers on ASUS-Merlin v386.7
All clients connect perfectly: Windows, Android T-Mobile, via OpenVPN Connect v3.3.0 Android and v3.3.6 Win, including Win via TM hotspot, AND multiple ddwrt OpenVPN client routers with 2022 versions of ddwrt; the kill switch works, clients use the VPN DNS servers, no additional config needed on either the server or client side.

Test Case1 (previous): OpenVPN 2.5.8 Server on DDWRT r50927 std (11/21/22)
Android clients: via T-Mobile, OpenVPN Connect v3.3.0, VPN IP is shown correctly, but DNS leaks; kill switch works.
Windows clients: testing via Android hotspot TM, OpenVPN Connect v3.3.6, exposes client IP, DNS leaks and kill switch not working.

Test Case2: adding "dhcp-option DNS 8.8.8.8" to ddwrt server config results:

With android Success! I added "dhcp-option DNS 8.8.8.8" now no DNS leaks on Android cell. However, on ipleak.net it shows “Your IP addresses WebRTC detection 10.8.0.2, Private use [RFC-1918]”, is this something I need to worry about?

With Win also success! Unexpectedly, Win is now working fine, both in identifying the correct VPN server IP and with no DNS leaks (all Google). How does pushing the DNS server fix the identified IP address in the Win case? I thought it would just affect the DNS requests? Interestingly, on the win client there is no WebRTC detection.

I am still a little nervous, but at least according to ipleak.net and dnsleaktest.com it appears all well with the clients (except the WebRTC detection on Android as mentioned above).

But is it possible to use the VPN server's DNS, and not have to push "dhcp-option DNS 8.8.8.8"? I say this b/c it has given me an added sense of security over the years as another check that the VPN is working when I see the VPN's DNS servers instead of the client's.

egc wrote:
As a test can you add to the openvpn config file on your phone: block-ipv6
I do not think it will work but worth a try.


I then added block-ipv6 on cell client, no difference, it still works as in test results above, except on client OVPN Connect screen, the Server Public IP is identified with ipv6 (unexpected since we just asked to block it) and says UDPv6, whereas without it, Server Public IP is shown as ipv4 and says UDPv4 (it seems to do the opposite of what I would expect, odd).

egc wrote:
Your windows setup seems to use IPv4 but you are using the OpenVPN Connect V3 app which is a bit buggy regarding DNS (the older OpenVPN Client as referenced in the OpenVPN Server setup guide is more mature)
For the connect app, to stop DNS leaks you really have to push a DNS server.


I originally downloaded OpenVPN 2.5, but it conflicted with the existing OpenVPN Connect 3, and I ended up having to uninstall both. I just reinstalled Connect 3 since that is what I have been using up to now with no issues; I will try to test 2.5 when I get a chance.

egc wrote:
The Connect app has advanced settings to tweak your DNS and it also supports a kind of a kill switch which is called Seamless Tunnel.


Tested the OpenVPN Connect kill switch with Test Case 2: after adding "dhcp-option DNS 8.8.8.8", the kill switch now works on Windows! (Android was already working in the first case.) However, after about 2 minutes OpenVPN Connect disconnects, then the client falls back to its ISP after about another few minutes, on both Android and Win. Since the final goal is running ddwrt as client and server, in my experience the ddwrt client kill switch stays on indefinitely, which is critical for safety; hopefully this will always be the case, otherwise "Danger, Will Robinson". Why does pushing a DNS server correct the Win kill switch (as well as the IP and DNS leaks; it seemed to fix everything with Win)?

Will the Seamless Tunnel kill switch in OpenVPN 2.5 protect indefinitely, i.e. block local ISP access as long as VPN client turned on?

Thank you so much egc for all your help and guidance for this novice!

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Fri Dec 09, 2022 11:26    Post subject:
Progress

About WebRTC: that is a serious and underestimated problem, actually not related to the VPN.
It is caused by your web browser, and if you are prudent you should disable it in your browser:
https://dataprot.net/guides/webrtc-leak/

About the kill switch: most are poorly implemented, also the ones on Merlin (multiple reports about that).
You should really test the kill switch thoroughly. The DDWRT kill switch is designed by @eibgrad so I am certain it will work (if you have the Client enabled!).
The DDWRT OpenVPN Client setup guide has a paragraph about it and how to test.

The Windows OpenVPN Connect app is not using the newer wintun driver, as opposed to the community app; you should be able to use them both if you enable the wintun driver for the community app.
Remove the # at the beginning in the community app configuration file:
Quote:
#windows-driver wintun # Use for Windows 10/11 and OpenVPN 2.5.x

To be honest, both OpenVPN for Windows apps can use an overhaul.
The WireGuard app is better, but that is just my personal opinion.

For Android I use Arne Schwabe's app, far superior to the Connect app.

About pushing your own router as DNS server: that is certainly possible. If your router's IP address is 192.168.1.1 do the following (it is also explained in the OpenVPN server setup guide on page 20):
If you want to resolve DNS names over the VPN you will need to add the below lines to "Additional Configuration of the OpenVPN server."
Code:
push "dhcp-option DNS 192.168.1.1"


The next thing is to tell DNSMasq to listen on your OpenVPN server's interface, which usually is tun2.
Navigate to "Services" > "Services." Scroll down to "Additional DNSMasq Options" and enter there:
Code:
interface=tun2


All explained in detail in the OpenVPN Server setup guide, pages 20/21.

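The check egc describes (a server that pushes redirect-gateway but no dhcp-option DNS leaves the client's resolver with its local ISP) can be read straight off the "OPTIONS:" block that OpenVPN Connect logs after PUSH_REQUEST, as in the logs pasted earlier in this thread. The following POSIX shell script is an added example, not from the DD-WRT guide or from egc's posts: the function names are my own, the sample log excerpts are constructed to match that log format, and the remediation lines it prints are the two settings quoted above (push "dhcp-option DNS <router IP>" and interface=tun2).

```shell
#!/bin/sh
# Added example: inspect an OpenVPN Connect v3 client log for the two pushed
# options that decide whether DNS stays inside the tunnel. Function names and
# the sample logs are constructed for this example, not from the DD-WRT guide.

# Constructed excerpt modelled on the "OPTIONS:" block the client prints after
# PUSH_REQUEST. This one matches the thread's first test: no dhcp-option pushed.
LOG_NO_DNS='20:23:56.978 -- OPTIONS:
0 [redirect-gateway] [def1]
1 [route-gateway] [10.8.0.1]
2 [topology] [subnet]
3 [ping] [10]
4 [ping-restart] [120]
5 [ifconfig] [10.8.0.2] [255.255.255.0]
6 [peer-id] [0]
7 [cipher] [CHACHA20-POLY1305]'

# Same session after the server was given: push "dhcp-option DNS 192.168.1.1"
LOG_WITH_DNS="$LOG_NO_DNS
8 [dhcp-option] [DNS] [192.168.1.1]"

# Print every pushed DNS server, one per line (prints nothing if none).
pushed_dns_servers() {
    printf '%s\n' "$1" | sed -n 's/^[0-9]* \[dhcp-option\] \[DNS\] \[\([^]]*\)].*/\1/p'
}

# True when the server pushed redirect-gateway (all traffic via the tunnel).
has_redirect_gateway() {
    printf '%s\n' "$1" | grep -q '^[0-9]* \[redirect-gateway\]'
}

# Verdict: OK, NO_DNS_PUSHED (resolver stays with the local ISP, the leak seen
# in this thread) or NO_REDIRECT_GATEWAY (split tunnel: DNS and everything
# else leave via the local uplink).
dns_leak_verdict() {
    if ! has_redirect_gateway "$1"; then
        echo NO_REDIRECT_GATEWAY
    elif [ -z "$(pushed_dns_servers "$1")" ]; then
        echo NO_DNS_PUSHED
    else
        echo OK
    fi
}

# Server-side remediation for DD-WRT as given in the post above:
# $1 is the router LAN IP to hand out as resolver, $2 the server's tun interface.
ddwrt_dns_push_config() {
    printf 'OpenVPN Server > Additional Config:\n  push "dhcp-option DNS %s"\n' "$1"
    printf 'Services > Additional DNSMasq Options:\n  interface=%s\n' "$2"
}

echo "first test case: $(dns_leak_verdict "$LOG_NO_DNS")"
echo "after DNS push:  $(dns_leak_verdict "$LOG_WITH_DNS")"
ddwrt_dns_push_config 192.168.1.1 tun2
```

To use it on a real log, replace the constructed excerpt with the text of the client's log; the verdict only needs the numbered option lines. A NO_DNS_PUSHED verdict is the exact state of the Windows log above, whose CAPTURED OPTIONS block shows an empty "DNS Servers:" entry.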
SunSkyPi
DD-WRT Novice


Joined: 14 Sep 2021
Posts: 21
Location: Western Hemisphere

PostPosted: Sun Dec 18, 2022 5:20    Post subject:
Thanks egc for all your help!

Now I have OpenVPN and WG up and running on several Netgear R7000s as both server and clients. But the more I learn, the more I realize I don’t know; still a novice, thank you again for your wisdom and patience!

Was able to get clients to use the server DNS per your guidance above (push "dhcp-option DNS 192.168.1.1" and interface=tun2). I think Merlin has this option as the equivalent: “Advertise DNS to clients”. I also think I read you might be considering user/password auth for OpenVPN; I think that would be a great idea, it seems like one more layer of protection.

Also got all the clients to work, even over TM hotspot; for Win clients I just needed to add “block-ipv6” to prevent an IPv6 leak from TM. Thanks for sharing ipleak.net, I am now using that along with dnsleaktest.com for testing.

On the Chromebook with the Android app OpenVPN Connect v3.3.0 (8367) via TM hotspot, all good with or without “block-ipv6”, but in either case TM introduces an IPv6 DNS hit; it is from the VPN server so it is okay. OpenVPN Connect will report the server public IP and VPN protocol as IPv4/UDPv4 regardless of whether block-ipv6 is included or not on the Chromebook.

When I use OpenVPN Connect v3.3.0 (8367) via the S10 Android 12 on TM, block-ipv6, like on the Chromebook, does not seem to do anything. On the cell S10, it seems like it is a 50/50 chance when connecting that OpenVPN Connect will report the server public IP and VPN protocol as either IPv4/UDPv4 or IPv6/UDPv6. Could not ascertain any pattern. But it passes ipleak.net and dnsleaktest.com in either case, so all good.

Only Android via the S10 cell had the WebRTC detection, but just the private connecting IP to OpenVPN like 10.8.0.2, so that seems okay, no location data given out.

The primary configuration I will be running is ddwrt router Client OpenVPN / WG to ddwrt router Server OpenVPN / WG over non-hotspot internet connection. Both Client and Server routers are in 2nd position behind a main router. The other clients above for testing.

Yes, the kill switch is in my opinion the most important thing; it is like the brakes in a car. I am not going to be comfortable riding in or trusting a car with the safety of my friends and family if the brakes are unreliable. Early on I found in testing that the ASUS-Merlin kill switch was not dependable, thus I only use ddwrt routers as clients. I remember discussing the ASUS-Merlin KS with @eibgrad and he had some ideas on how to make it better, but I did not have the time to test and just stuck with ddwrt routers as clients. So far all ddwrt kill switches have been fully reliable through all testing and in service; safety depends on it! I would not trust anything else at this point. Thank you again @eibgrad, if you're out there somewhere, for a safe and dependable kill switch!

Summary: OpenVPN all good, even over the TM IPv6-only hotspot, when using ddwrt r50927 std (11/21/22) as server and client with OpenVPN 2.5.8.

Question regarding the firewall setting on the OpenVPN server: I am using the ddwrt OpenVPN/WG server as a 2nd router behind the main router, with the main router port forwarding to the ddwrt router. Don’t I still need to have some sort of firewall for protection and safety? Currently “Inbound Firewall on TUN” is Off per the guide. I do want clients to have access to the outside/internet via the server's ISP, as that is the primary use, so I do have “Allow Clients WAN Access”. I think I should be okay per the guide in step 8a below, but I just want to make sure.

OpenVPN Server Setup guide v28, p.8, Step 8a, Setting up the Firewall says:

“A lot of guides have redundant firewall rules, in case of firewall rules less is more.
Actually you do not need any rules to make a connection, but if you want to have an outside/internet connection for
your client when "Redirect Default Gateway" is enabled then you have to add the rule described below, the rule is
necessary to NAT the traffic from the VPN out onto the internet via the WAN interface.
Note: builds from 46681 have a GUI button which does that for you, just Enable: Allow Clients WAN access (internet)
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o $(get_wanface) -j MASQUERADE
Click on the "Administration" tab in the DD-WRT GUI, and then on the "Commands" tab. Copy the above code, and
paste the contents into the "Commands" window.
Then click "Save Firewall".
Sometimes $(get_wanface) does not identify the name of your WAN interface correctly (on older
Broadcom routers the WAN interface is vlan0, on newer Broadcom it is vlan2, on Atheros it is eth0 or sometimes also
vlan2); this has been reported for Marvell based routers. In this case try this rule:
WAN_IF="$(route -n | awk '/^0.0.0.0/{wif=$NF} END {print wif}')"
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o $WAN_IF -j MASQUERADE”

Question regarding the safest firewall setting on the WG client:
Similar question on the WG client's firewall; I have:
NAT via Tunnel = Enabled
Firewall Inbound = Enabled
Are these the best settings for maximum safety and firewall protection for WG?

I know for WG Server your guide says:
10. Firewall Inbound: Disabled (unchecked), as this is the server the tunnel has to accept incoming (new)
connections.

Thank you again for all your help!
SSP

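The firewall passage quoted from the guide above has two parts that are worth seeing run: the fallback WAN-interface detection (the awk expression over route -n, used when $(get_wanface) picks the wrong name) and the MASQUERADE rule built from it. The following is an added example, not the guide's own script: it runs the guide's awk expression against a constructed route -n table (interface names and addresses made up to resemble a second router behind a main router with the OpenVPN server on tun2), refuses names that cannot be the WAN uplink, and prints the rule as text for review rather than applying it. The function names are my own.

```shell
#!/bin/sh
# Added example (not the guide's own script): reproduce the guide's fallback
# WAN-interface detection on a constructed `route -n` table, validate the
# result, and build the MASQUERADE rule as text for review before applying it.

# Constructed routing table for a DD-WRT box behind a main router
# (WAN on vlan2, LAN bridge br0, OpenVPN server on tun2). Addresses are made up.
SAMPLE_ROUTE_TABLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.123.1   0.0.0.0         UG    0      0        0 vlan2
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun2
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
192.168.123.0   0.0.0.0         255.255.255.0   U     0      0        0 vlan2'

# Same awk expression as the guide: the interface of the last default route.
wan_iface_from_route() {
    printf '%s\n' "$1" | awk '/^0.0.0.0/{wif=$NF} END {print wif}'
}

# Refuse names that can never be the WAN uplink: empty (no default route at
# all), a tunnel, the loopback, or the LAN bridge. A MASQUERADE rule on those
# would either do nothing or NAT VPN clients into the LAN instead of the internet.
is_plausible_wan_iface() {
    case "$1" in
        ''|tun*|br*|lo) return 1 ;;
        *) return 0 ;;
    esac
}

# Build the POSTROUTING rule text for the VPN subnet ($1) and WAN iface ($2).
masquerade_rule() {
    if ! is_plausible_wan_iface "$2"; then
        echo "refusing to build rule: '$2' is not a WAN interface" >&2
        return 1
    fi
    printf 'iptables -t nat -I POSTROUTING -s %s -o %s -j MASQUERADE\n' "$1" "$2"
}

# Usage: detect, validate, print. Paste the printed line into Administration >
# Commands > Save Firewall only after confirming the interface name is right.
WAN_IF=$(wan_iface_from_route "$SAMPLE_ROUTE_TABLE")
echo "detected WAN interface: $WAN_IF"
masquerade_rule 10.8.0.0/24 "$WAN_IF"
```

On a router, replace the constructed table with the real output of route -n; the awk picks the interface of the last 0.0.0.0 line, which is why an OpenVPN client with redirect-gateway active (extra 0.0.0.0/1 and 128.0.0.0/1 routes on the tunnel) is exactly the case where the plausibility check matters.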
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

PostPosted: Sun Dec 18, 2022 7:28    Post subject:
Yep, the egc/eibgrad kill-switch is working as it should... either on policy-based routing or single source... you can add your own iptables lines instead, but it is not advisable... and yes, the
kill-switch is using WAN name detection so nothing to bother with...
and yes, as you noticed, on the server you don't need the inbound firewall as it doesn't make sense...
To be honest, I still don't use policy based routing... and prefer the VPN client to be on a separate router/subnet (vlan), not very rational... but it works...

for VPN DNS leak concerns or IPv6:
-use your DNSmasq inside the VPN (it goes by default)
-use DNS encryption... (SmartDNS has this easy option); for smart dns there is a messy thread, but you can ask me

to prevent DNS or any router ipv6 offered by the VPN provider...
add those lines to advance VPN box

pull-filter ignore "dhcp-option DNS"
pull-filter ignore "dhcp-option DNS6"
pull-filter ignore "ifconfig-ipv6"
pull-filter ignore "route-ipv6"

although block-ipv6 should be working as a more general cut...

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Sun Dec 18, 2022 8:57    Post subject:
The Kill switch in AsusWRT-Merlin is not reliable as you already noted.
There are threads about with comment from @eibgrad.
@eibgrad was involved in overhauling and redesigning OpenVPN for DDWRT; he actually was my consultant/mentor when I started working on it.
It is a pity he is no longer active, I miss him.

About your question regarding "firewall setting on OpenVPN Server: I am using ddwrt OpenVPN/WG server as 2nd router behind main router": the main router will take care of the normal firewalling, so no sweat about that, but even if it was an internet-connected router it is no problem.

About your question regarding safest firewall setting on WG client: if you just follow the guide and have the Inbound firewall enabled you have the normal protection so you should be safe there also.

Rule of thumb: for the Client you have the Inbound Firewall on TUN/Firewall Inbound enabled; for the Server you have it disabled.
For the Server it does not mean it has no firewall, only that it opens specific ports and settings for having inbound traffic on the tun/wg interface, and that interface is protected by your keys, so not a big problem either (btw keys are far, far safer than username/password; with OpenVPN you can use them both but that is a bit redundant in my opinion).

The code for adding OpenVPN username/password is feature complete and tested; the problem is it really is adding a lot of code and the head honcho wants everything to fit into 8 MB builds. I have attached the patch for the interested reader.
So the jury is still out on it and I can give no ETA on it, but I have it running.

About IPv6: although we always specify UDP4 as protocol, which should mean use only IPv4, OpenVPN is buggy and depending on the client it still wants IPv6 unless you add:
# to block IPv6, necessary on newer clients which otherwise default to IPv6
Quote:
pull-filter ignore "route-ipv6"
pull-filter ignore "ifconfig-ipv6"
block-ipv6
The newer guides have this already standard, the import utility already adds this (I think, as that was one of the things @eibgrad and I have been discussing), and I recently added it to the client config utility.

OpenVPN is unfortunately not free from bugs and has a myriad of poorly documented and overlapping settings; that is the reason (and the fact it is lacking in-kernel execution, but that will come) that WireGuard has taken the VPN community by storm. WireGuard is very fast, very simple and very easy to set up.

It seems like a true learning experience for you, nice job.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
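The pull-filter and block-ipv6 lines that Alozaros and egc list above, turned into a small audit script. This is an added example, not code from egc's guide, the import utility, or any post in this thread: it checks an OpenVPN client config for the anti-leak directives from both posts and appends whichever are missing. The sample config and its remote hostname are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit an OpenVPN client config for the
# DNS/IPv6 leak-prevention directives recommended in the posts above
# (Alozaros' pull-filter lines plus egc's block-ipv6) and append missing ones.

# Constructed sample client config; the remote is a placeholder, not a real host.
SAMPLE_OVPN='client
dev tun
proto udp4
remote vpn.example.invalid 1194
pull-filter ignore "route-ipv6"
block-ipv6'

# Directives the thread recommends, one per line (exact lines as they should
# appear in the config).
REQUIRED_DIRECTIVES='pull-filter ignore "dhcp-option DNS"
pull-filter ignore "dhcp-option DNS6"
pull-filter ignore "ifconfig-ipv6"
pull-filter ignore "route-ipv6"
block-ipv6'

# missing_directives <config text>: prints each required directive that does
# not appear as a whole line (leading/trailing whitespace ignored).
missing_directives() {
    printf '%s\n' "$REQUIRED_DIRECTIVES" | while IFS= read -r directive; do
        printf '%s\n' "$1" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' \
            | grep -qxF -- "$directive" || printf '%s\n' "$directive"
    done
}

# harden_config <config text>: prints the config with the missing directives
# appended under a comment, or unchanged if nothing is missing.
harden_config() {
    missing=$(missing_directives "$1")
    if [ -n "$missing" ]; then
        printf '%s\n# added to prevent DNS and IPv6 leaks\n%s\n' "$1" "$missing"
    else
        printf '%s\n' "$1"
    fi
}

# Typical use: harden_config "$(cat client.ovpn)" > client-hardened.ovpn
```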
SunSkyPi
DD-WRT Novice


Joined: 14 Sep 2021
Posts: 21
Location: Western Hemisphere

PostPosted: Fri Dec 30, 2022 4:05    Post subject:
Thank you @alozaros and @egc!

@alozaros
Yes, I prefer using 2nd VPN router behind main for all VPN vs. PBR, especially since I am still learning, one complexity at a time.

@egc
Re: <8MB builds, I can understand that since I primarily use E2500s and E3000s as OVPN clients (and hopefully soon WG clients). They are small and easy to transport, have been dependable, boot up fast and so far seem almost bulletproof.

I wonder if ddwrt could consider a larger build that would be used for bigger routers that would be more likely to be used as a server, just an idea.

One thing that is nice about OVPN is no need to get to the Server to add more clients, vs WG where you need to access the server to add a new Peer; not a big deal, just another step.

WG is fast and I hope to slowly transition family and friends' clients to WG, but still need to do more testing since safety is paramount. And even though OVPN is slow, it is plenty fast for basic communication.

Thanks to all ddwrt team!
Help making the world a little safer one connection at a time!

SunSkyPi
DD-WRT Novice


Joined: 14 Sep 2021
Posts: 21
Location: Western Hemisphere

PostPosted: Sat Dec 31, 2022 1:56    Post subject:
An observation in doing the OpenVPN testing just to pass on if anyone else runs into this. My setup is:

Main Router -> OVPN Server router repeater

I noted if you try to connect an OVPN client also served by the main router, like a laptop, on the same band the Server was running on as a repeater, it would not work. As long as they were on different bands, it worked fine, i.e. have the server on 2.4 GHz and the Client on 5 GHz.
