[Release] Asuswrt-Merlin 384.6 is now available

[john9527]

I always had these questions and I do not know if you or someone can help me.

1. If I am using DNSCrypt, which is more secure the DNS servers of DNSCrypt or the DNS servers of my VPN Client?
2. If I am using DNSCrypt, is it better to disable the DNS servers of my VPN Client and only use the DNS servers of DNSCrypt?

• VPN -> VPN Client -> Accept DNS Configuration: Disabled

3. Or What do you recommend?

Wish there was a simple answer....it all depends on who you trust/distrust the most....

A couple of things to consider....

• DNSCrypt has been around the longest. It is a user open spec, but has never been submitted (or planned to be submitted) as a formal RFC.
• How much do you know about the folks running the DNSCrypt servers? Most (all?) of the DNSCrypt servers run by the 'big' providers are logging servers, so that needs to be considered as well.
• DNSCrypt can hide your DNS traffic from both your ISP and VPN provider.
• The VPN provider DNS will hide your DNS traffic from your ISP (if you have your router participating in the VPN), but if you exclude the router the DNS traffic is not VPN encrypted (see above about some potential problems with including the router in the VPN). Your VPN provider technically can see your DNS traffic as it exits the VPN on to the internet.
• Most big VPN providers advertise as non-logging. Where the provider is incorporated may influence how much they can follow their non-logging claim.
• You should also use DNSSEC to validate the server actually being used.
  
• I'm sure there are other consideration I could come up with

So for me, I made the decision to use DNSCrypt (now moving to DoT), router outside of VPN for all my traffic, both VPN and WAN. DNSCrypt enabled, VPN Accept DNS config Disabled.

• Neither my ISP or VPN can monitor my DNS traffic.
• Performance probably near the best from an encryption viewpoint. The routing to the servers contribution to performance???? Need to test. I personally don't linger over DNS performance as long as it's reasonable....most accesses are cached anyway.
• I'm trusting my selected DNSCrypt server to be non-logging as they say it is and that they are following the DNSCrypt user spec (There's that trust thing).
• I say moving to DoT since that has a formal RFC. In the future, I think DoH will become more wide spread after its RFC is finalized (it's currently in draft mode and has some advantages over DoT).
• Side benefit is that things like ABSolution work for both VPN and WAN.

As with many things....intelligent people can have differing opinions....

 

[john9527]

Thank you @john9527!

Couple more questions on the “Strict” vs “Exclusive” DNS choices. How do these two options work with WAN DNS settings (Connect automatically or not)? I was always taught that when you select Exclusive as an option you should leave the WAN DNS option as Yes. However, others have stated that this doesn’t make any difference. However I have noticed that this does make any difference in VPN speeds.

When you selected 'Exclusive', your WAN clients continue to use the WAN DNS settings with dnsmasq, and your VPN clients use your VPN DNS without dnsmasq. The DNS servers used by your WAN clients are either those provided by your ISP (Connect automatically) or those you specify (don't connect automatically).

BTW....for those using my fork, Exclusive mode works differently....basically things are 'reversed' in that VPN will use dnsmasq, and WAN will go direct to the WAN DNS servers.

Also, some VPN’s state in their setup tutorials that you must select No in the WAN DNS settings and enter their server IP addresses there. According to them (NordVPN, for example) you should then proceed to choose “Strict” in the VPN client settings. However, this option again doesn’t always give the best speeds.

This is a way to force the VPN to use dnsmasq and prevent DNS leaks. It should actually be faster than using 'Exclusive' mode since you now have dnsmasq caching available. But now, your WAN clients are also using your VPN DNS servers, and this may make it appear as if your WAN clients are slower. In most cases, your ISP servers will give the best overall performance.

Some users have stated in other threads that another option would be to select “No” under the WAN DNS settings but leave the IP spaces blank. If you do this, what do you pick for configuration on the VPN client side? Exclusive or strict?

My first though here is that this would completely break DNS for WAN....wouldn't go there (in fact, I'm surprised the gui would let you do this).

 

[D_Day]

I no longer have any DNS leaks from my VPN client using exclusive but only because I have had to turn off ipv6! I’m happy with it working for now and not having to use DNS filters but I still lose wan access to the device when I turn off the VPN client.

 

[Marin]

When you selected 'Exclusive', your WAN clients continue to use the WAN DNS settings with dnsmasq, and your VPN clients use your VPN DNS without dnsmasq. The DNS servers used by your WAN clients are either those provided by your ISP (Connect automatically) or those you specify (don't connect automatically).

BTW....for those using my fork, Exclusive mode works differently....basically things are 'reversed' in that VPN will use dnsmasq, and WAN will go direct to the WAN DNS servers.


This is a way to force the VPN to use dnsmasq and prevent DNS leaks. It should actually be faster than using 'Exclusive' mode since you now have dnsmasq caching available. But now, your WAN clients are also using your VPN DNS servers, and this may make it appear as if your WAN clients are slower. In most cases, your ISP servers will give the best overall performance.


My first though here is that this would completely break DNS for WAN....wouldn't go there (in fact, I'm surprised the gui would let you do this).

Thank you as always for your thorough explanations!

Marin


Sent from my iPhone using Tapatalk

 

[HowIFix]

Wish there was a simple answer....it all depends on who you trust/distrust the most....

A couple of things to consider....

• DNSCrypt has been around the longest. It is a user open spec, but has never been submitted (or planned to be submitted) as a formal RFC.
• How much do you know about the folks running the DNSCrypt servers? Most (all?) of the DNSCrypt servers run by the 'big' providers are logging servers, so that needs to be considered as well.
• DNSCrypt can hide your DNS traffic from both your ISP and VPN provider.
• The VPN provider DNS will hide your DNS traffic from your ISP (if you have your router participating in the VPN), but if you exclude the router the DNS traffic is not VPN encrypted (see above about some potential problems with including the router in the VPN). Your VPN provider technically can see your DNS traffic as it exits the VPN on to the internet.
• Most big VPN providers advertise as non-logging. Where the provider is incorporated may influence how much they can follow their non-logging claim.
• You should also use DNSSEC to validate the server actually being used.
  
• I'm sure there are other consideration I could come up with

So for me, I made the decision to use DNSCrypt (now moving to DoT), router outside of VPN for all my traffic, both VPN and WAN. DNSCrypt enabled, VPN Accept DNS config Disabled.

• Neither my ISP or VPN can monitor my DNS traffic.
• Performance probably near the best from an encryption viewpoint. The routing to the servers contribution to performance???? Need to test. I personally don't linger over DNS performance as long as it's reasonable....most accesses are cached anyway.
• I'm trusting my selected DNSCrypt server to be non-logging as they say it is and that they are following the DNSCrypt user spec (There's that trust thing).
• I say moving to DoT since that has a formal RFC. In the future, I think DoH will become more wide spread after its RFC is finalized (it's currently in draft mode and has some advantages over DoT).
• Side benefit is that things like ABSolution work for both VPN and WAN.

As with many things....intelligent people can have differing opinions....

OMG! is the best answer I've read, no matter how hard I search in Google or in this forum there was no answer, so detailed and good.

Thank you for sharing your wisdom. (I'll take a screenshot )

 

[Zastoff]

I use my vpn providers dns servers that support dnscrypt v2 and dnssec(no logging)
Set my vpn client dns setting to strict since I use ab-solutions and installed dnscrypt v2.016 added same dns servers and use dnssec, i hope that my vpn devices use tunnel with dnscrypt and dnssec and that my other (wan) devices make use of dnscrypt dnssec but not through tunnel
Not really sure..

 

[Marin]

OMG! is the best answer I've read, no matter how hard I search in Google or in this forum there was no answer, so detailed and good.

Thank you for sharing your wisdom. (I'll take a screenshot )

I couldn’t agree more!! And I so wish that there was a setting next to each post that all of us could click and save in various customized folders for future reference!!! I like saving/watching threads but I am thinking having quicker access to some of these great posts would definitely be useful not only to those who are new at networking but everyone.

@thiggins—would this be possible in the future?

Thank you for considering![emoji120]


Sent from my iPhone using Tapatalk

 

[pusb87]

Rules for routing client traffic through the tunnel
If you use the All clients (192.168.1.0/24 VPN) make sure you put Router 192.168.1.1 on WAN
@D_Day @pusb87

It is !!

 

[Zastoff]

It is !!

Dont understand
You posted this https://www.snbforums.com/attachments/capture-jpg.13912/
Add This [Router---192.168.1.1---0.0.0.0---WAN] in those settings

 

[pusb87]

Dont understand
You posted this https://www.snbforums.com/attachments/capture-jpg.13912/
Add This Router---192.168.1.1---0.0.0.0---WAN in those settings

sorry...i only meant i have All clients (192.168.1.0/24 VPN)

will try 192.168.1.1 WAN but this makes me think that my router will no longer be "protected" by the VPN, ie DNS traffic is not VPN encrypted...
wrt to ports i am following the guide provided by Merlin for PIA and dont wish to lose speed by using 1197, or no encryption with 1195
Its all starting to get a bit above me !!

UDP ports for PIA:

port 1194: This port uses Blowfish-CBC encryption and Auth digest to SHA1
No longer supported by PIA but you are free to try it
Speed: 30-35 mb/s

port 1195: For no encryption use with encryption type set to none and Auth digest set to none and in custom configuration add auth none. this method is the fastest and full speed but without encryption. Not very safe.
Speed: full bandwidth of your ISP

port 1197: For stronger encryption use with AES-256-CBC encryption and Auth digest sha256 speeds 20-30 mb/s

port 1198: Use the preferred encryption method which is AES-128-CBC encryption with Auth digest to SHA1
This encrytpion method delivers the fastest speeds compared to the other methods.
Speeds 50-60 mb/s

 

[MarkyPancake]

I couldn’t agree more!! And I so wish that there was a setting next to each post that all of us could click and save in various customized folders for future reference!!! I like saving/watching threads but I am thinking having quicker access to some of these great posts would definitely be useful not only to those who are new at networking but everyone.

Some forum software lets you bookmark individual posts, such as Xenforo, but I've only seen this feature in the browser version, not in Tapatalk.

 

[pusb87]

Dont understand
You posted this https://www.snbforums.com/attachments/capture-jpg.13912/
Add This [Router---192.168.1.1---0.0.0.0---WAN] in those settings

OK so I just added this extra rule for the router

but unfortunately if i stop the VPN service i still have to reboot the router to regain an internet connection...im pretty sure i read somewhere on this forum that this is how its supposed to work anyway if you choose "Block routed clients if tunnel goes down" ??

so its weird if i force the VPN cleint to stop then it does what i expect but if the VPN just "loses" connection it doesnt, again im pretty sure it worked OK with earlier firmwares and has only recently started with 384.6 ( and probably 384.5)

 

[Zastoff]

OK so I just added this extra rule for the router
View attachment 13938

but unfortunately if i stop the VPN service i still have to reboot the router to regain an internet connection...im pretty sure i read somewhere on this forum that this is how its supposed to work anyway if you choose "Block routed clients if tunnel goes down" ??

so its weird if i force the VPN cleint to stop then it does what i expect but if the VPN just "loses" connection it doesnt, again im pretty sure it worked OK with earlier firmwares and has only recently started with 384.6 ( and probably 384.5)

No you should not need to reboot the router to regain internet when you stop your vpn client (you turn it back on yourself) or tunnel goes down so killswitch block client on vpn.. it should reconnect and make a new tunnel and restore internet to your vpn clients
and the router need to be on your ISP WAN and the devices behind it can be on VPN, it will not be more insecure with the line i gave you
The Problem is when you dident have 192.168.1.1 on wan in that list..Killswitch also killed your ISP internet connection to the router then the only solution was a reboot since vpn client start much later in the boot process

 

[ajp2k14]

I use my vpn providers dns servers that support dnscrypt v2 and dnssec(no logging)
Set my vpn client dns setting to strict since I use ab-solutions and installed dnscrypt v2.016 added same dns servers and use dnssec, i hope that my vpn devices use tunnel with dnscrypt and dnssec and that my other (wan) devices make use of dnscrypt dnssec but not through tunnel
Not really sure..

Would you mind sharing which vpn provider? You can DM me if you like...

Tack!

 

[D_Day]

OK so I just added this extra rule for the router
View attachment 13938

but unfortunately if i stop the VPN service i still have to reboot the router to regain an internet connection...im pretty sure i read somewhere on this forum that this is how its supposed to work anyway if you choose "Block routed clients if tunnel goes down" ??

so its weird if i force the VPN cleint to stop then it does what i expect but if the VPN just "loses" connection it doesnt, again im pretty sure it worked OK with earlier firmwares and has only recently started with 384.6 ( and probably 384.5)

That is exactly what happens with my setup! I only have one device and when the VPN client is switched off the device is unreachable yet if I switch it back on the VPN is re-established, turn it off and it’s unreachable until VPN is switched back on or the router is rebooted.

 

[HowIFix]

@D_Day @pusb87

Try to change:

• Redirect Internet Traffic: Policy Rules (strict) to only Policy Rules
• Block routed clients if tunnels goes down: Yes

Policy based routing in Asuswrt-Merlin

On the OpenVPN Clients page, set "Redirect Internet traffic" to either "Policy Rules" or "Policy Rules (strict)". Strict mode will take additional steps to ensure that there aren't any extra routes that could potentially bypass your tunnel, by only allowing routes that specifically target the tunnel's network interface. This is usually preferred, however this will interfere with any route you might have manually configured on your WAN interface, which is why it is a separate option.

Once you enable Policy Rules, a new section will appear below, where you can add routing rules. The "Source IP" is your local client (computer, mobile, etc...), while "Destination" is the remote server on the Internet. The field can be left empty (or set to 0.0.0.0) to signify "any IP". You can also specify a whole subnet, in CIDR notation (for example, 74.125.226.112/30).

Another setting exposed when enabling Policy routing is to prevent your routed clients from accessing the Internet if the VPN tunnel goes down. To do so, enable "Block routed clients if tunnel goes down".

 

[D_Day]

@D_Day @pusb87

Try to change:

• Redirect Internet Traffic: Policy Rules (strict) to only Policy Rules
• Block routed clients if tunnels goes down: Yes

Policy based routing

The same result, sites are unreachable until I turn the VPN back on or reboot the router.
I never had this problem until 384.5 final and it’s been the same ever since.
I do full factory resets with every update and manually input my configuration which is very basic, no qos, no analysis, nothing except for firewall and VPN.
I have around 15 clients 4 of which are wired and everything is running smooth except for the no wan to my one device when the VPN is switched off.

 

[Zastoff]

The same result, sites are unreachable until I turn the VPN back on or reboot the router.
I never had this problem until 384.5 final and it’s been the same ever since.
I do full factory resets with every update and manually input my configuration which is very basic, no qos, no analysis, nothing except for firewall and VPN.
I have around 15 clients 4 of which are wired and everything is running smooth except for the no wan to my one device when the VPN is switched off.

Can post a screenshot of your vpn client settings? just remove username and password before you take it

 

[D_Day]

Can post a screenshot of your vpn client settings? just remove username and password before you take it

 

[Zastoff]

@D_Day From what I can see you only routed 1 device to vpn
I would try to add after that 1device
Wan devices--192.168.1.0/24--0.0.0.0--WAN
To ensure all your other devices goes through wan and don't lose Internet if tunnel goes down
Apply settings
Reboot and test again