Accessing local resources behind ExpressVPN tunnel from OpenVPN server

I can't do anything about the VPN not working w/ specific websites. You may have to dedicate a device that's off the VPN for those purposes. Or else identify the public IP(s) of those institutions and route them (as remote IPs) over the WAN using routing policy.

As far as DNS leaks, the better option these days is probably to configure DoT on the WAN and set Tools > Other Settings > "Wan: Use local caching DNS server as system resolver (default: No)" to Yes. This will encrypt all your DNS and route it over the WAN while preserving access to DNSMasq. Just be sure to set Accept DNS Configuration on the VPN to Disabled.
I can't find where in the router GUI this section is: Tools > Other Settings > "Wan: Use local caching DNS server as system resolver (default: No)" to Yes
 
OK I found it!
So is there a side effect for setting that to Yes?

You might want to take a look at the following thread since it discusses this and *many* other DNS related issues.


And the following is specifically where I discuss the effect of that one setting.

 
Thanks for that.. I've been doing some reading, but most of this stuff is way over my head. Like I said, I recently bought a VPN for security, but now I know it's not as "plug n play" as I thought it was going to be.
Not sure if I want to spend money on something that may not be 100% secure (nothing really is), or at least that doesn't have a dns leak issue.

So, by making those changes you mentioned...will that take care of the DNS leak issue you're referring to?
If not, then I guess I will just get my money back from the vpn service as I have 30 days money back guarantee.
 
Security and privacy is a layered approach.

Routers and clients need a good foundation to build off of. Browser headers leak a lot of info but there are plugins to help mitigate that.

Once you harden the PC/browser then layering on a VPN anonymizes you from the world. Closing ports on the router level helps remove sources of leaks. Using a provider like Nord though will help as well with a proven record.
 
Using the technique I suggested will prevent DNS leaks in the sense that ALL your DNS will be encrypted as it's routed over the WAN, and DNSMasq access will be preserved. And how you configure the VPN, or what reasons you have for using a VPN, or if you even decide to use a VPN at all, are now irrelevant. You're securing DNS traffic for any and all possible configurations!

All that said, if you're using DoT but NOT using a VPN, the value of DoT is significantly diminished since you no longer have a secure zone for the rest of your NON DNS traffic anyway. So 99% of users would probably only implement DoT if they were also using a VPN. But the point I'm trying to make w/ DoT is that the DNS handling itself works completely independent of the VPN. And thus you don't end up w/ all the "quirks" related to Exclusive, Strict, etc.
 
Hmm.. why not always have this enabled then since "ALL your DNS will be encrypted as it's routed over the WAN"
Or does this mean that when not using a vpn, all dns is encrypted and because I am using a vpn, then this setting will help with that?
Also, trying to find what you mean by DoT.
 
At least to my mind, DoT implies that you already have a "secure zone" for your NON DNS traffic. But many times your DNS will "leak" outside that secure zone unless you take steps to prevent it. One such method is to route your DNS over the VPN like everything else. Another is to use DoT. But once you do NOT have a secure zone AT ALL, hiding your DNS is sort of pointless. All your NON DNS traffic is still visible, at least in terms of destination IPs. The very thing you're trying to hide w/ DoT!

I suppose there are other reasons for using DoT that would still make it useful, such as DNSSEC, parental filtering, etc. That's why knowing your intentions matters.
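
The two ways of keeping DNS inside the "secure zone" described above (DNS carried in the VPN tunnel, or DoT over the WAN) can be told apart from a leak by looking at what leaves each interface. The following is an added example, not part of the original posts: it classifies `tcpdump -n` style lines by destination port, and assumes one capture per interface; the sample lines and addresses are constructed.

```python
import re

# Matches the "IP src.port > dst.port:" part of a tcpdump -n line (IPv4 only).
PKT = re.compile(r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+):")

def classify(role, line):
    """role is 'wan' or 'vpn': the interface the capture was taken on."""
    m = PKT.search(line)
    if not m:
        return None, None
    dst, dport = m.group(3), int(m.group(4))
    if dport == 853:
        return "dot", dst                  # DNS over TLS: encrypted query
    if dport == 53:
        # Plaintext DNS is only a leak when it leaves outside the tunnel.
        return ("leak" if role == "wan" else "dns-in-tunnel"), dst
    return None, None                      # not an outbound DNS query

def audit(captures):
    """captures: {role: [lines]} -> (counts per class, sorted leak resolvers)."""
    counts = {"dot": 0, "leak": 0, "dns-in-tunnel": 0}
    leak_resolvers = set()
    for role, lines in captures.items():
        for line in lines:
            kind, dst = classify(role, line)
            if kind is None:
                continue
            counts[kind] += 1
            if kind == "leak":
                leak_resolvers.add(dst)
    return counts, sorted(leak_resolvers)

# Constructed sample capture (documentation address ranges, not real hosts).
SAMPLE = {
    "wan": [
        "12:00:01.000001 IP 203.0.113.10.41000 > 198.51.100.1.853: Flags [P.], length 120",
        "12:00:01.500000 IP 203.0.113.10.53012 > 198.51.100.53.53: 4660+ A? example.com. (29)",
        "12:00:02.000000 IP 203.0.113.10.51820 > 192.0.2.44.1194: UDP, length 96",
        "12:00:02.100000 IP 198.51.100.53.53 > 203.0.113.10.53012: 4660 1/0/0 A 192.0.2.80 (45)",
    ],
    "vpn": [
        "12:00:03.000000 IP 10.8.0.2.40222 > 10.8.0.1.53: 7 A? example.org. (29)",
    ],
}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The check is port-based, so DNS over HTTPS on port 443 and resolvers on non-standard ports are not counted.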
 
Just would like to have all devices connected to my router be anonymous while surfing and doing banking. Basically not allowing any website know my location or who I am.
 
Well now you've come full circle. You need a VPN. And you need to hide your DNS. But using Exclusive or Strict each comes w/ its own limitations. So you have the option to use DoT instead. IOW, VPN + DoT probably does what you need.
 
Just would like to have all devices connected to my router be anonymous while surfing and doing banking. Basically not allowing any website know my location or who I am.
That's what I'm doing and it works perfectly.

I'm using "webrtc control" on chrome which kills the leaks from the browser.

If you want your max speed though you'll want to use WireGuard-based VPNs as OVPN is ancient / 50% reduction in speed in comparison.
 
I'm getting pretty good speeds with Nord.. basically not seeing a drop at all.. maybe 1 Mbps difference in the upload at most.
I have contacted Nord and they had me run a test and they told me that they are seeing DNS leaks even with the settings I just made.

I think this is a bit more complicated and more work than I anticipated haha. I thought it was just having to add the vpn to the router and I was done...not the case lol.
If I will have to go to every device and make sure to add some plugin or something to their browser to prevent leaks... then, that's just not gonna work for me.
 
They had me change the setting from Disabled to Exclusive and now they don't see any leaks.
 
Yes.. I remembered that after I posted that. So what a predicament eh?
So is this one of those things that it's either one or the other?
 
FWIW, I did recently help another user w/ a slightly different solution.

 
Thanks for the info.. I decided this is way out of my league and cancelled my VPN sub!
Maybe in the future when it's less of a headache to configure and get it working properly... maybe... then maybe I can give it a shot... thanks anyway for all your help!
 
One of the "issues" they were seeing is this.. See pictures of the DNS leak test. It shows the IP address of the server I was connected to.. but on the results, it would show completely different IP addresses... and NordVPN support said it's leaks.

At some point it was working properly but then it just stopped and I started getting those results.
I tried Disabled, Relaxed, Strict and Exclusive.. all rendered the same results and was driving them crazy and they could not find a solution so that's why I cancelled it.
These are the results I had sent them when I was on their vpn.
 

Attachments: main.jpg, results.jpg