Bypassing VPN Accept DNS Configuration = Exclusive for one client


rob-tech

Occasional Visitor
Hi,

I recently subscribed to a VPN and set up an OpenVPN client on Merlin 384.9. I configured the Accept DNS setting to Exclusive and verified that there are no leaks (the IP address of the DNS is the same as the main IP, and they both belong to the VPN provider). I also forced all clients to exclusively use the VPN tunnel via Policy Rules (Strict).

While everything is working perfectly through VPN, I do have a problem with one Roku 3 media streaming box, specifically the Netflix program on it as other functionality on the box works (Netflix also runs properly on all other computers and tablets via VPN). I think the problem is that the Netflix app forces the use of Google DNS 8.8.8.8 and 8.8.4.4, but Exclusive DNS mode prohibits this, therefore it doesn't work and displays the proxy error message.

Is there a way I can use routing rules to allow this Roku 3 to access Google DNS so that Netflix will work, while keeping the Roku 3 on VPN?
 
You can try putting your Roku 3 in the LAN/DNSFilter page and setting 8.8.8.8 for that device only, then test whether that works.
(I have not tried it myself.)
Otherwise you may have to change the Accept DNS setting to Strict; then you can set your VPN DNS servers under LAN and use DNSFilter for the Roku 3.
Or maybe have a look at the Stubby installer (DoT) or the DNSCrypt-Proxy installer (DoH and dnscrypt v1/v2) to handle your DNS encryption.
 
Thank you for your reply. I tried to use the DNSFilter, and this did not work with the Exclusive DNS policy. You see, the issue with using DNS Strict is that it then breaks Netflix streaming on other devices, as it uses the VPN's DNS servers directly, which are based in Australia and Singapore. The programs see that the DNS requests are being resolved in these countries while the actual VPN connection is based in a US datacenter; this causes a proxy error. Using Exclusive means that the actual VPN server is doing the DNS resolving, and since it is the same IP address, everything works.

Is this behaviour even expected? My VPN appears to have two dedicated DNS servers for the entire world, and regardless of where you are connected these are pushed to the router in Strict mode. Shouldn't the provider assign local DNS resolvers so it works like Exclusive mode?
 
Hmm, I am no expert, but I think "Exclusive" forces your DNS requests through the tunnel so it looks like they are coming from the end point of the tunnel.
One more thing you can try/test (I have not tried this either) is to add the following to the custom config in your VPN client (with Accept DNS Configuration set to Exclusive):

Code:
dhcp-option DNS 8.8.8.8
dhcp-option DNS 8.8.4.4
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

This is if you have no problem using Google DNS for all devices routed through the VPN.
(An option may be to use more than one VPN client if Google DNS is not OK for all VPN devices.)

edit:
Tried it in my own VPN client and it used 8.8.8.8 for all VPN clients in Exclusive mode.
 
You get the proxy error message because you are using a "shared" VPN server. Netflix, Hulu, Amazon Prime and BBC block these servers. It has nothing to do with your DNS. The streaming media providers look at your WAN IP address and don't care about the location of the DNS. You can read more about the issue in this blog post.

If you don't want to change to a provider that will allow you to stream NF, you can select the Policy Rule Routing option. Then, install the script below to route Netflix traffic to the WAN interface.

https://github.com/Xentrk/netflix-vpn-bypass

If you use Accept DNS Configuration = Exclusive when using Policy Rules, dnsmasq is bypassed and the netflix-vpn-bypass script will not work. The workaround is to set Accept DNS Configuration = Disabled. The VPN will then use the DNS specified on the WAN menu. For DNS, I highly recommend Stubby. You can read more about it at the links below.

https://x3mtek.com/dns-over-tls-with-dnsmasq-and-stubby-on-asuswrt-merlin/

In the install script, there is an option to force all client DNS traffic to use Stubby. This will fix the issue with LAN clients that have hard-coded DNS.
https://github.com/Xentrk/Stubby-Installer-Asuswrt-Merlin

You will need to install entware for all of the scripts to work. I recommend you look at the Asuswrt-Merlin-Terminal-Menu to install entware along with some of the other scripts such as Diversion and Stubby. See the AMTM thread for more info.
 
Thank you for posting this. I may try this solution with two VPN clients and only use the Google DNS for the Roku to see if that fixes my issue. I'm worried about the CPU burden of two encryptions on my RT-AC87U, which already has a high load encrypting/decrypting a single tunnel.
Thank you for these useful links. So basically DNS policy Exclusive locks the DNS to whatever the VPN server pushes and forces DNS requests to go through the tunnel; even the LAN/DNSFilter rules do not apply in this case, correct? It's interesting, though, when you say that only the WAN IP address determines whether one gets the proxy message, as my testing points to the DNS location making a difference.

If I use Accept DNS = Exclusive, Netflix streaming works on all clients (phones, tablets, computers, etc.) except the Roku. As soon as I switch to Accept DNS = Strict, it is still using the same VPN DNS; however, now all the clients get a proxy error. For now I have my Roku on WAN, but when I have more time I will definitely try your solution. Thanks again.
 
You would need to run some Linux commands to understand why changing DNS prevents the proxy error. I suspect it is a routing configuration rather than DNS. Here are some commands to show how the firmware is configuring DNS and routing. If you want to experiment, try running the commands when you route all traffic over the tunnel and when you route using Policy Rules.

Code:
ip route show table local
iptables --line -t nat -nvL PREROUTING | grep DNS
ip rule
ip route | grep tun
route -n
ip route show table 111
ip route show table 112
iptables -nvL PREROUTING -t mangle --line

I have tested on many streaming apps that block VPNs with my DNS set to a foreign country. As long as my end point is in the streaming media market geo location, it has worked 100 percent. But for the streaming services that block VPNs, once I change my end point to a shared VPN server, I get the proxy error.

With Asuswrt-Merlin firmware, dnsmasq is bypassed when setting Accept DNS Configuration = Exclusive combined with using Policy Rules. This only applies to clients connected to the VPN, not the WAN iface. However, dnsmasq is not bypassed when setting Accept DNS Configuration = Exclusive when routing All Traffic over the tunnel.

If you use Strict, I recommend configuring the DNS in the custom config section by adding an entry like the one below to explicitly configure the tunnel to use the DNS you specify:

Code:
dhcp-option DNS 1.1.1.1
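
The commands above only tell you something once you know how to read their output: in the nat PREROUTING chain, a DNAT rule on port 53 is what redirects a LAN client's DNS (whether it asked for 8.8.8.8 or not), and `ip rule` is what decides which routing table (111/112 for the VPN clients) the client's traffic uses. The following is an added example, not code from this thread or from the Asuswrt-Merlin firmware: it parses constructed sample output of `iptables --line -t nat -nvL PREROUTING` and `ip rule` and reports, per LAN client, which resolver its DNS is actually redirected to and which table routes it. The chain contents, addresses and table numbers in the sample are assumptions made up for the demo; run the real commands on the router and feed their output in to check your own box. The one behaviour worth seeing is that iptables takes the first matching rule, so a per-client DNAT that sits above a catch-all DNAT wins, while one that sits below it is shadowed.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of `iptables --line -t nat -nvL PREROUTING` output.
# Counters, addresses and rule order are illustrative only; the real rules
# Asuswrt-Merlin installs are not reproduced here.
NAT_PREROUTING = """\
Chain PREROUTING (policy ACCEPT 4211 packets, 310K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       42  2688 DNAT       udp  --  br0    *       192.168.1.50         0.0.0.0/0            udp dpt:53 to:8.8.8.8
2        6   360 DNAT       tcp  --  br0    *       192.168.1.50         0.0.0.0/0            tcp dpt:53 to:8.8.8.8
3      913 58432 DNAT       udp  --  br0    *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 to:10.8.0.1
4      120  7200 DNAT       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53 to:10.8.0.1
"""

# Constructed sample of `ip rule` output (policy routing selectors).
IP_RULE = """\
0:\tfrom all lookup local
10101:\tfrom 192.168.1.50 lookup 111
10102:\tfrom 192.168.1.60 lookup 111
32766:\tfrom all lookup main
32767:\tfrom all lookup default
"""

# One DNAT rule that rewrites the destination of port-53 traffic.
DNAT_RE = re.compile(
    r"^\s*(?P<num>\d+)\s+\d+\s+\S+\s+DNAT\s+(?P<proto>udp|tcp)\s+--\s+\S+\s+\S+\s+"
    r"(?P<src>\S+)\s+\S+\s+(?:udp|tcp) dpt:53 to:(?P<to>\S+)\s*$"
)
RULE_RE = re.compile(r"^\s*(?P<prio>\d+):\s+from (?P<src>\S+) lookup (?P<table>\S+)\s*$")


@dataclass
class DnsRedirect:
    num: int
    proto: str
    source: ipaddress.IPv4Network
    resolver: str


def parse_dns_redirects(text: str) -> List[DnsRedirect]:
    """Collect port-53 DNAT rules in chain order (the order iptables evaluates them)."""
    out: List[DnsRedirect] = []
    for line in text.splitlines():
        m = DNAT_RE.match(line)
        if m:
            net = ipaddress.ip_network(m["src"], strict=False)  # bare host -> /32
            out.append(DnsRedirect(int(m["num"]), m["proto"], net, m["to"]))
    return out


def parse_ip_rules(text: str) -> List[Tuple[int, ipaddress.IPv4Network, str]]:
    """Collect (priority, source selector, table) and sort by priority."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            src = "0.0.0.0/0" if m["src"] == "all" else m["src"]
            rules.append((int(m["prio"]), ipaddress.ip_network(src, strict=False), m["table"]))
    return sorted(rules, key=lambda r: r[0])


def effective_resolver(client: str, redirects: List[DnsRedirect], proto: str = "udp") -> Optional[str]:
    """First matching DNAT wins; None means the client's DNS is not rewritten at all."""
    addr = ipaddress.ip_address(client)
    for r in redirects:
        if r.proto == proto and addr in r.source:
            return r.resolver
    return None


def routing_table(client: str, rules: List[Tuple[int, ipaddress.IPv4Network, str]]) -> str:
    """Lowest priority wins; the 'local' table is skipped because it only holds the router's own addresses."""
    addr = ipaddress.ip_address(client)
    for _prio, src, table in rules:
        if table != "local" and addr in src:
            return table
    return "main"


def audit(clients: List[str], nat_text: str = NAT_PREROUTING,
          rule_text: str = IP_RULE) -> Dict[str, Dict[str, Optional[str]]]:
    """Per client: where its DNS really goes and which routing table carries its traffic."""
    redirects = parse_dns_redirects(nat_text)
    rules = parse_ip_rules(rule_text)
    return {c: {"dns": effective_resolver(c, redirects), "table": routing_table(c, rules)}
            for c in clients}


if __name__ == "__main__":
    for client, info in audit(["192.168.1.50", "192.168.1.60", "192.168.1.70"]).items():
        print(f"{client}: DNS -> {info['dns'] or 'not redirected'}, routed via table {info['table']}")
```

In the sample, 192.168.1.50 has its DNS sent to 8.8.8.8 because its per-client rules sit above the catch-all, 192.168.1.60 is caught by the catch-all and lands on 10.8.0.1, and 192.168.1.70 is not in any `ip rule` selector and so falls through to the main table. Swapping the rule order in the sample is the quickest way to see a per-client DNSFilter-style entry get shadowed.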
 
I don't have any experience using the DNSFilter. If you use DNSFilter with any external DNS, it will also bypass dnsmasq.
https://www.snbforums.com/threads/stubby-installer-asuswrt-merlin.49469/page-44#post-464720

Thank you for taking the time to explain all this. For now my tunnel does everything I need: I have the Roku on WAN and everything else on VPN with the Exclusive DNS option. There are no leaks and there is no speed loss with the AC87U; however, if I were to upgrade my internet plan, more processing power would be required from the router.
 
Glad you got it working. The primary factor in OpenVPN performance is the CPU in the router. The AC86U and AX88U models have the newer CPU that support hardware acceleration for OpenVPN.

I converted an old Win 7 PC to a pfSense appliance with an Intel i5 CPU that has AES-NI support. My OpenVPN performance is vastly improved compared to my AC88U. See https://x3mtek.com/openvpn-performance/ for details. Then I also discovered the firmware supports my Selective Routing use case using the admin console, whereas on the Asuswrt-Merlin firmware I have to write scripts, which I enjoy doing and am still in the process of developing.
 