Diversion not working with OpenVPN


Maasamda

New Around Here
Hi,

I have an AX86 with Merlin 386.3 Beta 3. I am using Diversion and Unbound. I also use OpenVPN.

I just can't manage to set up OpenVPN in such a way that Diversion and Unbound continue to work. I know that Accept DNS Configuration = Exclusive when using VPN director causes DNSMasq to be bypassed and therefore Diversion and Unbound don't work.

Is it possible to set it up so that I:

1. Can run almost all devices via OpenVPN (ExpressVPN), without DNS leaks taking place. While Diversion and Unbound continue to work.

And

2. Can run a small group of other devices outside of OpenVPN. While Diversion and Unbound continue to work here too.

I now have the following configuration:

OpenVPNclient1:

- Accept DNS configuration = Exclusive

- Redirect Internet Traffic through VPN= VPN Director Policy Rules

VPN Director:

- 192.168.50.0/24 OVPN1

- 192.168.50.1 (router) WAN

- 192.168.50.4 WAN

- 192.168.50.5 WAN

Router settings:

LAN --> DHCP --> DNS and WINS Setting:


- DNS server 1 and DNS server 2 = <Empty>

- Advertise router's IP in addition to user-specified DNS = No

DNS Filter:

- On

- Global Filter Mode = Router

WAN --> WAN DNS settings:

- Connect to DNS Server automatically = No

- DNS Server1 = 8.8.8.8

- DNS Server2 = 8.8.4.4

- Forward local domain queries to upstream DNS = No

- Enable DNS Rebind protection = No

- Enable DNSSEC support = No

- Prevent client auto DoH = Yes

- DNS Privacy Protocol = None

I know the above setting ensures that Diversion/Unbound do not work due to the OpenVPN client configuration. I've tried all sorts of settings, but not with the desired result.

Does anyone know the solution?
 

chongnt

Senior Member
I tested both mentioned options for accept dns configuration: strict and disabled. Both cause DNS leak to my ISP from the devices routed through the VPN...
You can have a look here. This is pre 386.3 though.


 

Zastoff

Very Senior Member
I tested both mentioned options for accept dns configuration: strict and disabled. Both cause DNS leak to my ISP from the devices routed through the VPN...
Can try to change:
Tools/Other settings
Wan: Use local caching DNS server as system resolver (default: No) = Yes
That solved my wan dns from leaking when I used vpn
 

kernol

Very Senior Member
I tested both mentioned options for accept dns configuration: strict and disabled. Both cause DNS leak to my ISP from the devices routed through the VPN...

I'm sure you realise that when using unbound - a dns leak test will report your router's public ip address as your DNS [and likely give it the same name as your Internet Service Provider]. That is not a leak but working as designed.

I have the same settings as you and my unbound works perfectly as does Diversion ... EXCEPT on my OVPN4 client I am using VPNUnlimited and have my Accept DNS configuration set to "disabled" [meaning there is no redirection of my dns server away from my unbound on my router].

Incidentally - the exact same settings trying to use NordVPN fails - no idea why.
 

Maasamda

New Around Here
I'm sure you realise that when using unbound - a dns leak test will report your router's public ip address as your DNS [and likely give it the same name as your Internet Service Provider]. That is not a leak but working as designed.

I have the same settings as you and my unbound works perfectly as does Diversion ... EXCEPT on my OVPN4 client I am using VPNUnlimited and have my Accept DNS configuration set to "disabled" [meaning there is no redirection of my dns server away from my unbound on my router].

Incidentally - the exact same settings trying to use NordVPN fails - no idea why.
Thanks, this helps me out!

OpenVPN client configuration set to "Disabled" and results looked at in the right way :) Diversion & Unbound working now.
 

Vertron

Regular Contributor
I'm sure you realise that when using unbound - a dns leak test will report your router's public ip address as your DNS [and likely give it the same name as your Internet Service Provider]. That is not a leak but working as designed.

I have the same settings as you and my unbound works perfectly as does Diversion ... EXCEPT on my OVPN4 client I am using VPNUnlimited and have my Accept DNS configuration set to "disabled" [meaning there is no redirection of my dns server away from my unbound on my router].

Incidentally - the exact same settings trying to use NordVPN fails - no idea why.
Are you sure about this? If you bind the VPN to unbound and set redirect internet traffic to "yes" instead of "policy rules", it will show the VPN IP instead of the ISP IP when doing a DNS leak test, therefore unbound is in the tunnel. With policy rules enabled it shows the ISP IP instead, I assume that means unbound is no longer going through the tunnel and is exposed?

I'm currently reading about this script and think it might be the solution: https://www.snbforums.com/threads/unbound-dns-vpn-client-w-policy-rules.67370/
 

kernol

Very Senior Member
I'm sure you realise that when using unbound - a dns leak test will report your router's public ip address as your DNS [and likely give it the same name as your Internet Service Provider]. That is not a leak but working as designed.

I have the same settings as you and my unbound works perfectly as does Diversion ... EXCEPT on my OVPN4 client I am using VPNUnlimited and have my Accept DNS configuration set to "disabled" [meaning there is no redirection of my dns server away from my unbound on my router].

Incidentally - the exact same settings trying to use NordVPN fails - no idea why.
Are you sure about this? If you bind the VPN to unbound and set redirect internet traffic to "yes" instead of "policy rules", it will show the VPN IP instead of the ISP IP when doing a DNS leak test, therefore unbound is in the tunnel. With policy rules enabled it shows the ISP IP instead, I assume that means unbound is no longer going through the tunnel and is exposed?

I'm currently reading about this script and think it might be the solution: https://www.snbforums.com/threads/unbound-dns-vpn-client-w-policy-rules.67370/

We are at cross purposes here ...

My first paragraph was in reference to ZERO VPN being used - just a reminder that dns leak test will show your public ip address as the DNS server address when using unbound [as opposed to the ISP's DNS etc];

My second paragraph was referencing when you indeed do go through a VPNClient [tunnel] BUT set the DNS Configuration [for the tunnel] as DISABLED ... in other words NOT using the DNS provided by the VPN service provider. In that case the DNS is still unbound on your router - with Diversion continuing to work.

Clearly - if you invoke the VPNClient tunnel and use option "Yes" - all [not with Policy Rules] ... my understanding is that you are now wanting the tunnel to adopt the DNS services provided by the tunnel - so Diversion will NOT work.

The thread you identify may well be the one to follow if what you are trying to do is push unbound down the VPN tunnel to continue acting as your DNS and retain Diversion in good working order.;)
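The distinction kernol draws above (Exclusive sends the tunnel clients' port-53 traffic straight to the VPN provider's resolver, bypassing dnsmasq and therefore Diversion and unbound; Disabled leaves the query with dnsmasq on the router) can be checked on the router rather than inferred from a leak-test page. The script below is an added example, not code from the thread or from Asuswrt-Merlin: it classifies where a given LAN client's DNS queries end up from two inputs, the nat table (`iptables -t nat -S`) and `/etc/dnsmasq.conf`. It assumes the firmware implements Exclusive with a `DNSVPN<n>` nat chain of `-s <client> -j RETURN` / `-j DNAT --to-destination <vpn resolver>` rules, and that unbound_manager points dnsmasq at `127.0.0.1#53535` with `no-resolv`; the chain name, the port and all sample rules and config lines are constructed for the example. It also covers the Disabled case (no DNSVPN rules at all) and a dnsmasq.conf that still forwards to WAN resolvers, which the thread only describes in words.

```shell
#!/bin/sh
# dns_path_check.sh - added example, not from the thread or from Asuswrt-Merlin.
# Classifies where a LAN client's port-53 queries end up by reading
#  (a) the nat table, where an OpenVPN client with Accept DNS Configuration =
#      Exclusive adds a DNSVPN<n> chain that DNATs queries to the tunnel's
#      resolver (chain name and rule shape assumed), and
#  (b) dnsmasq.conf, where unbound_manager normally points dnsmasq at
#      127.0.0.1#53535 with no-resolv (port assumed).
# All sample data at the bottom is constructed.

ip2int() {  # dotted quad -> integer, e.g. ip2int 192.168.50.4
  set -- $(printf '%s' "$1" | tr . ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_cidr() {  # in_cidr <ip> <cidr-or-ip>; exit 0 when <ip> lies inside
  ip=$(ip2int "$1"); net=$(ip2int "${2%/*}"); bits=${2#*/}
  [ "$bits" = "$2" ] && bits=32        # bare address means /32
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# client_dns_path <client ip> "<output of: iptables -t nat -S>"
# Walks the DNSVPN chain rules in order, as netfilter would: first matching
# RETURN -> query stays with dnsmasq on the router (Diversion/unbound apply);
# first matching DNAT -> query goes straight to the VPN resolver, bypassing
# dnsmasq. No matching rule at all (Accept DNS = Disabled/Strict) -> router.
client_dns_path() {
  client=$1
  hit=$(printf '%s\n' "$2" | grep '^-A DNSVPN' | while read -r line; do
    set -- $line; src=; target=; dest=
    while [ $# -gt 0 ]; do
      case $1 in
        -s) src=$2; shift ;;
        -j) target=$2; shift ;;
        --to-destination) dest=$2; shift ;;
      esac
      shift
    done
    [ -n "$src" ] && ! in_cidr "$client" "$src" && continue
    case $target in
      RETURN) echo "router:dnsmasq"; exit 0 ;;
      DNAT)   echo "vpn-dns:${dest%:*}"; exit 0 ;;
    esac
  done)
  echo "${hit:-router:dnsmasq}"
}

# dnsmasq_upstream "<contents of /etc/dnsmasq.conf>"
# Reports which upstream dnsmasq forwards to once a query reaches it.
dnsmasq_upstream() {
  conf=$1; loop=
  if ! printf '%s\n' "$conf" | grep -q '^no-resolv'; then
    echo "wan-dns:resolv-file"       # WAN resolvers from resolv-file still used
    return 0
  fi
  for s in $(printf '%s\n' "$conf" | sed -n 's/^server=//p' | grep -v '^/' || true); do
    case $s in
      127.*) loop=$s ;;                  # loopback forwarder, e.g. unbound
      *) echo "wan-dns:$s"; return 0 ;;  # a public forwarder bypasses unbound
    esac
  done
  echo "local:${loop:-none}"
}

# Constructed sample: OpenVPN client 1, Exclusive + VPN Director rules,
# 192.168.50.4/.5 routed to WAN, the rest of 192.168.50.0/24 to the tunnel,
# whose pushed resolver is 10.8.0.1.
SAMPLE_NAT_EXCLUSIVE='-P PREROUTING ACCEPT
-N DNSVPN1
-A PREROUTING -p udp -m udp --dport 53 -j DNSVPN1
-A PREROUTING -p tcp -m tcp --dport 53 -j DNSVPN1
-A DNSVPN1 -s 192.168.50.4/32 -j RETURN
-A DNSVPN1 -s 192.168.50.5/32 -j RETURN
-A DNSVPN1 -s 192.168.50.0/24 -j DNAT --to-destination 10.8.0.1'

# Constructed sample: Accept DNS Configuration = Disabled; only DNSFilter's
# redirect to the router's own dnsmasq remains.
SAMPLE_NAT_DISABLED='-P PREROUTING ACCEPT
-N DNSFILTER
-A PREROUTING -i br0 -p udp -m udp --dport 53 -j DNSFILTER
-A DNSFILTER -j DNAT --to-destination 192.168.50.1'

SAMPLE_DNSMASQ_UNBOUND='no-resolv
server=127.0.0.1#53535
server=/lan/127.0.0.1'
SAMPLE_DNSMASQ_WAN='resolv-file=/tmp/resolv.dnsmasq
server=/lan/127.0.0.1'

# On the router itself (busybox sh) replace the samples with live data:
#   client_dns_path 192.168.50.10 "$(iptables -t nat -S)"
#   dnsmasq_upstream "$(cat /etc/dnsmasq.conf)"
for c in 192.168.50.4 192.168.50.10; do
  echo "Exclusive, $c -> $(client_dns_path "$c" "$SAMPLE_NAT_EXCLUSIVE")"
  echo "Disabled,  $c -> $(client_dns_path "$c" "$SAMPLE_NAT_DISABLED")"
done
echo "dnsmasq upstream (unbound) -> $(dnsmasq_upstream "$SAMPLE_DNSMASQ_UNBOUND")"
echo "dnsmasq upstream (wan)     -> $(dnsmasq_upstream "$SAMPLE_DNSMASQ_WAN")"
```

Read the two results together: a client is covered by Diversion and unbound only when `client_dns_path` says `router:dnsmasq` and `dnsmasq_upstream` says `local:127.0.0.1#...`. A `vpn-dns:` result is the Exclusive bypass kernol describes, and a `wan-dns:` result means dnsmasq itself would forward to the WAN resolvers (the 8.8.8.8/8.8.4.4 entries in the original post), which is the leak the leak-test pages report.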
 

Vertron

Regular Contributor
Hi,

I have an AX86 with Merlin 386.3 Beta 3. I am using Diversion and Unbound. I also use OpenVPN.

I just can't manage to set up OpenVPN in such a way that Diversion and Unbound continue to work. I know that Accept DNS Configuration = Exclusive when using VPN director causes DNSMasq to be bypassed and therefore Diversion and Unbound don't work.

Is it possible to set it up so that I:

1. Can run almost all devices via OpenVPN (ExpressVPN), without DNS leaks taking place. While Diversion and Unbound continue to work.

And

2. Can run a small group of other devices outside of OpenVPN. While Diversion and Unbound continue to work here too.

Does anyone know the solution?

I put together a quick guide on how to set this up, see post #198:
https://www.snbforums.com/threads/unbound-dns-vpn-client-w-policy-rules.67370/page-10
 
