DNS Leak With VPN Director Policy


NB_8

Occasional Visitor
My OpenVPN clients connect properly with no DNS leaks when the "Yes (all)" option is selected for "Redirect Internet traffic through tunnel". I would opt to simply leave this as-is, however, preferring not to have any leaks, I would like to be able to use "VPN Director (policy rules)" in light of user findings on that option avoiding IP leaks.


If anyone can please point me in the right direction as to how one might go about keeping killswitch functionality and avoiding DNS leak while using "VPN Director (policy rules)" it would be much appreciated.
 

eibgrad

Very Senior Member
The link you posted is NOT specifically related to DNS leaks. That bug allows *any* traffic to leak over the WAN on reboot until the OpenVPN client is connected. And that same link provides a temporary workaround until the problem can be corrected in the firmware.
 

NB_8

Occasional Visitor
> The link you posted is NOT specifically related to DNS leaks. That bug allows *any* traffic to leak over the WAN on reboot until the OpenVPN client is connected. And that same link provides a temporary workaround until the problem can be corrected in the firmware.

I have not yet ventured into the realm of SSH coding, so at this time I am seeking to address the traffic leak issue (which I initially referred to as "IP leaks") in another way.

Using "VPN Director (policy rules)" apparently avoids the traffic leak issue. However, since I'm getting a DNS leak when I use "VPN Director (policy rules)", I'm trying to figure out what can be changed so that "VPN Director (policy rules)" can be used without causing a DNS leak.
 

eibgrad

Very Senior Member
Then the link you pointed to doesn't seem relevant.

One of the side-effects of using the VPN Director is that it necessarily takes the router itself OFF the VPN. And therefore any services it's offering (e.g., DNSMasq as the local DNS proxy) are now bound to the WAN, NOT the VPN. So you have to be very careful about how you configure DNS on the OpenVPN client. The "Accept DNS configuration" setting should either be Exclusive or Strict. I would at least start there. It's also possible to configure "Accept DNS configuration" as Disabled *if* you configure DoT on the WAN, since then all your DNS activity will be encrypted, and then it doesn't matter whether your DNS is performed over the WAN or VPN.
 

NB_8

Occasional Visitor
> Then the link you pointed to doesn't seem relevant.
>
> One of the side-effects of using the VPN Director is that it necessarily takes the router itself OFF the VPN. And therefore any services it's offering (e.g., DNSMasq as the local DNS proxy) are now bound to the WAN, NOT the VPN. So you have to be very careful about how you configure DNS on the OpenVPN client. The "Accept DNS configuration" setting should either be Exclusive or Strict. I would at least start there. It's also possible to configure "Accept DNS configuration" as Disabled *if* you configure DoT on the WAN, since then all your DNS activity will be encrypted, and then it doesn't matter whether your DNS is performed over the WAN or VPN.

After looking into this more, DoT will not be an option due to incompatible servers.

That stated, short of getting started with SSH scripting, can anyone recommend a workaround to avoid WAN traffic leaks prior to OpenVPN clients becoming connected? The issue is detailed in the link in the OP.
 

eibgrad

Very Senior Member
> After looking into this more, DoT will not be an option due to incompatible servers.
>
> That stated, short of getting started with SSH scripting, can anyone recommend a workaround to avoid WAN traffic leaks prior to OpenVPN clients becoming connected? The issue is detailed in the link in the OP.

 
