DNS problem with VPN on AC86U

callefreddan

New Around Here
Hey all,

I have a DNS problem with my AC86U when I use this with a VPN client.

On my network I have an AppleTV that I want to be connected to a VPN. And it works flawlessly. However, Amazon Prime Video and a couple of other local streaming services in my country have blocked the use of VPN.
To avoid this blockage, my VPN provider has a solution that can be activated, which enables streaming services. And this solution works when I use their VPN client on my computer.

The problem is getting this to work on my AppleTV. When I have been in contact with my VPN provider, they told me that I should enable DNS filters in the router and enter their DNS addresses, which I did. I also use their DNSs under the WAN section.

Now we jump to the strange part.
As mentioned above, I was in contact with my VPN provider, and this was yesterday. After I changed some functions in the router, I made it work. Amazon Prime and all other streaming services worked on my AppleTV. But it only worked in the afternoon; in the evening I got the usual error message "You are using a VPN or a Proxy ...".

This morning I tested again, and it worked again (without making any changes). So it works from time to time.

In other words, it seems that my router gives my AppleTV the ability to prioritize / choose which DNS it prefers. Despite this, I have forced it to use my VPN provider.

VPN Settings:

VPN.png


VPN 2.png

WAN:

WAN.png


DNSfilter:

DNSfilter.png


LAN:
Skärmavbild 2022-03-17 kl. 09.07.58.png
 
It's NOT clear to me exactly what the VPN provider has suggested as a solution based solely on what you posted. I see you've configured the WAN (and therefore DNSMasq by extension) w/ two DNS servers, presumably suggested by the OpenVPN provider. Then you create a DNS filter that redirects the Apple TV back to DNSMasq. Which is fine. But then you've configured the OpenVPN client to use Exclusive w/ that same device. And that's going to preempt whatever you've configured via the DNS filter w/ the first DNS server push'd from the OpenVPN server in the PUSH_REPLY.

Code:
cat /tmp/syslog.log | grep PUSH_REPLY

That's why I say, I don't understand specifically what you're expecting to solve the problem based on the above configuration. I presume it's one of those DNS servers you configured on the WAN (which is problematic if only one of them solves the problem; DNSMasq will use *all* available DNS servers sooner or later). But then the use of Exclusive on the OpenVPN client is going to be configured w/ some unknown DNS server push'd by the OpenVPN server.

So again, what *specifically* is supposed to fix the problem for the Apple TV? One of those DNS servers defined on the WAN? Which one? Either one?
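
Added example (not part of the post above): a small shell helper that goes one step past the grep and lists the DNS servers the OpenVPN server pushed in its most recent PUSH_REPLY, then reports any that are not among the servers you configured yourself. The function names and the sample log line (documentation addresses) are constructed for illustration; on the router you would feed it /tmp/syslog.log instead.

```shell
#!/bin/sh
# Constructed sample of an OpenVPN client log line (addresses are
# documentation ranges, not taken from the thread).
SAMPLE_LOG="Mar 17 09:01:12 ovpn-client1[2345]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 198.51.100.53,dhcp-option DNS 198.51.100.54,route-gateway 10.8.0.1,topology subnet,ifconfig 10.8.0.2 255.255.255.0'"

# pushed_dns: read syslog text on stdin and print the DNS servers from the
# most recent PUSH_REPLY, one per line, in the order the server pushed them.
# Assumes a single VPN client is writing PUSH_REPLY lines to the log.
pushed_dns() {
    grep 'PUSH_REPLY' | tail -n 1 | tr ',' '\n' |
        sed -n 's/^dhcp-option DNS \([0-9a-fA-F.:]*\).*/\1/p'
}

# dns_mismatch LOGTEXT CONFIGURED_DNS...: print every pushed DNS server that
# is not in the list you configured (WAN or DNS Filter custom fields).
# Any output means a VPN client that takes its DNS from the push will
# resolve through a server you did not choose.
dns_mismatch() {
    log=$1
    shift
    printf '%s\n' "$log" | pushed_dns | while read -r ip; do
        case " $* " in
            *" $ip "*) ;;                  # pushed server matches a configured one
            *) printf '%s\n' "$ip" ;;      # pushed server differs from the configured set
        esac
    done
}

# Demo on the constructed sample; on the router use:
#   pushed_dns < /tmp/syslog.log
printf '%s\n' "$SAMPLE_LOG" | pushed_dns
```

The first line of the output is the server the post above says Exclusive mode will hand to the device.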
 
You are absolutely right. In my pictures, my VPN was exclusive, but usually I have had this as Relaxed or Strict.

My VPN provider says I should use their DNS addresses to get the streaming services working. I have tested using these in WAN, DHCP, and DNS filters. Nothing worked.

I have always used my VPN's DNS addresses in WAN, and left DHCP blank, and my OpenVPN configuration has been Relaxed or Strict.

After reading a lot of posts that you have made in other threads regarding DNS and the problems with 'Strict', I tested the following.
My WAN blank (retrieved from ISP), DHCP blank, DNS filter disabled and OpenVPN as exclusive. With these settings, the VPN connection retrieves DNS from my VPN, and then everything works with the streaming services.

Should I enter my VPN's public DNS addresses in WAN, it will stop working, even if my VPN connection is exclusive. So at the moment, your previous posts have actually solved my problem, but I just have to live with the fact that I can not use my VPN's public DNS on all devices in my network while my OpenVPN runs exclusive.
 
In DNS Filter, entering values in Custom 1, 2 or 3 fields has no effect unless you assign the device to the same value in the dropdown menu (e.g. Custom 1, 2 or 3).
 
Well, based on those latest comments, I don't see what's so essential about using your VPN provider's DNS servers on the WAN, and why you care if the rest of your network uses them. What we do know is that using your ISP's DNS servers on the WAN, plus Exclusive on the VPN, works. The latter avoids known issues w/ Relaxed and Strict. And the usual complaint about having to use Exclusive is that it bypasses DNSMasq, therefore you lose access to local name resolution, caching, ad-blocking, etc. But given the only device using the VPN is a smart TV, that doesn't seem all that much of a loss.

So it seems to me you have a working solution and are insisting on being able to use the VPN provider's DNS servers on the WAN for some unknown reason. As a general rule, I don't like doing that for several reasons, including having doubts (at least w/ some providers) they will be publicly available over the WAN. For NON VPN purposes, I'm just inclined to use the ISP's DNS servers, or else well-known servers from Cloudflare, Quad9, etc.
 
I recommend that you set "Accept DNS Configuration" to "Disabled." Doing so ensures that the DNS assigned is the one you specify.

Next, you have the Apple TV set to use Router in DNSfilter, but you also have Global set to Router. That is redundant.

Since you only want one device to use the VPN DNS, I recommend you follow most of eibgrad's post here. You should deviate slightly by NOT using the VPN DNS in your WAN settings. Instead, you will assign the Apple TV to Custom 1, for example, and use that for the VPN DNS. You may not need to follow all of the steps, but I don't see how it could hurt in your use case. You can test to see if the routes and VPN Director Policy rules for the VPN DNS servers are necessary by using his script, located here.

I want to stress again, however, do not follow the entire setup; if you use the VPN DNS in your WAN, it will cause you to have to reset your router because you have the killswitch enabled.
 
