
DNS requests not routed thru VPN on Asuswrt-Merlin

Discussion in 'Asuswrt-Merlin' started by RKaniec, Nov 17, 2019.

  1. RKaniec

    RKaniec New Around Here

    Joined:
    Nov 16, 2019
    Messages:
    4
    Hello,

    I've set up an OpenVPN Client on my router Asus RT-AC68U with Asuswrt-Merlin version 384.13_0 as follows:
    Force Internet traffic through tunnel: Policy Rules (strict)
    Rule: 192.168.24.0/24: VPN
    Accept DNS Configuration: Exclusive

    The VPN connection works fine but there is one problem:
    not the DNS servers provided by the VPN tunnel but those from the WAN DNS Setting of the router are used.

    I check the results on https://dnsleaktest.com

    Could you please help to find the reason of this malfunction?

    Best regards,
    RKaniec
     
  2. Zastoff

    Zastoff Senior Member

    Joined:
    Nov 21, 2017
    Messages:
    325
    Try adding this to the custom config in the VPN client
    Code:
    dhcp-option DNS 8.8.8.8
    dhcp-option DNS 1.1.1.1
    push "dhcp-option DNS 8.8.8.8"
    push "dhcp-option DNS 1.1.1.1"
    And change 8.8.8.8 & 1.1.1.1 to your VPN DNS servers and see if it works
    edit:
    Also add rule for router
    edit2:
    Router 192.168.24.1 WAN (recommended)
     
    Last edited: Nov 17, 2019
  3. RKaniec

    RKaniec New Around Here

    Joined:
    Nov 16, 2019
    Messages:
    4
    Hello Zastoff,

    yes, it works. Thank you very much!!!
    Do you know why the "Exclusive" setting under "Accept DNS Configuration" does not take effect without this coding?

    I also added the recommended rule Router 192.168.0.1 WAN but it changed nothing: with your coding the VPN connection works correctly with and without this rule. What is it for?

    Regards,
    RKaniec
     
  4. Zastoff

    Zastoff Senior Member

    Joined:
    Nov 21, 2017
    Messages:
    325
    Don't know why exactly. Maybe the VPN server pushes DNS servers in a faulty way; the Exclusive setting should have worked.
    You can try to increase Verbosity in the VPN client to see more of what happens when you connect to the VPN server (DNS servers they push and so on).
    The Router rule is recommended when using 192.168.24.0/24 VPN. It can cause issues if you get the router's IP (192.168.24.1) forced thru the VPN client, I guess ISP connection and more weird issues.
    https://github.com/RMerl/asuswrt-merlin/wiki/Policy-based-routing
     
    Last edited: Nov 17, 2019
  5. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    9,774
    Location:
    UK
    Are you referring to the very last line of the wiki page? In which case the rules for the OP would be (assuming his router is at 192.168.24.1):
    Code:
    LAN           192.168.24.0/24    0.0.0.0        VPN
    Router        192.168.24.1       0.0.0.0        WAN
     
  6. Zastoff

    Zastoff Senior Member

    Joined:
    Nov 21, 2017
    Messages:
    325
    Sorry, missed he was using 192.168.24
     
  7. Xentrk

    Xentrk Part of the Furniture

    Joined:
    Jul 21, 2016
    Messages:
    2,516
    Location:
    The Land of Smiles
    @RKaniec

    If you have Accept DNS Configuration = Exclusive + Policy Rules, you should have a script in the /etc/openvpn/fw directory that sets DNS for the VPN Client. For example, VPN Client 5:

    Code:
    /tmp/etc/openvpn/fw/client5-dns.sh
    This command will check if the appropriate iptables chain was created:
    Code:
    iptables --line -t nat -nvL | grep DNSVPN
    
    1        6   248 DNSVPN5    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    2     4110  278K DNSVPN5    udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    
    To see the DNS pushed by the server, look at the appropriate file in the /etc/openvpn/dns/ folder.
    Code:
    cat /etc/openvpn/dns/client5.resolv
    
    server=10.9.0.1
    server=10.8.0.1
    What browser are you using when you do the DNS Leak test?

    To force all client devices to use VPN specified by the router, go to the LAN->DNSFilter screen and turn on "Enable DNS Filter" and set mode to "Router".
     
  8. RKaniec

    RKaniec New Around Here

    Joined:
    Nov 16, 2019
    Messages:
    4
    @Xentrk

    How can I see the /etc/openvpn/fw directory? Where should I look for it?
    Where can I enter the commands?

    I am using Firefox. Does it make any difference at the DNS leak test?

    Thank you for the tip, but you mean the DNS specified by the router, not VPN, don't you?
     
  9. Xentrk

    Xentrk Part of the Furniture

    Joined:
    Jul 21, 2016
    Messages:
    2,516
    Location:
    The Land of Smiles
    You need to use an SSH session to view the contents of the directory and files. SSH needs to be enabled. You then need to install an SSH client. I use MobaXterm. Many use WinSCP. Many choices are available.

    You can change to a directory by using the "cd" command, e.g. cd /etc/openvpn/fw

    You can look at file contents using the cat command, e.g. cat /etc/openvpn/fw/client5-dns.sh

    Firefox has or is rolling out DoH built into the browser. Firefox is enabling this feature automatically. In this case, the DNS specified on the browser may override the DNS specified by the router. Merlin has made an update in 384.14 Beta release to override the Firefox feature.

    Correct on the DNS Filter setting question. The Accept DNS Configuration = Exclusive will force all devices that use the VPN Client to use the DNS pushed by the VPN Server rather than the DNS specified by the router.
     