DNS requests not routed thru VPN on Asuswrt-Merlin


RKaniec

Occasional Visitor
Hello,

I've set up an OpenVPN client on my router, an Asus RT-AC68U running Asuswrt-Merlin version 384.13_0, as follows:
Force Internet traffic through tunnel: Policy Rules (strict)
Rule: 192.168.24.0/24: VPN
Accept DNS Configuration: Exclusive

The VPN connection works fine but there is one problem:
not the DNS servers provided by the VPN tunnel but those from the WAN DNS setting of the router are used.

I checked the results on https://dnsleaktest.com

Could you please help me find the reason for this malfunction?

Best regards,
RKaniec
 
Test adding this to the custom config of the VPN client:
Code:
dhcp-option DNS 8.8.8.8
dhcp-option DNS 1.1.1.1
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 1.1.1.1"
Change 8.8.8.8 and 1.1.1.1 to your VPN's DNS servers and see if it works.
edit:
Also add a rule for the router:
edit2:
Router 192.168.24.1 WAN (recommended)
 

Hello Zastoff,

yes, it works. Thank you very much!!!
Do you know why the "Exclusive" setting under "Accept DNS Configuration" does not take effect without this coding?

I also added the recommended rule Router 192.168.0.1 WAN but it changed nothing: with your coding the VPN connection works correctly with and without this rule. What is it for?

Regards,
RKaniec
 
Don't know why exactly. Maybe the VPN server pushes DNS servers in a faulty way; the Exclusive setting should have worked.
You can try to increase verbosity in the VPN client to see more of what happens when you connect to the VPN server (DNS servers they push and so on).
The Router rule is recommended when using 192.168.24.0/24 VPN. It can cause issues if you get the router's IP (192.168.24.1) forced through the VPN client: I guess ISP connection and more weird issues.
https://github.com/RMerl/asuswrt-merlin/wiki/Policy-based-routing
 
:confused: Are you referring to the very last line of the wiki page? In which case the rules for the OP would be (assuming his router is at 192.168.24.1):
Code:
LAN           192.168.24.0/24    0.0.0.0        VPN
Router        192.168.24.1       0.0.0.0        WAN
 
Sorry, missed that he was using 192.168.24.
 
@RKaniec

If you have Accept DNS Configuration = Exclusive + Policy Rules, you should have a script in the /etc/openvpn/fw directory that sets DNS for the VPN client. For example, VPN Client 5:

Code:
/tmp/etc/openvpn/fw/client5-dns.sh

This command will check if the appropriate iptables chain was created:
Code:
iptables --line -t nat -nvL | grep DNSVPN

1        6   248 DNSVPN5    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
2     4110  278K DNSVPN5    udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53

To see the DNS pushed by the server, look at the appropriate file in the /etc/openvpn/dns/ folder.
Code:
cat /etc/openvpn/dns/client5.resolv

server=10.9.0.1
server=10.8.0.1

What browser are you using when you do the DNS Leak test?

To force all client devices to use the VPN specified by the router, go to the LAN->DNSFilter screen, turn on "Enable DNS Filter" and set the mode to "Router".
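The three things this post tells you to look at (the DNSVPN<n> jumps in the nat table, the server= lines in clientN.resolv) and the "Router -> WAN" policy rule discussed a few posts up can be checked from one script over SSH. The following is an added example, not code from this thread or from Asuswrt-Merlin; the function names are my own, and the SAMPLE_* values are constructed copies of the outputs quoted above so the script can be tried offline before pointing it at the live commands:

```shell
#!/bin/sh
# Added example: verify that a Merlin OpenVPN client's DNS really is forced
# through the tunnel. Not from the thread or from Asuswrt-Merlin.
# The SAMPLE_* values are constructed copies of the outputs quoted above;
# on a router replace them with the live commands shown in the comments.

# Constructed: output of  iptables --line -t nat -nvL | grep DNSVPN
# (the --line column is assumed; without it the field positions shift)
SAMPLE_NAT='1        6   248 DNSVPN5    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
2     4110  278K DNSVPN5    udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53'

# Constructed: contents of  /etc/openvpn/dns/client5.resolv
SAMPLE_RESOLV='server=10.9.0.1
server=10.8.0.1'

# Constructed: the two policy rules (description, source, destination, iface)
SAMPLE_RULES='LAN           192.168.24.0/24    0.0.0.0        VPN
Router        192.168.24.1       0.0.0.0        WAN'

# dnsvpn_rules N NAT_OUTPUT
# Prints how many port-53 jumps into chain DNSVPN<N> exist (tcp + udp = 2).
dnsvpn_rules() {
    printf '%s\n' "$2" | awk -v chain="DNSVPN$1" '
        $4 == chain && ($5 == "tcp" || $5 == "udp") && $NF == "dpt:53" { n++ }
        END { print n + 0 }'
}

# pushed_dns RESOLV_CONTENTS
# Prints the resolver addresses the VPN server pushed, one per line.
pushed_dns() {
    printf '%s\n' "$1" | sed -n 's/^server=//p'
}

# is_rfc1918 IP
# True when IP is private: a pushed resolver such as 10.9.0.1 is only
# reachable while the tunnel is up, so the DNSVPN chain must be in place.
is_rfc1918() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# has_router_wan_rule RULES ROUTER_IP
# True when a policy rule sends the router's own LAN address out via WAN.
has_router_wan_rule() {
    printf '%s\n' "$1" | awk -v ip="$2" \
        '$2 == ip && $4 == "WAN" { found = 1 } END { exit found ? 0 : 1 }'
}

# check_client N NAT_OUTPUT RESOLV_CONTENTS RULES ROUTER_IP
# Prints a verdict; returns 0 only when port 53 from VPN clients is
# intercepted and the server actually pushed a resolver.
check_client() {
    n=$1; nat=$2; resolv=$3; rules=$4; router=$5
    hits=$(dnsvpn_rules "$n" "$nat")
    servers=$(pushed_dns "$resolv")

    if [ "$hits" -lt 2 ]; then
        echo "client$n: DNSVPN$n has $hits/2 port-53 rules; queries fall back to the WAN resolvers"
        return 1
    fi
    if [ -z "$servers" ]; then
        echo "client$n: no server= lines pushed; Exclusive has nothing to apply"
        return 1
    fi
    for s in $servers; do
        is_rfc1918 "$s" && echo "client$n: $s is tunnel-internal, unreachable if the tunnel drops"
    done
    has_router_wan_rule "$rules" "$router" ||
        echo "client$n: warning: no 'Router $router -> WAN' policy rule"
    echo "client$n: VPN clients' DNS forced to: $(printf '%s' "$servers" | tr '\n' ' ')"
    return 0
}

# Offline run against the constructed samples. On the router use, e.g.:
#   check_client 5 "$(iptables --line -t nat -nvL | grep DNSVPN)" \
#       "$(cat /etc/openvpn/dns/client5.resolv)" "<your rules text>" 192.168.24.1
check_client 5 "$SAMPLE_NAT" "$SAMPLE_RESOLV" "$SAMPLE_RULES" 192.168.24.1
```

If dnsvpn_rules reports fewer than two rules while Exclusive is selected, the clientN-dns.sh script never ran (or ran before the tunnel came up), which matches the symptom in the first post: clients keep using the WAN resolvers even though the server pushed 10.9.0.1 and 10.8.0.1.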
 

@Xentrk

How can I see the /etc/openvpn/fw directory? Where should I look for it?
Where can I enter the commands?

I am using Firefox. Does it make any difference at the DNS leak test?

Thank you for the tip, but you mean the DNS specified by the router, not VPN, don't you?
 
You need to use an SSH session to view the contents of the directory and files. SSH needs to be enabled. You then need to install an SSH client. I use MobaXterm. Many use WinSCP. Many choices are available.

You can change to a directory by using the "cd" command, e.g. cd /etc/openvpn/fw

You can look at file contents using the cat command, e.g. cat /etc/openvpn/fw/client5-dns.sh

Firefox has, or is rolling out, DoH built into the browser. Firefox is enabling this feature automatically. In this case, the DNS specified in the browser may override the DNS specified by the router. Merlin has made an update in the 384.14 beta release to override the Firefox feature.

Correct on the DNS Filter setting question. Accept DNS Configuration = Exclusive will force all devices that use the VPN client to use the DNS pushed by the VPN server rather than the DNS specified by the router.
 
Hi, I have a similar issue/question (happy to open a new thread but thought I would continue this one as I suspect the two might be associated).

Basically, I have an Asus RT-AC87U router that is my LAN gateway to the internet. I obviously have multiple clients on the LAN (both wired and wireless). I use 192.168.1.0 as my subnet. However, I also have a QNAP NAS on the network with two ports in use (192.168.1.170 and 192.168.1.171). Because the NAS has many purposes, from storing photos and multimedia to my work documents, and acts as a sync between clients both locally and remotely, I operate over a VPN. But I have never really had this working correctly...

I used to think that it was the NAS QVPN software causing the problem (I set up multiple VPN client gateways using this software which connected, but typically within 24 hours I would lose access to the NAS remotely and have to reboot ... often every day ... and this always resolved the problem).

However, recently I have used some of the home working time to try and fix this permanently, and I have moved the VPN off the NAS onto the router with policy-based routing whereby only the NAS is routed through the VPN tunnel. I have also recently set up a WireGuard VPN between a remote site I operate from and this works successfully off a second WAP client on the 192.168.1.0 LAN (I port forward all traffic to this router from the primary gateway).

But since changing the VPN client to the Asus-Merlin router it has worked even less well and now seems to not have a connection to the internet at all. I suspect the DNS is part of the problem, but I can't figure it out. I do though have LAN access to the NAS without a problem. As part of the attempt to solve it, I also changed the NAS from static IPs on its interface to static IPs assigned by the router.

I attach screenshots of my setup to see if this helps ...

Thanks
Attachments: RT-AC87U - DHCP Server.png, RT-AC87U - DNS-based Filtering.png, RT-AC87U - Internet Connection.png, RT-AC87U - LAN IP.png, RT-AC87U - OpenVPN Client Settings.png
 
Perhaps I'm misunderstanding what you're trying to do, but I have a similar setup that works without issue. There's no special config needed to allow devices from anywhere in the world to communicate with your NAS over a VPN. Once the client is connected to your router's VPN server the NAS should be accessible just the same as if you were at home on the LAN.
 
Hi, yes, I know it should ... but it is not, for some reason. So the LAN IP is accessible, but the NAS can't get out to the internet via the VPN, and I can't seem to access it (it gives me errors with updating the myqnapcloud DDNS) ...
 
Are you trying to run a VPN server and client at the same time? Meaning, are you trying to have some/all devices on your LAN access the Internet through a VPN while being able to access your LAN from the internet by VPN? If so, I don't think that's feasible.
 
No, not from the same router ... the router in question is my gateway for my whole network (via my ISP), so all other clients are using DNS filtering or no filtering to connect directly. Only the NAS is listed in the DNS filtering to use the VPN DNS servers, and then in the VPN client settings it is the only client to use the tunnel.

I do have an additional DD-WRT router on the same subnet that is a WireGuard server for roaming clients. I use this mainly for ensuring that if I am travelling outside the UK I am still able to access e.g. BBC Player services (I port forward all this traffic to the WireGuard router; the primary router does not fulfil any other function in this regard).
 
I still can't see how you can make that work. Whichever device (NAS or router) is running the VPN client is going to be inaccessible from outside the VPN. If the router is running a VPN client you will not be able to connect to a VPN server on that router from the internet. Likewise, if you're running a VPN client on the NAS you will not be able to access the NAS from the LAN.

Maybe I'm misunderstanding. Are you able to sketch a rough network diagram?
 
Hi there, thanks for taking the time to help!

I attach a very rough diagram...

The problem I am having is getting the NAS to connect through the OpenVPN route (it seems to be completely blocked at the Asus router, as it is accessible on the LAN and via the WireGuard route).

Thanks
Attachment: Network Topology.png
 
The diagram is also incorrect after the NordVPN connection as obviously beyond their servers the traffic is not encrypted either ...
 
Also, thinking more about what you said, I think I understand that per your comment... I am trying to do the impossible as I am trying to get Qsync to operate via the NordVPN route and that is by default not an accessible route?

However, it still doesn't explain why my NAS can't access the internet through that route?
 
Which device(s) are connected to NordVPN? The NAS won't access the internet through NordVPN unless the NAS itself is a VPN client connected to NordVPN servers.

I think describing a VPN as a "tunnel" is a bit misleading in that sense. Forwarding only works in one direction. Only the client(s) can access the internet through the server. You can't get the server to access the internet through the clients.
 
Hi, the router is the only device connected to NordVPN. But there is policy-based routing that only routes traffic from the NAS IPs through the VPN (see the config images I sent at the start). So, as I have tried to set it up, only the NAS would be accessing the internet through the tunnel, but for some reason it is blocked from doing so. I did use the NAS app (QVPN) to access and connect directly with NordVPN too, but this was just as unstable (and the router at this point did not connect...)
 