
DNS requests not routed thru VPN on Asuswrt-Merlin

Discussion in 'Asuswrt-Merlin' started by RKaniec, Nov 17, 2019.

  1. RKaniec

    RKaniec New Around Here

    Joined:
    Nov 16, 2019
    Messages:
    4
    Hello,

    I've set up an OpenVPN Client on my router Asus RT-AC68U with Asuswrt-Merlin version 384.13_0 as follows:
    Force Internet traffic through tunnel: Policy Rules (strict)
    Rule: 192.168.24.0/24: VPN
    Accept DNS Configuration: Exclusive

    The VPN connection works fine but there is one problem:
    not the DNS servers provided by the VPN tunnel but those from the WAN DNS setting of the router are used.

    I checked the results on https://dnsleaktest.com

    Could you please help me find the reason for this malfunction?

    Best regards,
    RKaniec
     
  2. Zastoff

    Zastoff Senior Member

    Joined:
    Nov 21, 2017
    Messages:
    493
    Try adding this to the custom config in the VPN client
    Code:
    dhcp-option DNS 8.8.8.8
    dhcp-option DNS 1.1.1.1
    push "dhcp-option DNS 8.8.8.8"
    push "dhcp-option DNS 1.1.1.1"
    And change 8.8.8.8 & 1.1.1.1 to your VPN DNS servers and see if it works
    edit:
    Also add rule for router
    edit2:
    Router 192.168.24.1 WAN (recommended)
     
    Last edited: Nov 17, 2019
  3. RKaniec

    RKaniec New Around Here

    Joined:
    Nov 16, 2019
    Messages:
    4
    Hello Zastoff,

    yes, it works. Thank you very much!!!
    Do you know why the "Exclusive" setting under "Accept DNS Configuration" does not take effect without this coding?

    I also added the recommended rule Router 192.168.0.1 WAN but it changed nothing: with your coding the VPN connection works correctly with and without this rule. What is it for?

    Regards,
    RKaniec
     
  4. Zastoff

    Zastoff Senior Member

    Joined:
    Nov 21, 2017
    Messages:
    493
    Don't know why exactly. Maybe the VPN server pushes DNS servers in a faulty way; the Exclusive setting should have worked..
    You can try to increase Verbosity in the VPN client to see more of what happens when you connect to the VPN server (DNS servers they push and so on)
    The Router rule is recommended when using 192.168.24.0/24 VPN. It can cause issues if you get the router's IP (192.168.24.1) forced through the VPN client, I guess ISP connection and more weird issues
    https://github.com/RMerl/asuswrt-merlin/wiki/Policy-based-routing
     
    Last edited: Nov 17, 2019
  5. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    12,136
    Location:
    UK
    Are you referring to the very last line of the wiki page? In which case the rules for the OP would be (assuming his router is at 192.168.24.1):
    Code:
    LAN           192.168.24.0/24    0.0.0.0        VPN
    Router        192.168.24.1       0.0.0.0        WAN
     
  6. Zastoff

    Zastoff Senior Member

    Joined:
    Nov 21, 2017
    Messages:
    493
    Sorry, I missed that he was using 192.168.24
     
  7. Xentrk

    Xentrk Part of the Furniture

    Joined:
    Jul 21, 2016
    Messages:
    2,921
    Location:
    The Land of Smiles
    @RKaniec

    If you have Accept DNS Configuration = Exclusive + Policy Rules, you should have a script in the /etc/openvpn/fw directory that sets DNS for the VPN Client. For example, VPN Client 5:

    Code:
    /tmp/etc/openvpn/fw/client5-dns.sh
    This command will check if the appropriate iptables chain was created:
    Code:
    iptables --line -t nat -nvL | grep DNSVPN
    
    1        6   248 DNSVPN5    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    2     4110  278K DNSVPN5    udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    
    To see the DNS pushed by the server, look at the appropriate file in the /etc/openvpn/dns/ folder.
    Code:
    cat /etc/openvpn/dns/client5.resolv
    
    server=10.9.0.1
    server=10.8.0.1
    What browser are you using when you do the DNS Leak test?

    To force all client devices to use VPN specified by the router, go to the LAN->DNSFilter screen and turn on "Enable DNS Filter" and set mode to "Router".
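    The two artefacts Xentrk points at (the DNSVPN&lt;n&gt; chain in the nat table and the client&lt;n&gt;.resolv file) can be checked with a small script. The following is an added example written for this thread, not code from the forum posts or from Asuswrt-Merlin; it parses the output of the quoted commands offline, using sample text constructed from the output shown above (plus one unrelated, constructed port-forward rule to confirm the check ignores it), and reports whether a given VPN client is really in the "Exclusive" DNS state.

```shell
#!/bin/sh
# Added example, not code from the thread or from Asuswrt-Merlin.
# Checks the two artefacts described above for a VPN client with
# Accept DNS Configuration = Exclusive: the DNSVPN<n> chain in the nat
# table and /etc/openvpn/dns/client<n>.resolv.

# Constructed sample of `iptables --line -t nat -nvL`: the two port-53
# rules quoted in the thread plus an unrelated DNAT rule (constructed,
# documentation address 203.0.113.10) that the check must ignore.
SAMPLE_NAT='Chain PREROUTING (policy ACCEPT 100 packets, 6000 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       50  3000 DNAT       tcp  --  *      *       0.0.0.0/0            203.0.113.10         tcp dpt:443 to:192.168.24.10:443
2        6   248 DNSVPN5    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
3     4110  278K DNSVPN5    udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53'

# Constructed sample of the failure state: the client5-dns.sh firewall
# script never ran, so no DNSVPN5 rules exist.
SAMPLE_NAT_NO_CHAIN='Chain PREROUTING (policy ACCEPT 100 packets, 6000 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       50  3000 DNAT       tcp  --  *      *       0.0.0.0/0            203.0.113.10         tcp dpt:443 to:192.168.24.10:443'

# Constructed sample of /etc/openvpn/dns/client5.resolv (dnsmasq syntax),
# with the two server values quoted in the thread.
SAMPLE_RESOLV='server=10.9.0.1
server=10.8.0.1'

# Number of nat rules that send port-53 traffic to DNSVPN<client>.
# A working Exclusive setup has two: one tcp, one udp.
dnsvpn_rule_count() {
    client="$1"
    nat_output="$2"
    printf '%s\n' "$nat_output" | grep -c "DNSVPN${client} .*dpt:53" || true
}

# DNS servers pushed by the VPN server, one per line.
pushed_dns_servers() {
    printf '%s\n' "$1" | sed -n 's/^server=//p'
}

# Summarise whether client <n> is actually redirecting DNS into the tunnel.
dns_exclusive_status() {
    client="$1"
    rules=$(dnsvpn_rule_count "$client" "$2")
    servers=$(pushed_dns_servers "$3" | grep -c . || true)
    if [ "$rules" -lt 2 ]; then
        echo "missing DNSVPN${client} redirect rules (found $rules of 2)"
    elif [ "$servers" -eq 0 ]; then
        echo "no DNS servers pushed by the VPN server"
    else
        echo "ok: ${servers} pushed server(s), port-53 traffic redirected to DNSVPN${client}"
    fi
}

# Offline run against the constructed samples. On the router itself, feed in
# live data from the commands quoted in the thread instead:
#   nat=$(iptables --line -t nat -nvL)
#   resolv=$(cat /etc/openvpn/dns/client5.resolv)
#   dns_exclusive_status 5 "$nat" "$resolv"
dns_exclusive_status 5 "$SAMPLE_NAT" "$SAMPLE_RESOLV"
dns_exclusive_status 5 "$SAMPLE_NAT_NO_CHAIN" "$SAMPLE_RESOLV"
```

    A count of 0 with "Exclusive" selected means the port-53 redirect was never installed, so queries from the policy-routed clients keep going to the router's WAN DNS servers, which is exactly what a DNS leak test would then show; a resolv file with no server= lines means the VPN server pushed nothing, which is the case where adding dhcp-option DNS lines to the custom config, as suggested earlier in the thread, makes a difference.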
     
  8. RKaniec

    RKaniec New Around Here

    Joined:
    Nov 16, 2019
    Messages:
    4
    @Xentrk

    How can I see the /etc/openvpn/fw directory? Where should I look for it?
    Where can I enter the commands?

    I am using Firefox. Does it make any difference at the DNS leak test?

    Thank you for the tip, but you mean the DNS specified by the router, not VPN, don't you?
     
  9. Xentrk

    Xentrk Part of the Furniture

    Joined:
    Jul 21, 2016
    Messages:
    2,921
    Location:
    The Land of Smiles
    You need to use an SSH session to view the contents of the directory and files. SSH needs to be enabled. You then need to install an SSH client. I use MobaXterm. Many use WinSCP. Many choices are available.

    You can change to a directory by using the "cd" command, e.g. cd /etc/openvpn/fw

    You can look at file contents using the cat command, e.g. cat /etc/openvpn/fw/client5-dns.sh

    Firefox has or is rolling out DoH built into the browser. Firefox is enabling this feature automatically. In this case, the DNS specified in the browser may override the DNS specified by the router. Merlin has made an update in the 384.14 Beta release to override the Firefox feature.

    Correct on the DNS Filter setting question. The Accept DNS Configuration = Exclusive will force all devices that use the VPN Client to use the DNS pushed by the VPN Server rather than the DNS specified by the router.
     
  10. Pseudomax

    Pseudomax Occasional Visitor

    Joined:
    Apr 19, 2018
    Messages:
    32
    Hi, I have a similar issue/question (happy to open a new thread but thought I would continue this one as I suspect the two might be associated).

    Basically, I have an Asus RT-AC87U router that is my LAN gateway to the internet. I obviously have multiple clients on the LAN (both wired and wireless). I use 192.168.1.0 as my subnet. However, I also have a QNAP NAS on the network with 2 used ports (192.168.1.170 & 192.168.1.171). But because the NAS has many purposes, from storing photos and multimedia to also my work documents, and acts as a sync between clients both locally & remotely, I operate over a VPN. But I have never really had this working correctly...

    I used to think that it was the NAS QVPN software causing the problem (I set up multiple VPN client gateways using this software which connected, but typically within 24 hours I would lose access to the NAS remotely and have to reboot ... often every day ... and this always resolved the problem).

    However, recently I have used some of the home working time to try and fix this permanently and I have moved the VPN off the NAS onto the router with policy based routing whereby only the NAS is routed through the VPN tunnel. I also have recently set up a wireguard VPN between a remote site I operate from and this works successfully off a second WAP client to the 192.168.1.0 LAN (I port forward all traffic to this router from the primary gateway).

    But since changing the VPN client to the Asus-Merlin router it has worked even less well and now seems to not have a connection to the internet at all. I suspect the DNS as part of the problem, but I can't figure it out. I do though have LAN access to the NAS without a problem. As part of the attempt to solve it, I also changed the NAS from static IPs on its interface to static IPs assigned by the router.

    I attach screenshots of my setup to see if this helps ...

    Thanks
    [Attached screenshots: RT-AC87U DHCP Server, DNS-based Filtering, Internet Connection, LAN IP, OpenVPN Client Settings]
     
  11. sbsnb

    sbsnb Senior Member

    Joined:
    Aug 9, 2017
    Messages:
    314
    Perhaps I'm misunderstanding what you're trying to do, but I have a similar setup that works without issue. There's no special config needed to allow devices from anywhere in the world to communicate with your NAS over a VPN. Once the client is connected to your router's VPN server the NAS should be accessible just the same as if you were at home on the LAN.
     
  12. Pseudomax

    Pseudomax Occasional Visitor

    Joined:
    Apr 19, 2018
    Messages:
    32
    Hi, yes I know it should ... but it is not for some reason? So the LAN IP is accessible but the NAS can't get out to the internet via the VPN and I can't seem to access it (it gives me errors with updating the myqnapcloud ddns) ...
     
  13. sbsnb

    sbsnb Senior Member

    Joined:
    Aug 9, 2017
    Messages:
    314
    Are you trying to run a VPN server and client at the same time? Meaning, are you trying to have some/all devices on your LAN access the Internet through a VPN while being able to access your LAN from the internet by VPN? If so, I don't think that's feasible.
     
  14. Pseudomax

    Pseudomax Occasional Visitor

    Joined:
    Apr 19, 2018
    Messages:
    32
    No, not from the same router ... the router in question is my gateway for my whole network (via my ISP)... so all other clients are using DNS filtering or no filtering to connect directly. Only the NAS is listed in the DNS filtering to use the VPN DNS servers and then in the VPN client settings to be the only clients to use the tunnel.

    I do have an additional DD-WRT router on the same subnet that is a Wireguard server for roaming clients. I use this though mainly for ensuring that if I am travelling outside the UK I am still able to access e.g. BBC Player services (and I port forward all this traffic to the Wireguard router), but the primary router does not fulfil any other function in this regard.
     
  15. sbsnb

    sbsnb Senior Member

    Joined:
    Aug 9, 2017
    Messages:
    314
    I still can't see how you can make that work. Whichever device (NAS or router) is running the VPN client is going to be inaccessible from outside the VPN. If the router is running a VPN client you will not be able to connect to a VPN server on that router from the internet. Likewise, if you're running a VPN client on the NAS you will not be able to access the NAS from the LAN.

    Maybe I'm misunderstanding. Are you able to sketch a rough network diagram?
     
  16. Pseudomax

    Pseudomax Occasional Visitor

    Joined:
    Apr 19, 2018
    Messages:
    32
    Hi there, thanks for taking the time to help!

    I attach a very rough diagram...

    The problem I am having is getting the NAS to connect through the OpenVPN route (it seems to be completely blocked at the Asus router, as it is accessible on the LAN and via the Wireguard route).

    Thanks
    [Attached diagram: Network Topology]
     
  17. Pseudomax

    Pseudomax Occasional Visitor

    Joined:
    Apr 19, 2018
    Messages:
    32
    The diagram is also incorrect after the NordVPN connection as obviously beyond their servers the traffic is not encrypted either ...
     
  18. Pseudomax

    Pseudomax Occasional Visitor

    Joined:
    Apr 19, 2018
    Messages:
    32
    Also, thinking more about what you said, I think I understand that per your comment... I am trying to do the impossible as I am trying to get Qsync to operate via the NordVPN route and that is by default not an accessible route?

    However, it still doesn't explain why my NAS can't access the internet through that route?
     
  19. sbsnb

    sbsnb Senior Member

    Joined:
    Aug 9, 2017
    Messages:
    314
    Which device(s) are connected to NordVPN? The NAS won't access the internet through NordVPN unless the NAS itself is a VPN client connected to NordVPN servers.

    I think describing a VPN as a "tunnel" is a bit misleading in that sense. Forwarding only works in one direction. Only the client(s) can access the internet through the server. You can't get the server to access the internet through the clients.
     
  20. Pseudomax

    Pseudomax Occasional Visitor

    Joined:
    Apr 19, 2018
    Messages:
    32
    Hi, the router is the only device connected to NordVPN. But there is policy based routing that only routes traffic from the NAS IPs through the VPN (see the config images I sent at the start). So as I have tried to set it up, only the NAS would be accessing the internet through the tunnel, but for some reason it is blocked from doing so. I did use the NAS app (QVPN) to access and connect directly with NordVPN too, but this was just as unstable (and the router at this point did not connect...)