DoH using NextDNS CLI and OpenVPN (ProtonVPN) with PBR - Can it be done?


MvW
Guest
Greetings to all,

I have read this thread but I am confused, as I can't seem to figure out whether the goal of the topic starter was achieved and it seems that his goal is also slightly different compared to mine:

My wishes:

What I would like is to set up one (or more) tunnels to ProtonVPN (paid subscription) and use NextDNS CLI (paid subscription) at the same time, as the NextDNS client communicates (with a unique identifier) the local client names for logging, parental controls, ad blocking etc. I want to keep oversight over each local client's activity. For those of you who think OCD or control freak when reading this, you're both right. I would like DNS resolving (NextDNS DoH) through the tunnel for (most of) the clients (see below).

I have my own laptop with YogaDNS (also for NextDNS, using my unique identifier) and the Windows ProtonVPN app installed, so I can set up a VPN connection wherever I want. In theory the laptop can bypass the VPN config on my router, which means that (if I understand correctly) I need to use PBR, which seems to cause issues combined with NextDNS, if I understand the other thread correctly.

I guess I also need to use PBR because my kid doesn't want his PS4 Pro and his gaming laptop to be routed through the VPN tunnel, because of the lower performance, which I understand.

Can this be done using the Next CLI client and OpenVPN? VPN related matters are rather complex for me (I can set up a server and set up a client as well, but have too little knowledge of advanced settings, although I'm learning a lot from @eibgrad and several others), but because of the troubles with my head, I'm not up to hours of trial and error (unfortunately, I must say, there used to be a time that part was the fun part). If anything goes wrong, even though I do make frequent backups, for some reason it always comes down to setting up everything all over again, for which I lack the energy.

I've done quite a bit of reading the last few nights and also found a post using dnscrypt for NextDNS, using their SDNS-stamps, but it seems that I'm losing the 'client recognition' functionality and caching and probably other advantages over their own CLI client which matter to me, so that doesn't seem to be the solution either.

Can anyone help me in the right direction? Your help is very much appreciated.

Thanks in advance.

Best regards,
Marco
 
Yes, the OP of that other thread achieved his goals.

The issue for him was that because he was using PBR (policy based routing), that removed the router itself (and all its internal processes, like DNSMasq) from the VPN. So when he configured the NextDNS proxy on the router, and the proxy accessed the NextDNS servers on behalf of DNSMasq, those NextDNS servers were accessed over the WAN, NOT the VPN! That was his complaint (presumably concerned it might be a DNS leak).

In order for the OP to correct the problem, he needed to add the NextDNS servers as PBR rules, but using the destination IP field. That effectively bound those IPs back to the VPN.

However, in spite of everything in that lengthy (and admittedly confusing) thread, much of the concern for a DNS leak was unwarranted given those queries were encrypted by the NextDNS proxy! Once you're using DoT/DoH for DNS, it doesn't really matter anymore if you run your queries over the WAN or VPN. The issue is moot. But it can be disconcerting to users when they're expecting DNS to be accessed over the VPN, but NextDNS reports the public IP of their WAN.

So in the end, it was much ado about nothing. It was more about satisfying the OP's desire to have NextDNS report his access over the VPN (for whatever that's worth). More importantly, his DNS queries were always secured by the NextDNS proxy, regardless of whether over the WAN or VPN.
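The mechanism described in the reply above (LAN-client PBR rules leave the router's own processes, including the NextDNS proxy, on the WAN until destination-IP rules pin the resolver addresses back to the tunnel) can be checked with a small model of first-match policy routing. This is an added example and not code from the thread or from any router firmware; the rule evaluator, the interface names `wan` and `tun11`, and all addresses (RFC 1918 LAN, TEST-NET ranges for the WAN address and the resolver IPs) are constructed placeholders, and router-originated traffic is modelled as carrying the router's WAN address as source, which is why the LAN source rules never match it.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed placeholders: real deployments substitute their own
# interface names, LAN range and the resolver IPs of their DNS provider.
VPN_IFACE = "tun11"
WAN_IFACE = "wan"
LAN = "192.168.1.0/24"
ROUTER_WAN_IP = "203.0.113.10"          # router's own egress address (TEST-NET-3)
GAMING_HOSTS = ["192.168.1.20/32", "192.168.1.21/32"]  # PS4 / gaming laptop
RESOLVERS = ["198.51.100.5", "198.51.100.6"]           # DoH resolver IPs (TEST-NET-2)


@dataclass
class Rule:
    """One policy-routing rule; None means 'match anything' for that field."""
    src: Optional[str]
    dst: Optional[str]
    iface: str


def egress(rules: List[Rule], src_ip: str, dst_ip: str, default: str = WAN_IFACE) -> str:
    """Return the interface a packet would leave on: first matching rule wins,
    otherwise the default (WAN) route applies."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.src is not None and s not in ipaddress.ip_network(r.src):
            continue
        if r.dst is not None and d not in ipaddress.ip_network(r.dst):
            continue
        return r.iface
    return default


def lan_rules() -> List[Rule]:
    """Typical PBR set: gaming hosts bypass the VPN, every other LAN host uses it.
    Exceptions are listed first because evaluation is first-match."""
    rules = [Rule(h, None, WAN_IFACE) for h in GAMING_HOSTS]
    rules.append(Rule(LAN, None, VPN_IFACE))
    return rules


def lan_rules_with_resolver_pins() -> List[Rule]:
    """Same set plus destination-IP rules that bind the resolver addresses
    to the tunnel, regardless of which process on the router sends to them."""
    return lan_rules() + [Rule(None, f"{ip}/32", VPN_IFACE) for ip in RESOLVERS]


def resolvers_leaving_via_wan(rules: List[Rule], router_src: str = ROUTER_WAN_IP) -> List[str]:
    """List resolver IPs that router-originated traffic would reach over the WAN.
    An empty list means the proxy's upstream traffic stays inside the tunnel."""
    return [ip for ip in RESOLVERS if egress(rules, router_src, ip) != VPN_IFACE]


if __name__ == "__main__":
    base = lan_rules()
    print("ordinary LAN client ->", egress(base, "192.168.1.50", "1.1.1.1"))
    print("gaming host         ->", egress(base, "192.168.1.20", "1.1.1.1"))
    print("router proxy, no pins ->", resolvers_leaving_via_wan(base))
    print("router proxy, pinned  ->", resolvers_leaving_via_wan(lan_rules_with_resolver_pins()))
```

`resolvers_leaving_via_wan` is the check worth running after any PBR change: a non-empty result reproduces exactly the situation in the other thread, where the proxy's upstream connections were still encrypted (so not a content leak) but NextDNS logged the WAN address rather than the VPN exit.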
 
