Solved Exclusive DNS leads to all VPN connections blocked

Inrumpo

Occasional Visitor
Hello community!

I'm experiencing a weird and annoying issue. I hope that I'll find some help here. Since I don't know the cause of my issue, I'm posting this one in the VPN section of the forum.

Environment:
  1. Asus RT-AC86u Router
  2. Asus WRT Merlin 386.7_2
  3. amtm 3.3
  4. Skynet 7.2.8 (only script besides amtm)
Backstory:
We had a power outage a few days ago. For whatever reason, my network stopped working after that. My router didn't manage to perform an NTP sync. This brought everything to a halt. Multiple reboots and a firmware update to 386.7_1 (at that time) didn't help. I had to do a factory reset. Since the previously saved .tar settings file turned out to be invalid, I have to redo my whole configuration manually. However, I'm not getting it to work the way it did before.

Goal:
I'd like to (again) use my VPN service (NordVPN for now) with their DNS servers and "Accept DNS Configuration" set to "Exclusive" and route some of my devices through this VPN using the "VPN Director (policy rules)". NordVPN DNS Servers are 103.86.96.100 and 103.86.99.100. For all other devices that don't go through the VPN I want to use DoT with my selected Servers.

The issue:
The VPN connection itself (setting it up in my router settings) does work, but: As long as I've set "Accept DNS Configuration" to "Exclusive", devices that should go through the VPN via policy rules will not have internet access. Setting "Accept DNS Configuration" to "Strict" (or more lenient) does work, but this causes DNS leaks I want to avoid.

Such blocking can look like this in my log:
Jul 22 22:44:52 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:cc:xx:xx:xx:xx:xx:xx:xx SRC=79.124.62.130 DST=MY-IP-REDACTED LEN=40 TOS=0

Current WAN settings:
Screenshot 2022-07-26 at 19-11-59 ASUS Wireless Router RT-AC86U - Internet Connection.png


Current VPN Client settings:
Screenshot 2022-07-26 at 19-14-45 ASUS Wireless Router RT-AC86U - OpenVPN Client Settings.png


I've basically followed this NordVPN guide.

What I've tried without luck:
  • router reboot
  • firmware update
  • refresh VPN whitelist in Skynet
  • refresh whitelist entries in Skynet
  • manually whitelist the DNS servers in question in Skynet, but doesn't work ("ipset v7.6: Element cannot be added to the set: it's already added")
  • testing different WAN DNS settings (enable/disable DNSSEC support/DNS Privacy Protocol etc.)
Using other DNS servers (from ISP or Quad9 etc.) does work, but I want/need to use those provided by NordVPN.

I hope someone has an idea how to fix this. Help is appreciated.
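As an added example (not from the thread or from Skynet itself), here is a small Python parser for Skynet's "[BLOCKED - ...]" kernel log lines like the one quoted above; it counts blocked packets per direction and flags any blocked port-53 traffic towards the VPN provider's resolvers, which is what you would want to confirm or rule out before suspecting the firewall. The embedded log lines are constructed samples; only the first is modelled on the line in the post, and the extra PROTO/DPT fields are assumed from the standard netfilter LOG format.

```python
import re
from collections import Counter

# Constructed sample lines in the Skynet / netfilter LOG format.
# Line 1 is modelled on the one in the thread; the rest are made up here.
SAMPLE_LOG = """\
Jul 22 22:44:52 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:cc:xx:xx:xx:xx:xx:xx:xx SRC=79.124.62.130 DST=192.0.2.10 LEN=40 TOS=0
Jul 22 22:45:03 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=tun11 SRC=192.168.1.50 DST=103.86.96.100 LEN=60 TOS=0 PROTO=UDP SPT=51234 DPT=53
Jul 22 22:45:04 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=tun11 SRC=192.168.1.50 DST=103.86.99.100 LEN=60 TOS=0 PROTO=UDP SPT=51235 DPT=53
Jul 22 22:45:10 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0 PROTO=TCP DPT=22
"""

# The NordVPN resolvers named in the post.
VPN_DNS = {"103.86.96.100", "103.86.99.100"}

# Direction tag, then the whitespace-separated key=value fields that follow it.
LINE_RE = re.compile(r"\[BLOCKED - (?P<dir>[A-Z]+)\]\s+(?P<fields>.*)$")


def parse_line(line):
    """Return a dict of the netfilter fields plus DIR, or None if not a Skynet block line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = {}
    for tok in m.group("fields").split():
        key, _, value = tok.partition("=")
        fields[key] = value  # an empty value such as 'OUT=' is kept as ""
    fields["DIR"] = m.group("dir")
    return fields


def summarize(log_text, dns_servers=VPN_DNS):
    """Count blocked packets per direction and list blocked DNS queries to dns_servers."""
    by_dir = Counter()
    dns_blocks = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        by_dir[rec["DIR"]] += 1
        if rec.get("DPT") == "53" and rec.get("DST") in dns_servers:
            # (client, resolver, egress interface) - tun11 means it left via the VPN tunnel
            dns_blocks.append((rec["SRC"], rec["DST"], rec.get("OUT", "")))
    return by_dir, dns_blocks


if __name__ == "__main__":
    counts, blocked_dns = summarize(SAMPLE_LOG)
    print(dict(counts))
    for src, dst, out in blocked_dns:
        print(f"blocked DNS query {src} -> {dst} via {out or '(local)'}")
```

Feed it `grep BLOCKED /tmp/syslog.log` output instead of the sample text to check your own router; an empty DNS list means the resolvers are not being dropped by Skynet and the problem lies elsewhere.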
 

ColinTaylor

Part of the Furniture
Don't use NordVPN's DNS servers in your WAN DNS settings. Use either your ISP's DNS servers or some other publicly available server like 9.9.9.9.
 

Inrumpo

Occasional Visitor
Don't use NordVPN's DNS servers in your WAN DNS settings. Use either your ISP's DNS servers or some other publicly available server like 9.9.9.9.
Thanks for the quick answer! I did test this and (to my surprise) it seems to work.
Now my test device can access the internet through the VPN and I don't see any other DNS servers/leaks when testing – even though I haven't even set the VPN provider's DNS servers anymore.

Would you mind explaining why my previous setup didn't work (anymore)?
 

ColinTaylor

Part of the Furniture
Would you mind explaining why my previous setup didn't work (anymore)?
Because those instructions on NordVPN's website are years out of date. The way Merlin's VPN client works has changed significantly since then, especially since the introduction of VPN Director.
 

Inrumpo

Occasional Visitor
Because those instructions on NordVPN's website are years out of date. The way Merlin's VPN client works has changed significantly since then, especially since the introduction of VPN Director.
Ok …

The only weird thing I'm seeing now is my router thinking it's disconnected, while it clearly isn't. It even shows some internet traffic right next to it.
Screenshot 2022-07-26 232808.png
 

ColinTaylor

Part of the Furniture
Ok …

The only weird thing I'm seeing now is my router thinking it's disconnected, while it clearly isn't. It even shows some internet traffic right next to it.
That's a known problem that's unrelated to the VPN. Have you changed the Network Monitoring settings (Administration - System), or blocked Microsoft telemetry?
 

Inrumpo

Occasional Visitor
That's a known problem that's unrelated to the VPN. Have you changed the Network Monitoring settings (Administration - System), or blocked Microsoft telemetry?
Network Monitoring:
Screenshot ASUS Wireless Router RT-AC86U.png

Looks like the default settings to me.

Blocked Microsoft telemetry:
Not that I know of. At least not in/on my router.

I don't care much if this known problem is just a UI thing without any consequences.
 

ColinTaylor

Part of the Furniture
I don't care much if this known problem is just a UI thing without any consequences.
If it's what I think it is then it's just a UI thing. In which case setting Network Monitoring as follows should "fix" it.

Untitled.png
 

128bit

Regular Contributor
Don't use NordVPN's DNS servers in your WAN DNS settings. Use either your ISP's DNS servers or some other publicly available server like 9.9.9.9.
well, i had the exact same problem after finally taking the dive to put nord on the router and be free of their app. i started this migration yesterday and had spent hours trying to get "exclusive" to work. it did for awhile though and then proof.
:confused: after all that time, i didn't want to believe your solution would work - it was way too simple. in fact, i had been using quad9 and replaced it with those nord addresses; but it worked great and my media devices still do netflix, youtubeTV and prime. :) so yeah, i'm truly thankful for a board like this with such nice "furniture!" i also copied some of inrumpo's dns settings for good measure. u folks are truly the best.

now that said, i have one "n" client that still has the same behavior. i even added the quad dns addresses directly to its adapter but still only intranet (local lan) no internet. if you have any additional thoughts. . .
 
