Just for my own peace of mind.....Difficult to imagine the VPN provider would be sensitive to the "Accept DNS configuration" setting given this option is only used to determine how the *local* DNSMasq process is reconfigured once the OpenVPN client gets connected. The VPN provider has no way of forcing you to use a specific DNS server. All he can do is make a suggestion by pushing one or more DNS servers to the OpenVPN client and letting it decide.
Also, the most common reason for DNS leaks in your scenario is due to the use of policy based routing, which has the side-effect of removing the router itself from the VPN. Hence, any processes the router is managing (including DNSMasq) are bound to the WAN/ISP by default.
So let's say the VPN provider pushes a *public* DNS server (e.g., 18.104.22.168) to the VPN client, rather than a *private* DNS server only accessible over the tunnel (e.g., 10.8.0.1), and the client is using Exclusive. That 18.104.22.168 DNS server will necessarily be accessed over the WAN/ISP, unless the VPN provider was smart enough to also include a route directive for 18.104.22.168 that binds it to the VPN (some do, many do NOT). At least that would *normally* work. But Merlin strips out such static routes for reasons I don't agree with.
Given the uncertainty, it's *my* recommendation that you specify "Disabled" for "Accept DNS configuration" and configure DNSMasq w/ your preferred DNS servers (e.g., Cloudflare, 1.1.1.1 and 1.0.0.1), which can be accomplished by configuring the WAN w/ custom servers. Then bind those servers (as destination IPs) to the VPN using policy based routing. Thus in all cases, you know w/ certainty which DNS servers are being used, and via which network interface. If you don't, then you're always going to face a certain level of risk regarding DNS leaks since you are not in control of the entire process.
Of course, another solution is to NOT use traditional DNS at all, but one of the DoT/DoH solutions (e.g., NextDNS). Now it doesn't matter whether DNS is accessed over the WAN or VPN, since in either case, the traffic is encrypted. That is, unless you also have a need to obscure the fact you're using non-traditional DNS from your ISP (seems a bit extreme to me, but I suppose it might matter to some).
Sorry I appear such a dunce. I think I may be labouring under a misapprehension.
Does loading Merlin mean I'm using split-tunnelling or policy based routing? Are they the same thing? I don't have x3mRouting loaded at the moment.
I tried ExpressVPN this morning. It didn't work with the OpenVPN client set for "Strict", and no extra configuration.
Router Log following Express connection....
May 31 09:59:08 ovpn-client3: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.40.0.1,comp-lzo no,route 10.40.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.40.1.38 10.40.1.37,peer-id 79,cipher AES-256-GCM'
I can see from the router log it's pushing a different DNS address (10.40.0.1) than it was a few days ago, and the ifconfig command shows 10.40.1.38. Different subnet, right?
From the Asus openvpn client page, "Service State" it shows me the same address as ifconfig, 10.40.1.38. That's the address of the tunnel, yes?
So the router/openvpn client does NOT know how to reach the DNS because the tunnel and DNS are in different subnets. Is that correct?
To get Express working with "Strict", then, I must bind the DNS 10.40.0.1 to the VPN using pbr, AND put the 10.40.0.1 address in my router WAN DNS settings? Is that correct?
And you use your own preferred public DNS servers; bind them to the VPN using pbr; set "Accept DNS Configuration" to "STRICT", and also put your DNS address in the router WAN? Is that correct?
x3mRouting is still pbr, just expanded so things like domain names can be used as policy, yes?
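The leak case described in the reply above (a public resolver pushed with no covering route) and the PUSH_REPLY question raised here can be checked mechanically. The script below is an added example, not code from this thread or from Asuswrt-Merlin: it takes an ovpn-client PUSH_REPLY log line, pulls out every "dhcp-option DNS" server, and reports whether that server is private (RFC1918) or public and whether the same PUSH_REPLY carries a "route" directive covering it. The ExpressVPN line is the one quoted later in the thread; the two public-resolver lines are constructed samples using TEST-NET-3 (203.0.113.0/24) addresses and do not describe any real provider. Note the caveat from the reply: "routed" only means the server pushed a route, not that the firmware kept it.

```sh
#!/bin/sh
# Added example (not from this thread): classify the DNS servers an OpenVPN
# server pushes, as seen in an Asuswrt-Merlin ovpn-client PUSH_REPLY log line.
# For each "dhcp-option DNS" entry it reports whether the server is private
# (RFC1918, so only reachable through the tunnel) or public, and whether the
# same PUSH_REPLY carries a "route" directive covering it.  A public resolver
# with no covering route is the leak case: the router's dnsmasq reaches it over
# the WAN unless you bind it to the tunnel with policy routing yourself.

# Dotted quad -> 32-bit integer (subshell so IFS is not changed globally).
ip2int() {
  ( IFS=.; set -- $1; echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )) )
}

# True if $1 is in 10/8, 172.16/12 or 192.168/16.
is_private() {
  case "$1" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# True if IP $1 lies inside network $2 with netmask $3
# ($3 defaults to 255.255.255.255, the mask OpenVPN assumes for "route x").
in_network() {
  _ip=$(ip2int "$1"); _net=$(ip2int "$2"); _mask=$(ip2int "${3:-255.255.255.255}")
  [ $(( _ip & _mask )) -eq $(( _net & _mask )) ]
}

# Pushed DNS servers, one per line.
pushed_dns() {
  printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^dhcp-option DNS \([0-9.][0-9.]*\).*/\1/p'
}

# Pushed routes as "network netmask" (netmask empty when the server omitted it).
pushed_routes() {
  printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^route \([0-9.][0-9.]*\) *\([0-9.]*\).*/\1 \2/p'
}

# classify_dns PUSH_REPLY_LINE DNS_IP -> private-routed | private-unrouted |
#                                       public-routed  | public-unrouted
classify_dns() {
  if is_private "$2"; then _scope=private; else _scope=public; fi
  _routed=$(pushed_routes "$1" | while read -r net mask; do
    if in_network "$2" "$net" "$mask"; then echo routed; break; fi
  done)
  echo "$_scope-${_routed:-unrouted}"
}

# report PUSH_REPLY_LINE: one "dns<TAB>verdict" line per pushed resolver.
report() {
  for _dns in $(pushed_dns "$1"); do
    printf '%s\t%s\n' "$_dns" "$(classify_dns "$1" "$_dns")"
  done
}

# The ExpressVPN PUSH_REPLY quoted in the thread: private resolver, host route pushed.
EXPRESS_LINE="May 31 09:59:08 ovpn-client3: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.40.0.1,comp-lzo no,route 10.40.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.40.1.38 10.40.1.37,peer-id 79,cipher AES-256-GCM'"

# Constructed samples (TEST-NET-3 addresses, not a real provider): a public
# resolver pushed without any route, and the same resolver with a covering /24.
PUBLIC_NOROUTE_LINE="May 31 10:00:00 ovpn-client1: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 203.0.113.53,topology subnet,ifconfig 10.8.0.2 255.255.255.0,cipher AES-256-GCM'"
PUBLIC_ROUTED_LINE="May 31 10:00:00 ovpn-client2: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 203.0.113.53,route 203.0.113.0 255.255.255.0,topology subnet,ifconfig 10.8.0.2 255.255.255.0,cipher AES-256-GCM'"

for _line in "$EXPRESS_LINE" "$PUBLIC_NOROUTE_LINE" "$PUBLIC_ROUTED_LINE"; do
  report "$_line"
done
```

On the router itself you would feed it the latest PUSH_REPLY from the log, e.g. `report "$(grep PUSH_REPLY /tmp/syslog.log | tail -1)"`. A `public-unrouted` verdict is exactly the server you must bind to the tunnel yourself (or replace via "Disabled" plus your own WAN DNS servers, as recommended above); a `private-*` verdict is a resolver that can only ever be reached through the tunnel.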
iptables -vnL
iptables -t nat -vnL
iptables -t nat -vnL DNSVPN1
cat /tmp/etc/dnsmasq.conf
cat /tmp/resolv.dnsmasq
...
Very briefly took a look at this this morning, after reading DNS over TLS etc....I don't pretend to understand most of that discussion. Some I recognise...
If I set Express to Exclusive, it works, unblocks the streams I want.
Set to Exclusive, I cannot ping or traceroute the pushed DNS, 10.40.0.1.
Using iptables -t nat -vnL, I can see an entry for DNSVPN3, which is my ExpressVPN (please excuse the woody cut and paste)
Chain PREROUTING (policy ACCEPT 1466 packets, 255K bytes)
pkts bytes target prot opt in out source destination
3 180 DNSVPN3 tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
460 31493 DNSVPN3 udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
42 2512 DNSVPN4 tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
3640 249K DNSVPN4 udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
4759 194K ACCEPT all -- eth0 * 0.0.0.0/0 224.0.0.0/4
28 1371 GAME_VSERVER all -- * * 0.0.0.0/0 100.64.45.208
28 1371 VSERVER all -- * * 0.0.0.0/0 100.64.45.208
Once I set it to Strict, it no longer works, and the Chain PREROUTING entry for DNSVPN3 disappears...
I use DDNS to facilitate the Express MediaStreamer option. If my VPN is off, in my account it registers my actual IP address, and DNS leak test points me at a USA DNS, operated by them.
Once I activate a VPN, I see this message in my account....
"Looks like you're connected to ExpressVPN with the app. All ExpressVPN IP addresses are automatically registered for DNS, so you don't have to register this specific IP address."
Does that have any bearing on how the VPN is working despite the fact the pushed DNS is a different network address to the tunnel, and appears unreachable?
The more I look, the more confused I become....
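The observation above (the DNSVPN3 rules are present in nat PREROUTING under Exclusive and gone under Strict) is easy to turn into a repeatable check. The script below is an added example, not code from this thread or from the firmware: given the text of `iptables -t nat -vnL PREROUTING`, it lists which DNSVPN chains are hooking port 53 and answers whether a given client number still has its DNS redirect. The Exclusive table is the output posted above (with the multicast destination written as 224.0.0.0/4); the Strict table is constructed from it by dropping the DNSVPN3 rules, which is what the post reports seeing.

```sh
#!/bin/sh
# Added example (not from this thread): find which Asuswrt-Merlin DNSVPN<n>
# chains intercept port-53 traffic in nat PREROUTING, given the text of
# "iptables -t nat -vnL PREROUTING".  The thread shows the chain for OpenVPN
# client n present under "Accept DNS configuration = Exclusive" and absent
# under "Strict"; without it, LAN DNS queries are no longer forced through
# that client's pushed resolver.

# Print the distinct DNSVPN targets of port-53 rules, in the order seen.
dns_redirect_chains() {
  printf '%s\n' "$1" | awk '/dpt:53/ && $3 ~ /^DNSVPN[0-9]+$/ && !seen[$3]++ { print $3 }'
}

# client_dns_forced N TABLE_TEXT -> 0 if DNSVPN<N> hooks port 53, 1 otherwise.
client_dns_forced() {
  dns_redirect_chains "$2" | grep -qx "DNSVPN$1"
}

# Output posted in the thread (clients 3 and 4 set to Exclusive).
EXCLUSIVE_TABLE='Chain PREROUTING (policy ACCEPT 1466 packets, 255K bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   180 DNSVPN3    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
  460 31493 DNSVPN3    udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
   42  2512 DNSVPN4    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
 3640  249K DNSVPN4    udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
 4759  194K ACCEPT     all  --  eth0   *       0.0.0.0/0            224.0.0.0/4
   28  1371 GAME_VSERVER  all  --  *      *       0.0.0.0/0            100.64.45.208
   28  1371 VSERVER    all  --  *      *       0.0.0.0/0            100.64.45.208'

# Constructed: the same table after client 3 was switched to Strict
# (its DNSVPN3 rules disappear, as observed in the thread).
STRICT_TABLE=$(printf '%s\n' "$EXCLUSIVE_TABLE" | grep -v DNSVPN3)

for n in 3 4; do
  for mode in EXCLUSIVE STRICT; do
    eval "table=\$${mode}_TABLE"
    if client_dns_forced "$n" "$table"; then verdict=yes; else verdict=no; fi
    printf 'client %s, %s: DNS forced through DNSVPN%s=%s\n' "$n" "$mode" "$n" "$verdict"
  done
done
```

On a live router run it as `client_dns_forced 3 "$(iptables -t nat -vnL PREROUTING)"`; an exit status of 1 for a client you expect to be in Exclusive mode means LAN resolvers are not being redirected to that tunnel's DNS at all, and the only thing deciding where queries go is whatever dnsmasq has in /tmp/resolv.dnsmasq plus your policy routes.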