Failing DNS Leak Test - Help


bapesta786

I have an AC68U running Merlin f/w. I have an account with a VPN provider, from which I obtained a configuration file which I uploaded to the VPN Client configuration part within the router admin console.

I have 3 devices which I would like to route through my VPN tunnel however no matter which configuration I choose, I somehow fail IP Leak tests.

See below for settings and outcomes:

Accept DNS Configuration: Exclusive
Redirect Internet Traffic: Policy Rules (Strict)
Result: Devices pick up VPN IP address, however DNS servers show my ISP's

Accept DNS Configuration: Strict
Redirect Internet Traffic: Policy Rules (Strict)
Result: Devices pick up VPN IP address, however DNS servers show my ISP's

Accept DNS Configuration: Strict
Redirect Internet Traffic: Policy Rules (Strict)
Custom Configuration: 'dhcp-option DNS x.x.x.x'
Result: Devices listed in Policy Rules pick up VPN IP address AND DNS address, HOWEVER... every other device on the network keeps the ISP IP address but routes its traffic through the DNS IP. This has me baffled!

Any ideas?
 
Try setting 'Connect to DNS Server automatically' to No in WAN > WAN DNS Settings and configure them manually. That's how I configured it, and I never have a DNS leak. I've set 'Accept DNS Configuration' to Disabled in my VPN config.
 
When using Exclusive you will notice in the port forwarding info under the syslog tab that there are forwards to a private IP for each device listed in policy rules. You may have to reboot the router to get this working right. It would be normal for your other non-policy-routed clients to use your defined system DNS under WAN settings, as there are no policy restrictions.
 
Try setting 'Connect to DNS Server automatically' to No in WAN > WAN DNS Settings and configure them manually. That's how I configured it, and I never have a DNS leak. I've set 'Accept DNS Configuration' to Disabled in my VPN config.
Thanks for the reply - which DNS servers would go in this section?
 
When using Exclusive you will notice in the port forwarding info under the syslog tab that there are forwards to a private IP for each device listed in policy rules.

Yep, I can see that. This is expected, right?

You may have to reboot the router to get this working right. It would be normal for your other non-policy-routed clients to use your defined system DNS under WAN settings, as there are no policy restrictions.

Which DNS servers am I setting here?
 
Yep, I can see that. This is expected, right?
Yes it is.

Which DNS servers am I setting here?
The preferred DNS you pick, e.g. 8.8.8.8, Cloudflare 1.1.1.1, maybe Quad9 9.9.9.9, or your ISP's DNS.
 
Basically your choice.
 
Basically your choice.
So I've set the DNS servers under WAN settings to 8.8.8.8.

I've set "Accept DNS Configuration" under VPN to disabled. I connected my VPN. IP Leak test shows my device having my VPN IP address, and the Google DNS servers.

As you said above, every other device has still got my ISP IP address and Google DNS servers, which is fine, however I want my own device to use the VPN DNS servers.

So I've set the 'Accept DNS Configuration' to strict, which makes my device pick up VPN DNS server however every other device also picks up VPN DNS plus Google DNS. Why is this?!
 
Because Strict adds the servers to the list and uses them in your specified order. In my opinion you want Exclusive; that is how mine is set. I have two IPs routed through my VPN and use the VPN provider's DNS only.
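Added example, not from the thread and not Asuswrt-Merlin's own script, of what the two replies above describe. Strict changes the router's single dnsmasq upstream list (VPN DNS first, then WAN DNS), and dnsmasq serves every LAN client, which is why all devices started showing the VPN DNS. Exclusive instead works per client: port-53 traffic from each policy-routed LAN IP is rewritten (DNAT) to the DNS server the VPN pushed, so that client bypasses dnsmasq and the WAN DNS while every other client is untouched. The chain name DNSVPN_EXAMPLE is illustrative; 10.9.0.1 (pushed DNS) and 192.168.0.173 (policy client) are the values from the OpenVPN log posted later in the thread.

```shell
#!/bin/sh
# Added example; not from the thread and not Asuswrt-Merlin's own script.
# Models what "Exclusive" DNS mode does for policy-routed clients: port 53
# from each listed LAN IP is DNAT'ed to the DNS server the VPN pushed, so
# that client never reaches dnsmasq or the WAN DNS, while every other LAN
# client is untouched and keeps the router's WAN DNS.
# Assumptions: chain name DNSVPN_EXAMPLE is illustrative; 10.9.0.1 (pushed
# DNS) and 192.168.0.173 (policy client) come from the log in the thread.

# Print (do not apply) the iptables commands for one VPN DNS and N clients.
# Usage: dns_dnat_rules CHAIN VPN_DNS CLIENT_IP [CLIENT_IP...]
dns_dnat_rules() {
    chain=$1; dns=$2; shift 2
    echo "iptables -t nat -N $chain"
    echo "iptables -t nat -I PREROUTING -j $chain"
    for ip in "$@"; do
        # Both transports: a resolver falling back to TCP must be caught too.
        for proto in udp tcp; do
            echo "iptables -t nat -A $chain -s $ip -p $proto --dport 53 -j DNAT --to-destination $dns"
        done
    done
}

# Verify from an 'iptables -t nat -S' listing (stdin) that CLIENT_IP has the
# udp AND tcp port-53 DNAT to VPN_DNS.  Exit 0 if both rules exist, 1 if not.
# On the router:  iptables -t nat -S | check_client_dnat 192.168.0.173 10.9.0.1
check_client_dnat() {
    ip=$1; dns=$2
    rules=$(cat)
    hit=0
    for proto in udp tcp; do
        # '-S' prints the source as 192.168.0.173/32; accept either spelling.
        if printf '%s\n' "$rules" | grep -E -e "-s $ip(/32)? .*-p $proto .*--dport 53 .*-j DNAT --to-destination $dns" >/dev/null; then
            hit=$((hit + 1))
        fi
    done
    [ "$hit" -eq 2 ]
}

# Demo: rules for one policy client; review them, then pipe to sh on the router.
dns_dnat_rules DNSVPN_EXAMPLE 10.9.0.1 192.168.0.173
```

On the router, `iptables -t nat -S | check_client_dnat 192.168.0.173 10.9.0.1` confirms that both rules exist for the device that is still showing the WAN DNS in the leak test; a return code of 1 means that client is not being redirected, whatever the policy-rule table shows. Devices absent from the policy rules have no DNAT entry and so resolve through dnsmasq and the WAN DNS, exactly as the reply says.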
 

Bizarre, I have set it to 'Exclusive'. I can see my phone listed in 'port forwarding', however it still uses Google DNS. I am going to try adding it in custom configuration.
 
Quick questions, who is your vpn provider and do you pay for the service or is it free?
 
Note that if you have IPv6 enabled on your network, this will bypass your VPN tunnels.
 
Service is provided by Private Tunnel, and yes I have paid for it. Interesting thing I noticed from log file below. Not sure if it's relevant but I like clean log files so assistance on this matter is appreciated.

Sep 23 09:34:57 openvpn[2479]: OpenVPN 2.4.3 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Oct 4 2017
Sep 23 09:34:57 openvpn[2479]: library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.08
Sep 23 09:34:57 openvpn[2480]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sep 23 09:34:57 openvpn[2480]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sep 23 09:34:57 openvpn[2480]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sep 23 09:34:57 openvpn[2480]: TCP/UDP: Preserving recently used remote address: [AF_INET]50.7.148.122:1194
Sep 23 09:34:57 openvpn[2480]: Socket Buffers: R=[122880->122880] S=[122880->122880]
Sep 23 09:34:57 openvpn[2480]: NOTE: setsockopt TCP_NODELAY=1 failed
Sep 23 09:34:57 openvpn[2480]: UDP link local: (not bound)
Sep 23 09:34:57 openvpn[2480]: UDP link remote: [AF_INET]50.7.148.122:1194
Sep 23 09:34:57 openvpn[2480]: TLS: Initial packet from [AF_INET]50.7.148.122:1194, sid=db1e66d0 ad774826
Sep 23 09:34:57 openvpn[2480]: VERIFY OK: depth=2, CN=OpenVPN CA
Sep 23 09:34:57 openvpn[2480]: VERIFY OK: depth=1, CN=PT Transitional 20150615
Sep 23 09:34:57 openvpn[2480]: VERIFY KU OK
Sep 23 09:34:57 openvpn[2480]: Validating certificate extended key usage
Sep 23 09:34:57 openvpn[2480]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sep 23 09:34:57 openvpn[2480]: VERIFY EKU OK
Sep 23 09:34:57 openvpn[2480]: VERIFY OK: depth=0, CN=par1.privatetunnel.com
Sep 23 09:34:57 openvpn[2480]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Sep 23 09:34:57 openvpn[2480]: [par1.privatetunnel.com] Peer Connection Initiated with [AF_INET]50.7.148.122:1194
Sep 23 09:34:59 openvpn[2480]: SENT CONTROL [par1.privatetunnel.com]: 'PUSH_REQUEST' (status=1)
Sep 23 09:34:59 openvpn[2480]: PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.9.0.1,ifconfig 10.9.214.100 255.255.0.0,client-ip 94.9.197.34,ping 8,ping-restart 40,reneg-sec 3600,cipher AES-128-GCM,compress lz4-v2,peer-id 83546,topology subnet,explicit-exit-notify,redirect-gateway def1,dhcp-option DNS 10.9.0.1,sndbuf 0,rcvbuf 0,socket-flags TCP_NODELAY,block-ipv6'
Sep 23 09:34:59 openvpn[2480]: Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:3: client-ip (2.4.3)
Sep 23 09:34:59 openvpn[2480]: Options error: option 'reneg-sec' cannot be used in this context ([PUSH-OPTIONS])
Sep 23 09:34:59 openvpn[2480]: Option 'explicit-exit-notify' in [PUSH-OPTIONS]:11 is ignored by previous <connection> blocks
Sep 23 09:34:59 openvpn[2480]: Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:17: block-ipv6 (2.4.3)
Sep 23 09:34:59 openvpn[2480]: OPTIONS IMPORT: timers and/or timeouts modified
Sep 23 09:34:59 openvpn[2480]: OPTIONS IMPORT: explicit notify parm(s) modified
Sep 23 09:34:59 openvpn[2480]: OPTIONS IMPORT: compression parms modified
Sep 23 09:34:59 openvpn[2480]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Sep 23 09:34:59 openvpn[2480]: Socket Buffers: R=[122880->122880] S=[122880->122880]
Sep 23 09:34:59 openvpn[2480]: OPTIONS IMPORT: --socket-flags option modified
Sep 23 09:34:59 openvpn[2480]: NOTE: setsockopt TCP_NODELAY=1 failed
Sep 23 09:34:59 openvpn[2480]: OPTIONS IMPORT: --ifconfig/up options modified
Sep 23 09:34:59 openvpn[2480]: OPTIONS IMPORT: route options modified
Sep 23 09:34:59 openvpn[2480]: OPTIONS IMPORT: route-related options modified
Sep 23 09:34:59 openvpn[2480]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sep 23 09:34:59 openvpn[2480]: OPTIONS IMPORT: peer-id set
Sep 23 09:34:59 openvpn[2480]: OPTIONS IMPORT: adjusting link_mtu to 1625
Sep 23 09:34:59 openvpn[2480]: OPTIONS IMPORT: data channel crypto options modified
Sep 23 09:34:59 openvpn[2480]: Data Channel: using negotiated cipher 'AES-128-GCM'
Sep 23 09:34:59 openvpn[2480]: Data Channel Encrypt: Cipher 'AES-128-GCM' initialized with 128 bit key
Sep 23 09:34:59 openvpn[2480]: Data Channel Decrypt: Cipher 'AES-128-GCM' initialized with 128 bit key
Sep 23 09:34:59 openvpn[2480]: TUN/TAP device tun12 opened
Sep 23 09:34:59 openvpn[2480]: TUN/TAP TX queue length set to 100
Sep 23 09:34:59 openvpn[2480]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sep 23 09:34:59 openvpn[2480]: /usr/sbin/ip link set dev tun12 up mtu 1500
Sep 23 09:34:59 openvpn[2480]: /usr/sbin/ip addr add dev tun12 10.9.214.100/16 broadcast 10.9.255.255
Sep 23 09:34:59 openvpn[2480]: updown.sh tun12 1500 1553 10.9.214.100 255.255.0.0 init
Sep 23 09:34:59 openvpn-updown: Forcing 192.168.0.173 to use DNS server 10.9.0.1
Sep 23 09:35:00 openvpn[2480]: Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #8 / time = (1537695298) Sun Sep 23 09:34:58 2018 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Sep 23 09:35:00 openvpn[2480]: TLS Error: incoming packet authentication failed from [AF_INET]50.7.148.122:1194

Sep 23 09:35:02 openvpn[2480]: /usr/sbin/ip route add 50.7.148.122/32 via 94.9.196.1
Sep 23 09:35:02 openvpn[2480]: /usr/sbin/ip route add 0.0.0.0/1 via 10.9.0.1
Sep 23 09:35:02 openvpn[2480]: /usr/sbin/ip route add 128.0.0.0/1 via 10.9.0.1
Sep 23 09:35:02 openvpn-routing: Configuring policy rules for client 2
Sep 23 09:35:03 openvpn[2480]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sep 23 09:35:03 openvpn[2480]: Initialization Sequence Completed
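Added example, not part of the post. The PUSH_REPLY line and the "Options error" lines in this log are worth reading together: the server pushed `dhcp-option DNS 10.9.0.1`, `redirect-gateway def1` and `block-ipv6`, but the 2.4.3 client reported `client-ip`, `reneg-sec` and `block-ipv6` as unrecognised or not allowed, so the server's IPv6 block is not in effect on the router, which matters given the IPv6 warning earlier in the thread. The script below extracts what was pushed, what the client refused or ignored, and which client the updown script forced onto the pushed DNS. The sample lines are copied from the log above; the function names are my own.

```shell
#!/bin/sh
# Added example; not from the thread.  Reads an OpenVPN client log and
# separates what the server PUSHED from what the client actually APPLIED:
# any pushed option the client reported as unrecognised, not allowed in
# PUSH-OPTIONS, or ignored is listed as not in effect.
# The sample lines are copied from the posted log; the helpers are mine.

sample_log() {
    cat <<'EOF'
Sep 23 09:34:59 openvpn[2480]: PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.9.0.1,ifconfig 10.9.214.100 255.255.0.0,client-ip 94.9.197.34,ping 8,ping-restart 40,reneg-sec 3600,cipher AES-128-GCM,compress lz4-v2,peer-id 83546,topology subnet,explicit-exit-notify,redirect-gateway def1,dhcp-option DNS 10.9.0.1,sndbuf 0,rcvbuf 0,socket-flags TCP_NODELAY,block-ipv6'
Sep 23 09:34:59 openvpn[2480]: Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:3: client-ip (2.4.3)
Sep 23 09:34:59 openvpn[2480]: Options error: option 'reneg-sec' cannot be used in this context ([PUSH-OPTIONS])
Sep 23 09:34:59 openvpn[2480]: Option 'explicit-exit-notify' in [PUSH-OPTIONS]:11 is ignored by previous <connection> blocks
Sep 23 09:34:59 openvpn[2480]: Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:17: block-ipv6 (2.4.3)
Sep 23 09:34:59 openvpn-updown: Forcing 192.168.0.173 to use DNS server 10.9.0.1
Sep 23 09:35:03 openvpn[2480]: Initialization Sequence Completed
EOF
}

# Options the server pushed, one per line (name followed by its arguments).
pushed_options() {
    sed -n "s/.*PUSH_REPLY,\(.*\)'.*/\1/p" | tr ',' '\n'
}

# Names of pushed options the client refused or ignored (three log shapes).
not_applied_options() {
    sed -n \
        -e "s/.*Options error: .*\[PUSH-OPTIONS\]:[0-9]*: \([^ ]*\) .*/\1/p" \
        -e "s/.*Options error: option '\([^']*\)' cannot be used in this context (\[PUSH-OPTIONS\]).*/\1/p" \
        -e "s/.*Option '\([^']*\)' in \[PUSH-OPTIONS\]:[0-9]* is ignored.*/\1/p"
}

# DNS server(s) the VPN pushed via dhcp-option DNS.
pushed_dns() {
    pushed_options | sed -n 's/^dhcp-option DNS //p'
}

# "client vpn_dns" pairs the updown script logged when it forced a
# policy-routed client onto the pushed DNS (Exclusive mode).
forced_dns_clients() {
    sed -n 's/.*Forcing \([^ ]*\) to use DNS server \([^ ]*\).*/\1 \2/p'
}

# Exit 0 if option NAME was pushed and the client did not refuse/ignore it.
option_in_effect() {
    name=$1
    log=$(cat)
    printf '%s\n' "$log" | pushed_options | grep -qE "^$name( |\$)" || return 1
    if printf '%s\n' "$log" | not_applied_options | grep -qxF "$name"; then
        return 1
    fi
    return 0
}

# Human-readable summary of every pushed option.
report() {
    log=$(cat)
    printf '%s\n' "$log" | pushed_options | while IFS= read -r opt; do
        if printf '%s\n' "$log" | not_applied_options | grep -qxF "${opt%% *}"; then
            echo "NOT APPLIED  $opt"
        else
            echo "applied      $opt"
        fi
    done
}

sample_log | report
```

On the router, `cat /tmp/syslog.log | report` (or whichever file holds the OpenVPN client log) gives the same table for a live session. The "applied" lines are the ones you can rely on; anything marked NOT APPLIED, such as `block-ipv6` here, has to be enforced some other way or checked in the leak test.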
 
I can definitely see my device listed in the port forwarding table.

(screenshot attached: port forwarding table showing the device)


VPN Connected

Tracert:

When I run a tracert to www.bbc.co.uk, with VPN connected, I see:

traceroute: Warning: www.bbc.co.uk has multiple addresses; using 212.58.249.208
traceroute to www.bbc.net.uk (212.58.249.208), 64 hops max, 72 byte packets

1 rt-ac68u-5ed8 (192.168.0.1) 1.471 ms 0.974 ms 1.030 ms
2 * 10.9.0.1 (10.9.0.1) 26.158 ms 25.098 ms
3 50.7.148.113 (50.7.148.113) 25.726 ms 26.447 ms 26.285 ms
4 be4970.rcr21.par02.atlas.cogentco.com (149.6.163.57) 26.056 ms 28.862 ms 25.426 ms
5 be2416.ccr42.par01.atlas.cogentco.com (130.117.48.253) 26.225 ms 26.919 ms 26.399 ms
6 prs-b2-link.telia.net (213.248.86.169) 25.881 ms 30.193 ms 25.993 ms
7 prs-bb4-link.telia.net (62.115.122.10) 33.439 ms 33.633 ms 33.207 ms
8 ldn-bb4-link.telia.net (62.115.114.228) 32.998 ms 34.576 ms 34.429 ms
9 ldn-b5-link.telia.net (213.155.132.197) 32.831 ms 32.996 ms 33.102 ms
10 atos-ic-315186-ldn-b5.c.telia.net (62.115.144.161) 33.471 ms 35.177 ms 33.865 ms
11 * * *
12 * * *
13 ae1.er01.lbh.bbc.co.uk (132.185.254.138) 34.371 ms 33.724 ms 33.638 ms
14 132.185.252.126 (132.185.252.126) 44.293 ms 49.404 ms 42.076 ms
15 bbc-vip146.lbh.bbc.co.uk (212.58.249.208) 33.504 ms 33.428 ms 41.533 ms


DNS Leak:
(screenshot attached: DNS leak test result with VPN connected)

Without VPN connected:

Tracert:

traceroute to www.bbc.net.uk (212.58.249.210), 64 hops max, 72 byte packets

1 rt-ac68u-5ed8 (192.168.0.1) 2.191 ms 7.390 ms 2.730 ms
2 * * *
3 be329.pr2.hobir.isp.sky.com (84.38.37.26) 19.852 ms 22.946 ms 19.038 ms
4 212.58.239.76 (212.58.239.76) 26.118 ms 16.090 ms 16.678 ms
5 * * *
6 ae1.er02.lbh.bbc.co.uk (132.185.254.142) 17.106 ms 16.479 ms 16.321 ms
7 132.185.252.130 (132.185.252.130) 40.576 ms 46.597 ms 39.768 ms
8 bbc-vip148.lbh.bbc.co.uk (212.58.249.210) 16.116 ms 16.341 ms 16.382 ms

DNS Leak:

(screenshot attached: DNS leak test result without VPN)
 
