Help! VPN Director and Mullvad VPN forcing all computers to use Mullvad DNS

torstein

Regular Contributor
TLDR:
Like the title says, VPN Director on Merlin 386.3_2 configured with Mullvad VPN is forcing all computers on my network to use Mullvad DNS servers, and not just the one Mac I have tunneled through Mullvad VPN. I hope you can help :)

THIS IS WHAT I'M TRYING TO DO:
I want my Asus AX86U to only tunnel my Mac mini through Mullvad VPN. The rest of my computers I don't want to go through Mullvad VPN. I followed this guide https://mullvad.net/it/help/asus-merlin-and-mullvad-vpn/ and it works perfectly - that is, only my Mac mini is tunneled through Mullvad VPN. All my other devices are not going through Mullvad VPN, as I hoped for, but my other Macs are now using Mullvad's DNS servers 10.8.0.1 and 193.138.218.74. This is fair, because the guide did specify to add the Mullvad DNS servers under DHCP settings on the AX86U (I assume this is to prevent DNS leaks). However, I don't want my other computers on the home network to use Mullvad's DNS servers; I want to use the default DNS servers of the router, which in my case is NextDNS. If I remove the Mullvad DNS servers, then my real IP leaks, as one would expect.

How can I make my Asus AX86U router with Mullvad VPN through VPN Director use Mullvad's DNS servers only on the Mac mini, and leave the DNS alone on all my other computers on the network?

I tried adding this
Code:
push "dhcp-option DNS 193.138.218.74"
push "dhcp-option DNS 10.8.0.1"
to the end of the custom configuration text field under VPN --> VPN Client on the router, but it didn't work. It just caused DNS leaks as well, and I'm not really sure it actually did anything.

This is what the entire "Custom config" looks like:
Code:
resolv-retry infinite
remote-cert-tls server
ping 10
ping-restart 60
sndbuf 524288
rcvbuf 524288
cipher AES-256-CBC
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA
fast-io
remote-random
comp-lzo no
push "dhcp-option DNS 193.138.218.74"
push "dhcp-option DNS 10.8.0.1"

Any other ideas?
 

eibgrad

Part of the Furniture
Do NOT specify the recommended Mullvad DNS servers under the DHCP server. Instead, push them as DNS options (as you just did), but you also need to specify "Exclusive" for "Accept DNS Configuration" on the OpenVPN client GUI.

P.S. When using Exclusive, it's only possible for the router to bind VPN clients to *one* DNS server. And so if you specify more than one, I don't know which one will be selected. You're better off to choose the one known to be bound to the VPN tunnel itself (10.8.0.1) rather than 193.138.218.74, because the latter *might* be accessed over the WAN resulting in a DNS leak. Or else you may have to bind 193.138.218.74 (as a remote IP) to the VPN as well using policy rules.
 

torstein

Regular Contributor
Thanks for helping! It didn't work, sadly. See attached photo for settings.

I did what you said: I removed the Mullvad DNS servers under DHCP, set "Accept DNS Configuration" to "Exclusive" and set the push-command dhcp option under Custom Configuration.
Code:
push "dhcp-option DNS 193.138.218.74"
push "dhcp-option DNS 10.8.0.1"
My actual IP gets hidden this way, but DNS leaks reveal my actual DNS servers.

Since it didn't work, I then did what you suggested in your edit, and added Mullvad's DNS servers to "Remote IP" under "VPN Director Rules", but that ended up exposing my real IP address as well as DNS servers.

Mullvad in their guide recommends setting "Remote IP" to
Code:
0.0.0.0/0
for some reason, so I guess I should leave them alone.

I don't understand why it leaks. What you suggested, setting Accept DNS Config to Exclusive, sounds reasonable and should have worked.

Is it my

Code:
push "dhcp-option DNS 193.138.218.74"
push "dhcp-option DNS 10.8.0.1"

that is written incorrectly?
 

Attachment: Skjermbilde 2021-12-29 kl. 00.51.40.png

eibgrad

Part of the Furniture
How are you defining a DNS leak? *I* am only considering it a DNS leak from the perspective of those devices bound to the VPN (192.168.5.205 in this case). And how are you verifying it? Online DNS leak testing tools are notoriously unreliable when it comes to the router. As I tell ppl all the time, the only thing I consider 100% reliable for verifying where DNS requests are being routed is by dumping/monitoring connection tracking on the router.

Code:
watch -tn5 "cat /proc/net/nf_conntrack | grep 'dport=53 '"
 
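The conntrack check above is the reliable way to see where port-53 traffic actually goes. As an added illustration (not eibgrad's code and not part of the original thread), this script parses constructed nf_conntrack lines and classifies each DNS query by its egress path, using the reply tuple's destination address (the source after NAT) to tell tunnel from WAN; the LAN subnet 192.168.5.0/24, the tunnel address 10.8.0.2 and the WAN address 203.0.113.10 are assumptions.

```python
import ipaddress
import re

# Constructed /proc/net/nf_conntrack lines (not from a real router). The reply tuple's dst
# is the source address after NAT, i.e. the egress path: 10.8.0.2 stands in for the router's
# tunnel address and 203.0.113.10 for its WAN address; 198.51.100.53 is a placeholder upstream.
SAMPLE_CONNTRACK = """\
ipv4 2 udp 17 25 src=192.168.5.205 dst=10.8.0.1 sport=51234 dport=53 packets=1 bytes=60 src=10.8.0.1 dst=10.8.0.2 sport=53 dport=51234 packets=1 bytes=120 mark=0 use=2
ipv4 2 udp 17 25 src=192.168.5.205 dst=193.138.218.74 sport=51235 dport=53 packets=1 bytes=60 src=193.138.218.74 dst=203.0.113.10 sport=53 dport=51235 packets=1 bytes=120 mark=0 use=2
ipv4 2 udp 17 25 src=192.168.5.20 dst=192.168.5.1 sport=40001 dport=53 packets=1 bytes=60 src=192.168.5.1 dst=192.168.5.20 sport=53 dport=40001 packets=1 bytes=120 mark=0 use=2
ipv4 2 udp 17 25 src=203.0.113.10 dst=198.51.100.53 sport=40002 dport=53 packets=1 bytes=60 src=198.51.100.53 dst=203.0.113.10 sport=53 dport=40002 packets=1 bytes=120 mark=0 use=2
ipv4 2 tcp 6 431999 ESTABLISHED src=192.168.5.205 dst=198.51.100.80 sport=50000 dport=443 packets=10 bytes=1200 src=198.51.100.80 dst=10.8.0.2 sport=443 dport=50000 packets=10 bytes=5000 [ASSURED] mark=0 use=2
"""

TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")

def dns_flows(conntrack_text):
    """Yield (client, resolver, egress) for every flow whose original tuple targets port 53."""
    for line in conntrack_text.splitlines():
        tuples = TUPLE_RE.findall(line)  # [0] = original tuple, [1] = reply tuple
        if len(tuples) < 2 or tuples[0][3] != "53":
            continue
        client, resolver = tuples[0][0], tuples[0][1]
        egress = tuples[1][1]  # reply dst = the address the query was sent from after NAT
        yield client, resolver, egress

def classify(client, egress, lan_net, tunnel_net):
    """Which path carried the query: the VPN tunnel, the WAN, or the router's own dnsmasq."""
    if ipaddress.ip_address(egress) in tunnel_net:
        return "tunnel"
    if egress == client and ipaddress.ip_address(client) in lan_net:
        return "router"  # no NAT: answered by dnsmasq, so inspect the router's own upstream flows
    return "wan"

def dns_leak_report(conntrack_text, vpn_clients, lan="192.168.5.0/24", tunnel="10.8.0.0/24"):
    """List every DNS flow with its path; a VPN-bound client whose query left via the WAN is a leak."""
    lan_net, tunnel_net = ipaddress.ip_network(lan), ipaddress.ip_network(tunnel)
    report = []
    for client, resolver, egress in dns_flows(conntrack_text):
        path = classify(client, egress, lan_net, tunnel_net)
        report.append({"client": client, "resolver": resolver, "path": path,
                       "leak": client in vpn_clients and path == "wan"})
    return report

if __name__ == "__main__":
    for row in dns_leak_report(SAMPLE_CONNTRACK, {"192.168.5.205"}):
        flag = "  LEAK" if row["leak"] else ""
        print(f"{row['client']:>15} -> {row['resolver']:<16} via {row['path']:<6}{flag}")
```

On the router itself the same parsing can be fed from `cat /proc/net/nf_conntrack` instead of the constructed sample; the second line shows the case eibgrad warns about, a query to 193.138.218.74 that left over the WAN because no policy rule bound that address to the tunnel.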

torstein

Regular Contributor
I use https://www.dnsleaktest.com to verify. I'm, as you probably understand, not an expert, so me defining a leak is laughable at best, but I consider it as dnsleaktest.com showing my ISP's DNS servers instead of Mullvad's servers.

But... I think I may actually have solved it, with lots of help from you :)

So I removed the "push" command from the config, left the DHCP DNS empty like you suggested, and kept the Exclusive setting on Allow DNS Config. I then added the Mullvad DNS servers directly into my Mac mini's DNS servers in System Preferences / Network / Ethernet / DNS Servers, and... now dnsleaktest.com reports back the correct IP address (i.e. not my real one) and the correct DNS servers (Mullvad's) and not my real ones from my own country. I ran the DNS leak test several times, and it consistently shows Mullvad's, and not my ISP's, and my other Macs are unaffected and showing my real IP and ISP's DNS servers.

Is this safe enough, i.e. will my real IP and "identity" be exposed? Is this a reliable solution, do you think? Shouldn't the router be specifying Mullvad's DNS servers and not the Mac mini itself?
 

eibgrad

Part of the Furniture
Well if you configure the client itself directly w/ Mullvad DNS servers, then it's no longer necessary to use Exclusive w/ the OpenVPN client. You could just specify Disabled and eliminate the push'd DNS options too. IOW, the whole point of configuring the router w/ DNS is so you don't have to configure individual clients. But if you prefer that approach, yes, it will work. As long as that client is itself bound to the VPN, it should be safe.
 

torstein

Regular Contributor
Hmm, but when I set it to Relaxed, then my ISP's DNS servers show up on the DNS leak test, and when I set it back to Exclusive, Mullvad's DNS servers show instead. I'd much rather have my router do it, since I trust that more (just a gut feeling).

Why does setting the VPN client to Relaxed leak my ISP's DNS but setting it to Exclusive does not, when I have configured the Mac mini itself with Mullvad DNS servers? It makes no sense to me.
 

eibgrad

Part of the Furniture
Relaxed means the router will use BOTH the DNS servers from the ISP and VPN, and in no particular order (basically, whichever responds first). The reason Mullvad suggested Relaxed was because their original instructions assumed the only DNS servers that would be available to your clients were those they provided, and which they had you specify w/ the DHCP server. But since you're NOT doing that, then you need to use either Exclusive or Strict (the latter will use BOTH the ISP's and VPN's DNS servers, but show preference to the VPN's).
 

torstein

Regular Contributor
I understand. I now set it to Disabled, and it is not leaking; it shows Mullvad DNS servers. I don't know why it was acting weird a moment ago.

I do want the router to be the one giving my Mac the DNS server and not me typing them directly into the Mac, like you said. How do I do that, since push dhcp-option and specifying them in Remote IP in VPN Director didn't work?
 

eibgrad

Part of the Furniture
If Mullvad is telling you that 10.8.0.1 (a *private* IP) is a valid DNS server for all their servers (seems odd, you'd think different servers would be using different private IP networks, but let's take them at their word), then I recommend you only set that one DNS option. Because if the tunnel is indeed configured by the OpenVPN server w/ 10.8.0.0/24, the *only* route that 10.8.0.1 could possibly use is the tunnel! So it doesn't even require any VPN Director rules for the DNS server. And just specify Exclusive on the OpenVPN client. That will redirect the default DNS server of any client bound to the VPN to 10.8.0.1.
 

torstein

Regular Contributor
But where would I put the 10.8.0.1? Under DHCP --> DNS? Or as a "push dhcp-option" under custom config? Mullvad lists the 10.8.0.1 as DNS server 2, not 1, so that has me thinking it might not be their primary DNS? See attached photo. I'm just guessing here.
 

Attachment: Skjermbilde 2021-12-29 kl. 10.36.48.png

eibgrad

Part of the Furniture
You don't actually push directives from the perspective of the OpenVPN client. Pushing is only required when configuring the server (i.e., the server pushes directives to the client). For the OpenVPN client, you just specify them.

Code:
dhcp-option DNS 10.8.0.1

Whether there are one or ten DNS servers available from the OpenVPN provider, it doesn't make any difference which one you use. It's still a DNS server. In fact, I wouldn't be surprised if the two (193.138.218.74 and 10.8.0.1) aren't in fact the same DNS server, and the former is just the public facing IP of the latter. But whether that's true or NOT, as I said, it doesn't matter which DNS server you use. I suggested 10.8.0.1 because if in fact the IP tunnel established is 10.8.0.0/24, the *only* way it could be accessed is over the tunnel. As such, 10.8.0.1 is guaranteed leakproof, and doesn't require a VPN Director rule to bind it to the VPN.

All that said, if instead you specified the following ...

Code:
dhcp-option DNS 193.138.218.74
dhcp-option DNS 10.8.0.1

... and added a VPN Director rule for the remote IP 193.138.218.74, I would still expect it to work, regardless which IP the router used for the purposes of the Exclusive or Strict setting.
 

torstein

Regular Contributor
I did what you suggested, but sadly it doesn't work. Both my real IP and DNS servers are exposed when I enable the option Exclusive and add...
Code:
dhcp-option DNS 193.138.218.74
dhcp-option DNS 10.8.0.1
... to the bottom of custom config with remote IP set to 193.138.218.74.

I even tried just having this...
Code:
dhcp-option DNS 10.8.0.1
... at the end and setting remote IP to 193.138.218.74. Leaked everything.

I then switched it around and set...
Code:
dhcp-option DNS 193.138.218.74
... and set remote IP to 10.8.0.1. Same result.

Of course I rebooted the router and Mac mini in between all changes. It just leaks. I spoke with Mullvad customer support and "Eric" wrote:

Regarding the setup for letting one client get a different DNS I don't think you can set your DHCP server to serve a different DNS server to only one client. You would have to configure your mac manually to use the DNS server of our VPN servers, while the rest of the clients use the one they get from the DHCP server. It's not elegant but I think that's the way to go.

I'll just do that, and add the DNS servers directly on my Mac mini. It's not elegant like Eric suggests, but it works, and it hides my real IP and DNS servers, while leaving all other devices unaffected by the VPN.

Thanks for taking the time to help, I've learned a ton. You've been wonderful! :)
 