help with NordVPN client settings

Chenks

Regular Contributor
looking for some advice on my current VPN client connection (NordVPN)
i've set it up according to the NordVPN instructions - with one exception that it said to set the router DNS to their DNS IPs, but as i use pihole and i'm only targeting specific devices or IPs (via VPN director) then that obviously wasn't appropriate.

i can see that the targeted devices are indeed reporting their WAN IP as being the NordVPN IP, but i suspect that i'm still routing via my pihole (using cloudflare) DNS, and i'm wanting everything targeted by VPN director to go thru the VPN (including DNS etc).

do i need to adjust the VPN client settings?


Code:
remote-cert-tls server
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping-timer-rem
reneg-sec 0


#log /tmp/vpn.log
 
... but i suspect that i'm still routing via my pihole (using cloudflare) DNS, and i'm wanting everything targeted by VPN director to go thru the VPN (including DNS etc).
Why do you suspect that? Pi-hole isn't a router it's a DNS server.
 
yes i know pihole isn't a router, i didn't suggest it was.
i have the pihole DNS set via DHCP as the DNS for any connected devices, and due to nordvpn saying i needed to change that to nordvpn DNS (which i didn't and won't do), i suspect that DNS resolution is being done by local pihole when it should be done by NordVPN for the targeted devices set by VPN director.
 
yes i know pihole isn't a router, i didn't suggest it was.
You said: "... i suspect that i'm still routing via my pihole ...".

i have the pihole DNS set via DHCP as the DNS for any connected devices, and due to nordvpn saying i needed to change that to nordvpn DNS (which i didn't and won't do), i suspect that DNS resolution is being done by local pihole when it should be done by NordVPN for the targeted devices set by VPN director.
It should be fairly easy to test. Turn off the VPN client and do an nslookup on a local hostname that the pihole knows. Then turn the VPN back on and repeat the test. If the client's DNS request is going directly to NordVPN's server it shouldn't be able to resolve it.
 
Phones / browsers are a PITA sometimes. My phone / chrome tend to turn on secureDNS or something else that allows bypassing pihole even though it works just fine most of the time. I need to toggle the option in the browser and restart chrome to get the ads to go away again. Whether it's triggered by an update or some other process I haven't nailed down yet but, it's easily fixable. The phone itself has a DNS option as well besides the browser. Whether Apple does this or not is another story and I can't answer that for you but, it's something to look into.

As to using Nord's DNS IP's or not... doesn't really matter but, I'm sure they block DNS to malicious sites based on a list they get frequent updates for. Now, the thing I found recently is setting the DNS in the client to the pihole IP instead of their servers forces everything to the pihole and from the pihole using their servers for DNS works fine as well. I've been collecting a lot more info this way than before where local lookups were just going straight to their DNS vs the pihole.

Code:
Technology: NORDLYNX
Firewall: disabled
Kill Switch: disabled
Threat Protection Lite: disabled
Notify: disabled
Auto-connect: enabled
IPv6: disabled
Meshnet: disabled
DNS: 192.168.0.2
 
You said: "... i suspect that i'm still routing via my pihole ...".

that's being a bit pedantic, isn't it?
clearly that meant i suspect that DNS is still "routing" via my pihole.

It should be fairly easy to test. Turn off the VPN client and do an nslookup on a local hostname that the pihole knows. Then turn the VPN back on and repeat the test. If the client's DNS request is going directly to NordVPN's server it shouldn't be able to resolve it.

a local hostname as in the hostname of a LAN device?
 
Phones / browsers are a PITA sometimes. My phone / chrome tend to turn on secureDNS or something else that allows bypassing pihole even though it works just fine most of the time. I need to toggle the option in the browser and restart chrome to get the ads to go away again. Whether it's triggered by an update or some other process I haven't nailed down yet but, it's easily fixable. The phone itself has a DNS option as well besides the browser. Whether Apple does this or not is another story and I can't answer that for you but, it's something to look into.

As to using Nord's DNS IP's or not... doesn't really matter but, I'm sure they block DNS to malicious sites based on a list they get frequent updates for. Now, the thing I found recently is setting the DNS in the client to the pihole IP instead of their servers forces everything to the pihole and from the pihole using their servers for DNS works fine as well. I've been collecting a lot more info this way than before where local lookups were just going straight to their DNS vs the pihole.

i'm not talking about using the NordVPN client apps, i'm talking about the router itself connecting to NordVPN, and then using VPN director to target specific devices to go thru the VPN, and other not.
 
i'm hoping @eibgrad is around as i'm sure they have discussed this previously and have advised on adjusting the custom configuration.
 
a local hostname as in the hostname of a LAN device?
Maybe. I don't use Pi-hole or have any knowledge of how you've set yours up.

But for example (using the router as a DNS server) a normal nslookup looks like this:
Code:
C:\>nslookup nuc
Server:  RT-AX86U.home.lan
Address:  192.168.1.1

Name:    nuc.home.lan
Address:  192.168.1.10
If I enable the VPN client just for this PC I then get this:
Code:
C:\>nslookup nuc
Server:  UnKnown
Address:  192.168.1.1

*** UnKnown can't find nuc: Non-existent domain
 
my pihole isn't the DHCP server, so it doesn't know the "hostname" of a device, well it didn't when i tried a couple of the named devices i have on the LAN

Code:
C:\Users\chenk>nslookup
Default Server:  pi.hole
Address:  192.168.50.2


> xpslaptop
Server:  pi.hole
Address:  192.168.50.2


*** pi.hole can't find xpslaptop: Non-existent domain

but doing
Code:
dig 8.8.8.8
on the raspberry pi (which is one of the devices going thru the VPN), says the DNS server used is 192.168.50.2 (which is pihole) and not the VPN DNS.
 
my pihole isn't the DHCP server, so it doesn't know the "hostname" of a device, well it didn't when i tried a couple of the named devices i have on the LAN
That's why I said I don't know how you've set yours up. I've read that you can configure Pi-hole so that it uses the router's DNS server to supply local hostnames.

However, Pi-hole should be able to resolve its own hostname "pi.hole".
 
but doing
Code:
dig 8.8.8.8
on the raspberry pi (which is one of the devices going thru the VPN), says the DNS server used is 192.168.50.2 (which is pihole) and not the VPN DNS.
That won't change just because you've enabled the VPN client. The DNS requests are intercepted and redirected on the router using iptables similar to how DNSFilter works. But maybe the way you have your DHCP set up bypasses this. So you need to test it.


FYI, there was this thread earlier today. Which in turn pointed to this:
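The test proposed in the posts above (resolve a LAN-only hostname with the VPN client off, then again with it on) and the nslookup and dig outputs posted in the thread can be turned into a small checker. This is an added example, not code from the thread, from NordVPN or from the Asuswrt firmware. The three nslookup samples are the ones posted in the thread; the dig output is constructed, and the router address 192.168.50.1 and the VPN resolver address 203.0.113.53 are placeholders, not addresses from the thread.

```python
import re
from dataclasses import dataclass
from typing import Optional

PIHOLE_IP = "192.168.50.2"                    # Pi-hole address, from the thread
ROUTER_IPS = {"192.168.1.1", "192.168.50.1"}  # .1.1 from the thread; .50.1 is an assumed router LAN IP
VPN_DNS_IPS = {"203.0.113.53"}                # placeholder for the VPN provider's resolver (constructed)


@dataclass
class LookupResult:
    server: Optional[str]   # resolver the client sent the query to
    resolved: bool          # the name got an answer
    nxdomain: bool          # the resolver said the name does not exist


def parse_nslookup(text: str) -> LookupResult:
    """Windows nslookup: the Address: line after the first 'Server:' / 'Default Server:'
    line is the resolver; a 'Name:' line means the query was answered."""
    lines = text.splitlines()
    server = None
    for i, line in enumerate(lines):
        if server is None and re.match(r"\s*(Default )?Server:", line):
            for following in lines[i + 1:]:
                m = re.match(r"\s*Address:\s*(\S+)", following)
                if m:
                    server = m.group(1)
                    break
    resolved = any(line.strip().startswith("Name:") for line in lines)
    return LookupResult(server, resolved, "Non-existent domain" in text)


def parse_dig(text: str) -> LookupResult:
    """dig: ';; SERVER: ip#port(...)' names the resolver, the HEADER line carries the status."""
    m = re.search(r"^;; SERVER:\s*([0-9a-fA-F.:]+)#\d+", text, re.M)
    status = re.search(r"status:\s*(\w+)", text)
    answers = re.search(r"ANSWER:\s*(\d+)", text)
    code = status.group(1) if status else "UNKNOWN"
    resolved = code == "NOERROR" and answers is not None and int(answers.group(1)) > 0
    return LookupResult(m.group(1) if m else None, resolved, code == "NXDOMAIN")


def classify_resolver(ip: Optional[str]) -> str:
    """Name the box the client talked to. This is only where the query was *sent*:
    a port-53 redirect on the router does not change what the client sees here."""
    if ip == PIHOLE_IP:
        return "pihole"
    if ip in ROUTER_IPS:
        return "router"
    if ip in VPN_DNS_IPS:
        return "vpn-dns"
    return "unknown"


def interpret_test(vpn_off: LookupResult, vpn_on: LookupResult) -> str:
    """The thread's test: a LAN-only name that resolves with the VPN client off but
    comes back NXDOMAIN with it on was answered by the tunnel's resolver."""
    if not vpn_off.resolved:
        return "inconclusive: pick a name the local resolver actually knows"
    if vpn_on.nxdomain:
        return "redirected: the VPN resolver answered, so DNS follows the VPN Director rule"
    if vpn_on.resolved:
        return "not redirected: the LAN resolver still answers, VPN Director is not affecting DNS"
    return "inconclusive: no answer with the VPN on"


# Sample outputs: the nslookup ones are from the thread, the dig output is constructed.
NSLOOKUP_VPN_OFF = r"""C:\>nslookup nuc
Server:  RT-AX86U.home.lan
Address:  192.168.1.1

Name:    nuc.home.lan
Address:  192.168.1.10
"""
NSLOOKUP_VPN_ON = r"""C:\>nslookup nuc
Server:  UnKnown
Address:  192.168.1.1

*** UnKnown can't find nuc: Non-existent domain
"""
NSLOOKUP_PIHOLE = r"""C:\Users\chenk>nslookup
Default Server:  pi.hole
Address:  192.168.50.2

> xpslaptop
Server:  pi.hole
Address:  192.168.50.2

*** pi.hole can't find xpslaptop: Non-existent domain
"""
DIG_PIHOLE = """; <<>> DiG <<>> 8.8.8.8
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; SERVER: 192.168.50.2#53(192.168.50.2)
"""

if __name__ == "__main__":
    off, on = parse_nslookup(NSLOOKUP_VPN_OFF), parse_nslookup(NSLOOKUP_VPN_ON)
    print(classify_resolver(off.server), "->", interpret_test(off, on))
```

Note what the second nslookup sample shows: the client still reports 192.168.1.1 as its server even though the answer came from the tunnel's resolver, because the redirect happens on the router after the query has left the PC. That is why the `dig` SERVER line alone says nothing about interception and the resolve/NXDOMAIN comparison is the useful signal; the Pi-hole sample gives NXDOMAIN in both states, so it cannot be used for this test.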
 
the first part of that thread

I would go ahead and put the Pi-Hole IP in LAN DHCP DNS 1 and WAN DNS 2. Put a reliable public DNS Server in WAN DNS 1 (e.g. Cloudflare, Quad9, etc.). In DNSFilter, set Custom 1 to the router's IP address and set the Global mode to Custom 1, after adding an exception for the Pi-Hole IP. On the LAN DHCP Server page, check the box to advertise the router IP in addition to the custom choice.

i actually already have 90% of that configured as it mentions, the only exception being the DNSFilter config.

however i believe this is not the solution to the issue i'm referring to, and is a fix to a different issue.
i believe what is needed is the custom config in the VPN client settings to be adjusted, and i'm seen reference to that before somewhere here.
 
That won't change just because you've enabled the VPN client. The DNS requests are intercepted and redirected on the router using iptables similar to how DNSFilter works. But maybe the way you have your DHCP set up bypasses this. So you need to test it.
Thinking about it, yes this would be the problem. Because you have configured your clients to go directly to the Pi-hole they never reach the redirect rule on the router.
 
essentially what i need, and thought VPN director would achieve that, is for any device where VPN director is routing WAN traffic thru the VPN that DNS resolution also goes thru the VPN.
from what i understand this should be possible.

after all, if i was to install NordVPN's app on any of my devices then that is what happens.
 
essentially what i need, and thought VPN director would achieve that, is for any device where VPN director is routing WAN traffic thru the VPN that DNS resolution also goes thru the VPN.
from what i understand this should be possible.

after all, if i was to install NordVPN's app on any of my devices then that is what happens.
The problem, as I just mentioned, is that all the VPN Client/VPN Director activity happens as a function of routing (on the router - obviously). By instructing your LAN clients to send their DNS requests directly to another device on the LAN (the Pi-hole) they aren't being routed.

So the only way for the LAN clients to be affected by VPN Director is if their DNS requests are going to the router (as is usually the case) instead of the Pi-hole. Of course, it may be possible for the router to then use the Pi-hole as its upstream server. But then you start getting into the weeds about Pi-hole seeing everything coming from the router rather than individual machines.

EDIT: Here's a random thought. If there's only a limited number of devices on your LAN that you want to use NordVPN's DNS you could create DHCP reservations for them on the router. In those reservations you can specify what DNS server they use. If you specified the router as the DNS then it would be affected by the VPN Director rules.
 
EDIT: Here's a random thought. If there's only a limited number of devices on your LAN that you want to use NordVPN's DNS you could create DHCP reservations for them on the router. In those reservations you can specify what DNS server they use. If you specified the router as the DNS then it would be affected by the VPN Director rules.

i have 2 rules in the VPN director.
1 rule for a specific device where all traffic gets forced thru the VPN
1 rule for a specific WAN IP where no matter what device it is that specific WAN traffic goes thru the VPN

1 specific device in rule 1 has a DHCP reserved IP address - so that suggestion might work for this device, however i suspect that suggestion wouldn't work for rule 2, and it's rule 2 that is the one where i would actually need it to work on.

on the router side this is what is currently set
DHCP DNS - 192.168.50.2 (pihole)
WAN DNS - 1.1.1.1 (cloudflare)
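The routing argument in the last few posts (a DNS query sent straight to another LAN host never enters the router's forwarding path, so neither the port-53 redirect nor VPN Director can act on it, while a DHCP reservation that hands the device the router as its DNS server does put the query on that path) can be modelled in a few lines. This is an added example, not code from the thread or from the Asuswrt firmware, and it simplifies the firmware's real rule ordering. The router address 192.168.50.1, the rule-1 device address 192.168.50.20, the second device 192.168.50.30, the VPN resolver 203.0.113.53 and the rule-2 WAN address 198.51.100.10 are placeholders. The model also covers the rule-2 case raised in the last post: a destination-IP rule matches the data traffic to that address, but not the DNS lookup that precedes it, because the lookup is addressed to the resolver rather than to that WAN IP.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Addresses from the thread plus labelled placeholders.
LAN = ip_network("192.168.50.0/24")          # subnet implied by the thread's addresses
ROUTER = ip_address("192.168.50.1")          # assumed router LAN address
PIHOLE = ip_address("192.168.50.2")          # Pi-hole, from the thread
VPN_DNS = ip_address("203.0.113.53")         # placeholder for the resolver the tunnel pushes
RULE1_DEVICE = ip_address("192.168.50.20")   # hypothetical address of the rule-1 device
RULE2_WAN_IP = ip_address("198.51.100.10")   # placeholder for the rule-2 remote WAN address
DNS_PORT = 53


@dataclass
class VpnDirectorRule:
    iface: str                 # tunnel interface, e.g. "OVPN1"
    src: Optional[str] = None  # match on the LAN client address
    dst: Optional[str] = None  # match on the remote address


@dataclass
class Verdict:
    path: str              # "lan-direct": never reaches the router; "router": enters its forwarding path
    final_dst: str         # destination after any port-53 DNAT
    egress: Optional[str]  # "OVPN1", "WAN", or None when the packet never leaves the LAN


THREAD_RULES = [
    VpnDirectorRule("OVPN1", src=str(RULE1_DEVICE)),  # rule 1: all traffic from one device
    VpnDirectorRule("OVPN1", dst=str(RULE2_WAN_IP)),  # rule 2: one remote IP from any device
]


def route_packet(client_ip, dst_ip, dport, rules: List[VpnDirectorRule], dns_redirect=True) -> Verdict:
    """Simplified model of what happens to one packet sent by a LAN client."""
    client, dst = ip_address(str(client_ip)), ip_address(str(dst_ip))
    # 1. Same-subnet delivery: the switch/ARP hands the frame straight to the other host
    #    (the Pi-hole). The router's nat PREROUTING and policy routes never see it.
    if dst in LAN and dst != ROUTER:
        return Verdict("lan-direct", str(dst), None)
    # 2. The packet reaches the router. nat PREROUTING runs before the routing decision;
    #    for a client the tunnel serves, port-53 traffic is DNAT'd to the tunnel's resolver
    #    (the DNSFilter-like interception described in the thread).
    src_rule = next((r for r in rules if r.src and ip_address(r.src) == client), None)
    if dns_redirect and dport == DNS_PORT and src_rule:
        dst = VPN_DNS
    # 3. Policy routing: a source match wins, then a destination match, otherwise the WAN
    #    (a query still addressed to the router itself is answered by dnsmasq, which
    #    forwards to the WAN DNS servers).
    if src_rule:
        return Verdict("router", str(dst), src_rule.iface)
    dst_rule = next((r for r in rules if r.dst and ip_address(r.dst) == dst), None)
    if dst_rule:
        return Verdict("router", str(dst), dst_rule.iface)
    return Verdict("router", str(dst), "WAN")


def thread_scenarios() -> dict:
    """The cases discussed in the thread, keyed by a short description."""
    other = "192.168.50.30"  # hypothetical device covered only by rule 2
    return {
        "rule1 device, DNS to Pi-hole (current DHCP setting)":
            route_packet(RULE1_DEVICE, PIHOLE, DNS_PORT, THREAD_RULES),
        "rule1 device, DNS to router (DHCP reservation)":
            route_packet(RULE1_DEVICE, ROUTER, DNS_PORT, THREAD_RULES),
        "other device, DNS to router":
            route_packet(other, ROUTER, DNS_PORT, THREAD_RULES),
        "other device, HTTPS to the rule-2 WAN IP":
            route_packet(other, RULE2_WAN_IP, 443, THREAD_RULES),
    }


if __name__ == "__main__":
    for case, verdict in thread_scenarios().items():
        print(f"{case}: path={verdict.path} dst={verdict.final_dst} egress={verdict.egress}")
```

Run as a script it prints one line per scenario: the rule-1 device's query to the Pi-hole stays on the LAN with no egress at all, the same device's query to the router is rewritten to the tunnel's resolver and leaves via OVPN1, the second device's HTTPS traffic to the rule-2 address does go through the tunnel, but its DNS query to the router goes out the WAN because nothing in rule 2 matches a packet addressed to the resolver.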
 
