How to push own DNS server when using VPN

Jerie-
Expected Behavior:
When using VPN (NordVPN), local client will use local DNS servers as defined in DHCP of Asus router (GT-AC5300) and not VPN's DNS service.

Actual Behavior:
When connected to a private VPN, clients bypass local DNS and use the VPN's DNS service instead. As a result, there are problems loading some sites (Amazon.com, etc.) and ads are not blocked.

Current Setup:
Asus GT-AC5300 with latest firmware, 3.0.0.4.384.21140 using FusionVPN (OpenVPN client)
Local DNS running Pi-Hole (DNS over HTTPS)

With older firmware (3.0.0.4.384.20648), GT-AC5300 worked fine, clients were using local DNS as configured in DHCP. But with latest firmware, clients are being forced to use VPN's DNS servers instead.

Is there a way to force the VPN connection to use local DNS? Let's say, by editing the x.nordvpn.com.udp.ovpn file?

Any help would be appreciated. Thanks.
 
I use Asuswrt-Merlin and not stock firmware. I have a similar issue with DNS when using Policy Rules. I found a workaround. Not sure if this applies to stock firmware as well. Search for DNS in the blog post for more information.

https://x3mtek.com/torguard-openvpn-2-4-client-setup-for-asuswrt-merlin-firmware/
 
Thanks for the link Xentrk. Could you explain what the difference is between DNS Strict and DNS Exclusive? Looks like those options are only available on Merlin. Unfortunately Merlin does not support the GT-AC5300, so I'm stuck with stock.

As for my situation, I think I may have solved the problem. If forcing clients to use a VPN's DNS service is the norm, then I'm sticking with the last working firmware. If it's a bug, I wish Asus would fix it. I did contact Asus support about this and got my router replaced... tech support believes I have a bad chipset in my router. Whatever. I just got the replacement in yesterday with the same results. Anyways, I've modified my VPN config file and things seem to be working on both the original and replacement router. I'll let it run for a few days to see if I need to go back to an older firmware. Amazon and other sites are working again and both of my DNS servers are working as they should; when one goes down, the other picks up. And finally, ad blocking is working again. So... fingers crossed.
 

The definitions of the Accept DNS Configuration field values are as follows:

a. Disabled: DNS servers pushed by VPN provided DNS server are ignored.

b. Relaxed: DNS servers pushed by VPN provided DNS server are prepended to the current list of DNS servers, of which any can be used.

c. Strict: DNS servers pushed by the VPN provided DNS server are prepended to the current list of DNS servers, which are used in order (existing DNS servers are only used if VPN provided ones don't respond).

d. Exclusive: Only the pushed VPN provided DNS servers are used.
 
@Xentrk,

So I'm guessing that by default my VPN's DNS configuration is set to Strict. It seems that way. If I wanted to ignore the VPN's DNS service, I would need to set DNS to Disabled? How would I do that? I'm running stock firmware since I'm on a GT.

Would I add:
Code:
setenv opt block-outside-dns

And to push my own DNS, is it:
Code:
push "dhcp-option DNS xxx.xxx.xxx.xxx"
or is it:
Code:
dhcp-option DNS xxx.xxx.xxx.xxx
Thanks.

By the way, are you running pfSense on your main server and the Asus routers as APs? I've been thinking about going pfSense sooner or later. If so, how's that working out?
 
What I found with Policy Rules and Accept DNS Configuration Exclusive is dnsmasq is bypassed and AB-Solution will not work over the OpenVPN tunnel. I have to set Accept DNS Configuration to Strict. In the Custom Config section on the OpenVPN Client screen, I add the line
Code:
dhcp-option DNS some.dns.ip.address
This prepends the DNS server to the DNS provided by the VPN tunnel and Dnsmasq will work. However, your DNS will now leak. If I recall, the block-outside-dns only works on a windows client.

I went with pfSense as I was chasing bandwidth. I converted an old Win 7 PC with an Intel i5. I did a write-up here: https://x3mtek.com/openvpn-performance/. I currently use an AC68U as an AP.

The pfSense is my main router at home. I support two AC88Us and an AC86U at three sites I support. I have an AC88U as a spare. I am currently using it to develop selective routing scripts and to experiment with other settings and entware packages that I will write about on my blog site x3mtek.com

I am close to finishing the work on the selective routing scripts this weekend. I then plan to release for beta testing and then publish on github and snbforums. Once I finish, I plan to experiment with DNS some more. Specifically the unbound package and perhaps unbound over TLS.
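An added example, not part of any post in this thread and not Asus, Merlin or NordVPN code, to put the three candidate lines from the question above (`setenv opt block-outside-dns`, `push "dhcp-option DNS ..."`, `dhcp-option DNS ...`) next to Xentrk's answer. It goes one step beyond the thread: OpenVPN 2.4's `pull-filter ignore "dhcp-option DNS"` client directive refuses the DNS the server pushes while still accepting routes and everything else, which is the `.ovpn`-level equivalent of Merlin's Disabled setting. The two `.ovpn` texts are constructed for the demo (hostname, CA block and the 192.168.1.2 resolver are made up); the analyser only knows the directives named here.

```python
"""Work out which DNS servers an OpenVPN client config will end up using.

Knows the directives the thread discusses plus 'pull-filter', OpenVPN 2.4's
way of refusing one pushed option while still accepting the rest."""
import shlex
from dataclasses import dataclass, field
from typing import List

# Constructed sample: the three candidate lines from the question dropped into
# an otherwise ordinary provider-style client file (hostname and CA are fake).
AS_ASKED = """\
client
remote vpn.example.net 1194
remote-cert-tls server
auth-user-pass
setenv opt block-outside-dns
push "dhcp-option DNS 192.168.1.2"
dhcp-option DNS 192.168.1.2
<ca>
not-a-real-certificate
</ca>
"""

# Constructed sample: same file, pushed DNS refused, server-side line removed.
KEEP_LOCAL_DNS = """\
client
remote vpn.example.net 1194
remote-cert-tls server
auth-user-pass
pull-filter ignore "dhcp-option DNS"
dhcp-option DNS 192.168.1.2
"""


def parse_directives(text: str) -> List[List[str]]:
    """[name, arg, ...] per directive; skips comments and inline <ca>/<key> bodies."""
    directives: List[List[str]] = []
    in_block = None
    for raw in text.splitlines():
        line = raw.strip()
        if in_block:
            if line == f"</{in_block}>":
                in_block = None
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and line.endswith(">") and not line.startswith("</"):
            in_block = line[1:-1]
            continue
        directives.append(shlex.split(line, comments=True))  # quoted args stay whole
    return directives


@dataclass
class DnsVerdict:
    pulls: bool = False               # 'client'/'pull': server pushes are applied
    pushed_dns_blocked: bool = False  # pull-filter or route-nopull drops pushed DNS
    local_dns: List[str] = field(default_factory=list)
    notes: List[str] = field(default_factory=list)


def analyze(config_text: str) -> DnsVerdict:
    v = DnsVerdict()
    filters = []  # (action, prefix) in file order; the first match wins
    for d in parse_directives(config_text):
        name, args = d[0], d[1:]
        if name == "setenv" and args[:1] == ["opt"]:
            # 'setenv opt X' makes X non-fatal on builds that lack it; block-outside-dns
            # exists only in the Windows build, so on a router it does nothing.
            if args[1:2] == ["block-outside-dns"]:
                v.notes.append("block-outside-dns is Windows-only; no effect on a router")
        elif name in ("client", "pull"):
            v.pulls = True
        elif name == "route-nopull":
            v.pushed_dns_blocked = True  # drops pushed dhcp-options as well as routes
        elif name == "pull-filter" and len(args) == 2:
            filters.append((args[0], args[1]))
        elif name == "dhcp-option" and len(args) == 2 and args[0].upper() == "DNS":
            v.local_dns.append(args[1])
        elif name == "push":
            v.notes.append("push is a server-side directive; it cannot set this client's DNS")
    for action, prefix in filters:
        # pull-filter compares the pushed option text by prefix; filters narrower
        # than the whole 'dhcp-option DNS' option are not modelled here.
        if "dhcp-option DNS".startswith(prefix):
            if action in ("ignore", "reject"):  # 'reject' also tears the session down
                v.pushed_dns_blocked = True
            break
    return v


def dns_source(v: DnsVerdict) -> str:
    """Summarise where the client's resolvers come from."""
    if not v.pulls:
        return "local dhcp-option DNS only (no pull, so nothing pushed is applied)"
    if v.pushed_dns_blocked:
        return "local dhcp-option DNS only (pushed DNS filtered)"
    if v.local_dns:
        return "pushed DNS and local dhcp-option DNS; precedence depends on the platform's up script"
    return "pushed DNS only"
```

Running `dns_source(analyze(AS_ASKED))` reports that both the pushed and the local entry survive, with the `push` line flagged as a server-side directive and `block-outside-dns` flagged as a no-op off Windows; which of the two resolvers a router then writes into dnsmasq is up to the firmware's up script, which is exactly the behaviour that changed between the two stock firmware builds in the first post. `KEEP_LOCAL_DNS` is the variant that answers the original question on any OpenVPN 2.4 client.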
 
@Xentrk,

Ok. So how do I set my DNS options (Disabled, Relaxed, Strict, Exclusive, etc.) since I'm unable to use Merlin's? What is the correct "terminology" I would have to use in my config file?

Also, am I understanding this DNS leak terminology correctly? It's when an ISP, as well as any eavesdroppers along the way, is able to see a user's website(s) they visit, correct? If I'm using DNS over HTTPS and that traffic is going through the VPN... is a DNS leak still possible?

Unbound over TLS? Sounds interesting. Currently using DNS over HTTPS with Cloudflare. I would like to learn how to setup DNS over TLS. Will keep an eye on your progress if you don't mind.

As for pfSense router, what do you think of something like:
https://www.amazon.com/dp/B0741FF4HV/?tag=snbforums-20
or
https://www.amazon.com/dp/B076B6SWG5/?tag=snbforums-20

Thanks again.
 
Sorry for the late reply as I have been ill.

I can't help you with your question. You may need to ask in the stock Asuswrt forum. Asuswrt-Merlin attempts to keep as close to stock as possible. But the OpenVPN is the major area of improved features compared to stock. And the Accept DNS Configuration setting is one such feature. I will keep you posted on my unbound progress.
 
I originally posted there about my problem but didn't get anywhere.

Anyways, I bit the bullet and got a Protectli to run pfSense. It's been running for two days now and my problems with DNS have been solved. VPN speed is nice, only about 8Mbps less than the regular connection. I've been told that if I was worried about DNS leaks, to run Unbound as my own DNS server on my Raspberry Pi (as well as Pi-hole) so there's no need for DNS over TLS/HTTPS. Too soon to know for sure but everything works well and tests have been positive at the moment. I'll offload my GT for two Ubiquiti Pro access points to finally close out dead spots eventually.
 
I use the Unbound that is bundled with pfSense. No need to install it on a Pi. In the web GUI, you can configure it to use the VPN tunnel. This is the setting that prevents DNS leaks from occurring. I have 3 OpenVPN clients running. When I do a DNS leak test, it reports the IP addresses of the three VPN clients. Let me know if you want a screen print of the config.
 
Xentrk, much appreciated... can always use the help. pfSense can be intimidating at first but I'm enjoying the experience. If I run Unbound on pfSense and then replace Pi-hole with pfBlockerNG, I should be able to repurpose my Raspberry Pi as a UniFi Controller once I receive my Ubiquiti APs.

Thanks again.
 
I plan to do some write ups on my pfSense config once I finish my current project.
Here is a pic of the Unbound GUI. Note how the outbound network interfaces are via the VPN tunnels.

upload_2018-8-14_7-29-38.png
 
Thanks again. Looking forward to reading your pfSense write up.

On another note, do you see any advantages to having six Ethernet ports on the Protectli? Right now I'm only using the LAN & WAN ports; the 4 other ports are not used. Over the weekend Amazon had a "deal" on the Intel NUC8 i7 with dGFx (i7-8705G with Radeon RX Vega). I have extra memory and an SSD from a laptop upgrade and made the purchase knowing that if I was unable to run pfSense on it, it would make a nice media system (HTPC). It's an i7 with two Intel NICs vs an i5 (7200U) with 6 NIC ports; a quad-core 65 W vs a dual-core 15 W CPU. Overkill and a waste of the NUC8 as a router?

Intel Nuc 8: https://www.amazon.com/dp/B07BR3HCZ3/?tag=snbforums-20
Protectli i5: https://www.amazon.com/dp/B076B6SWG5/?tag=snbforums-20
 
Those look like some sweet builds. @sfx2000 has helped me with similar questions. I will defer to him.

My build uses an Intel i5. Last time I looked at Protectli models, they did not have one that supported AES-NI, which is a requirement when pfSense 2.5 is rolled out. AES-NI is key to achieving high speeds when using OpenVPN. I'm glad to see they have some models that support AES-NI now.

The number of ports does not matter on the pfSense appliance. One port is dedicated to WAN and one port to LAN. Most users connect a switch to the LAN port for devices that require a wired connection. I used to use a D-Link flashed with DD-WRT as the AP. I now use an Asus 68U.

I did some research a while back about how to enable the other ports on the appliance for LAN use. I concluded that it was more of a hassle than I was willing to take on. Using a switch is like using an Easy Button in comparison. I don't need VLANs. So, an 8-port unmanaged switch works great for my use case.
 
Seems like the NUC8 would be massive overkill for pfSense, but who ever complained about overkill? :)
Just curious if you ever ended up using it for pfSense and how it was. Does it have Intel or other brand NICs?
 
Yes, the NUC8 is overkill and a waste of its GPU/Thunderbolt 3 ports (etc.) in such an environment, but the Protectli i5 I had originally purchased cost about the same but had an older CPU. Amazon had the NUC8 (BOXNUC8i7HNK1) at $679.99 with an additional discount of $30 a while back; the Protectli i5 was and is still at $639. That price didn't last long though. I went back 30 mins later to order a second one and it had already gone up without the additional discount; it's now $719.99. So using the NUC8, in this case, is a no-brainer.

I ended up returning the Protectli and keeping the NUC8 as my main router along with two new Ubiquiti access points. Sold off my GT-AC5300 at a fair price and can't be happier. It's been more than a month and the network is rock solid. Been tweaking pfSense and hopeful that I am able to tune it to my liking, and considering taking a course at our local tech college to learn more. And yes, both NICs are Intel brand (Intel i219-LM & i210-AT Gigabit Ethernet). For what I am using it for, it's fine. It's not as quiet as the Protectli and uses more power but it's worth it. I just need to upgrade my UPS's battery so that it will last longer. With the GT-AC5300, in a power outage, it would last 3+ hours; the NUC8 lasted almost 2 hours.
 
Hi, sorry to bring up an older thread. Did you make any progress on this blog post? I'm starting to give this a try myself and I think my biggest holdup is DNS. Can you confirm that these settings are really all that's required to get it to work? Do these settings allow regular DNS queries to work too?
 
Well, the NUC8 is definitely overkill for pfSense, but one won't need to worry about capacity I suppose...
 
I had to manually re-enter my pfBlockerNG configs the other day and came across the blog article

https://www.linuxincluded.com/block-ads-malvertising-on-pfsense-using-pfblockerng-dnsbl/

In the article, he configured Unbound (DNS Resolver) differently from how I implemented it. The topic is at the end of the blog post. I did some testing but encountered some issues, so I reverted to my prior setup:

Network Interfaces - LAN
Outgoing Network Interfaces - I select the three OpenVPN clients

I will test some more once the wife is not around to yell at me when the network is not working.

Technically, my configuration leaks DNS as it shows the IPv4 addresses of the three OpenVPN clients when going to ipleak.net. But if you only use one client, you won't have this issue.

Optionally, pfSense 2.4.4_1 allows you to configure DNS over TLS.

https://www.linuxincluded.com/configuring-quad9-on-pfsense/

Note the check boxes in the attachment picture: "DNS Query Forwarding" and "Use SSL/TLS for outgoing DNS Queries to Forwarding Servers".
I got an error message when trying to save the settings. I was able to work around by unchecking the checkbox for the SSL/TLS option. I then pasted the contents below into the Custom Configs box to get it to work (source: https://www.netgate.com/blog/dns-over-tls-with-pfsense.html):

Code:
server:include: /var/unbound/pfb_dnsbl.*conf
forward-zone:
  name: "."
  forward-ssl-upstream: yes
  forward-addr: 1.1.1.1@853
  forward-addr: 1.0.0.1@853
If you do not use pfBlockerNG then the first line should be "server:"

Code:
server:
forward-zone:
  name: "."
  forward-ssl-upstream: yes
  forward-addr: 1.1.1.1@853
  forward-addr: 1.0.0.1@853
 

Attachments: Capture.JPG

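An added example, not part of Xentrk's post and not pfSense, Netgate or pfBlockerNG code: a small checker for the forwarding snippet above. The caveat it adds is that `forward-ssl-upstream: yes` encrypts the hop to 1.1.1.1 but, without a `tls-cert-bundle` in the `server:` clause and a `#name` suffix on each `forward-addr`, Unbound does not verify whose certificate answered on port 853, so the posted config defeats passive logging of queries but not an active man-in-the-middle on the WAN. `POSTED` is the thread's snippet copied as-is; `AUTHENTICATED` is written for this example and assumes the `tls-cert-bundle` option and the `@853#name` syntax are available in the Unbound bundled with pfSense 2.4.4, with FreeBSD's CA bundle path.

```python
"""Audit the forward-zone part of an unbound.conf fragment for DNS leaks and
for upstream TLS that is encrypted but never authenticated."""
import re
from typing import Dict, List, Tuple

# The forwarding snippet from the post above, copied as-is.
POSTED = """\
server:include: /var/unbound/pfb_dnsbl.*conf
forward-zone:
name: "."
forward-ssl-upstream: yes
forward-addr: 1.1.1.1@853
forward-addr: 1.0.0.1@853
"""

# Hardened variant written for this example: a CA bundle (FreeBSD's path) plus
# the '#name' suffix so Unbound checks the upstream certificate's hostname.
AUTHENTICATED = """\
server:include: /var/unbound/pfb_dnsbl.*conf
server:
  tls-cert-bundle: /usr/local/share/certs/ca-root-nss.crt
forward-zone:
  name: "."
  forward-ssl-upstream: yes
  forward-addr: 1.1.1.1@853#cloudflare-dns.com
  forward-addr: 1.0.0.1@853#cloudflare-dns.com
"""

CLAUSES = {"server", "forward-zone", "stub-zone", "auth-zone", "view", "remote-control"}
Clause = Tuple[str, List[Tuple[str, str]]]


def parse(text: str) -> List[Clause]:
    """Split unbound.conf text into (clause, [(key, value), ...]).

    '#' starts a comment only at line start or after whitespace, so the
    '@853#name' suffix survives; a clause name may be followed by a key on
    the same line because pfBlockerNG writes 'server:include: ...' that way.
    """
    clauses: List[Clause] = []
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        while line:
            key, sep, rest = line.partition(":")
            if not sep:
                break
            key, rest = key.strip(), rest.strip()
            if key in CLAUSES:
                clauses.append((key, []))
                line = rest
            else:
                if clauses:
                    clauses[-1][1].append((key, rest.strip('"')))
                line = ""
    return clauses


def audit(text: str) -> List[str]:
    """One finding per way a forward-zone leaks queries or trusts an unverified upstream."""
    clauses = parse(text)
    server: Dict[str, str] = {}
    for name, items in clauses:
        if name == "server":
            server.update(items)
    # Without a CA bundle Unbound opens TLS but does not verify the peer certificate.
    has_ca_bundle = bool(server.get("tls-cert-bundle"))
    findings: List[str] = []
    for name, items in clauses:
        if name != "forward-zone":
            continue
        opts = dict(items)
        zone = opts.get("name", "?")
        if "yes" not in (opts.get("forward-ssl-upstream"), opts.get("forward-tls-upstream")):
            findings.append(f"{zone}: forward-ssl-upstream is not 'yes'; queries leave in cleartext")
            continue
        if not has_ca_bundle:
            findings.append(f"{zone}: no tls-cert-bundle in the server clause; upstream TLS is encrypted but unverified")
        for addr in (v for k, v in items if k == "forward-addr"):
            _host, _, port_and_name = addr.partition("@")
            port, _, auth_name = port_and_name.partition("#")
            if port != "853":
                findings.append(f"{zone}: {addr} does not use the DNS-over-TLS port 853")
            if not auth_name:
                findings.append(f"{zone}: {addr} has no #auth-name, so no hostname is matched against the certificate")
    return findings
```

`audit(POSTED)` returns three findings (the missing bundle and the two unnamed forwarders) and `audit(AUTHENTICATED)` returns none; paste the `AUTHENTICATED` text into the same Custom options box to get the authenticated version. The multi-tunnel address exposure Xentrk mentions (ipleak.net showing all three OpenVPN client IPs) is a routing property of having several outgoing interfaces and is not something this check can see.
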
It seems like it might be too hard to forward all requests for, say, Netflix to your American VPN client specifically though. I can get the traffic to go to the right gateway by using an alias for all Netflix IP addresses, but I can't figure out a way to force all DNS requests for "netflix.com" (and all other relevant URLs too) out a particular gateway regardless of the source. Any ideas?
 