IPSec VPN Server and Internet routing

lluke

Occasional Visitor
Hi All,
In the past, I configured 2 different IPSec VPN Servers to join the home network while on the go, with the following setup:

  • Server #1: just to connect to the internal LAN(s), achieved by leaving the "DNS Server" entries empty in the Advanced Settings of the VPN Server configuration page
  • Server #2: to fully route the internal LAN(s) and internet traffic, achieved by specifying the router's internal IP in the "DNS Server 1" entry in the Advanced Settings of the VPN Server configuration page

I'm pretty sure it worked on Merlin firmware until a couple of versions ago (not sure which one, unfortunately), but now I see the internet routed through the VPN also when using Server #1.
Checking (from here) the DNS server identified while running Server #1 and #2, I get in both cases the public IP of the router (expected only for Server #2, since I run unbound in my setup).

Is the scenario I'm looking for still feasible and supported by the Merlin firmware? If so, should I add any other setting/rule to get it working as expected?


PS: my setup is an RT-AC86U currently on AsusWRT Merlin 386.12 using unbound as DNS Server running directly on the router.


Thanks in advance for the support!

Just put a dummy IP for DNS on server 1, like an IP on your LAN that doesn't respond to DNS? Simply removing DNS access isn't really a secure way of blocking Internet though, you should be using IP filtering or at least some static routes.
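One way to do the IP filtering this reply suggests, as an added example that is not from the thread or the firmware: an AsusWRT-Merlin `/jffs/scripts/firewall-start` fragment that confines the IPsec VPN clients of Server #1 to the LAN, so no internet traffic can be forwarded for them regardless of what DNS the client ends up using. The `10.10.10.0/24` client pool and `192.168.50.0/24` LAN are assumed placeholders; set them to your own values.

```shell
#!/bin/sh
# Added example (not from the thread): firewall-start fragment for AsusWRT-Merlin
# that confines IPsec VPN clients to the LAN with IP filtering in the FORWARD chain.
# VPN_POOL and LAN_NET are assumed placeholders; override them for your setup.
VPN_POOL="${VPN_POOL:-10.10.10.0/24}"   # assumed IPsec client address pool
LAN_NET="${LAN_NET:-192.168.50.0/24}"   # assumed home LAN
CHAIN="VPN1_LAN_ONLY"

ipt() {
    # Run iptables only when APPLY=1; otherwise print the rule so the policy
    # can be reviewed (or tested) without touching the live firewall.
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

vpn_lan_only_rules() {
    pool="$1"; lan="$2"
    ipt -N "$CHAIN" 2>/dev/null          # create once; harmless if it already exists
    ipt -F "$CHAIN"                      # rebuild on every firewall restart
    ipt -A "$CHAIN" -d "$lan" -j RETURN  # destinations on the home LAN are allowed
    ipt -A "$CHAIN" -j REJECT            # everything else (internet) is refused
    # Hook the chain for forwarded packets coming from the VPN client pool;
    # delete first so repeated runs do not stack duplicate jumps.
    ipt -D FORWARD -s "$pool" -j "$CHAIN" 2>/dev/null
    ipt -I FORWARD 1 -s "$pool" -j "$CHAIN"
}

vpn_lan_only_rules "$VPN_POOL" "$LAN_NET"
```

Traffic addressed to the router itself (for example the DNS resolver running on it) passes through INPUT rather than FORWARD, so it is not affected; set `APPLY=1` in the installed script to actually load the rules instead of printing them.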
I'll give this a try, but I expect to lose internet connectivity once connected to a VPN Server with a wrong DNS configuration. Am I wrong?

Maybe it wasn't clear from the first message, but when connected to VPN Server #1 the devices should be able to reach the internet through their existing connection and use the VPN tunnel only for intranet access.
In the past, this was the behaviour of the IPSec VPN Server when no DNS servers were provided.

For that you need the client to be set up to allow split tunneling and tell it which subnet you want routed over the VPN, and that the rest should go direct.

What was happening before was probably a bug that you were benefitting from.

Got it, I don't think the native iOS/macOS clients allow tunnel splitting. I hope I'll find out which "bug I was benefitting from" so I can eventually replicate the same "rule" (e.g. firewall or whatever else) through a custom script.

Thanks for the support!

If you were able to have some access going via the VPN and other traffic bypassing it, they must support split tunneling.

The DNS handed out by the router to the client should only be used for the tunnel traffic, so having a fake DNS there and a real one on the main connection should work. You can even mess with priorities to have the main internet connection be the preferred path and a static route for your home network via the VPN, but that is getting a bit messy. Or maybe go into the properties of the virtual VPN adapter, change just the DNS section to manual and leave it blank.

You can toy with settings in the Asus, but as far as I know if you leave it blank it will hand out itself as the DNS server, unless (possibly) you disable the DNS server on the router completely.