
Diversion Is there any way to get Diversion working with OpenVPN Client in Merlin 388.1 RT-AX88U?

Skeptical.me

Very Senior Member
I've found that if I use an OpenVPN Client and set Accept DNS Configuration to Exclusive, Diversion stops working. I did read something in the 388.1 release notes but I'm not sure I understood. Is there a tutorial to get Diversion working while using an OpenVPN client in Merlin 388.1?



Code:
388.1 (3-Dec-2022)

  - CHANGED: Setting an OpenVPN client to redirect all traffic while
             in "Exclusive" DNS mode will now force redirect ALL
             DNS traffic just like in VPN Director mode.
             While this will allow redirecting clients with
             hardcoded DNS servers, it also means that your whole
             LAN will lose the ability of doing local name
             resolution.  It might be best to use VPN Director
             in that case to control which client should
             be involved in the DNS redirection, or use
             DNS Director instead of Exclusive DNS mode.
 
Set Accept DNS Configuration = Disabled in the OVPN Client settings. It will use the router's LAN IP for DNS. This allows Diversion to work as it does on your LAN.
 
Will the VPN still work perfectly okay? I actually need websites to use the VPN's DNS, I use ExpressVPN to stream US content here in Australia. And some websites won't stream unless I'm using the VPN's DNS.
 
I just set up the VPN as you've suggested. The good news is Diversion works, and some streaming apps on the Apple TV work, but others like Amazon Prime, Netflix, and HBO Max don't work. ExpressVPN does something with the DNS they use that allows them to overcome VPN blocks on some sites' apps.
 
You could set up a separate client just for the US device requirements as I do.
The Amazon app doesn't work on my Android phone either. It's because we are blocking specific ad domains that the app requires. If you were to enable the domains to get the app to work, you would have ads all over the place on other sites. Some things don't work with a VPN. Amazon Prime detects my VPN but Netflix doesn't. Disney+ detects my VPN and it shuts down access as well. So your issue is quite common.
 
With ExpressVPN, Amazon Prime Video, Disney+, Netflix and HBO Max all work; ExpressVPN is simply the best for streaming foreign content. But you need your LAN to use their IP as well as their DNS for some reason; I'm not aware of the mechanics of it all. I'll just have to have one client's DNS Configuration set to Exclusive for the times I want to watch content using those apps and have Diversion temporarily unusable.

EDIT: Actually with VPN Director I've been able to set one VPN client up just for the Apple TV and set the DNS configuration to Exclusive and those other apps are working now. And Diversion is working on the other devices using a separate VPN Client with the DNS Configuration set to Disabled.
 
Thanks for your feedback, I'm trying a few DNS related changes to my VPN to see if Disney+ and Prime will work.
 
The AdGuardHome addon supports custom upstream DNS for specific clients while maintaining adblock. If you want adblock for devices routed to the VPN while using their DNS, perhaps you can try disabling Accept DNS and entering your VPN provider's DNS in the AdGuardHome custom client settings. I briefly tested with NordVPN and it seems to work.
 
Thanks for your feedback, I'm trying a few DNS related changes to my VPN to see if Disney+ and Prime will work.
Figured it out, it was my stupidity. You however got my brain started! Thanks.
 
I'm glad you got a solution to your issue while helping me, thanks!
 
Yeah I subscribed to the wrong feature from my VPN provider, I contacted support, they made the administrative change and boom it all works.
 
What VPN provider are you with?
 
Torguard, I live in central Canada.

I've used Torguard before, they're good.

I'm wondering if you know whether WireGuard works with Diversion on 388.1? I have a Proton subscription for mail but it includes VPN so I could use a Wireguard connection for the devices I use to surf the internet and ExpressVPN for my Apple TV. I just figure if I'm not using ExpressVPN's DNS on the devices I surf the internet on, what's the point in using a VPN?
 
I'm behind a double NAT, so using AdGuardHome isn't an option. And my living arrangements make it impossible for me to put the ISP router into bridge mode because other people use the wifi on it.
 
I'm wondering if you know whether WireGuard works with Diversion on 388.1?
Yes, I run a WireGuard server and a client on my AX88U. I route the WireGuard server's connected clients through my WireGuard client connected to Torguard. If the WireGuard client and DNS Director are set up right, this all works well. I am, however, having trouble accessing LAN devices. For example, I can't view my router's webui when connected to my WireGuard server. I'm pursuing a solution as we speak.
I just figure if I'm not using ExpressVPN's DNS on the devices I surf the internet on, what's the point in using a VPN?
If you trust the DNS you are using then it's fine. The VPN still provides the protection you are looking for in spite of the DNS leak. If you need GEO location bypass, you will need your VPN's DNS though. By trust I mean, if you are using DoT and DNSSEC on your router and you want to use it, go ahead. The DNS leak will reveal only where you get DNS resolution from. Nothing else. My DoT DNS resolves from Vancouver B.C. Canada. My actual location is a long way away from there.
I'm behind a double NAT, so using AdGuardHome isn't an option. And my living arrangements make it impossible for me to put the ISP router into bridge mode because other people use the wifi on it
What I would do is bridge the ISP router/modem and set up a guest network on the Asus router you have, with the same SSID and password that you are using on the ISP router presently. The change won't require them to re-enter the information to connect; it will just work. This can be done without granting access to the intranet, so they can't hack your router. They will not have the benefits of Diversion, but they don't have that now, so...
 
Is there a tutorial for setting up DoT in the router? If you don't know if there's one no need to look, it's not something I've learned to do as yet. Using the OpenVPN client my ISP DNS is leaking, if it's possible to use another DNS server (whilst keeping Diversion working) using DoT that would be great.

Edit: All metadata is captured for two years by the Australian Government, I'd rather keep my data private.
 
Here is my DNS, I use Cloudflare because they don't keep logs of your DNS queries.
[Screenshots: DNS.png, DNS Select Tool.png]
The first screenshot is my DNS settings, the second screenshot is the item in the DNS DoT settings, where you select a preset DNS server.
 
If DNS Director is set to Router, then all your connected clients will use the DoT settings. If you need a device to use a different DNS server because of a VPN, then you would add the device and its specific DNS to the DNS Director clients list. Something like this:
[Screenshot: DNS Director.png]
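
The release note and the replies in this thread turn on one question: where does each client's port-53 traffic end up, given that Diversion only sees queries that reach the router's own resolver. As an added example (not part of the thread, and not Asuswrt-Merlin or Diversion code), this script reads a saved `iptables -t nat -S` dump and lists the clients whose DNS is DNATed away from the router. The chain name `DNS_CLIENTS`, all addresses and the function names are assumptions, and rules using `!`, `-d` or MAC matching are skipped rather than modelled.

```python
import ipaddress
import shlex

# Constructed `iptables -t nat -S` excerpt: chain name and addresses are invented.
SAMPLE_RULES = """\
-A PREROUTING -p udp -m udp --dport 53 -j DNS_CLIENTS
-A PREROUTING -p tcp -m tcp --dport 53 -j DNS_CLIENTS
-A DNS_CLIENTS -s 192.168.50.20/32 -j DNAT --to-destination 1.1.1.1
-A DNS_CLIENTS -s 192.168.50.40/32 -j DNAT --to-destination 10.8.0.1
-A DNS_CLIENTS -s 192.168.50.64/26 -j DNAT --to-destination 10.8.0.1
"""
UNMODELLED = {"!", "-d", "--mac-source"}  # rules using these are skipped

def parse(rules_text):
    """Group the options of each -A rule by chain, in listed order."""
    chains = {}
    for line in rules_text.splitlines():
        tok = shlex.split(line)
        if len(tok) < 2 or tok[0] != "-A" or UNMODELLED & set(tok):
            continue
        opts = {tok[i]: tok[i + 1] for i in range(2, len(tok) - 1) if tok[i].startswith("-")}
        chains.setdefault(tok[1], []).append(opts)
    return chains

def walk(chains, ip, proto, chain="PREROUTING", depth=0):
    """First-match walk for a port-53 packet: DNAT address, 'local', or None."""
    for r in chains.get(chain, []):
        src_ok = "-s" not in r or ip in ipaddress.ip_network(r["-s"], strict=False)
        if not src_ok or r.get("-p", proto) != proto or r.get("--dport", "53") != "53":
            continue
        target = r.get("-j")
        if target == "DNAT":
            return r["--to-destination"].split(":")[0]
        if target in ("ACCEPT", "REDIRECT", "RETURN"):  # RETURN resumes the caller
            return None if target == "RETURN" else "local"
        if target in chains and depth < 8:
            hit = walk(chains, ip, proto, target, depth + 1)
            if hit is not None:
                return hit
    return None

def dns_bypass(rules_text, router_ip, clients):
    """Map client name -> {proto: resolver} where DNS is forced off the router."""
    chains = parse(rules_text)
    report = {}
    for name, addr in clients.items():
        dests = {p: walk(chains, ipaddress.ip_address(addr), p) for p in ("udp", "tcp")}
        report[name] = {p: d for p, d in dests.items() if d not in (None, "local", router_ip)}
    return report
```

An empty dict for a client means no rule forces its DNS elsewhere, so Diversion applies as long as that client uses the router's LAN IP as its resolver.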
 
