Merlin OpenVPN Client settings

TrebleTA

Regular Contributor
Hi all, so I've been trying to set up a client OpenVPN for my DSL-AX82U. Upon setting up I can select Accept DNS Config. If I select anything but Exclusive, I am getting DNS leaks; is this normal?
If I select Exclusive, only 1 DNS is found.
Other settings can get like 100 DNS servers. If I then use DNS filtering, well, my DNS servers found are Swiss and Japanese. Yet in DNS filtering I selected 8.8.8.8... what's happening?

eibgrad

Part of the Furniture
There are two different scenarios for the use of Exclusive; when ALL traffic is routed over the VPN by default, vs. traffic is selectively routed over the VPN using the VPN Director.

In the case of the former, DNSMasq is reconfigured to only use the DNS server(s) pushed by the OpenVPN server (those already defined on the WAN are ignored). In that situation, you will have multiple DNS servers "in play" provided the OpenVPN provider pushes multiple DNS servers.

However, in the case of the latter, the situation changes. For each client managed by the VPN Director, the router creates a rule in the firewall that redirects the client's DNS to *one* of the DNS servers pushed by the OpenVPN server (DNSMasq remains unchanged). Since by definition you can only redirect to a single destination IP, that's why in that particular scenario the client is "locked into" one and only one DNS server. It's also why in that scenario those clients lose access to any and all other DNSMasq features, be it local name resolution, ad-blocking, local caching, etc.

eibgrad

Part of the Furniture
P.S. When you do NOT use Exclusive, it can create DNS leaks because of the way DNSMasq works. When using Strict or Relaxed, you're *combining* the WAN's DNS server(s) (typically provided by the ISP, or custom servers if you choose to do so) w/ those of the OpenVPN provider. Some ppl are under the impression (wrongly) that using Strict will force only the OpenVPN provider's DNS servers to be used. But that's simply NOT the case. Given enough time and activity, ***ALL*** the available DNS servers (which includes those defined on the WAN) will eventually be used.

That's why, for all practical purposes, if you only want the OpenVPN provider's DNS servers to be used, you must use Exclusive. Anything else means potential DNS leaks. But as I explained above, Exclusive has its own issues too.

There's a lot more meat and potatoes discussion about DNS handling that you might find useful in the following thread.


TrebleTA

Regular Contributor
Thank you for the info. So, if I get this right:

1. If I'm in VPN Director, I should only assign 1 device, else it can run into problems if I'm using Exclusive, unless I use it for all traffic, not VPN Director?

2. If I don't want DNS leaks then I want Exclusive, yet on the VPN setup guide from them they picked Relaxed?

I was using Cyber Ghost.
P.S. Also when I used Exclusive, only 1 DNS was available.
Also, if my IP address is a VPN, do I need to worry about DNS tracking?

eibgrad

Part of the Furniture
1. NO. What I'm saying is that for each local IP/network listed in the VPN Director, the router will use one and only one DNS server pushed by the OpenVPN server, and create a firewall rule for each local IP/network that redirects all DNS queries from those IPs/networks to that DNS server and over the VPN.

2. The VPN providers' configuration information is routinely wrong and outdated. But even when it is correct, they may be *assuming* that you have the OpenVPN client configured to route *all* traffic over the VPN by default, and NOT necessarily selectively using the VPN Director (some VPN provider instructions haven't even been updated since the VPN Director was introduced w/ 386.3!). So their recommendations often assume that any DNS servers configured w/ the router, whether from the ISP or those provided by the VPN provider, will be routed over the VPN. But when using the VPN Director, this removes the router itself from the VPN, and that raises the possibility that the ISP's DNS server(s) might be accessed over the WAN (esp. since ASUS started statically binding the WAN's DNS servers to the WAN back w/ 386.4).

Basically, you can't trust the VPN providers' instructions when it comes to DNS. It's a complicated subject, and most are unwilling/unable to keep their instructions in sync w/ changes to the router.
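Added illustration (Python, not code from the router firmware or from anyone in this thread) of the DNS paths eibgrad describes in this post and the earlier one: which resolvers a LAN client can reach under Exclusive, Strict and Relaxed, with all-traffic routing versus the VPN Director. The resolver addresses, client IPs, and the choice of the first pushed server as the DNAT target are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample values (assumptions, not from the thread):
WAN_DNS = ["203.0.113.53"]                  # resolver the ISP handed to the WAN
VPN_PUSHED_DNS = ["10.8.0.1", "10.8.0.2"]   # resolvers pushed by the OpenVPN server

MODES = ("exclusive", "strict", "relaxed")  # Accept DNS Configuration choices


@dataclass
class Client:
    ip: str
    in_vpn_director: bool = False   # listed in a VPN Director rule for this tunnel


def resolvers_for(client: Client, mode: str, route_all: bool):
    """Return (set of resolvers the client may hit, dnsmasq_bypassed).

    route_all=True  : the OpenVPN client routes all traffic by default.
    route_all=False : traffic is selected per client with the VPN Director.
    """
    mode = mode.lower()
    if mode not in MODES:
        raise ValueError(f"unknown Accept DNS Configuration mode: {mode}")
    if mode == "exclusive":
        if route_all:
            # dnsmasq is reconfigured to forward only to the pushed servers,
            # so every pushed server is in play and the WAN servers are ignored.
            return set(VPN_PUSHED_DNS), False
        if client.in_vpn_director:
            # A firewall DNAT rule sends this client's port-53 traffic to ONE
            # pushed server (assumed: the first); dnsmasq is bypassed entirely.
            return {VPN_PUSHED_DNS[0]}, True
        # Not selected by the VPN Director: ordinary WAN resolution via dnsmasq.
        return set(WAN_DNS), False
    # strict / relaxed: dnsmasq keeps the WAN servers AND adds the pushed ones;
    # given enough queries, every one of them will eventually be used.
    return set(WAN_DNS) | set(VPN_PUSHED_DNS), False


def leaks(client: Client, mode: str, route_all: bool) -> bool:
    """True when a VPN-bound client's query can reach a resolver the VPN did not push."""
    uses_vpn = route_all or client.in_vpn_director
    used, _ = resolvers_for(client, mode, route_all)
    return uses_vpn and not used <= set(VPN_PUSHED_DNS)


def report(client: Client) -> dict:
    """Leak status for every mode/routing combination, keyed by (mode, route_all)."""
    return {(m, r): leaks(client, m, r) for m in MODES for r in (True, False)}
```

Calling `report(Client("192.168.1.10", in_vpn_director=True))` shows only the two Exclusive combinations as leak-free, matching the advice above.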

TrebleTA

Regular Contributor
Right, I see. A big thank you.

So that explained what I was seeing. Is there a workaround to make VPN Director more like Route all?

I did like the idea of 3 client profiles: 1 for gaming stuff, 1 for the web browser for like mobiles, and 1 for p2p streaming for the PC.
Yet the setting I had seemed to be OK and with 1 DNS, but Cyber Ghost do not support gaming over VPN, only via their app. Also BBC iPlayer was getting problems, among other things, so I have cancelled. So now I'm looking for a better VPN, once they give me a refund. If you know of a better one, or anyone else with one they're impressed with?
