Mullvad and Merlin

Ai_

Occasional Visitor
Hello

A query

The Mv guide is https://mullvad.net/en/help/asus-merlin-and-mullvad-vpn/

It seems incorrect (and also out of date, as the screenshots do not match the actual interface). Under "Setting up the DHCP Server DNS" it says:

Note: Merlin firmware version 386.5_2 may fail this step and make the router inaccessible. If this happens you can install a newer firmware version or the older 386.5 instead.

At this point even on the latest Merlin the router becomes inaccessible

Going back to an earlier version is not really ideal

Also, I'm trying to get all the DNS blocklists working (https://github.com/mullvad/dns-adblock). To block everything, enter: 100.64.0.31

Thoughts welcome, thanks

Ai_

Occasional Visitor
Ok, downgraded firmware to 386.5 and seems to be working.
What went wrong after that?

eibgrad

Part of the Furniture
Just a lot of bad advice on Mullvad's part here.

Do NOT change the DNS servers in the DHCP server as suggested. By doing so and NOT advertising the router's IP, *all* your clients will be directly bound to the VPN provider's DNS servers, even those NOT bound to the VPN through the VPN Director, and will be denied access to DNSMasq, which means the loss of everything it has to offer, including local name resolution, caching, ad blocking, etc. In effect, DNSMasq, at least as a DNS server, becomes null and void. You might as well disable it.

To make matters worse, of the recommended DNS servers (193.138.218.74 and 10.8.0.1), only the latter is bound to the VPN, since that appears to be their end of the tunnel. With the VPN Director active and "Accept DNS configuration" set to Relaxed (their recommendations), the former will be routed over the WAN (at least for the purposes of DNSMasq), which is a recipe for DNS leaks! Not unless you take steps to explicitly bind it to the VPN w/ a route directive in the custom config field.

Code:
route 193.138.218.74

(note, it's also possible to bind that IP to the VPN using routing policy)

Even the fact they recommend Relaxed makes no sense. Given the rest of their recommendations, as I said, DNSMasq won't be used anyway; all the clients are purposely told NOT to use it. It would actually make more sense to set "Accept DNS configuration" to Disabled, since any reconfiguration of DNSMasq for DNS purposes is pointless.

All in all, the whole approach is bad, even if it can technically be made to work.

The preferred method is to leave the DHCP server alone and manage access to their DNS servers through the "Accept DNS configuration" option. Most VPN providers will push their own DNS servers at the time of the connection. Depending on how "Accept DNS configuration" is configured, the router will reconfigure DNSMasq appropriately.

The only setting that guarantees no DNS leaks is Exclusive. And while those bound to the VPN will lose access to DNSMasq, at least it's *only* those clients, NOT the whole WLAN/LAN! Even if you didn't use the VPN Director at all, you'd still be better off using Exclusive, since then access to DNSMasq would be retained for ALL your clients.

This is what makes DNS configuration so difficult. There's a boatload of ifs, ands, and buts that go into any proper configuration. And numerous settings across multiple GUI pages. It's just too darn complicated. And it doesn't help when the VPN provider is just as confused as the customer. The customer *assumes* the VPN provider knows what they're doing, but that's often NOT the case.

In fairness, the VPN provider also has to make assumptions about what YOU want in terms of DNS behavior. Not everyone has the same needs or intentions, but the VPN provider can't possibly address all situations. So he makes broad, sweeping assumptions that sometimes lead to bad outcomes.
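The leak described above (a pushed DNS server that the router reaches over the WAN instead of the tunnel) is easy to verify from the router's own routing table rather than by guessing. The script below is an added example, not code from the thread or from Mullvad or Merlin: it parses `ip route get` output, reports which DNS server IPs leave via the expected tunnel interface and which do not, and can be pointed at the live system on the router. It assumes the OpenVPN client interface is named tun11 (the usual name for client 1 on Merlin; adjust if yours differs), and the two sample routing lines are constructed, not captured from a real router.

```shell
#!/bin/sh
# Constructed sample `ip route get` output for the two DNS servers named in
# the thread: the first is routed over the WAN, the second over the tunnel.
SAMPLE_WAN='193.138.218.74 via 203.0.113.1 dev eth0 src 203.0.113.10'
SAMPLE_TUN='10.8.0.1 dev tun11 src 10.8.0.2'

# route_dev: print the outgoing interface named in one line of `ip route get` output.
route_dev() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# dns_bound_to_vpn: succeed (0) only if the route in $1 leaves via interface $2.
dns_bound_to_vpn() {
    dev=$(route_dev "$1")
    [ "$dev" = "$2" ]
}

# check_live: look up a DNS server IP in the running router's routing table.
# Returns 2 if the lookup itself fails, 1 if the route is not via the tunnel.
check_live() {
    out=$(ip route get "$1" 2>/dev/null) || return 2
    dns_bound_to_vpn "$out" "$2"
}

# report: take the tunnel interface and a list of "ip=route-output" entries,
# print a line per DNS server, and return the number of servers that leak.
report() {
    tun="$1"; shift
    leaks=0
    for entry in "$@"; do
        ip=${entry%%=*}; out=${entry#*=}
        if dns_bound_to_vpn "$out" "$tun"; then
            echo "OK   $ip -> $(route_dev "$out")"
        else
            echo "LEAK $ip -> $(route_dev "$out") (not $tun)"
            leaks=$((leaks + 1))
        fi
    done
    return $leaks
}

# Stand-alone usage on the constructed samples: `sh thisscript.sh --demo`.
if [ "${1:-}" = "--demo" ]; then
    report tun11 "193.138.218.74=$SAMPLE_WAN" "10.8.0.1=$SAMPLE_TUN"
fi
```

On the router itself, `check_live 193.138.218.74 tun11` answers the actual question: if it returns 1, that DNS server is reached over the WAN and DNSMasq queries to it will leak, which is exactly what the `route 193.138.218.74` directive (or a routing-policy rule) is meant to fix. Running it again after adding the directive confirms the fix took.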
