OpenVPN client when ISP disallows third party DNS servers

Wanch

I have run into something I have really no idea how to solve.

I am currently in Indonesia and wanted to put a VPN client to Express VPN on my router, an ASUS RT-AC86U flashed with Asuswrt-Merlin.

The problem is, the Indonesian ISP does not allow you to use any other DNS server than their own. If I don't use Automatic DNS server on my router or the specific DNS servers of the ISP, I am blocked from going online. This happens with VPN on, without VPN, on the router, and also if I try to change the DNS directly on a Mac, a PC or a mobile device. Google DNS, CloudFlare DNS, Open DNS... all the same. I am not able to go online unless I use my ISP's DNS servers.

If I configure an OpenVPN client to Express VPN on my router, I have no problem connecting to the VPN server. But once I try to enter a third party DNS, internet is blocked.

Without a third party DNS, my ISP's DNS is blocking and censoring internet, which I assume is the whole reason why my ISP is forcing me to use their own DNS servers in the first place.

If I am using the dedicated applications from Express VPN on my Mac and my mobile devices, then I have no problem accessing parts of the web such as Reddit and Vimeo, which are deemed dangerous in Indonesia.

So, does anyone have any suggestions or ideas of what I can do, to have a VPN client on my router when my ISP disallows third party DNS servers?

Thanks
 
An ISP cannot block DNS servers going through a VPN because that VPN traffic hides those DNS queries from them. In this case, it's most likely the opposite - your VPN provider blocks third party DNS other than their own DNS, to prevent accidental leaks.

Just make sure your VPN client has DNS mode set to "Exclusive".
 
Thank you very much.

By changing the setting to "Exclusive", at least I can now, by using *my ISP DNS* while connected to the Express VPN server, access sites that were blocked by my ISP.

But still, if I change the DNS to Google or CloudFlare, internet is blocked. The same happens without an active VPN connection.

If I go to "WAN", change "Connect to DNS Server automatically" to "no", and add 1.1.1.1 and 1.0.0.1 to DNS Server 1 and 2 respectively... no internet! That happens with an active VPN client connection, and also without an active VPN client connection.

I know that ExpressVPN wants me to use CloudFlare or Google DNS servers, as they do not provide any DNS servers themselves for customers who manually set up a VPN client on a router to them. So I know ExpressVPN allows using third party DNS servers.

So it sure seems like my ISP is not allowing any other DNS's than their own.
 
So it sure seems like my ISP is not allowing any other DNS's than their own.

Based on what you posted so far, this seems to be the issue.
 
What browsers are you using to test with? Are you rebooting the router and your devices (or at least flushing the caches on the browsers) after each change when testing?

Maybe the Firefox implementation of DoH will help in this case?
 
Test adding this to the custom config in the VPN client:

Code:
dhcp-option DNS 1.0.0.1
dhcp-option DNS 1.1.1.1
push "dhcp-option DNS 1.0.0.1"
push "dhcp-option DNS 1.1.1.1"

Or maybe try https://www.snbforums.com/threads/release-dnscrypt-installer-for-asuswrt.36071/
with DoH servers; I recommend installing it through amtm.

The custom configuration you provided to add to the VPN client worked! But I got DNS leaks. At least I managed to bypass my ISP's third party DNS block. Anything I can do about the DNS leaks?

Thank you!
 
What kind of DNS leaks do you get? What do you see when you, for example, check https://www.dnsleaktest.com/?

Test setting:
Advanced Settings:
Force Internet traffic through tunnel: Policy rules (strict)
Block routed clients if tunnel goes down: yes (kill switch if tunnel goes down)
Extra list for clients:
If your router uses 192.168.1.1 as its login address (otherwise change the lines below to what you use):
ALL 192.168.1.0/24 0.0.0.0 VPN (routes all clients through the VPN)
Router 192.168.1.1 0.0.0.0 WAN (router is kept on WAN = good)
Just add more clients if needed on WAN (through the ISP).
It is good to add those clients manually under LAN/DHCP-Server:
Enable Manual Assignment = yes
Add those clients by MAC address there,
so they get the same IP from the router every time they connect.
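
A way to check for the DNS leaks discussed in this thread, as an added example that is not part of any post above: the script scans packet-capture lines for plaintext DNS queries leaving through the WAN interface rather than the VPN tunnel. The interface names `eth0` and `tun11` and the capture lines are constructed assumptions, modelled on `tcpdump -ni any port 53` output.

```shell
#!/bin/sh
# Added example: flag plaintext DNS queries that leave via the WAN interface
# instead of the VPN tunnel. Interface names are assumptions; adjust to your router.
WAN_IF="eth0"     # assumed WAN interface name
TUN_IF="tun11"    # assumed OpenVPN client tunnel interface (shown for reference)

# Constructed sample lines in the style of `tcpdump -ni any port 53` output.
sample_capture() {
cat <<'EOF'
12:00:01.000001 tun11 Out IP 10.8.0.2.40112 > 1.1.1.1.53: 4660+ A? example.org. (29)
12:00:01.050000 tun11 In  IP 1.1.1.1.53 > 10.8.0.2.40112: 4660 1/0/0 A 192.0.2.10 (45)
12:00:02.000001 eth0 Out IP 198.51.100.7.53211 > 203.0.113.53.53: 4661+ A? example.net. (29)
12:00:03.000001 eth0 Out IP 198.51.100.7.53212 > 1.0.0.1.53: 4662+ AAAA? example.com. (29)
12:00:04.000001 tun11 Out IP 10.8.0.2.40113 > 1.0.0.1.53: 4663+ A? example.com. (29)
EOF
}

# Reads capture lines on stdin; prints "resolver queried-name" for every
# outbound IPv4 query to port 53 that was seen on the WAN interface.
find_dns_leaks() {
    awk -v wan="$WAN_IF" '
        $2 == wan && $3 == "Out" && $4 == "IP" && $6 == ">" {
            dst = $7; sub(/:$/, "", dst)        # strip the trailing colon
            n = split(dst, p, ".")              # a.b.c.d.port
            if (n != 5 || p[5] != "53") next    # keep only destinations on port 53
            for (i = 8; i < NF; i++)
                if ($i ~ /[?]$/) {              # query type token, e.g. "A?"
                    print p[1] "." p[2] "." p[3] "." p[4], $(i + 1)
                    break
                }
        }'
}

# Number of leaked queries found in the capture on stdin.
count_dns_leaks() { find_dns_leaks | wc -l | tr -d ' '; }

# Run against the constructed sample.
sample_capture | find_dns_leaks
```

Any line this prints is a query the ISP can see and answer or block, regardless of which resolver address it was sent to; queries seen only on the tunnel interface are not visible to the ISP in plaintext.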
 