
OpenVPN DNS issue

Discussion in 'Asuswrt-Merlin' started by Skeptical.me, Sep 13, 2018.

  1. Skeptical.me

    Skeptical.me Senior Member

    Joined:
    Sep 22, 2016
    Messages:
    228
    Location:
    Australia
    After rebooting my router, and without changing any settings, all the routed Devices going through the VPN keep showing the DNS that is in the LAN>DHCP SERVER>DNS SERVER 1 and not the VPN's DNS, that is even though I've set "Accept DNS Configuration" to "Exclusive".

    Has anyone else experienced this before?

    By the way, DNS Filtering in AiProtection is set to off.

    Any help is greatly appreciated.

    Custom Configuration:

    fast-io
    remote-random
    pull
    tls-client
    verify-x509-name Server name-prefix
    ns-cert-type server
    route-method exe
    route-delay 2
    tun-mtu 1500
    fragment 1300
    mssfix 1450
    keysize 256
    sndbuf 524288
    rcvbuf 524288
    comp-lzo no
    push "comp-lzo no"


     
    Last edited: Sep 13, 2018
  3. octopus

    octopus Very Senior Member

    Joined:
    Jul 17, 2012
    Messages:
    988
    You haven't specified any routing client. Then your route gets generated.
    Chain DNSVPN2
    You can test with e.g. a dummy client "172.16.1.0"
     
  4. Skeptical.me

    Skeptical.me Senior Member

    Joined:
    Sep 22, 2016
    Messages:
    228
    Location:
    Australia
    Thanks for your reply.

    I'm not sure I completely understand what you mean. I only have an intermediate understanding of networking and this router.

    All my devices are routed through the VPN other than my iMac (there are 12 devices)
     
  5. Martineau

    Martineau Very Senior Member

    Joined:
    Jul 8, 2012
    Messages:
    1,842
    Location:
    UK
    Check the output of:
    Code:
    iptables --line -t nat -nvL DNSVPN1  2>/dev/null;iptables --line -t nat -nvL DNSVPN2 2>/dev/null;iptables --line -t nat -nvL DNSVPN3  2>/dev/null;iptables --
    line -t nat -nvL DNSVPN4 2>/dev/null;iptables --line -t nat -nvL DNSVPN5 2>/dev/null;iptables --line -t nat -nvL DNSVPN9 2>/dev/null
     
    Skeptical.me likes this.
  6. Skeptical.me

    Skeptical.me Senior Member

    Joined:
    Sep 22, 2016
    Messages:
    228
    Location:
    Australia
    Does this look right?

    https://i.imgur.com/7c9kfT4.png
     
  7. Xentrk

    Xentrk Very Senior Member

    Joined:
    Jul 21, 2016
    Messages:
    1,674
    Location:
    The Land of Smiles
    Eliminate the hard return and rerun the command

    Code:
    iptables --line -t nat -nvL DNSVPN1 2>/dev/null;iptables --line -t nat -nvL DNSVPN2 2>/dev/null;iptables --line -t nat -nvL DNSVPN3  2>/dev/null;iptables --line -t nat -nvL DNSVPN4 2>/dev/null;iptables --line  -t nat -nvL DNSVPN5 2>/dev/null;iptables --line -t nat -nvL DNSVPN9 2>/dev/null
    
     
  8. Martineau

    Martineau Very Senior Member

    Joined:
    Jul 8, 2012
    Messages:
    1,842
    Location:
    UK
    Well if I could see it! ;) green on black and quite small/fuzzy...no idea why you can't cut'n'paste the text?:rolleyes:

    Anyway, four devices will bypass EXCLUSIVE and use the 'WAN' i.e. whatever the router configuration uses for its DNS

    .54,.111,.118 and the busy .212

    and three devices will use the VPN private DNS 10.155.01

    .139,.151 and .158


    So if this is what you intended/expect then it looks fine...although not sure about your statement:

    'All my devices are routed through the VPN other than my iMac (there are 12 devices)'

    Is that why there is the strange 192.0.0.0 line?
     
    Last edited: Sep 13, 2018
  9. Skeptical.me

    Skeptical.me Senior Member

    Joined:
    Sep 22, 2016
    Messages:
    228
    Location:
    Australia
    Here's the output ...

    Code:
    [email protected]:/tmp/home/root# iptables --line -t nat -nvL DNSVPN1 2>/dev/null;iptables --line -t nat -nvL DNSVPN2 2>/dev/null;iptables --line -t nat -nvL DNSVPN3  2>/dev/null;iptables --line -t nat -nvL DNSVPN4 2>/dev/null;iptables --line  -t nat -nvL DNSVPN5 2>/dev/null;iptables --line -t nat -nvL DNSVPN9 2>/dev/null
    Chain DNSVPN2 (2 references)
    num   pkts bytes target     prot opt in     out     source               destination         
    1        0     0 RETURN     all  --  *      *       192.0.0.0            0.0.0.0/0           
    2     1098  106K RETURN     all  --  *      *       192.168.1.219        0.0.0.0/0           
    3        0     0 RETURN     all  --  *      *       192.168.1.111        0.0.0.0/0           
    4        0     0 RETURN     all  --  *      *       192.168.1.94         0.0.0.0/0           
    5        0     0 RETURN     all  --  *      *       192.168.1.128        0.0.0.0/0           
    6       13   877 DNAT       all  --  *      *       192.168.1.139        0.0.0.0/0            to:10.155.0.1
    7       36  2232 DNAT       all  --  *      *       192.168.1.151        0.0.0.0/0            to:10.155.0.1
    8        0     0 DNAT       all  --  *      *       192.168.1.158        0.0.0.0/0            to:10.155.0.1
    [email protected]:/tmp/home/root# 5        0     0 RETURN     all  --  *      *       192.168.1.128        0.0.0.0/0        
    https://i.imgur.com/4NMxJ7p.png

     
  10. Skeptical.me

    Skeptical.me Senior Member

    Joined:
    Sep 22, 2016
    Messages:
    228
    Location:
    Australia
    Sorry, seriously for some reason I couldn't copy it. This client is ridiculous.

    I managed to copy it, however.

    Here: (I have no idea what the 192.0.0.0 is??? Where would that come from?)

    Code:
    [email protected]:/tmp/home/root# iptables --line -t nat -nvL DNSVPN1 2>/dev/null;iptables --line -t nat -nvL DNSVPN2 2>/dev/null;iptables --line -t nat -nvL DNSVPN3  2>/dev/null;iptables --line -t nat -nvL DNSVPN4 2>/dev/null;iptables --line  -t nat -nvL DNSVPN5 2>/dev/null;iptables --line -t nat -nvL DNSVPN9 2>/dev/null
    Chain DNSVPN2 (2 references)
    num   pkts bytes target     prot opt in     out     source               destination     
    1        0     0 RETURN     all  --  *      *       192.0.0.0            0.0.0.0/0       
    2     1098  106K RETURN     all  --  *      *       192.168.1.219        0.0.0.0/0       
    3        0     0 RETURN     all  --  *      *       192.168.1.111        0.0.0.0/0       
    4        0     0 RETURN     all  --  *      *       192.168.1.94         0.0.0.0/0       
    5        0     0 RETURN     all  --  *      *       192.168.1.128        0.0.0.0/0       
    6       13   877 DNAT       all  --  *      *       192.168.1.139        0.0.0.0/0            to:10.155.0.1
    7       36  2232 DNAT       all  --  *      *       192.168.1.151        0.0.0.0/0            to:10.155.0.1
    8        0     0 DNAT       all  --  *      *       192.168.1.158        0.0.0.0/0            to:10.155.0.1
    [email protected]:/tmp/home/root# 5        0     0 RETURN     all  --  *      *       192.168.1.128        0.0.0.0/0        
    Sorry: There are 11 devices all up, one is not included here (Apple Watch), I hope this helps. Sorry for any misunderstanding, I'm only learning.

     
    Last edited: Sep 14, 2018
  11. Martineau

    Martineau Very Senior Member

    Joined:
    Jul 8, 2012
    Messages:
    1,842
    Location:
    UK
    If you are still using LAN>DHCP SERVER>DNS SERVER 1 - I think this is incorrect? o_O

    Try setting them to blank

     
  12. Skeptical.me

    Skeptical.me Senior Member

    Joined:
    Sep 22, 2016
    Messages:
    228
    Location:
    Australia
    I just tried that and when I check the connection on ipleak.net it shows my ISP's DNS .... I've never had this issue before. I have no idea what's gone wrong. Maybe I should just reset the router.
     
  13. Martineau

    Martineau Very Senior Member

    Joined:
    Jul 8, 2012
    Messages:
    1,842
    Location:
    UK
    Did you restart the VPN Client? … and checked the DNSVPN2 chain?
    Sadly, whilst it is painful to manually reconfigure your router, given that your screenshot shows 6 WAN devices and 5 VPN devices, yet the DNSVPN2 chain doesn't reflect the same number of 11 entries (but inexplicably has the spurious 192.0.0.0 entry o_O), this may be the best course of action :(

    NOTE: If you do reset the router, if the Selective Routing table is empty, then ALL LAN devices (by default) will be routed via the WAN, so you only need to add devices with target 'VPN'.
     
    Last edited: Sep 13, 2018
    Skeptical.me likes this.
  14. Skeptical.me

    Skeptical.me Senior Member

    Joined:
    Sep 22, 2016
    Messages:
    228
    Location:
    Australia
    I've reset it now, and everything is working as it should. Thank you. If this mysterious 192.0.0.0 returns I'll come back here and seek more advice, I have no idea what caused that.

    Thanks again!


    Sent from my iPhone using Tapatalk Pro
     
  15. Skeptical.me

    Skeptical.me Senior Member

    Joined:
    Sep 22, 2016
    Messages:
    228
    Location:
    Australia
    I may be just paranoid but could this strange occurrence be due to malware or something similar? My ISP's router is set to Bridge mode, and the 86U is exposed to the internet (no ports are forwarded, no WAN access enabled)
     
  16. Skeptical.me

    Skeptical.me Senior Member

    Joined:
    Sep 22, 2016
    Messages:
    228
    Location:
    Australia
    So, tonight when I tested my IP and DNS on IPleak.net all of my WiFi devices are showing my ISP's DNS.

    However, all Ethernet connected devices that are routed through the VPN are running perfectly okay. (There are two devices .219 and .128 that are routed to the WAN)

    I ran this:

    Code:
    iptables --line -t nat -nvL DNSVPN1 2>/dev/null;iptables --line -t nat -nvL DNSVPN2 2>/dev/null;iptables --line -t nat -nvL DNSVPN3  2>/dev/null;iptables --line -t nat -nvL DNSVPN4 2>/dev/null;iptables --line  -t nat -nvL DNSVPN5 2>/dev/null;iptables --line -t nat -nvL DNSVPN9 2>/dev/null
    And this is the result:

    Code:
    Chain DNSVPN3 (2 references)
    num   pkts bytes target     prot opt in     out     source               destination
    1      151 10160 RETURN     all  --  *      *       192.168.1.219        0.0.0.0/0
    2        8   586 RETURN     all  --  *      *       192.168.1.128        0.0.0.0/0
    3      675 60461 DNAT       all  --  *      *       192.168.1.111        0.0.0.0/0            to:10.9.0.1
    4        4   240 DNAT       all  --  *      *       192.168.1.158        0.0.0.0/0            to:10.9.0.1
    5        0     0 DNAT       all  --  *      *       192.168.1.217        0.0.0.0/0            to:10.9.0.1
    6        0     0 DNAT       all  --  *      *       192.168.1.233        0.0.0.0/0            to:10.9.0.1
    
    3 WiFi devices that are routed through the VPN on the No. 3 VPN Profile are missing. They are connected to the WiFi, 2 on the 2.4GHz and 1 on the 5GHz.

    I think I'm starting to wish I hadn't purchased this router. There are only a few things I changed (about a week ago), I took the advice of someone from this forum (https://www.snbforums.com/threads/today-i-purchased-a-rt-ac86u.48560/#post-426782) and disabled beamforming and MU-MIMO (and so on), would this problem be related to those settings changes?

    Edit: Changing those settings back made no difference.



    Edit 2: I'm not sure what's wrong with the .ovpn config from the VPN provider I'm using in VPN 3 Profile but it appears that is the problem here.

    When I use VPN Profile 2, which is a different VPN provider, ALL devices routed through the VPN are showing the correct IP Address and DNS Address on ipleak.net. However, the WiFi devices still don't appear on the table, just as they don't appear above.


    Edit 3: Now I have a strange 192.1.0.0 (But now my iPhone is showing .236)

    Code:
    Chain DNSVPN2 (2 references)
    num   pkts bytes target     prot opt in     out     source               destination      
    1        0     0 RETURN     all  --  *      *       192.1.0.0            0.0.0.0/0        
    2       52  3580 RETURN     all  --  *      *       192.168.1.128        0.0.0.0/0        
    3      275 18902 RETURN     all  --  *      *       192.168.1.219        0.0.0.0/0        
    4      451 40231 DNAT       all  --  *      *       192.168.1.111        0.0.0.0/0            to:10.42.0.1
    5       23  1660 DNAT       all  --  *      *       192.168.1.217        0.0.0.0/0            to:10.42.0.1
    6        4   240 DNAT       all  --  *      *       192.168.1.158        0.0.0.0/0            to:10.42.0.1
    7        0     0 DNAT       all  --  *      *       192.168.1.233        0.0.0.0/0            to:10.42.0.1
    8      179 15260 DNAT       all  --  *      *       192.168.1.236        0.0.0.0/0            to:10.42.0.1
     
    Last edited: Sep 19, 2018
  17. Martineau

    Martineau Very Senior Member

    Joined:
    Jul 8, 2012
    Messages:
    1,842
    Location:
    UK
    The Exclusive VPN client DNS rules are normally generated from the NVRAM variables:
    Code:
    nvram show | grep vpn_client[[:digit:]]_clientlist
    If the NVRAM variables are corrupt, then this could possibly be due to the NVRAM being depleted - but given the fact that .126 (iPhone) does (randomly) finally make an appearance probably indicates that NVRAM shortage isn't the cause.

    If there is a significant difference between the 'openvpn.config' generated for VPN Client 3's provider compared to that generated for VPN Client 2, then this may have a bearing.

    Do you have both VPN Client 2 and VPN Client 3 active at the same time?...maybe there is a conflict in the iptables rule priority?

    Are the 'missing' WiFi devices on a different subnet?

    NOTE: Still don't know why 192.1.0.0 is listed, but seemingly as it has no rule hits (and would be forced to use the Router's WAN DNS anyway) it is probably innocuous?
     
    Last edited: Sep 19, 2018
  18. Skeptical.me

    Skeptical.me Senior Member

    Joined:
    Sep 22, 2016
    Messages:
    228
    Location:
    Australia
    I hope it's innocuous lol

    No, I only ever use one VPN Profile at a time. I understand you can use multiple VPNs with Merlin, but I've always thought that would put a heavy load on the CPU, so I avoid it.

    Profile 2 and 3 are very different, one is a .ovpn with a private IP address from TorGuard, and the other is from ExpressVPN. They seem to do things differently.

    Actually, I might try ASUS's customer service and see if they have seen these issues before. I've owned 2 other ASUS routers and I had absolutely no major issues with the VPN Profiles, nor general use of the routers.

    I guess the positive is I'm learning more, so I'll keep that in mind when I get a bit frustrated. :)

    Thanks again for taking the time to read and get back to me
     
  19. Skeptical.me

    Skeptical.me Senior Member

    Joined:
    Sep 22, 2016
    Messages:
    228
    Location:
    Australia
    Here I ran that NVRam command:

    Code:
    [email protected]:/tmp/home/root# nvram show | grep vpn_client[[2]]_clientlist
    size: 66894 bytes (64178 left)
     
  20. Martineau

    Martineau Very Senior Member

    Joined:
    Jul 8, 2012
    Messages:
    1,842
    Location:
    UK
    Err :rolleyes: the command does not need to be altered; the string literal '[[:digit:]]' means any digit will match in the grep search expression.

    Please retry without modifying the command.
     
  21. Skeptical.me

    Skeptical.me Senior Member

    Joined:
    Sep 22, 2016
    Messages:
    228
    Location:
    Australia
    ahh yes, grep, I remember now, sorry about that.

    I ran the command, but before I did I tried 2 VPN profiles at once as a workaround (I've not done this before). Now all devices are routed through a VPN, and for some of the devices that are routed to the WAN, like my NAS (.219) and the iMac C3P0 (.128, and .94 WiFi), I'm running VPN clients on those. And all WiFi devices are showing.

    And VPN Client 1 in the router isn't showing any odd 192.1.0.0, or 192.0.0.0

    Code:
    Chain DNSVPN1 (2 references)
    num   pkts bytes target     prot opt in     out     source               destination       
    1      149 10413 RETURN     all  --  *      *       192.168.1.111        0.0.0.0/0         
    2        0     0 RETURN     all  --  *      *       192.168.1.94         0.0.0.0/0         
    3       50  3507 RETURN     all  --  *      *       192.168.1.219        0.0.0.0/0         
    4        0     0 RETURN     all  --  *      *       192.168.1.150        0.0.0.0/0         
    5       23  1646 RETURN     all  --  *      *       192.168.1.128        0.0.0.0/0         
    6      367 34010 DNAT       all  --  *      *       192.168.1.236        0.0.0.0/0            to:10.149.0.1
    7      359 33049 DNAT       all  --  *      *       192.168.1.139        0.0.0.0/0            to:10.149.0.1
    Chain DNSVPN2 (2 references)
    num   pkts bytes target     prot opt in     out     source               destination       
    1        0     0 RETURN     all  --  *      *       19.0.0.0             0.0.0.0/0         
    2        0     0 RETURN     all  --  *      *       192.168.1.94         0.0.0.0/0         
    3       47  3317 RETURN     all  --  *      *       192.168.1.128        0.0.0.0/0         
    4      133  9108 RETURN     all  --  *      *       192.168.1.219        0.0.0.0/0         
    5      489 42480 DNAT       all  --  *      *       192.168.1.111        0.0.0.0/0            to:10.42.0.1
    6       48  3081 DNAT       all  --  *      *       192.168.1.217        0.0.0.0/0            to:10.42.0.1
    7        0     0 DNAT       all  --  *      *       192.168.1.158        0.0.0.0/0            to:10.42.0.1
    8        0     0 DNAT       all  --  *      *       192.168.1.233        0.0.0.0/0            to:10.42.0.1
     