OpenVPN DNS issue

Skeptical.me

Very Senior Member
After rebooting my router, and without changing any settings, all the routed Devices going through the VPN keep showing the DNS that is in the LAN>DHCP SERVER>DNS SERVER 1 and not the VPN's DNS, that is even though I've set "Accept DNS Configuration" to "Exclusive".

Has anyone else experienced this before?

By the way, DNS Filtering in AiProtection is set to off.

Any help is greatly appreciated.

Custom Configuration:

fast-io
remote-random
pull
tls-client
verify-x509-name Server name-prefix
ns-cert-type server
route-method exe
route-delay 2
tun-mtu 1500
fragment 1300
mssfix 1450
keysize 256
sndbuf 524288
rcvbuf 524288
comp-lzo no
push "comp-lzo no"


 
You haven't specified any routing client. Then your route gets generated.
Chain DNSVPN2
You can test with eg a dummy client "172.16.1.0"
 
Custom Configur
You haven't specified any routing client. Then your route gets generated.
Chain DNSVPN2
You can test with eg a dummy client "172.16.1.0"

Thanks for your reply.

I'm not sure I completely understand what you mean. I only have an intermediate understanding of networking and this router.

All my devices are routed through the VPN other than my iMac (there are 12 devices)
 
After rebooting my router, and without changing any settings, all the routed Devices going through the VPN keep showing the DNS that is in the LAN>DHCP SERVER>DNS SERVER 1 and not the VPN's DNS, that is even though I've set "Accept DNS Configuration" to "Exclusive".

Check the output of:
Code:
iptables --line -t nat -nvL DNSVPN1  2>/dev/null;iptables --line -t nat -nvL DNSVPN2 2>/dev/null;iptables --line -t nat -nvL DNSVPN3  2>/dev/null;iptables --
line -t nat -nvL DNSVPN4 2>/dev/null;iptables --line -t nat -nvL DNSVPN5 2>/dev/null;iptables --line -t nat -nvL DNSVPN9 2>/dev/null
 
Check the output of:
Code:
iptables --line -t nat -nvL DNSVPN1  2>/dev/null;iptables --line -t nat -nvL DNSVPN2 2>/dev/null;iptables --line -t nat -nvL DNSVPN3  2>/dev/null;iptables --
line -t nat -nvL DNSVPN4 2>/dev/null;iptables --line -t nat -nvL DNSVPN5 2>/dev/null;iptables --line -t nat -nvL DNSVPN9 2>/dev/null

Does this look right?

 
Eliminate the hard return and rerun the command

Code:
iptables --line -t nat -nvL DNSVPN1 2>/dev/null;iptables --line -t nat -nvL DNSVPN2 2>/dev/null;iptables --line -t nat -nvL DNSVPN3  2>/dev/null;iptables --line -t nat -nvL DNSVPN4 2>/dev/null;iptables --line  -t nat -nvL DNSVPN5 2>/dev/null;iptables --line -t nat -nvL DNSVPN9 2>/dev/null
 

Well if I could see it! ;) green on black and quite small/fuzzy...no idea why you can't cut'n'paste the text?:rolleyes:

Anyway, four devices will bypass EXCLUSIVE and use the 'WAN' i.e. whatever the router configuration uses for its DNS

.54,.111,.118 and the busy .212

and three devices will use the VPN private DNS 10.155.01

.139,.151 and .158


So if this is what you intended/expect then it looks fine...although not sure about your statement:

'All my devices are routed through the VPN other than my iMac (there are 12 devices)
'

Is that why there is the strange 192.0.0.0 line?
 
Eliminate the hard return and rerun the command

Code:
iptables --line -t nat -nvL DNSVPN1 2>/dev/null;iptables --line -t nat -nvL DNSVPN2 2>/dev/null;iptables --line -t nat -nvL DNSVPN3  2>/dev/null;iptables --line -t nat -nvL DNSVPN4 2>/dev/null;iptables --line  -t nat -nvL DNSVPN5 2>/dev/null;iptables --line -t nat -nvL DNSVPN9 2>/dev/null

Here's the output ...

Code:
xxxx@RT-AC86U-1960:/tmp/home/root# iptables --line -t nat -nvL DNSVPN1 2>/dev/null;iptables --line -t nat -nvL DNSVPN2 2>/dev/null;iptables --line -t nat -nvL DNSVPN3  2>/dev/null;iptables --line -t nat -nvL DNSVPN
4 2>/dev/null;iptables --line  -t nat -nvL DNSVPN5 2>/dev/null;iptables --line -t nat -nvL DNSVPN9 2>/dev/null
Chain DNSVPN2 (2 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 RETURN     all  --  *      *       192.0.0.0            0.0.0.0/0           
2     1098  106K RETURN     all  --  *      *       192.168.1.219        0.0.0.0/0           
3        0     0 RETURN     all  --  *      *       192.168.1.111        0.0.0.0/0           
4        0     0 RETURN     all  --  *      *       192.168.1.94         0.0.0.0/0           
5        0     0 RETURN     all  --  *      *       192.168.1.128        0.0.0.0/0           
6       13   877 DNAT       all  --  *      *       192.168.1.139        0.0.0.0/0            to:10.155.0.1
7       36  2232 DNAT       all  --  *      *       192.168.1.151        0.0.0.0/0            to:10.155.0.1
8        0     0 DNAT       all  --  *      *       192.168.1.158        0.0.0.0/0            to:10.155.0.1
xxxx@RT-AC86U-1960:/tmp/home/root# 5        0     0 RETURN     all  --  *      *       192.168.1.128        0.0.0.0/0

 
Well if I could see it! ;) green on black and quite small/fuzzy...no idea why you can't cut'n'paste the text?:rolleyes:

Anyway, four devices will bypass EXCLUSIVE and use the 'WAN' i.e. whatever the router configuration uses for its DNS

.54,.111,.118 and the busy .212

and three devices will use the ISP private DNS 10.155.01

.139,.151 and .158


So if this is what you intended/expect then it looks fine...although not sure about your statement:

'All my devices are routed through the VPN other than my iMac (there are 12 devices)
'

Is that why there is the strange 192.0.0.0 line?

Sorry, seriously for some reason I couldn't copy it. This client is ridiculous.

I managed to copy it, however.

Here: (I have no idea what the 192.0.0.0 is??? Where would that come from?)

Code:
xxxx@RT-AC86U-1960:/tmp/home/root# iptables --line -t nat -nvL DNSVPN1 2>/dev/null;iptables --line -t nat -nvL DNSVPN2 2>/dev/null;iptables --line -t nat -nvL DNSVPN3  2>/dev/null;iptables --line -t nat -nvL DNSVPN
4 2>/dev/null;iptables --line  -t nat -nvL DNSVPN5 2>/dev/null;iptables --line -t nat -nvL DNSVPN9 2>/dev/null
Chain DNSVPN2 (2 references)
num   pkts bytes target     prot opt in     out     source               destination     
1        0     0 RETURN     all  --  *      *       192.0.0.0            0.0.0.0/0       
2     1098  106K RETURN     all  --  *      *       192.168.1.219        0.0.0.0/0       
3        0     0 RETURN     all  --  *      *       192.168.1.111        0.0.0.0/0       
4        0     0 RETURN     all  --  *      *       192.168.1.94         0.0.0.0/0       
5        0     0 RETURN     all  --  *      *       192.168.1.128        0.0.0.0/0       
6       13   877 DNAT       all  --  *      *       192.168.1.139        0.0.0.0/0            to:10.155.0.1
7       36  2232 DNAT       all  --  *      *       192.168.1.151        0.0.0.0/0            to:10.155.0.1
8        0     0 DNAT       all  --  *      *       192.168.1.158        0.0.0.0/0            to:10.155.0.1
xxxx@RT-AC86U-1960:/tmp/home/root# 5        0     0 RETURN     all  --  *      *       192.168.1.128        0.0.0.0/0

Sorry: There are 11 devices all up, one is not included here (Apple Watch), I hope this helps. Sorry for any misunderstanding, I'm only learning.

 
Sorry, seriously for some reason I couldn't copy it. This client is ridiculous.

I managed to copy it, however.

Here:

Code:
xxxx@RT-AC86U-1960:/tmp/home/root# iptables --line -t nat -nvL DNSVPN1 2>/dev/null;iptables --line -t nat -nvL DNSVPN2 2>/dev/null;iptables --line -t nat -nvL DNSVPN3  2>/dev/null;iptables --line -t nat -nvL DNSVPN
4 2>/dev/null;iptables --line  -t nat -nvL DNSVPN5 2>/dev/null;iptables --line -t nat -nvL DNSVPN9 2>/dev/null
Chain DNSVPN2 (2 references)
num   pkts bytes target     prot opt in     out     source               destination     
1        0     0 RETURN     all  --  *      *       192.0.0.0            0.0.0.0/0       
2     1098  106K RETURN     all  --  *      *       192.168.1.219        0.0.0.0/0       
3        0     0 RETURN     all  --  *      *       192.168.1.111        0.0.0.0/0       
4        0     0 RETURN     all  --  *      *       192.168.1.94         0.0.0.0/0       
5        0     0 RETURN     all  --  *      *       192.168.1.128        0.0.0.0/0       
6       13   877 DNAT       all  --  *      *       192.168.1.139        0.0.0.0/0            to:10.155.0.1
7       36  2232 DNAT       all  --  *      *       192.168.1.151        0.0.0.0/0            to:10.155.0.1
8        0     0 DNAT       all  --  *      *       192.168.1.158        0.0.0.0/0            to:10.155.0.1
xxxx@RT-AC86U-1960:/tmp/home/root# 5        0     0 RETURN     all  --  *      *       192.168.1.128        0.0.0.0/0

Sorry: There are 11 devices all up, one is not included here (Apple Watch), I hope this helps. Sorry for any misunderstanding, I'm only learning.

If you are still using LAN>DHCP SERVER>DNS SERVER 1 - I think this is incorrect? o_O

Try setting them to blank

 
If you are still using LAN>DHCP SERVER>DNS SERVER 1 - I think this is incorrect? o_O

Try setting them to blank


I just tried that and when I check the connection on ipleak.net it shows my ISP's DNS .... I've never had this issue before. I have no idea what's gone wrong. Maybe I should just reset the router.
 
I just tried that and when I check the connection on ipleak.net it shows my ISP's DNS ....
Did you restart the VPN Client? … and checked the DNSVPN2 chain?
Maybe I should just reset the router.

Sadly whilst painful to manually reconfigure your router, given that your screenshot shows 6 WAN devices and 5 VPN devices, yet the DNSVPN2 chain doesn't reflect the same number of 11 entries (but inexplicably has the spurious 192.0.0.0 entry o_O) this may be the best course of action :(

NOTE: If you do reset the router, if the Selective Routing table is empty, then ALL LAN devices (by default) will be routed via the WAN, so you only need to add devices with target 'VPN'.
 
Did you restart the VPN Client? … and checked the DNSVPN2 chain?


Sadly whilst painful to manually reconfigure your router, given that your screenshot shows 6 WAN devices and 5 VPN devices, yet the DNSVPN2 chain doesn't reflect the same number of 11 entries (but inexplicably has the spurious 192.0.0.0 entry o_O) this may be the best course of action :(

NOTE: If you do reset the router, if the Selective Routing table is empty, then ALL LAN devices (by default) will be routed via the WAN, so you only need to add devices with target 'VPN'.

I've reset it now, and everything is working as it should. Thank you. If this mysterious 192.0.0.0 returns I'll come back here and seek more advice, I have no idea what caused that.

Thanks again!


Sent from my iPhone using Tapatalk Pro
 
(but inexplicably has the spurious 192.0.0.0 entry o_O)

I may be just paranoid but could this strange occurrence be due to malware or something similar? My ISP's router is set to Bridge mode, and the 86U is exposed to the internet (no ports are forwarded, no WAN access enabled)
 
Did you restart the VPN Client? … and checked the DNSVPN2 chain?


Sadly whilst painful to manually reconfigure your router, given that your screenshot shows 6 WAN devices and 5 VPN devices, yet the DNSVPN2 chain doesn't reflect the same number of 11 entries (but inexplicably has the spurious 192.0.0.0 entry o_O) this may be the best course of action :(

NOTE: If you do reset the router, if the Selective Routing table is empty, then ALL LAN devices (by default) will be routed via the WAN, so you only need to add devices with target 'VPN'.

So, tonight when I tested my IP and DNS on IPleak.net all of my WiFi devices are showing my ISP's DNS.

However, all Ethernet connected devices that are routed through the VPN are running perfectly okay. (There are two devices .219 and .128 that are routed to the WAN)

I ran this:

Code:
iptables --line -t nat -nvL DNSVPN1 2>/dev/null;iptables --line -t nat -nvL DNSVPN2 2>/dev/null;iptables --line -t nat -nvL DNSVPN3  2>/dev/null;iptables --line -t nat -nvL DNSVPN4 2>/dev/null;iptables --line  -t nat -nvL DNSVPN5 2>/dev/null;iptables --line -t nat -nvL DNSVPN9 2>/dev/null

And this is the result:

Code:
Chain DNSVPN3 (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1      151 10160 RETURN     all  --  *      *       192.168.1.219        0.0.0.0/0
2        8   586 RETURN     all  --  *      *       192.168.1.128        0.0.0.0/0
3      675 60461 DNAT       all  --  *      *       192.168.1.111        0.0.0.0/0            to:10.9.0.1
4        4   240 DNAT       all  --  *      *       192.168.1.158        0.0.0.0/0            to:10.9.0.1
5        0     0 DNAT       all  --  *      *       192.168.1.217        0.0.0.0/0            to:10.9.0.1
6        0     0 DNAT       all  --  *      *       192.168.1.233        0.0.0.0/0            to:10.9.0.1

3 WiFi devices that are routed through the VPN on the No. 3 VPN Profile are missing. They are connected to the WiFi, 2 on 2.4 GHz and 1 on 5 GHz.

I think I'm starting to wish I hadn't purchased this router. There are only a few things I changed (about a week ago), I took the advice of someone from this forum (https://www.snbforums.com/threads/today-i-purchased-a-rt-ac86u.48560/#post-426782) and disabled beamforming and MU-MIMO (and so on), would this problem be related to those settings changes?

Edit: Changing those settings back made no difference.



Edit 2: I'm not sure what's wrong with the .ovpn config from the VPN provider I'm using in VPN 3 Profile but it appears that is the problem here.

When I use VPN Profile 2, which is a different VPN provider, ALL devices routed through the VPN are showing the correct IP Address and DNS Address on ipleak.net. However, the WiFi devices still don't appear on the table, just as they don't appear above.


Edit 3: Now I have a strange 192.1.0.0 (But now my iPhone is showing .236)

Code:
Chain DNSVPN2 (2 references)
num   pkts bytes target     prot opt in     out     source               destination      
1        0     0 RETURN     all  --  *      *       192.1.0.0            0.0.0.0/0        
2       52  3580 RETURN     all  --  *      *       192.168.1.128        0.0.0.0/0        
3      275 18902 RETURN     all  --  *      *       192.168.1.219        0.0.0.0/0        
4      451 40231 DNAT       all  --  *      *       192.168.1.111        0.0.0.0/0            to:10.42.0.1
5       23  1660 DNAT       all  --  *      *       192.168.1.217        0.0.0.0/0            to:10.42.0.1
6        4   240 DNAT       all  --  *      *       192.168.1.158        0.0.0.0/0            to:10.42.0.1
7        0     0 DNAT       all  --  *      *       192.168.1.233        0.0.0.0/0            to:10.42.0.1
8      179 15260 DNAT       all  --  *      *       192.168.1.236        0.0.0.0/0            to:10.42.0.1
 
Edit 2: I'm not sure what's wrong with the .ovpn config from the VPN provider I'm using in VPN 3 Profile but it appears that is the problem here.

When I use VPN Profile 2, which is a different VPN provider, ALL devices routed through the VPN are showing the correct IP Address and DNS Address on ipleak.net. However, the WiFi devices still don't appear on the table, just as they don't appear above.


Edit 3: Now I have a strange 192.1.0.0 (But now my iPhone is showing .236)

Code:
Chain DNSVPN2 (2 references)
num   pkts bytes target     prot opt in     out     source               destination   
1        0     0 RETURN     all  --  *      *       192.1.0.0            0.0.0.0/0     
2       52  3580 RETURN     all  --  *      *       192.168.1.128        0.0.0.0/0     
3      275 18902 RETURN     all  --  *      *       192.168.1.219        0.0.0.0/0     
4      451 40231 DNAT       all  --  *      *       192.168.1.111        0.0.0.0/0            to:10.42.0.1
5       23  1660 DNAT       all  --  *      *       192.168.1.217        0.0.0.0/0            to:10.42.0.1
6        4   240 DNAT       all  --  *      *       192.168.1.158        0.0.0.0/0            to:10.42.0.1
7        0     0 DNAT       all  --  *      *       192.168.1.233        0.0.0.0/0            to:10.42.0.1
8      179 15260 DNAT       all  --  *      *       192.168.1.236        0.0.0.0/0            to:10.42.0.1

The Exclusive VPN client DNS rules are normally generated from the NVRAM variables:
Code:
nvram show | grep vpn_client[[:digit:]]_clientlist
If the NVRAM variables are corrupt, then this could possibly be due to the NVRAM being depleted - but given the fact that .126 (iPhone) does (randomly) finally make an appearance probably indicates that NVRAM shortage isn't the cause.

If there is a significant difference between the 'openvpn.config' generated for VPN Client 3's provider compared to that generated for VPN Client 2, then this may have a bearing.

Do you have both VPN Client 2 and VPN Client 3 active at the same time?...maybe there is a conflict in the iptables rule priority?

Are the 'missing' WiFi devices on a different subnet?

NOTE: Still don't know why 192.1.0.0 is listed but seemingly as it has no rule hits (and would be forced to use the Router's WAN DNS anyway) it is probably innocuous?
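The two checks used in this thread, the iptables DNSVPNn chain dumps asked for earlier and the vpn_clientN_clientlist NVRAM variable mentioned in this post, can be cross-checked with a small shell script so that a client that Selective Routing sends to the VPN but that has no DNAT rule (and so silently falls back to the router's WAN DNS) shows up by name, and so that an entry that is not a LAN host (like the 192.0.0.0 line) is flagged. The script below is an added example, not code from this thread or from Asuswrt-Merlin. It embeds a copy of the DNSVPN2 output posted above as constructed sample input, and it assumes the <description>source>destination>target layout for vpn_clientN_clientlist; confirm that layout with "nvram get vpn_client2_clientlist" on your own router before relying on the field order.

```sh
#!/bin/sh
# Added example (not from the thread or the firmware): audit a DNSVPNn chain
# dump against the Selective Routing client list, offline, on sample text.
#
# Inputs are embedded so the script runs without a router:
#  - SAMPLE_CHAIN: constructed copy of "iptables --line -t nat -nvL DNSVPN2"
#    output as posted earlier in the thread.
#  - SAMPLE_CLIENTLIST: constructed value in the "<desc>src>dst>target" layout
#    assumed for vpn_clientN_clientlist (verify on your own router).

SAMPLE_CHAIN='Chain DNSVPN2 (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 RETURN     all  --  *      *       192.0.0.0            0.0.0.0/0
2     1098  106K RETURN     all  --  *      *       192.168.1.219        0.0.0.0/0
3        0     0 RETURN     all  --  *      *       192.168.1.128        0.0.0.0/0
4       13   877 DNAT       all  --  *      *       192.168.1.139        0.0.0.0/0            to:10.155.0.1
5       36  2232 DNAT       all  --  *      *       192.168.1.151        0.0.0.0/0            to:10.155.0.1'

SAMPLE_CLIENTLIST='<NAS>192.168.1.219>0.0.0.0>WAN<iMac>192.168.1.128>0.0.0.0>WAN<TV>192.168.1.139>0.0.0.0>VPN<Phone>192.168.1.151>0.0.0.0>VPN<Tablet>192.168.1.236>0.0.0.0>VPN'

LAN_PREFIX='192.168.1.'   # assumed LAN subnet; adjust for your network

# chain_rules CHAIN_TEXT -> one line per rule: "<source> <target> <dns>"
# (dns is WAN for RETURN rules, the DNAT --to address otherwise)
chain_rules() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ {
        dns = "WAN"
        if ($4 == "DNAT") { dns = $11; sub(/^to:/, "", dns) }
        print $9, $4, dns
    }'
}

# dns_for CHAIN_TEXT SRC -> the DNS SRC is forced to (WAN if it bypasses,
# empty if the chain has no rule for SRC at all)
dns_for() {
    chain_rules "$1" | awk -v s="$2" '$1 == s { print $3; exit }'
}

# suspect_sources CHAIN_TEXT LAN_PREFIX -> rule sources that are not LAN hosts
suspect_sources() {
    chain_rules "$1" | awk -v lan="$2" 'index($1, lan) != 1 { print $1 }'
}

# clientlist_vpn_hosts CLIENTLIST -> source IPs whose routing target is VPN
clientlist_vpn_hosts() {
    printf '%s\n' "$1" | tr '<' '\n' | awk -F'>' 'NF == 4 && $4 == "VPN" { print $2 }'
}

# missing_dnat CHAIN_TEXT CLIENTLIST -> VPN-routed hosts with no DNAT rule,
# i.e. clients that will use the router's WAN DNS despite "Exclusive"
missing_dnat() {
    for h in $(clientlist_vpn_hosts "$2"); do
        case "$(dns_for "$1" "$h")" in
            WAN|"") echo "$h" ;;
        esac
    done
    return 0
}

# Run the audit on the embedded samples
printf 'Suspect (non-LAN) sources in the chain:\n'
suspect_sources "$SAMPLE_CHAIN" "$LAN_PREFIX"
printf 'VPN-routed hosts with no DNS DNAT rule:\n'
missing_dnat "$SAMPLE_CHAIN" "$SAMPLE_CLIENTLIST"
```

On a live router you would feed the functions real data instead of the samples, e.g. chain_rules "$(iptables --line -t nat -nvL DNSVPN2)" and missing_dnat with "$(nvram get vpn_client2_clientlist)"; a host reported by missing_dnat is exactly the "WiFi device missing from the table" situation described in this thread, and a source reported by suspect_sources is worth comparing against the client list to see where it came from.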
 
The Exclusive VPN client DNS rules are normally generated from the NVRAM variables:
Code:
nvram show | grep vpn_client[[:digit:]]_clientlist
If the NVRAM variables are corrupt, then this could possibly be due to the NVRAM being depleted - but given the fact that .126 (iPhone) does (randomly) finally make an appearance probably indicates that NVRAM shortage isn't the cause.

If there is a significant difference between the 'openvpn.config' generated for VPN Client 3's provider compared to that generated for VPN Client 2, then this may have a bearing.

Do you have both VPN Client 2 and VPN Client 3 active at the same time?...maybe there is a conflict in the iptables rule priority?

NOTE: Still don't know why 192.1.0.0 is listed but seemingly as it has no rule hits (and would be forced to use the Router's WAN DNS anyway) it is probably innocuous?

I hope it's innocuous lol

No, I only ever use one VPN Profile at a time. I understand you can use multiple VPNs with Merlin but I've always thought that would put a heavy load on the CPU, so I avoid it.

Profile 2 and 3 are very different, one is a .ovpn with a private IP address from TorGuard, and the other is from ExpressVPN. They seem to do things differently.

Actually, I might try ASUS's customer service and see if they have seen these issues before. I've owned 2 other ASUS routers and I had absolutely no major issues with the VPN Profiles, nor general use of the routers.

I guess the positive is I'm learning more, so I'll keep that in mind when I get a bit frustrated. :)

Thanks again for taking the time to read and get back to me
 
The Exclusive VPN client DNS rules are normally generated from the NVRAM variables:
Code:
nvram show | grep vpn_client[[:digit:]]_clientlist
If the NVRAM variables are corrupt, then this could possibly be due to the NVRAM being depleted - but given the fact that .126 (iPhone) does (randomly) finally make an appearance probably indicates that NVRAM shortage isn't the cause.

If there is a significant difference between the 'openvpn.config' generated for VPN Client 3's provider compared to that generated for VPN Client 2, then this may have a bearing.

Do you have both VPN Client 2 and VPN Client 3 active at the same time?...maybe there is a conflict in the iptables rule priority?

Are the 'missing' WiFi devices on a different subnet?

NOTE: Still don't know why 192.1.0.0 is listed but seemingly as it has no rule hits (and would be forced to use the Router's WAN DNS anyway) it is probably innocuous?

Here I ran that NVRam command:

Code:
xxxx@RT-AC86U-1960:/tmp/home/root# nvram show | grep vpn_client[[2]]_clientlist
size: 66894 bytes (64178 left)
 
Here I ran that NVRam command:

Code:
xxxx@RT-AC86U-1960:/tmp/home/root# nvram show | grep vpn_client[[2]]_clientlist
size: 66894 bytes (64178 left)

Err :rolleyes: the command does not need to be altered, the string literal '[[:digit:]]' means any digit will match in the grep search expression.

Please retry without modifying the command.
 
Err :rolleyes: the command does not need to be altered, the string literal '[[:digit:]]' means any digit will match in the grep search expression.

Please retry without modifying the command.

ahh yes, grep, I remember now, sorry about that.

I ran the command but before I did I tried 2 VPN profiles at once as a workaround (I've not done this before). Now all devices are routed through a VPN, and some of the devices that are routed to the WAN like my NAS (.219), (iMac) C3P0 (.128, and .94 WiFi) I'm running VPN Clients on those. And all WiFi devices are showing.

And VPN Client 1 in the router isn't showing any odd 192.1.0.0, or 192.0.0.0

Code:
Chain DNSVPN1 (2 references)
num   pkts bytes target     prot opt in     out     source               destination       
1      149 10413 RETURN     all  --  *      *       192.168.1.111        0.0.0.0/0         
2        0     0 RETURN     all  --  *      *       192.168.1.94         0.0.0.0/0         
3       50  3507 RETURN     all  --  *      *       192.168.1.219        0.0.0.0/0         
4        0     0 RETURN     all  --  *      *       192.168.1.150        0.0.0.0/0         
5       23  1646 RETURN     all  --  *      *       192.168.1.128        0.0.0.0/0         
6      367 34010 DNAT       all  --  *      *       192.168.1.236        0.0.0.0/0            to:10.149.0.1
7      359 33049 DNAT       all  --  *      *       192.168.1.139        0.0.0.0/0            to:10.149.0.1
Chain DNSVPN2 (2 references)
num   pkts bytes target     prot opt in     out     source               destination       
1        0     0 RETURN     all  --  *      *       19.0.0.0             0.0.0.0/0         
2        0     0 RETURN     all  --  *      *       192.168.1.94         0.0.0.0/0         
3       47  3317 RETURN     all  --  *      *       192.168.1.128        0.0.0.0/0         
4      133  9108 RETURN     all  --  *      *       192.168.1.219        0.0.0.0/0         
5      489 42480 DNAT       all  --  *      *       192.168.1.111        0.0.0.0/0            to:10.42.0.1
6       48  3081 DNAT       all  --  *      *       192.168.1.217        0.0.0.0/0            to:10.42.0.1
7        0     0 DNAT       all  --  *      *       192.168.1.158        0.0.0.0/0            to:10.42.0.1
8        0     0 DNAT       all  --  *      *       192.168.1.233        0.0.0.0/0            to:10.42.0.1
 
