OpenVPN DNS leaking

[brtravel]

I'm using the latest Merlin build (also tried 2 other recent builds) and when using OpenVPN client I find that my DNS is leaking when checking at https://dnsleaktest.com/ and https://ipleak.net/ . Either my true ISP alone will show, or a combination of my true ISP and other DNS at my VPN server location.

I'm using PIA, and when I connect to the same server with a client on my computer, phone, or tablet, there are no DNS leaks, only with the router acting as the client. I've tried L2TP on the router and there are no DNS leaks, but I would like to use OpenVPN.

Any ideas?

I've tried manually setting DNS (WAN - Internet Connection > WAN DNS Setting > Connect to DNS Server automatically), but when I select "No", enter google dns or opendns IPs, and click Apply, when the page refreshes the selection is back to "Yes". If I click "No" again the previously entered IPs are filled.

 

[john9527]

Make sure 'Accept DNS Configuration' is set to Strict on the VPN setup page.

 

[mirage22]

This is an interesting topic. I always wondered what does 'Accept DNS Configuration' on the VPN page mean?

1) What's the difference between disabled, relaxed, strict and exclusive.

2) Does 'accept dns configuration' mean accepting the configuration sent by the VPN provider or accepting what is set in the WAN DNS settings page?

3) Another question, in LAN > DNS Settings > what do these two points mean?
- Advertise router's IP in addition to user-specified DNS
- Forward local domain queries to upstream DNS

 

[john9527]

This is an interesting topic. I always wondered what does Accept DNS Configuration on the VPN page mean?

1) What's the difference between disabled, relaxed, strict and exclusive.

2) Does accept dns configuration mean accepting the configuration sent by the VPN provider or accepting what is set in the WAN DNS settings page?

My understanding.....

Exclusive - Use only the DNS servers supplied by the OpenVPN server. Note that this can cause a problem if the VPN goes down, and your VPN server is set by url and not ip, and you don't have an unencrypted route to the VPN server. Now you can't resolve your server address and VPN will stay down. Some of these cases have been addressed in the latest Merlin, but I don't think all.

Strict - Add the DNS servers supplied by the OpenVPN servers at the top of a list of your normal DNS servers. The servers are then accessed top to bottom on this list, so the non-VPN servers are only accessed if there is an error with the VPN DNS servers. This prevents the problem above.

Relaxed - The server list is created the same way as Strict, except the servers are accessed round robin (or random or some 'responsiveness' algorithm, don't quite remember which). Both the VPN DNS servers and your normal DNS servers are always used.

Disabled - The VPN DNS servers aren't used, only the existing DNS servers.

3) Another question, in LAN > DNS Settings > what do these two points mean?
- Advertise router's IP in addition to user-specified DNS

By default, the router will act as a caching DNS server via dnsmasq. If you specify other servers to use, again by default the router is added as a potential server. This option allows you to make sure all the DNS requests actually go to the servers you specified.

- Forward local domain queries to upstream DNS

The router will normally handle DNS requests for your local lan. This determines if you want the request to go to the user specified/ISP DNS servers if the router can't resolve the request. Or, if you disabled router advertisement DNS, to send these local lan requests upstream (maybe you are running another local DNS server that you want to handle these).

 

[Zhenya]

I might have missed something - so this thread is a bit eye opening.

Hopefully this is not a threadjack.

I have OpenVPN client running on my router. I have an OpenVPN running on my phone. When I connect to the VPN from them my phone and look at ipleak - it shows the IP belonging to my cellular provider not my home network! (EEEK!)

The 'Accept DNS Configuration' seems to only be on the client setting side on the router. How do I enforce this for the phone to tunnel only through my home network. Sorry for being a n00b. I looked through the setting on the phone OpenVPN client but didn't find a similar setting.

Zhenya

 

[martinr]

I might have missed something - so this thread is a bit eye opening.

Hopefully this is not a threadjack.

I have OpenVPN client running on my router. I have an OpenVPN running on my phone. When I connect to the VPN from them my phone and look at ipleak - it shows the IP belonging to my cellular provider not my home network! (EEEK!)

The 'Accept DNS Configuration' seems to only be on the client setting side on the router. How do I enforce this for the phone to tunnel only through my home network. Sorry for being a n00b. I looked through the setting on the phone OpenVPN client but didn't find a similar setting.

Zhenya

I might have misunderstood you, but if you are trying to connect from your (remote) phone back to your home network via a vpn encrypted tunnel, you need OpenVPN client on your phone (which you have) and OpenVPN server, not client, running on your router.

 

[cosmoxl]

I think the only way to use DNS pushed from the VPN server is to *not* specify DNS in the LAN/DHCP page. However, you'll also need to be using "all traffic" mode.

 

[mirage22]

John thank you for the detailed explanation.

You asked brtravel to set 'accept dns config' to strict. but in your explanation of strict, you said it first pulls the dns servers provided by vpn provider then the ones specified in the DNS settings page of wan.

So if I do not want the VPN Provider's or ISP's DNS settings, but only the DNS settings i have specified under WAN, what is the correct configuration?
- Set 'accept dns configuration' to disabled int he vpn client page. and select 'connect to DNS server automatically' to no and specify the DNS servers i want in the WAN page?

 

[cosmoxl]

John thank you for the detailed explanation.

You asked brtravel to set 'accept dns config' to strict. but in your explanation of strict, you said it first pulls the dns servers provided by vpn provider then the ones specified in the DNS settings page of wan.

So if I do not want the VPN Provider's or ISP's DNS settings, but only the DNS settings i have specified under WAN, what is the correct configuration?
- Set 'accept dns configuration' to disabled int he vpn client page. and select 'connect to DNS server automatically' to no and specify the DNS servers i want in the WAN page?

that's correct. but if you use policy routing for the VPN client then DNS requests will be done by the router outside the tunnel. I don't think you want that.

 

[mirage22]

that's correct. but if you use policy routing for the VPN client then DNS requests will be done by the router outside the tunnel. I don't think you want that.

so will this work, if I do not want the VPN Provider's or ISP's DNS settings, but only the DNS settings i have specified under WAN, what is the correct configuration?

1) Created a rule for WAN access from 192.168.1.1 (destination empty)
2) Created a rule for VPN from 192.168.1.0/24 (destination empty)
3) Set 'accept dns configuration' to disabled int he vpn client page.
4) select 'connect to DNS server automatically' to no

and specify the DNS servers i want in the WAN page.

Will this work?

 

[brtravel]

Thank you for the replies, it seems that changing to 'Strict' did fix the DNS leaks according to those two checking sites. However I'm still having issues with some Google services/pages that I wonder if they're DNS related, but this is a good start and I'm happy to see the conversation continue.

 

[cosmoxl]

so will this work, if I do not want the VPN Provider's or ISP's DNS settings, but only the DNS settings i have specified under WAN, what is the correct configuration?

1) Created a rule for WAN access from 192.168.1.1 (destination empty)
2) Created a rule for VPN from 192.168.1.0/24 (destination empty)
3) Set 'accept dns configuration' to disabled int he vpn client page.
4) select 'connect to DNS server automatically' to no

and specify the DNS servers i want in the WAN page.

Will this work?

no, that won't work. when using policy routing the router itself cannot be routed through the VPN tunnel. thus, DNS requests sent to the router (and then to the actual DNS) will NOT be routed through the tunnel. Merlin must correct me if I'm wrong here.

if you use the openvpn client in "all traffic" mode the router itself will use the VPN tunnel. DNS requests will go from the router through the VPN tunnel. specify what DNS you want to use in the WAN page (or don't and use ISP provided).

If you want to use policy routing I suggest you specify DNS in the LAN/DHCP page. Those DNS will be passed to DHCP clients. The clients, whether routed through the VPN tunnel or clear WAN will then use those DNS.

 

[RMerlin]

If you want to use policy routing I suggest you specify DNS in the LAN/DHCP page. Those DNS will be passed to DHCP clients. The clients, whether routed through the VPN tunnel or clear WAN will then use those DNS.

I recommend using DNSFilter for these. Force only the clients you want to be routed through the tunnel, to use the DNS servers normally provided by the tunnel provider.

 

[mirage22]

I recommend using DNSFilter for these. Force only the clients you want to be routed through the tunnel, to use the DNS servers normally provided by the tunnel provider.

I want all clients, including guests who drop by to have their internet pass through VPN. So DNS filter will be tedious.

secondly, all of them should use say, OpenDNS. not the dns provided by my ISP or the VPN provider.

Finally, if the net goes down and a reconnection is established, all clients should be blocked till the ovpn connection is re-established with the vpn provider.

How would I tweak the settings to achieve this?

 

[RMerlin]

I want all clients, including guests who drop by to have their internet pass through VPN. So DNS filter will be tedious.

Set up a global DNSFilter then instead of a per-client basis.

Finally, if the net goes down and a reconnection is established, all clients should be blocked till the ovpn connection is re-established with the vpn provider.

That's unrelated to the DNS servers. That's what the option under VPN routing policy is for.

 

[mirage22]

Thank you merlin. n00b question: would that be custom 1 and the DNS server address? or router?

 

[Zhenya]

I might have misunderstood you, but if you are trying to connect from your (remote) phone back to your home network via a vpn encrypted tunnel, you need OpenVPN client on your phone (which you have) and OpenVPN server, not client, running on your router.

Martin,
Thank you for your response! I do in fact have the server running on my router and the client on my phone. The connection works as I can load the router management page when connected to VPN while on the cellular network with my phone. However, when I am connected to the VPN on my phone, and I go to dnsleaktest / ipleaktest, I see the mobile carrier IPs not that of my home network.

Thoughts?

 

[RMerlin]

Thank you merlin. n00b question: would that be custom 1 and the DNS server address? or router?

Custom means it will use the IP you enter in the Custom field below. Router would force clients to use the router's own IP, where it will use whatever DNS you have configured on the router (typically those provided by your ISP, unless you change them on the WAN page).

 

[martinr]

Martin,
....However, when I am connected to the VPN on my phone, and I go to dnsleaktest / ipleaktest, I see the mobile carrier IPs not that of my home network.
Thoughts?

Only 2 thoughts, I'm afraid: firstly, what happens if, instead of connecting via cellular, you connect remotely via wifi eg a public hotspot? What do you get then? Secondly, my advanced settings for the OpenVPN server has a "yes" against both "Respond to DNS" and "Advertise DNS to clients". If your settings are different, perhaps you could change them one at a time and see if that helps?

 

[barcote]

Sorry for hijacking an old thread. I've been trying to research and this thread seemed to come closest but i cant find a anything that deals exactly with my problem. I'm having an issue with openvpn and dns and I'm hoping someone more knowledgeable than i might have the answer. I'm running the latest merlin build on the 88u. I use policy based routing to direct certain devices through VPN but not others. This works great.

The problem i have is when i activate openvpn although the policy based routing does its job well, all connected devices use the VPNs DNS servers whether or not policy routed through the Vpn tunnel.

This has never been a problem until recently where it has become apparent that certain sites are blocking my Vpn DNS servers - e.g. PayPal so having openvpn Vpn switched on is preventing accessing PayPal and one or two other sites even on devices not routed through the Vpn. What i want to achieve is devices routed through Vpn use Vpn DNS whilst other devices continue to use DNS defined in wan settings as is the case when Vpn is turned off. I can't seem to achieve this easily.

I am aware that i can use DNS filter to force specific devices to use a specific DNS but this is inelegant as if i later route that device through the Vpn i have to also remember to turn off the filter for that device and also have to manually add any new device that connects. The global filtering setting seems to override the strict DNS vpn setting so that no device uses Vpn dns so this is no good either.

Is there a way to achieve Vpns DNS server use for devices policy routed through Vpn and wan defined DNS for all other clients without fiddling around each time with DNS filter. I should have thought this would be standard behaviour but it doesn't seem to be. Does the answer lie in the Vpn DNS settings - strict exclusive etc? Mine is set to strict.

Thank you in advance for any advice.