OpenVPN domain based DNS routing with DNSFilter On

sputnikk

Occasional Visitor
Hi all,

I have an always on VPN tunnel to work, over which I'm exposing Active Directory for domain traffic for external laptops. This works fine with OpenVPN clients direct on the laptop.

Ported to Merlin, this also works fine. Routing, DNS, AD, etc. is provided to all my local LAN clients over the split-tunnel VPN, just like when the laptops ran their own OpenVPN client.

EXCEPT, if I want to also provide DNS filtering services to my clients who get their internet locally (NOT through VPN), even if I set "DNSFilter" to Router mode - the DNS Hijacking being performed prevents my laptop clients from reaching out to the domain controllers for my internal DNS.

I've done some googling, I have the following in my OpenVPN config:

resolv-retry 20
keepalive 10 60
mute-replay-warnings
ns-cert-type server
max-routes 500
explicit-exit-notify 1
cipher AES-128-CBC
#DNS
dhcp-option DOMAIN mysecret.domain
dhcp-option DNS 192.168.x.112
dhcp-option DNS 192.168.y.181

#required when in dual wan mode
local wan0


I also see it's taking effect, as this file is created:

[email protected]:/tmp/etc/openvpn/client1# cat client.resolv
server=192.168.1.112
server=/my.secret.domain/192.168.x.112
server=192.168.0.181
server=/my.secret.domain/192.168.y.181


No, my local LAN hanging off the ASUS does not overlap (192.168.23.x). The only way my 23.x local clients are able to nslookup against 192.168.1.112 or 192.168.0.181 is if I toggle the "DNSFilter" option completely OFF in Merlin UI.

sputnikk

Occasional Visitor
Solved: I forgot to put "Accept DNS Configuration" into "Exclusive" mode. Once doing so and respinning the VPN configuration quoted above + ENABLING Dns filtering (using Quad9 as an example but I'll be using Diversion and setting this to Router mode soon) - split DNS tunnelling for mysecret.domain is working.


Ugh. That's twice in a week with a self answer but at least I'm coming back to say so.


P.S. This + Dual WAN load balancing coupled with Wifi 6 has made me fall in love with this router. Awesome job Asus.

sputnikk

Occasional Visitor
Update:

I got a USB flash drive now to install Diversion on, and after noticing that dnsmasq.log wasn't catching any traffic, I realized my "Exclusive" VPN configuration was forcing all my local WiFi clients to use the split-tunnel VPN DNS server for ALL DNS traffic (despite the fact that they are getting their internet locally).

I'm lost now as to how to make the ASUS split its DNS queries for domains defined in openvpn :(
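The thread turns on how dnsmasq interprets the server= lines written into client.resolv. In dnsmasq, a plain server=ADDRESS line is a default upstream for every name, while server=/DOMAIN/ADDRESS only applies to names equal to or beneath DOMAIN, and the most specific matching domain wins. The file quoted in the first post contains both forms for the same two servers, so under plain dnsmasq semantics every LAN query, not just mysecret.domain, would be forwarded to the internal AD resolvers over the tunnel. The following is an added example, not code from the thread or from Asuswrt-Merlin: it models only dnsmasq's server=/local= selection rules (it does not model the router's "Accept DNS Configuration" modes or DNSFilter's port-53 redirect), and it runs two constructed rule sets through that model. The 9.9.9.9 address stands in for the Quad9 upstream mentioned in the thread; all addresses and names in the samples are constructed.

```python
"""Model dnsmasq's choice of upstream server for a query name.

dnsmasq semantics covered (as documented in dnsmasq's man page):
  server=1.2.3.4                 default upstream for names with no domain match
  server=/example.com/1.2.3.4    names equal to or under example.com go here
  server=/a.com/b.com/1.2.3.4    several domains may share one address
  server=/example.com/           domain is answered locally only, never forwarded
  local=/example.com/            same as the line above
The longest matching domain wins; several rules with the same winning
domain all contribute their addresses.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the client.resolv quoted in the thread:
# unscoped and domain-scoped entries for the same two internal servers.
MIXED_RULES = """
server=192.168.1.112
server=/my.secret.domain/192.168.1.112
server=192.168.0.181
server=/my.secret.domain/192.168.0.181
"""

# Constructed variant: a general upstream plus domain-scoped internal servers,
# so only names under my.secret.domain reach the internal resolvers.
SPLIT_RULES = """
server=9.9.9.9
server=/my.secret.domain/192.168.1.112
server=/my.secret.domain/192.168.0.181
local=/lan/
"""


@dataclass
class Rule:
    domain: Optional[str]   # None for a default (unscoped) upstream
    address: Optional[str]  # None for a local-only domain


def parse_server_lines(text: str) -> List[Rule]:
    """Turn server=/local= lines into Rule objects; other lines are ignored."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        if key not in ("server", "local"):
            continue
        if not value.startswith("/"):
            rules.append(Rule(None, value))      # unscoped default upstream
            continue
        parts = value.split("/")                 # ['', dom1, ..., address]
        domains, address = parts[1:-1], parts[-1]
        if not domains:                          # malformed, e.g. "server=/x"
            continue
        for dom in domains:
            rules.append(Rule(dom.lower().rstrip("."), address or None))
    return rules


def _under(qname: str, domain: str) -> bool:
    """True if qname is domain itself or a label beneath it."""
    return qname == domain or qname.endswith("." + domain)


def select_upstreams(qname: str, rules: List[Rule]) -> List[str]:
    """Return the upstream addresses dnsmasq would forward qname to.

    An empty list means the name is not forwarded at all (local-only domain
    or no default upstream configured).
    """
    name = qname.lower().rstrip(".")
    best_len, chosen = -1, []
    for r in rules:
        if r.domain is None or not _under(name, r.domain):
            continue
        if len(r.domain) > best_len:             # more specific domain wins
            best_len, chosen = len(r.domain), []
        if len(r.domain) == best_len and r.address:
            chosen.append(r.address)
    if best_len >= 0:
        return chosen
    return [r.address for r in rules if r.domain is None and r.address]


if __name__ == "__main__":
    for label, text in (("mixed", MIXED_RULES), ("split", SPLIT_RULES)):
        rules = parse_server_lines(text)
        for q in ("www.example.com", "dc1.my.secret.domain", "printer.lan"):
            print(f"{label:5} {q:25} -> {select_upstreams(q, rules)}")
```

Running the block shows the difference the thread is circling: with the mixed rule set, www.example.com is forwarded to both internal servers, while with the split rule set it goes to 9.9.9.9 and only names under my.secret.domain reach 192.168.1.112 and 192.168.0.181.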
