1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.
Dismiss Notice

Welcome To SNBForums

SNBForums is a community for anyone who wants to learn about or discuss the latest in wireless routers, network storage and the ins and outs of building and maintaining a small network.

If you'd like to post a question, simply register and have at it!

While you're at it, please check out SmallNetBuilder for product reviews and our famous Router Charts, Ranker and plenty more!

OpenVPN Question

Discussion in 'Asuswrt-Merlin' started by vpn4life, Mar 14, 2019.

  1. vpn4life

    vpn4life New Around Here

    Joined:
    Mar 14, 2019
    Messages:
    4
    I want to know how merlin got the dns to work automatically in the openconfig. I had a 86u, setting it up with the openvpn config files was super easy and you would get your ip and dns automatically served from your vpn provider without issues. In the pursuit of performance I switched to a custom box. I have tried both pfsense and untangle with expressvpn and cannot for the life of me get their dns to ever work, I get dns leaks per se. How did you do it?
     
  2. L&LD

    L&LD Part of the Furniture

    Joined:
    Dec 9, 2013
    Messages:
    9,594
    Magic! :D:D:D
     
  3. john9527

    john9527 Part of the Furniture

    Joined:
    Mar 28, 2014
    Messages:
    6,096
    Location:
    United States
    It's handled in one of Merlin's scripts. When I was experimenting with pfsense I tried to port it over, but some of the code wasn't compatible with the FreeBSD shell, and I never got back to it.
     
    st3v3n and L&LD like this.
  4. vpn4life

    vpn4life New Around Here

    Joined:
    Mar 14, 2019
    Messages:
    4
    Is there no workaround? I've messaged expressvpn and they wont give me their dns listening addresses. The only DNS they provide openly is for streaming devices and game consoles. I'm honestly considering dropping express, and thinking of mullvad with wireshark, or protonvpn. To me, a dns leak is a big deal.
     
  5. st3v3n

    st3v3n Senior Member

    Joined:
    Feb 24, 2016
    Messages:
    499
    Location:
    Central US
    (L&LD, Magic, indeed. I believe in Magic, as released in '65 by the Lovin Spoonful.

    vpn4, you could always try to ask Merlin for the secrets to the magic DNS sauce:) Rather than messaging Express, you might try to restate your issue to company management. Without a better description of your configuration and systems setup, it's not likely Express is the cause of the DNS leaks you're experiencing. Anything's possible but they'd know if they were leaking. If you're using the Express app or client configs, they'd know if that was causing. Your post opens the deep, dark VPN rabbit-hole.

    Most VPNs are sensitive to their customer's issues, but have no control over router, system or device configuration problems which are where most DNS leaks originate (browser also contribute to leaks). VPNs want to protect their company infrastructure and customer's bits and bytes. If a provider mishandles customer's traffic, they'll lose those customers, hardly in their or their customer's best interests. Mitnick wannabes, script kiddies and the ever-growing legions of hostile state hackers and common crooks have always loved misusing the same VPNs everyone else now uses, only they still like paying with stolen financial data, an old story. There aren't as many quality, verifiable domestic VPN providers in free countries as there once were; none exit in Putin's Russia or in their best friends list, nor in red china or other like-minded controlled states, where all VPNs are outlawed. Detection of any attempted use of non-state controlled VPN apps have resulted in quite a few arrests and disappearances.

    In many countries state agents present security letters or warrants to a VPN owner, along with an gag order never to reveal their plight. Regardless of countless promises made by all VPNs to their customers, to end or relocate their business rather than compromise customer's privacy, never monitoring traffic, etc, VPNs aren't a silver bullet. No owner will risk immediate arrest and imprisonment, with an indefinite cramped prison lifestyle, camping with a new large, lonely cellmate. Customers may not learn of an incident for many years, if ever. The other VPNs you mention have their fans and a decent reputation. Any service advertising world-wide virtual servers is questionable so perform research before you really leave Express. It's difficult to locate most VPN's CEOs (they like their privacy too, even the legitimate guys), in order to sent them a proper letter to further explain your issues.

    Your situation seems complicated, but remain thankful you're not trying to exist in Venezuela. Their electrical grid failed catastrophically two weeks ago with no power, internet or other forms of communications services. No fuel is reaching the population, though a few news outlets are risking their sat-phones driving around to uplink video recorded by non-transmitting smart-phones (no cell service). All their electronics are recharged by their car or a small portable solar panel, and no adequate sanitary conditions exist anywhere. Except for the small amount of food and water the news folk bring in with them for their needs, no food, water, medicine, hospital or other medical services are available. An active war zone elsewhere isn't equal to the instant devastation that a complete power grid collapse brings to an otherwise modern country. An EMP attack as depicted in the novel, 'One Second After' would be the only way short of nuclear war, to send a 21st century country back to the dark ages, with the same amount of anarchy. Not a rant, and best of luck resolving your DNS leaks.
     
    Last edited: Mar 16, 2019
    L&LD likes this.
  6. umarmung

    umarmung Senior Member

    Joined:
    Apr 21, 2018
    Messages:
    247
    This is a relatively easy problem to fix. You do not have to use your provider's DNS. You can (should) use dnscrypt or other encrypted DNS options like DNS-over-TLS these days. That will work with any VPN service, ISP or your own VPS.

    Trickier problems are things like kill switches or failover ...
     
    Last edited: Mar 16, 2019
  7. vpn4life

    vpn4life New Around Here

    Joined:
    Mar 14, 2019
    Messages:
    4
    I understand and had been using DoT with pfsense but switched to untangle and they have yet to support it. I would prefer to use my VPN providers DNS though.
     
  8. Zonkd

    Zonkd Senior Member

    Joined:
    Oct 19, 2014
    Messages:
    466
    Please answer questions below and provide more info:
    1. You are using DoT? If so then it will circumvent ExpressVPN DNS thus dnsleak would happen.
    2. Please use dnsleaktest.com to run an extended test then post your results here.
    3. Please use expressvpn dns leak test page and post your full results here.
    4. Have you manually configured the DNS servers on the device network settings? If so, to what?
    5. How many different ways have you tried to observe and confirm dns leakage is actually happening? Have you tried inspecting dns traffic with Diversion by following the dnsmasq logs? Or in other words, have you used any form of network packet sniffing using a device not connected to vpn?

    Some personal notes from my research:

    ExpressVPN website claims they run their own DNS servers, however I'm unsure whether these are recursive dns servers or if these are fowarding dns servers. You can learn more about recursive servers here. Recursive causes only the vpn operated dns servers to appear in dnsleaktest results. You can test this using the IVPN public recursive DNS server. Forwarding on the other hand may cause all the upstream dns servers operated by third parties (eg google, opendns, cloudflare) to appear in dnsleaktest results. An example of this happening can be seen when using AdguardDNS, which uses forwarding, and someone raised this exact concern on their forums. The important thing to note is that so long as the dns queries are always sent through the vpn tunnel they will be encrypted and appear as originating from the IP address from your VPN provider and not attributable to your actual IP address. It's inevitable that your dns queries will be sent to an authoratative dns server not operated by your vpn.

    No accusations but could ExpressVPN be using transparent DNS proxy to redirect customers dns queries to their own dns servers? I notice they have no public dns server to provide an IP for, I don't think they have a static IP to provide for all their internal dns server/s, and their support docs -- setup dns servers for dd-wrt routers (quoted below) --- advises customers to manually set the Google DNS servers (with a permanent IP address of 8.8.8.8 and 8.8.4.4) or Neustar or Level3, with no other option given for customers to choose expressvpn operated dns servers. Ofcourse if they were proxying dns queries anyway then it wouldn't matter what the customer set. That would be easier and more flexible for them, and better for the customer because dns wouldn't break when the customer stopped using their vpn.

     
    Last edited: Mar 25, 2019
    pmm likes this.
  9. vpn4life

    vpn4life New Around Here

    Joined:
    Mar 14, 2019
    Messages:
    4
    I figured it out, someone sent me an article that helped immensely but I still spent a few hours ironing some things out. Documentation is piss poor when it comes to vpn client setups on pfsense. I plan to make some videos detailing how to do it correctly.
    https://imgur.com/a/AAk1MQV
    https://imgur.com/a/jNqLVP9
    [​IMG]
     
    Last edited: Apr 5, 2019
  10. Xentrk

    Xentrk Part of the Furniture

    Joined:
    Jul 21, 2016
    Messages:
    2,288
    Location:
    The Land of Smiles
    The OpenVPN Client setup document that TorGuard has is also out of date. I emailed them about it nearly two years ago and it's still has not been updated. After I finish my current project on Asuswrt-Merlin, I plan to shift gears to pfSense how-to articles, including how to setup OpenVPN client and selective routing. But over the past 1.5 years, there have been some new blog posts on how to set up pfSense. Lawrence Systems has some great YouTube videos on pfSense that have helped me setup snort and other features. I highly recommend the videos. Check them out.

    Here are some other links:

    https://nguvu.org/pfsense/pfsense-baseline-setup/
    https://turbofuture.com/computers/How-to-Install-pfSense-From-a-Bootable-USB-Stick
    https://www.techhelpguides.com/2017/06/12/ultimate-pfsense-openvpn-guide/
    https://www.infotechwerx.com/blog/Policy-Routing-Certain-Traffic-Through-OpenVPN-Client-Connection
    https://www.linuxincluded.com/block-ads-malvertising-on-pfsense-using-pfblockerng-dnsbl/
    http://supratim-sanyal.blogspot.com/2017/04/pfsense-pfblockerng-ultimate-list-of-ip.html
    https://nguvu.org/pfsense/pfsense-baseline-setup/
     
    L&LD likes this.
  11. Marin

    Marin Very Senior Member

    Joined:
    Sep 15, 2015
    Messages:
    680
    I cannot wait to see your pFsense materials and thanks for sharing these!


    Sent from my iPhone using Tapatalk