Redirect Internet traffic option = Policy Rules (Strict) and Accept DNS Configuration = Exclusive =

mrmason

Occasional Visitor
I am using Merlin on an Asus AC56U router. I have set up the OpenVPN client. Here is the issue:

Redirect Internet traffic option = All and Accept DNS Configuration = Exclusive works fine. I can browse websites, etc.

However, I need to use policy-based routing as there are some devices which need to be on WAN.

So, I make a few tweaks to the settings to accommodate this:

Redirect Internet traffic option = Policy Rules (Strict) and Accept DNS Configuration = Exclusive

I turn on the VPN switch and it connects fine. I get an IP. However, I cannot browse any websites now. They all just hang.

I believe it’s somehow a DNS issue, but don’t understand why it’s happening or how to fix it.
 
Try Accept DNS = Strict; this uses just the VPN provider's DNS servers. You would hope they don't track. FWIW, if you are not paying for a VPN service, it isn't private.
 
Strict works, but it only works because it is unable to use the DNS of the VPN so it's just using the WAN DNS. I choose Exclusive because I don't want to use WAN DNS. I want everything to enter the tunnel.

Note, I set up my own OpenVPN server, combined with Pi-hole and Unbound, in the cloud. So it's private, and this is why I want to use the DNS of my server rather than the DNS of the WAN. It defeats the purpose if I have to use Strict.

I have tested this because I have a Pi-hole running on my LAN and also one on my OpenVPN server. When I use Strict, the pages work, but I can see the queries incrementing on the Pi-hole dashboard of the LAN and no movement of the numbers on the Pi-hole on the OpenVPN server. So I know Strict is leaking, and I don't want that.

Why shouldn't I be able to use Exclusive with policy routing? It works fine if I select All.
 
Strict = use only the VPN provider's DNS for anything routing through the tunnel. I use this setting as I want no leaks and I don't want my traffic logged. I can't help with Pi-hole, but OVPN DNS settings I'm quite familiar with.
 
Oh man, I made a mistake... It is Exclusive. That is what you want. So sorry for the confusion. I was letting the dogs out.
 
Correct. Why does policy routing DNS not work with Exclusive? That's the big question. Is it a bug? I can't imagine it's by design, as Merlin even recommends using Exclusive in this configuration and he's the author of the software.

With DNS Strict mode:
  • The DNS servers pushed by the VPN provider are added to your current DNS servers in dnsmasq at the top of the list of DNS servers.
  • This means the VPN provider DNS servers will be tried first, but if they are slow or have errors, DNS leaks to your WAN DNS servers can occur.
 
I have no problem with policy routing using Exclusive. I use Policy (Strict) and run two IPs through it.
 
That's good to hear. For me, the DNS shuts down when I switch to Policy from All. Literally every website just hangs. I can connect to the VPN fine, but then just no internet whatsoever. I know it's the DNS, but I need help in figuring out why. FYI, every other time I connect to the VPN from any other client, it works fine. For me, Strict is identical to Disabled because the DNS within the VPN doesn't work at all. The intended use case for Strict is to only use the WAN DNS as a fallback.

I'm looking for help in troubleshooting this to try and figure out what the issue is and then fix it. Thank you.
 
Are you by chance defining the DNS preference in the commands section as well? If you are, you don't need it in your case.
 
No. Only these commands:

sndbuf 524288
rcvbuf 524288
resolv-retry infinite
remote-cert-tls server
setenv opt block-outside-dns
 
What is the last command for? I would get rid of anything in regards to DNS. Actually, I would go back and get a config file from your VPN provider and get the VPN working, then add Exclusive DNS and test, then try routing.
 
I'm not using a commercial VPN provider. I'm using an OpenVPN server hosted on my own VPS. A script generates the .ovpn file and that is what I am using.

Removing setenv opt block-outside-dns did not fix the problem.
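An added diagnostic for the Exclusive-with-policy-routing case discussed in this thread (example code, not from the thread or from Merlin's firmware): it reads nat-table rules in `iptables -t nat -S` format and reports which policy-routed clients have no DNAT rule sending their port-53 traffic to the tunnel DNS, which is where a leak to WAN DNS would come from. The chain name DNSVPN1, the rule text and all addresses are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: check which policy-routed LAN clients have
# their port-53 traffic DNAT'ed into the tunnel, given `iptables -t nat -S` output.
# The rules below are CONSTRUCTED to resemble what Exclusive mode installs on
# Merlin; the chain name DNSVPN1 and the addresses are assumptions.
SAMPLE_NAT_RULES='-P PREROUTING ACCEPT
-N DNSVPN1
-A PREROUTING -p udp -m udp --dport 53 -j DNSVPN1
-A PREROUTING -p tcp -m tcp --dport 53 -j DNSVPN1
-A DNSVPN1 -s 192.168.1.10/32 -j DNAT --to-destination 10.8.0.1
-A DNSVPN1 -s 192.168.1.11/32 -j DNAT --to-destination 10.8.0.1'

# Clients listed in the policy-routing table (constructed list).
POLICY_CLIENTS='192.168.1.10 192.168.1.11 192.168.1.12'

# Print "<client> <dns target>" for every DNAT rule in a DNSVPN* chain.
dns_redirects() {
  printf '%s\n' "$1" | awk '
    /^-A DNSVPN[0-9]+ / && /-j DNAT/ {
      src = ""; dst = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "-s") { src = $(i + 1); sub(/\/32$/, "", src) }
        if ($i == "--to-destination") dst = $(i + 1)
      }
      if (src != "" && dst != "") print src, dst
    }'
}

# Print every policy-routed client with no DNAT rule: its DNS queries are
# answered by the router's normal dnsmasq/WAN path instead of the tunnel DNS.
uncovered_clients() {
  rules="$1"
  shift
  for client in "$@"; do
    if ! dns_redirects "$rules" | awk -v c="$client" '$1 == c { found = 1 } END { exit !found }'; then
      printf '%s\n' "$client"
    fi
  done
}

# On a live router, feed the real output of: iptables -t nat -S
uncovered_clients "$SAMPLE_NAT_RULES" $POLICY_CLIENTS
```

With the constructed rules, 192.168.1.12 is reported as uncovered; on a real router, a client that appears here while it is in the policy list is the one whose queries will show up on the LAN Pi-hole rather than the one behind the tunnel.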