RT-AC86U / DNS config & OpenVPN question

jonboyuk

Occasional Visitor
Hi all,

I'm currently using an Asus RT-AC86U router with Asuswrt-Merlin 384.9 (which is great by the way). I have a VPN configured, using internet traffic redirection (Policy Rules Strict) with all devices using the VPN bar two. My question is over the DNS behaviour.

Under my WAN settings, I have manually set the two DNS servers as suggested by my VPN. However I would like the two devices which are bypassing the VPN to use the IP's DNS.

I've set the "Accept DNS Configuration" to 'Exclusive', but if the WAN DNS settings are set to that of the VPN, where do I input a second set of DNS numbers (i.e. the IP ones)? Or does it just revert to auto, for those clients which are routed through WAN?

Sorry if it's a bit wordy! Thanks :)
 
Leave the VPN client at Exclusive and change the DNS on the WAN page to your ISP DNS. By using Exclusive you ask the VPN provider to give you DNS. The rest of the devices not using the VPN DNS will in fact use the DNS you set on the WAN page.
 
Ah okay, so essentially I'm reverting the WAN DNS back to auto? That's straightforward enough!

How does the router know how to acquire the VPN's DNS? The guide on the VPN's website tells me that I need to enter it manually into the router?

On my PC for example, this is going via the VPN in the way described above. Is there any way I can check a DNS to see if it's using the correct one? I did a check on https://ipleak.net/ and the DNS claims to be the same as the VPN IP. This is different from the one they suggest I should use...

Thanks Skeal.
 
In your case you may need to define the DHCP servers in the additional commands section.
Code:
# Client side (goes in the client's own config):
dhcp-option DNS 8.8.8.8
# Server side (pushed to clients from the server's config):
push "dhcp-option DNS 8.8.8.8"
 
Use one or the other, not both.
 
Sorry, you've lost me on the last bit. One or the other?

And do you mean I need to put those lines of code into the Custom Configuration area of the VPN Client page?
 
Use this in the client. Replace the 8.8.8.8 with your VPN provider's DNS. Use two lines if you have two servers from them.
Code:
dhcp-option DNS <put vpn provider dns here>
 
Okay, I can do that - but last question. What do you mean by use this in the client? Sorry - being a bit stupid here, but I don't know where to stick those two lines (I have two servers to use).
 
Put these servers in the "custom configuration settings window". Client is when you are connecting to something. Server would be if you ran a vpn server that you want to connect to to access your own network.
 
You will have two lines then, one for each VPN server.
 
Great, I think I've done it correctly? Obviously I've entered the correct details instead of 8.8.8.8! :)

Although I've done this now, ipleak.net still just shows the VPN IP address, rather than the VPN DNS number I was expecting (the one I've entered into custom configuration).

On a side note, I've only just upgraded this f/w from the original Asuswrt (without resetting/factory defaulting the device). Is that recommended?
 
If you just made the move from stock f/w to Merlin f/w then yes, reset to defaults and hand configure back to normal. Do not import any kind of settings. Do this the old-fashioned way. ;) :)
 
Oh no - it took me ages to upload little images for all my devices and give them all proper names. D'0h! Okay I'll do it and report back, thanks :D Was what I showed in the screenshot correct by the way?
 
Yes it is. Just replace the numbers with the two servers you were given by the VPN provider. You're golden!
 
Note that for VPNs, you can use the Default buttons at the bottom to reset just your OpenVPN settings for that specific instance.
 
Thanks Merlin. I've factory reset anyway (as painful as it was!) Seems to have fixed a couple of bugs I had in the VPN settings area.
 
Thanks Merlin & Skeal for your help. Although I've done everything above, when I do the DNS leak test, it reports the DNS the same address as the IP (ie not the two I specified in the custom config box). I can see that it's not the ISP DNS however and the internet seems to work, so is that how it's supposed to be?
 
dhcp-option is a server option, I doubt it does anything in a client. You are bound to the DNS server that gets pushed by the server when using Exclusive.
 
Does that mean the two lines of 'dhcp-option DNS 8.8.8.8' (which I've directed at the VPN DNS) aren't actually doing anything? If so, is it better to just use the VPN DNS in the WAN page and have devices connected to my ISP going through the VPN DNS? Sorry - bit confused here!
 
Just set DNS mode to Exclusive, and all your routed clients will use the VPN-provided DNS, unless you are leaking through IPv6, or are using split rules (i.e. you don't redirect a whole client through the tunnel but only for specific destinations).
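
Added example, not part of the original thread: since Exclusive mode uses the DNS servers the VPN server pushes, one way to see which ones those are is to read the `PUSH_REPLY` line in the OpenVPN client log. The log lines in `SAMPLE_LOG` and the function names are constructed for illustration; pipe the real client log into `pushed_dns` instead.

```shell
#!/bin/sh
# List the DNS servers an OpenVPN server pushed, as recorded in a client log.
# SAMPLE_LOG is constructed sample data, not output from a real router.

SAMPLE_LOG="Mar  1 10:00:01 ovpn-client1[1234]: TLS: Initial packet from [AF_INET]198.51.100.7:1194
Mar  1 10:00:02 ovpn-client1[1234]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.8.0.1,dhcp-option DNS 10.8.0.2,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.8.0.6 255.255.255.0'
Mar  1 10:00:03 ovpn-client1[1234]: Initialization Sequence Completed"

# Read a log on stdin; print one pushed DNS address per line,
# taken from the most recent PUSH_REPLY (the latest connection).
pushed_dns() {
    grep "PUSH_REPLY" | tail -n 1 |
        sed "s/.*'PUSH_REPLY,//; s/'.*//" |
        tr ',' '\n' |
        awk '$1 == "dhcp-option" && $2 == "DNS" { print $3 }'
}

# Read a log on stdin; succeed only if address $1 was pushed as a DNS server.
# Useful for checking whether the provider's documented resolver is the one
# actually handed out by the server you connected to.
is_pushed_dns() {
    pushed_dns | grep -qxF "$1"
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | pushed_dns
```

If the addresses printed here differ from the ones in the provider's setup guide, the pushed ones are what routed clients resolve through in Exclusive mode.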
 
