VPN Client DNS Settings


dcsang

Occasional Visitor
Requesting a little guidance with my VPN DNS settings.

WAN
Connect to DNS server automatically: No
DNS Server1: 8.8.8.8
DNS server2: 192.168.1.1
VPN Client
Accept DNS Configuration: Exclusive
Force Internet traffic through tunnel: Policy Rules (Strict)
Block routed clients if tunnel goes down: No
The IP address of my main workstation was added to the routing table specifying Iface VPN. If the router is restarted my main workstation connects and resolves with the VPN Client off. When the VPN client is started my workstation also connects and resolves without issue. After stopping the VPN client it appears that I lose DNS configuration. Restarting the VPN Client or restarting the router restores full connectivity.

My intention is to have all traffic and DNS requests from that workstation routed strictly through the VPN when it is active, but revert to WAN DNS settings otherwise. What am I doing wrong?
 

eibgrad

Very Senior Member
Not sure if this is the problem, but regardless, it makes no sense to specify the router itself (192.168.1.1) as a custom DNS server. Those custom DNS servers are used to tell DNSMasq (the router's DNS server @ 192.168.1.1) what servers should be used to resolve public IPs. By specifying 192.168.1.1, you've created a circular reference. In effect, you're telling DNSMasq to use DNSMasq to resolve public IPs. It would make more sense to use something else, say 8.8.4.4.
 

dcsang

Occasional Visitor
Thank you! After changing that to the suggested 8.8.4.4 and restarting the router I can freely (dis)connect to the VPN client and maintain full connectivity, including DNS.

The only reason I specified 192.168.1.1 in that secondary DNS setting is because I was receiving a message on another configuration page stating something like "...specifying an address other than the router's ip..." and that was the only way to clear the warning. I don't recall if that was during my attempts to set up DNSSEC but I just went through several settings and it's nowhere to be found.

Much appreciated!
 

dcsang

Occasional Visitor
Initial results were good, but I'm losing DNS again after disconnecting from VPN client.

UPDATE: I have roughly a 40% success rate of resolving the DNS issue by toggling the VPN client. Changing the secondary DNS as suggested definitely improved things.
 

eibgrad

Very Senior Member
Suggestion. Unless you have a specific reason for using the DNS server(s) provided by your VPN provider, why not set "Accept DNS configuration" to Disabled, and bind the 8.8.8.8 and 8.8.4.4 IPs to the VPN using policy based routing (as destination IPs). This eliminates any dependencies on the VPN provider for support of DNS, and constantly having to contend w/ implicit changes to DNSMasq every time the VPN is started/stopped. All that changes is how those same DNS servers get routed.
 

dcsang

Occasional Visitor
Thank you for that suggestion. Would you be able to elaborate more on binding the 8.8.8.8 and 8.8.4.4 IPs to the VPN using policy based routing?

I used the VPN provided DNS to fully secure the connection but I would like to explore the alternative you provided.
 

eibgrad

Very Senior Member
What I'm suggesting is that you define routing policy rules specifically for those DNS servers, where you specify only the destination IPs (8.8.8.8 and 8.8.4.4) and VPN network interface. When the VPN is NOT active, those DNS servers are accessed over the WAN. But once the VPN is active, they get routed over the VPN. Simple. In combination w/ "Accept DNS configuration" set to Disabled, this eliminates reconfiguration of DNSMasq every time the VPN is brought up and down (which seems to be the source of your problems).

This is the approach I use w/ my own VPN client. The only downside is if you require the DNS queries to never leave the VPN provider. Personally, I find that to be overkill, but I suppose it might matter to some ppl.
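The two points made in this thread, that the router's own address must not be listed as an upstream resolver (the circular reference described earlier) and that the public resolvers can be steered through the tunnel with destination-IP policy rules instead of letting the VPN rewrite DNSMasq, as an added shell example. This is not code from the thread or from Asuswrt-Merlin; it is generic Linux ip(8) policy routing. The tunnel interface name tun11, the routing table name vpnc, and the rule priority 1000 are assumptions, and with DRY_RUN=1 (the default) the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example (not code from this thread or from Asuswrt-Merlin).
# Assumptions: the OpenVPN client tunnel is tun11, a dedicated routing
# table named "vpnc" is declared in /etc/iproute2/rt_tables, and rule
# priority 1000 is unused. With DRY_RUN=1 (the default) nothing is
# changed on the system; the ip(8) commands are only printed.

LAN_IP="${LAN_IP:-192.168.1.1}"
VPN_IF="${VPN_IF:-tun11}"        # assumed tunnel interface name
VPN_TABLE="${VPN_TABLE:-vpnc}"   # assumed routing table for the tunnel
RULE_PREF="${RULE_PREF:-1000}"   # assumed free priority (main table is 32766)
DRY_RUN="${DRY_RUN:-1}"

# check_upstream_dns LAN_IP SERVER... : succeed only if none of the
# upstream servers handed to dnsmasq is the router itself, which would
# make dnsmasq forward public queries back to itself.
check_upstream_dns() {
    lan_ip=$1
    shift
    for srv in "$@"; do
        if [ "$srv" = "$lan_ip" ]; then
            echo "upstream DNS $srv is the router's own LAN address" >&2
            return 1
        fi
    done
    return 0
}

# run CMD... : print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# route_dns_via_vpn TABLE IFACE SERVER... : destination-IP policy rules.
# Each resolver gets a rule that consults TABLE first; TABLE holds only a
# default route over the tunnel. Run this from the tunnel's up hook: when
# the tunnel goes away the kernel drops that route, the lookup falls
# through to the main table, and the same resolvers are reached over the
# WAN, so dnsmasq itself is never reconfigured.
route_dns_via_vpn() {
    table=$1
    iface=$2
    shift 2
    for srv in "$@"; do
        run ip rule add to "$srv/32" lookup "$table" pref "$RULE_PREF"
    done
    run ip route replace default dev "$iface" table "$table"
}

# unroute_dns_via_vpn TABLE SERVER... : remove the rules again.
unroute_dns_via_vpn() {
    table=$1
    shift
    for srv in "$@"; do
        run ip rule del to "$srv/32" lookup "$table" pref "$RULE_PREF"
    done
}

# Stand-alone: validate the WAN resolvers from the thread, then print the plan.
check_upstream_dns "$LAN_IP" 8.8.8.8 8.8.4.4 &&
    route_dns_via_vpn "$VPN_TABLE" "$VPN_IF" 8.8.8.8 8.8.4.4
```

The fall-through behaviour depends on the vpnc table holding nothing but the tunnel route; a blackhole or unreachable entry in that table would instead turn it into the "block routed clients if tunnel goes down" behaviour. Run with DRY_RUN=0 as root to apply the rules for real.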
 

dcsang

Occasional Visitor
Nice approach. I never fully understood the usage of Destination IP routing but your example is quite clear. Thank you for the help, and lesson!
 

dcsang

Occasional Visitor
I just updated to 386.3 but the DNS issue remains present when stopping the VPN Client. As an alternative to eibgrad's suggestion I can restart the Internet Connection from scMerlin to refresh the DNS configuration rather than restarting the router.
 

Brenneke

Regular Contributor
Have you considered having a guest network set to a VPN client and just switching to that network when you want VPN?
 
