VPN Client DNS Settings

dcsang

Requesting a little guidance with my VPN DNS settings.

WAN
  Connect to DNS server automatically: No
  DNS Server1: 8.8.8.8
  DNS Server2: 192.168.1.1
VPN Client
  Accept DNS Configuration: Exclusive
  Force Internet traffic through tunnel: Policy Rules (Strict)
  Block routed clients if tunnel goes down: No

The IP address of my main workstation was added to the routing table specifying Iface VPN. If the router is restarted my main workstation connects and resolves with the VPN Client off. When the VPN client is started my workstation also connects and resolves without issue. After stopping the VPN client it appears that I lose DNS configuration. Restarting the VPN Client or restarting the router restores full connectivity.

My intention is to have all traffic and DNS requests from that workstation routed strictly through the VPN when it is active, but revert to WAN DNS settings otherwise. What am I doing wrong?
 
Not sure if this is the problem, but regardless, it makes no sense to specify the router itself (192.168.1.1) as a custom DNS server. Those custom DNS servers are used to tell DNSMasq (the router's DNS server @ 192.168.1.1) what servers should be used to resolve public IPs. By specifying 192.168.1.1, you've created a circular reference. In effect, you're telling DNSMasq to use DNSMasq to resolve public IPs. It would make more sense to use something else, say 8.8.4.4.
 
Thank you! After changing that to the suggested 8.8.4.4 and restarting the router I can freely (dis)connect to the VPN client and maintain full connectivity, including DNS.

The only reason I specified 192.168.1.1 in that secondary DNS setting is because I was receiving a message on another configuration page stating something like "...specifying an address other than the router's ip..." and that was the only way to clear the warning. I don't recall if that was during my attempts to set up DNSSEC but I just went through several settings and it's nowhere to be found.

Much appreciated!
 
Initial results were good, but I'm losing DNS again after disconnecting from VPN client.

UPDATE: I have roughly a 40% success rate of resolving the DNS issue by toggling the VPN client. Changing the secondary DNS as suggested definitely improved things.
 
Suggestion. Unless you have a specific reason for using the DNS server(s) provided by your VPN provider, why not set "Accept DNS configuration" to Disabled, and bind the 8.8.8.8 and 8.8.4.4 IPs to the VPN using policy based routing (as destination IPs)? This eliminates any dependencies on the VPN provider for support of DNS, and constantly having to contend w/ implicit changes to DNSMasq every time the VPN is started/stopped. All that changes is how those same DNS servers get routed.
 
Thank you for that suggestion. Would you be able to elaborate more on binding the 8.8.8.8 and 8.8.4.4 IPs to the VPN using policy based routing?

I used the VPN provided DNS to fully secure the connection but I would like to explore the alternative you provided.
 
What I'm suggesting is that you define routing policy rules specifically for those DNS servers, where you specify only the destination IPs (8.8.8.8 and 8.8.4.4) and VPN network interface. When the VPN is NOT active, those DNS servers are accessed over the WAN. But once the VPN is active, they get routed over the VPN. Simple. In combination w/ "Accept DNS configuration" set to Disabled, this eliminates reconfiguration of DNSMasq every time the VPN is brought up and down (which seems to be the source of your problems).

This is the approach I use w/ my own VPN client. The only downside is if you require the DNS queries to never leave the VPN provider. Personally, I find that to be overkill, but I suppose it might matter to some ppl.
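
Added example, not part of the thread or any poster's own script: a way to confirm from the router's shell that the destination-IP rules described above actually send 8.8.8.8 and 8.8.4.4 through the tunnel while the VPN is up, and over the WAN while it is down. The interface names (`tun11`, `eth0`), the table name, the sample addresses and the availability of `ip route get` on the router are assumptions; the sample lines are constructed.

```shell
#!/bin/sh
# Constructed sample lines in the shape of `ip route get <addr>` output.
# Interface names, table name and addresses are assumptions for illustration.
SAMPLE_VPN='8.8.8.8 via 10.8.0.1 dev tun11 table ovpnc1 src 10.8.0.2'
SAMPLE_WAN='8.8.4.4 via 203.0.113.1 dev eth0 src 203.0.113.25'

# Print the egress interface named after the "dev" keyword, or nothing.
egress_dev() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Map a route line to "vpn" (tunnel interface), "wan" (anything else) or "unknown".
classify_path() {
    dev=$(egress_dev "$1")
    case "$dev" in
        "")       echo unknown ;;
        tun*|wg*) echo vpn ;;
        *)        echo wan ;;
    esac
}

# check_resolver <up|down> <route line>
# With destination-IP policy rules, resolvers should follow the tunnel while
# the VPN is up and fall back to the WAN while it is down.
check_resolver() {
    path=$(classify_path "$2")
    case "$1:$path" in
        up:vpn|down:wan) echo ok ;;
        up:wan)          echo leak ;;        # VPN up, DNS still leaving via WAN
        *)               echo unexpected ;;  # no route, or tunnel route while down
    esac
}

# Live check on the router: sh script.sh live <up|down>
if [ "${1:-}" = "live" ]; then
    for dns in 8.8.8.8 8.8.4.4; do
        line=$(ip route get "$dns" 2>/dev/null | head -n 1)
        echo "$dns: $(check_resolver "${2:-up}" "$line")"
    done
fi
```

Run on the router itself, this reflects the path taken by the router's own DNSMasq queries, which is the traffic that matters when "Accept DNS configuration" is Disabled and clients resolve through 192.168.1.1.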
 
Nice approach. I never fully understood the usage of Destination IP routing but your example is quite clear. Thank you for the help, and lesson!
 
I just updated to 386.3 but the DNS issue remains present when stopping the VPN Client. As an alternative to eibgrad's suggestion I can restart the Internet Connection from scMerlin to refresh the DNS configuration rather than restarting the router.
 
Have you considered having a guest network set to a VPN client and just switching to that network when you want VPN?
 