VPN Client does not update DNS settings

gjf

Senior Member
Hi all.

Asus routers (tested on RT-AC68U and RT-AC66U) with the latest Merlin firmware (380.69) do not allow the DNS to be changed when the OpenVPN client is used.

For instance I need to change DNS from 8.8.8.8 to 77.88.8.8 when OpenVPN client is connected. Unfortunately it does not happen and all connected devices still use 8.8.8.8.

Code:
push "dhcp-option DNS 77.88.8.8"
in the additional parameters of the router's client does not help. The only way is to manually change the DNS in the DHCP settings.

Is there any solution for this problem?
 
Check '/etc/openvpn/serverX/config.ovpn' for 'push' conflicts...

i.e. Ensure in the OpenVPN Server GUI 'Respond to DNS=NO', otherwise on the connecting client you will see the router's DNS being pushed ahead of your override DNS
e.g. Client OpenVPN log:
Code:
DNS Server:10.88.8.1,77.88.8.8,Domain:null
NOTE: On the OpenVPN client ensure you do NOT enable 'Override DNS Settings by Server' (as available on the Android OpenVPN client app) or similar.
 
Thanks for the answer.
Possibly it's my mistake - I didn't explain everything clearly. So once again.

1. My router is working as OpenVPN client - and it uses appropriate tab in settings.
2. VPN server is external, I have attached ovpn file (just change extension from txt to ovpn).
3. VPN server works like a charm when native PC OpenVPN client is used - so no problems with server.
4. VPN client in Asus Merlin connects to the VPN server OK.
5. Clients of Asus Merlin router (I mean all devices connected to the router) still use DNS from DHCP - DNS tab that did not change after OpenVPN client connection (but it should).
 

Attachments

  • zaborona-help.txt (4.4 KB)
I'm not sure if this will help, but put your DNS settings under the WAN tab and test. Don't put DNS in the DHCP area; this can be problematic.
 

Set 'Accept DNS Configuration=EXCLUSIVE' and check correct directive syntax is in the VPN ClientX GUI
Code:
# Custom Configuration
dhcp-option DNS 77.88.8.8

exists in '/etc/openvpn/clientX/config.ovpn' if you wish to manually override the exclusive DNS pushed by the VPN ISP.
 
This option should work theoretically, but neither "strict" nor "exclusive" helps.
Code:
# Automatically generated configuration
daemon
client
dev tun12
proto tcp-client
remote vpn.zaborona.help 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ncp-ciphers AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC
cipher AES-128-CBC
script-security 2
route-delay 2
route-up vpnrouting.sh
route-pre-down vpnrouting.sh
verb 3
up updown.sh
down updown.sh
ca ca.crt
cert client.crt
key client.key
status-version 2
status status 5

# Custom Configuration
remote-cert-tls server
setenv opt ncp-ciphers AES-128-GCM
setenv opt block-outside-dns
 
Here is an example of @Martineau's suggestion; only try pushing it with:
Code:
push "dhcp-option DNS x.x.x.x"
push "dhcp-option DNS 8.8.4.4" example
 

'Accept DNS Configuration=EXCLUSIVE' will force your LAN devices to automatically use the VPN connection and the VPN ISP DNS servers if you have 'Redirect Internet traffic=Policy Rules' enabled and the LAN devices are defined in the VPN Client GUI.

Is this what you want? o_O

Use of DNSFILTER is another option, however, for v382.xx the priority of the DNSFILTER rules has changed depending on 'Accept DNS Configuration=EXCLUSIVE/STRICT etc.'
 

OK, let me explain.
"Zaborona VPN" works as a VPN server for a number of hosts that are blocked in some countries.
This VPN works not for all hosts, but only for blocked ones. The list of them is here. So the policy rules are defined in the server itself and I don't want to change them.
In other words, the providers are also blocking hosts via DNS, simply returning an incorrect IP.

I thought "Accept DNS Configuration" works always, not only when "Redirect Internet Traffic" is applied.

Does it mean I need to put both "Accept DNS Configuration" = strict and "Redirect Internet Traffic" = all to make it work in the way it should?
 
By the way in this case the whole connection comes down.
 
I think I found the difference why Asus Merlin OpenVPN client does not work in the same way like PC OpenVPN client:
Jan 9 16:42:08 openvpn[13380]: Unrecognized option or missing or extra parameter(s) in config.ovpn:30: block-outside-dns (2.4.3)

It means the present version of OpenVPN client used in latest Asus Merlin firmware does not understand "setenv opt block-outside-dns" in user config leading to improper work with VPN DNS.

So I believe developers should comment it.
 

This option only works under Windows, it doesn't work under Linux.
 
I found your reply in Github already concerning this.
But how to solve my problem in this case without changing DNS at LAN page?
Adding "Redirect internet traffic"="Policy rules" and redirecting everything from 129.168.1.1/24 to 0.0.0.0/0 through VPN leads to everything except this is unreachable - because VPN server does not forward traffic that is not blocked, and the router does not know how to connect to all other sites.
Creating routes manually instead of using server-side is double-work and real pain-in-the-butt because blocked IPs could change.
 
Hmm doesn't appear to be too much work to automate the process and ensure that any server-side IP changes are taken into account?:rolleyes:

So whilst not perfect, a quick'n'dirty script (assuming Selective 'Policy Rules' is enabled with 'Accept DNS=Exclusive' and a dummy entry in the appropriate VPN Client list)

/jffs/scripts/Zabarona.sh
Code:
#!/bin/sh

#      $1 is the VPN Client instance  # Required
#      $2 is the LAN source/subnet    # Optional - default is 'all'

if [ -z "$1" ];then
   logger -st "($(basename "$0"))" $$ "Missing VPN Client arg1"
   exit 1                                   # exit codes must be in 0-255
fi

SRC='all'
if [ ! -z "$2" ];then
   SRC=$2
fi

# Fetch the published list; drop IPv6 entries, comment lines and blank lines
for IP in $(curl -s https://zaborona.help/ips.txt | grep -v ":" | grep -v "^#" | grep .)
 do
  ip rule del from "$SRC" to "$IP" table "ovpnc$1" prio 8000 2> /dev/null > /dev/null
  ip rule add from "$SRC" to "$IP" table "ovpnc$1" prio 8000
 done
and call it from the openvpn-event vpnclientX-route-up.sh, which should force any LAN device that references any of the 'blocked' IPs via the VPN.

Obviously you could save the IPs to the appropriate NVRAM GUI variable
Code:
nvram set vpn_clientX_clientlist='<Zabarona>xxx.xxx.xxx.xxx>0.0.0.0>VPN........'
but since there is a limit in the number of available NVRAM/GUI Selective Routing entries per VPN Client, it would probably be best to create the RPDB rules direct.
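As an added example (not the script from the post above), the same idea with input validation and a dry run: a downloaded IP list is filtered to well-formed IPv4 hosts/CIDRs before anything reaches 'ip rule', and the resulting RPDB rules are printed rather than executed. The list content is constructed; the table name ovpncX and prio 8000 are taken from the script above.

```shell
#!/bin/sh
# Added example, not the script from the post: validate a downloaded IP list
# before feeding it to 'ip rule', and show the RPDB rules as a dry run.
# SAMPLE_LIST is a CONSTRUCTED stand-in for https://zaborona.help/ips.txt.
SAMPLE_LIST='# blocked hosts (constructed sample)
193.0.170.23
193.0.170.0/24
2a02:6b8:a::a
999.1.1.1
not-an-ip

77.88.55.50'

# valid_ipv4 ADDR[/PREFIX]: succeed only for a well-formed IPv4 host or CIDR
valid_ipv4() {
  addr=${1%/*}
  prefix=${1#*/}
  [ "$prefix" = "$1" ] && prefix=32        # no '/' given: a single host
  case "$prefix" in ''|*[!0-9]*) return 1;; esac
  [ "$prefix" -le 32 ] || return 1
  old_ifs=$IFS; IFS=.
  set -- $addr                              # split into octets
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# filter_ipv4 < list: drop comments, blanks, IPv6 and malformed entries
filter_ipv4() {
  while IFS= read -r line; do
    case "$line" in ''|\#*) continue;; esac
    valid_ipv4 "$line" && printf '%s\n' "$line"
  done
}

# rpdb_rules VPN_INSTANCE SRC < list: print the 'ip rule add' commands that
# a vpnclientX-route-up hook would run (same table/prio as the post's script)
rpdb_rules() {
  filter_ipv4 | while IFS= read -r ip; do
    printf 'ip rule add from %s to %s table ovpnc%s prio 8000\n' "$2" "$ip" "$1"
  done
}

printf '%s\n' "$SAMPLE_LIST" | rpdb_rules 1 all
```

Replacing the final printf with `sh` (or piping the output into it) turns the dry run into the live version.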
 
Thanks for script but as I told you I don't see any use to parse VPN server list while VPN server performs routing by itself.
And I really wonder why Merlin VPN client cannot overcome default DNS settings by design. If "Access DNS" setting works with enabled "Redirect internet traffic" - why it's active at all when traffic is not redirected? Quite useless setting in this case!
 

I would have to disagree, but you are entitled to your rant born out of frustration.

NOTE: There doesn't appear to be any reference to specific DNS settings in this tutorial:

Zaborona Install on AsusWRTMerlin

but the first step requires IPv6 'native' to be enabled, then once the Zabonora.ovpn file is imported (containing the inappropriate 'setenv opt' directives) and the VPN client connects, it can be seen from the screenshots of the Syslog message window that multiple 'ip route add xxx.xxx.xxx.xxx via 192.168.244.1' commands are issued.

So it appears that it doesn't matter which DNS is used to resolve say
Code:
nslookup mamba.ru

Server:    127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain

Name:      mamba.ru
Address 1: 193.0.170.23 mamba.ru
Address 2: 193.0.170.24 mamba.ru
as the route to 193.0.170.23 or 193.0.170.24 is already defined on your router when the Zabonora VPN was established.
However, if your intention is to prevent VPN DNS leaks then there are many working suggestions in the forum.

NOTE: Clearly you have a strange DNS issue if you have no internet connection when using 'Accept DNS Configuration=Strict' and 'Redirect Internet Traffic=ALL' together.

Good luck.
 

I am absolutely cool, calm and collected - no frustration at all! But it looks like you missed some key points as well as skeal before. So I will pay your attention at:

1. There is a configuration without IPv6. Sure you missed it because of Russian - but whatever.

2. The author created ovpn files for all clients - and they work. Yes, block-outside-dns option is not working at *nix, but it does not break functionality.

3. Routes are defined for IPs, not host names - so:

4. ...once again: the problem is with resolving blocked resources. Your example is not good because:
  • nslookup uses the default DNS that is set on the LAN page. In my case it is the provider's DNS, which changes the response when used inside the local network:
when used outside local network:
$ nslookup www.yandex.ru 194.50.85.5
Сервер: dns-5.la.net.ua
Address: 194.50.85.5

Имя: www.YANDEX.ru
Addresses: 2a02:6b8:a::a
77.88.55.50
5.255.255.77
77.88.55.60
5.255.255.50
when used inside local network:
$ nslookup www.yandex.ru 194.50.85.5
Сервер: dns-5.la.net.ua
Address: 194.50.85.5

Имя: www.yandex.ru
Address: 194.50.85.44

I believe you see the difference - when I try to reach blocked host provider's DNS returns a fake IP, so I cannot connect it even when VPN allows such connection.

I cannot use other DNS because in this case some local network features will break.

That's why I wished to use VPN DNS according "strict" policy rules - when VPN DNS is priority 1 DNS, but if some resource is not available - the system will use provider's DNS (for local network features).

P.S. The only my "frustration" is to make Merlin firmware better :) So I'm a little bit concerned with options ("Access DNS" in this case) those do not work as should or work in unclear manner. As I remember this option works in Tomato without need to add redirect policy rules.
 
Also - one more issue to be considered when trying to redirect traffic on router using custom scripts.
Actually it is described here, but again in Russian :)
Briefly: some blocked resources (Yandex, Mail.ru) started to use Cloudflare and Amazon IPs to overcome the blockage. In fact it does not work, because the main providers found a way to block them also very quickly - but it complicates VPN access, because routing all Cloudflare and Amazon traffic means flooding the server.
That's why the VPN DNS is also used - when it sees a query for Yandex or Mail.ru it simply returns a correct IP that has a route, rather than one of the many IPs provided by Cloudflare or Amazon.

So it looks like, if Merlin cannot work with such DNS rules, it is necessary to install a local dnsmasq with priority rules inside. Too bad.
 
