VPN Director DNS Leaks

Sean Rhodes

Regular Contributor
I see a lot of posts regarding VPN Director, but they all seem to be about configuration; none are about VPN Director DNS leaks caused by failing to route DNS through the VPN tunnel, or by ignoring routing table entries.

I have been having constant DNS leaks, and found the Wiki, although a great source for understanding, is missing several subtle points about what VPN Director does and doesn't do. It took me a while to fix this, so I thought I would comment here in case anyone else has a similar issue, or can offer a better solution than what I found.

My current setup is:
Asus RT-AX86U
Asus-Merlin v386.5_2 firmware
Using NordVPN on OVPN 1 with VPN Director selective routing.

Firstly, I performed a Nuclear Reset and Minimum Manual Configuration, to exclude entware and any of the addons (man do I see the difference now Diversion isn't running, that's definitely going back on).

I first set up OVPN1 with NordVPN using a UK server as follows:
1. Accept DNS Configuration - Strict
2. Redirect internet traffic through tunnel - yes (to all)
3. Adding the NordVPN DNS servers in the custom configuration:
Code:
dhcp-option DNS 103.86.96.100
dhcp-option DNS 103.86.99.100
push "dhcp-option DNS 103.86.96.100"
push "dhcp-option DNS 103.86.99.100"
I had these previously set up in my WAN DNS settings, but I was concerned these were being bypassed in my previous setup before factory defaulting.

The above setup works and using the DNSleaktest dot com extended test verified I had no DNS leaks.

Now the problem part, following the wiki and setting up selective routing:
I set up my Mac and AppleTV under VPN Director:
AppleTV 10.0.1.60 0.0.0.0 OVPN1
iMac 10.0.1.80 0.0.0.0 OVPN1
Then I setup my VPN client as above, changing only the internet traffic to VPN Director (policy rules) and re-enabled the VPN

I checked for DNS leaks and instantly it was leaking; DNSleaktest showed it was only connecting to 1 server, but a US server, so the tunnel was geo-blocked.

I tried switching to Exclusive; that was worse, now DNSleaktest showed multiple servers.

I added the DNS servers back on the WAN page, but no difference, still leaking.

I re-read the Wiki, and decided to try a couple of changes to see if I could somehow force the DNS.

Under VPN Director, I added a new rule for my router:
Router 10.0.1.1 0.0.0.0 WAN
[screenshot: VPN Director1-edit.jpg]


Under LAN, I enabled DNSFilter, then added the NordVPN DNS servers as DNS1 and DNS2, and added my AppleTV and Mac, each set to one of those DNS servers.
[screenshot: DNS Filter-cust.jpg]


Selective routing is now working, finally.

I then used my Windows PC and DNS leak tested that to ensure it wasn't going through the tunnel, and it was still fine, using my local ISP DNS.

It seems, so far that this is the only way to get selective routing to work without a DNS leak. When I read the Wiki and multiple other posts, the assumption is selective routing just works. It doesn't, not correctly at least.

I would be interested to know if this is actually the firmware that's broken or not, and if anyone else had similar issues and managed to fix the DNS leak.
 

eibgrad

Part of the Furniture

As I mention in the above thread, I have no idea what to make of online third-party DNS leak testing tools. There isn't even consensus on the definition of a DNS leak. Based on the NordVPN suggested setup for Merlin, it appears they assume if you're configured to only use their DNS servers, even if accessed over the WAN and "in the clear", this is NOT a DNS leak. But is that how these online DNS leak testing tools or YOU see it? I certainly don't. But that's exactly what's happening here once you use the VPN Director, since those DNS servers lie outside the scope of the VPN tunnel's IP network.

Frankly, I find it more useful to examine what's happening locally, something I can confirm w/ certainty. At least as a starting point. That's why I created the DNS monitor.

BTW, 0.0.0.0 is NOT what you want for Remote-IP. For *all*, either leave it blank (preferred), or specify 0.0.0.0/0.

Also, Strict is KNOWN to cause DNS leaks because it combines the ISP's DNS servers (or whatever you have configured on the WAN w/ custom servers) w/ those of the VPN provider. And given enough time, DNSMasq will use *all* available DNS servers, NOT just those of the VPN provider. The only thing that ensures the use of only the VPN provider's DNS servers is Exclusive. Of course, the exception being if you happen to only specify the VPN provider's DNS servers on the WAN. Then obviously Strict would actually work. But again, those NordVPN servers are outside the scope of the tunnel, and will always be routed over the WAN w/ the VPN Director active unless you take additional steps to *force* them to be routed over the VPN.

A lot of the above can be gleaned from that link. IOW, a lot of this has already been discussed and analyzed exhaustively. So it's worth reading in its entirety.
 
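The Strict versus Exclusive distinction above, and why the pushed resolvers end up "outside the scope of the tunnel" once policy rules are in use, can be worked through in a small model. This is an added example, not code from the thread or from the Asuswrt-Merlin firmware: the interface names (eth0, tun11, br0), the "first matching rule wins" order, the port-53 DNAT behaviour attributed to Exclusive mode, and the ISP resolver address 203.0.113.53 are assumptions simplified from the firmware's ip rule / iptables setup. The two NordVPN resolvers and the client addresses are the ones from the thread.

```python
# Added example (not from the thread or the Asuswrt-Merlin source): a small model of how
# VPN Director rules and the "Accept DNS Configuration" mode decide which interface
# carries a client's DNS resolution. Interface names, the DNAT behaviour of Exclusive
# mode and the "first matching rule wins" order are assumptions, simplified from the
# firmware's ip rule / iptables setup; the ISP resolver address is a constructed placeholder.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ROUTER_IP = "10.0.1.1"
VPN_DNS = ["103.86.96.100", "103.86.99.100"]   # resolvers pushed by the VPN server (from the thread)
ISP_DNS = ["203.0.113.53"]                     # constructed placeholder for the WAN/ISP resolver
WAN, VPN, LAN = "eth0", "tun11", "br0"         # assumed interface names: WAN, OVPN client 1, LAN bridge


@dataclass
class Rule:
    """One VPN Director row. Blank (or 0.0.0.0/0) matches anything; 0.0.0.0 is a single host."""
    src: str = ""
    dst: str = ""
    iface: str = "OVPN1"


def _match(field, addr):
    return field in ("", "0.0.0.0/0") or ip_address(addr) in ip_network(field, strict=False)


def egress(src, dst, redirect, rules):
    """Interface that carries a packet src -> dst.

    redirect="all":    every packet, the router's own included, takes the tunnel.
    redirect="policy": first matching VPN Director rule wins; anything unmatched,
                       the router itself included, takes the WAN.
    """
    if redirect == "all":
        return VPN
    for r in rules:
        if _match(r.src, src) and _match(r.dst, dst):
            return VPN if r.iface == "OVPN1" else WAN
    return WAN


def upstreams(dns_mode, wan_dns):
    """Resolvers dnsmasq may forward to under each Accept DNS Configuration mode."""
    if dns_mode in ("disabled", "exclusive"):      # pushed resolvers are not given to dnsmasq
        pool = list(wan_dns)
    else:                                          # relaxed / strict: pushed ones are added;
        pool = VPN_DNS + list(wan_dns)             # strict only changes the order, not the set
    return list(dict.fromkeys(pool))


def is_bound(client, redirect, rules):
    """Is this client's Internet traffic routed through the tunnel?"""
    return egress(client, VPN_DNS[0], redirect, rules) == VPN


def dns_path(client, redirect, dns_mode, rules, wan_dns=ISP_DNS):
    """Hops taken to resolve an uncached name for client: list of (src, dst, iface)."""
    if dns_mode == "exclusive" and is_bound(client, redirect, rules):
        # Exclusive adds a nat/PREROUTING DNAT for port 53 from VPN-bound clients, so the
        # query is rewritten to the VPN resolver and rides the client's own policy route.
        return [(client, VPN_DNS[0], VPN)]
    hops = [(client, ROUTER_IP, LAN)]              # client asks dnsmasq on the router
    for dns in upstreams(dns_mode, wan_dns):       # dnsmasq forwards as the router
        hops.append((ROUTER_IP, dns, egress(ROUTER_IP, dns, redirect, rules)))
    return hops


def leaks(client, redirect, dns_mode, rules, wan_dns=ISP_DNS):
    """True when a VPN-bound client's resolution can cross the WAN outside the tunnel."""
    if not is_bound(client, redirect, rules):
        return False                               # intended to use the ISP path anyway
    return any(iface == WAN for _, _, iface in dns_path(client, redirect, dns_mode, rules, wan_dns))


if __name__ == "__main__":
    policy = [Rule("10.0.1.60"), Rule("10.0.1.80")]             # the AppleTV and iMac rows
    forced = policy + [Rule(ROUTER_IP, d) for d in VPN_DNS]     # force the router's own queries
    for label, redirect, mode, rules, wan in [                  # to the VPN resolvers via tun11
        ("redirect all, strict", "all", "strict", [], ISP_DNS),
        ("policy, strict", "policy", "strict", policy, ISP_DNS),
        ("policy, exclusive", "policy", "exclusive", policy, ISP_DNS),
        ("policy, strict, router forced", "policy", "strict", forced, ISP_DNS),
        ("policy, strict, router forced, WAN DNS = VPN DNS", "policy", "strict", forced, VPN_DNS),
    ]:
        print(f"{label}: leak={leaks('10.0.1.60', redirect, mode, rules, wan)}")
        for hop in dns_path("10.0.1.60", redirect, mode, rules, wan):
            print("   ", *hop)
```

Running the scenarios reproduces the thread: with "redirect all" every hop, the router's own forwarding included, is on tun11; with policy rules and Strict the client still asks dnsmasq, and dnsmasq forwards as the router, which the policy mode sends out eth0, so the NordVPN resolvers are reached in the clear; Exclusive short-circuits that by rewriting the client's port-53 traffic. Forcing the router's queries to the two VPN resolvers through the tunnel with extra rules is not enough under Strict, because the ISP resolver remains in dnsmasq's pool and still goes out the WAN; it only becomes clean when the WAN DNS entries are themselves the VPN resolvers, which is the exception noted above. In this model a remote IP of 0.0.0.0 is a single host and matches no real destination, while blank or 0.0.0.0/0 matches everything, so a "Router 10.0.1.1 0.0.0.0 WAN" row changes nothing.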

Jumpstarter

Senior Member

The only way I know of this being a DNS leak is if the OP does a traceroute and sees DNS queries are not traveling by way of the VPN provider, but are traveling down the ISP pathway. Simply seeing Cloudflare or Google or some other big box DNS provider does not indicate a true DNS leak unless we are saying we are intending to only use the DNS server provided by the VPN provider. Even then this could still be a shot in the dark because who's to say the VPN provider doesn't use Cloudflare or Google on its path. As long as the DNS traffic is travelling by way of the VPN tunnel, everything should be good. The DNS service will observe only the traffic as if it came from the IP of the VPN.
 

RMerlin

Asuswrt-Merlin dev
The only way I know of this being a DNS leak is if the OP does a traceroute and sees DNS queries are not traveling by way of the VPN provider,
That would not work. When using DNS mode set to "Exclusive", redirection will only occur for traffic on port 53. A traceroute would skip that redirection.
 

Sean Rhodes

Regular Contributor
A big thanks to everyone, the information you provided is very helpful. I see there's much more to DNS leaks, and I used the term "DNS leak" rather tongue in cheek. In hindsight, I guess instead of saying:
I checked for DNS leaks and instantly it was leaking; DNSleaktest showed it was only connecting to 1 server, but a US server, so the tunnel was geo-blocked.
I should have said:
my geo-location is being detected as originating outside the UK, since I get the dreaded "01192 error streaming content is not allowed outside the UK", the effect being the same, doesn't necessarily mean the cause is.

What I do not understand is why last night I was detected as outside the UK when my VPN was set to "Exclusive". What else could be happening if the DNS servers are being passed in the VPN tunnel?

The only thing that ensures the use of only the VPN provider's DNS servers is Exclusive.

Having made the above statement, I'm now going to contradict it: I re-ran the exact same tests this morning before re-posting, and "Exclusive" appears to be working fine.

I also disabled DNS filtering and rebooted the router, so now I have more confusion since the setups I tried last night that did not work, appear to be working.

Below are two screen grabs (103.86.96.100 and 103.86.99.100 are the VPN provided DNS), the first with the VPN set to strict:
[screenshot: strict.jpg]


the second set to exclusive:
[screenshot: exclusive.jpg]

It looks like something else was occurring in "Exclusive" last night that allowed the BBC servers to detect my origin is non-UK, but is not happening now.

It's difficult to pin down what appears to be a moving target.
 

Jumpstarter

Senior Member
That would not work. When using DNS mode set to "Exclusive", redirection will only occur for traffic on port 53. A traceroute would skip that redirection.
I was referring to setting VPN DNS to Disabled and routing all the specific client traffic by way of the VPN, not the actual redirection under Exclusive, but I do understand your point when talking about redirection and Exclusive.
 

Jumpstarter

Senior Member
Have you tried setting Accept DNS Configuration to Disabled? (This should still allow client DNS to travel via the VPN.)
 

eibgrad

Part of the Furniture

Based on everything you've posted so far, here's what I see.

As I said, using Exclusive will always guarantee that those devices bound to the VPN w/ the VPN Director will result in having *all* their traffic routed through the VPN, whether it's DNS or anything else. And if you look closely at the output from dnsmon, you'll see DNS traffic from 10.0.1.60 and 10.0.1.80 is indeed accessing the VPN provider's DNS servers over the VPN.

But once you use Strict, you can NOT make that same guarantee.

On some side notes ...

The following is pointless in custom config.

Code:
dhcp-option DNS 103.86.96.100
dhcp-option DNS 103.86.99.100
push "dhcp-option DNS 103.86.96.100"
push "dhcp-option DNS 103.86.99.100"

The OpenVPN server is already pushing these same servers. That's why they end up in DNSMasq *twice* (as shown by dnsmon).

Also, there's no need to explicitly bind the router (10.0.1.1) to the WAN w/ the VPN Director, since by default, once you use the VPN Director, the router itself is automatically removed from the VPN.

You can also remove the DNS filters for 10.0.1.60 and 10.0.1.80 since the use of Exclusive is effectively doing this already, both for DNS and all other protocols for those devices.

IOW, all the above is redundant, and just makes for a confusing configuration.

You do (apparently) have some *rogue* devices using 8.8.8.8 and 8.8.4.4. That's a case where you might find the use of DNS filters handy, at least if you want them to use the router's local DNS proxy (DNSMasq) like every other device NOT bound to the VPN.
 
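The "examine what's happening locally" approach from the post above, in particular telling a VPN-bound client's queries, dnsmasq's own forwarding and a rogue device using 8.8.8.8 apart, can be done from the router's connection-tracking table rather than from an online test. The following is an added example and not the thread's dnsmon or any Asuswrt-Merlin code: it reads /proc/net/nf_conntrack-style lines and reports, per source address, who actually answered each port-53 query and which address the query left from. The sample entries, the WAN address 203.0.113.5 and the tunnel address 10.8.8.3 are constructed, and it is an assumption that dnsmasq's forwarded queries carry the WAN or tunnel address as their source according to how the router routed them.

```python
# Added example (not the thread's dnsmon or any Asuswrt-Merlin code): audit port-53 flows
# from /proc/net/nf_conntrack-style lines to see, per source address, who actually answered
# each DNS query and which address it left from. The sample lines, the WAN address 203.0.113.5
# and the tunnel address 10.8.8.3 are constructed; that dnsmasq's forwarded queries carry the
# WAN or tunnel address as their source is an assumption about the router's routing.
import re

ROUTER_LAN = "10.0.1.1"
WAN_IP = "203.0.113.5"                      # constructed WAN address of the router
TUN_IP = "10.8.8.3"                         # constructed OVPN1 tunnel address
VPN_DNS = {"103.86.96.100", "103.86.99.100"}

KV = re.compile(r"(\w+)=(\S+)")

# Constructed conntrack entries: the first src/dst pair is the original direction, the
# second is the reply, which exposes DNAT (reply src) and SNAT (reply dst) after the fact.
SAMPLE = """\
ipv4 2 udp 17 29 src=10.0.1.60 dst=10.0.1.1 sport=50123 dport=53 packets=1 bytes=62 src=103.86.96.100 dst=10.8.8.3 sport=53 dport=50123 packets=1 bytes=118 mark=0 use=1
ipv4 2 udp 17 25 src=10.0.1.80 dst=10.0.1.1 sport=40321 dport=53 packets=1 bytes=58 src=10.0.1.1 dst=10.0.1.80 sport=53 dport=40321 packets=1 bytes=102 mark=0 use=1
ipv4 2 udp 17 27 src=203.0.113.5 dst=103.86.99.100 sport=61000 dport=53 packets=1 bytes=58 src=103.86.99.100 dst=203.0.113.5 sport=53 dport=61000 packets=1 bytes=102 mark=0 use=1
ipv4 2 udp 17 27 src=10.8.8.3 dst=103.86.96.100 sport=61001 dport=53 packets=1 bytes=58 src=103.86.96.100 dst=10.8.8.3 sport=53 dport=61001 packets=1 bytes=102 mark=0 use=1
ipv4 2 udp 17 12 src=10.0.1.90 dst=8.8.8.8 sport=55555 dport=53 packets=1 bytes=60 src=8.8.8.8 dst=203.0.113.5 sport=53 dport=55555 packets=1 bytes=110 mark=0 use=1
ipv4 2 tcp 6 431999 ESTABLISHED src=10.0.1.70 dst=10.0.1.1 sport=49152 dport=443 src=10.0.1.1 dst=10.0.1.70 sport=443 dport=49152 [ASSURED] mark=0 use=1
"""


def parse_flow(line):
    """Return the addresses of a port-53 flow, or None for anything else."""
    fields = {}
    for key, value in KV.findall(line):
        fields.setdefault(key, []).append(value)
    try:
        if int(fields["dport"][0]) != 53:
            return None
        return {
            "client": fields["src"][0],        # who sent the query
            "asked": fields["dst"][0],         # resolver the client addressed
            "answered_by": fields["src"][1],   # resolver that really replied (post-DNAT)
            "nat_src": fields["dst"][1],       # address the query left from (post-SNAT)
        }
    except (KeyError, IndexError, ValueError):
        return None


def classify(flow):
    """Label a flow by the path its query took."""
    if flow["client"] == WAN_IP:
        return "router-upstream-wan"     # dnsmasq forwarding, routed out the WAN in the clear
    if flow["client"] == TUN_IP:
        return "router-upstream-vpn"     # dnsmasq forwarding, routed through the tunnel
    if flow["answered_by"] == ROUTER_LAN:
        return "dnsmasq"                 # LAN client using the router's own resolver
    if flow["answered_by"] in VPN_DNS:
        # The client reached a VPN resolver directly (Exclusive DNAT or a hard-coded setting);
        # only the tunnel address as post-NAT source shows it went through the tunnel.
        return "vpn-dns-in-tunnel" if flow["nat_src"] == TUN_IP else "vpn-dns-over-wan"
    return "rogue-direct"                # client bypassing the router entirely


def audit(text):
    """Map each source address to the sorted set of DNS paths seen for it."""
    seen = {}
    for line in text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue
        seen.setdefault(flow["client"], set()).add(classify(flow))
    return {src: sorted(paths) for src, paths in seen.items()}


if __name__ == "__main__":
    # On the router itself: audit(open("/proc/net/nf_conntrack").read())
    for src, paths in sorted(audit(SAMPLE).items()):
        print(f"{src:15} {', '.join(paths)}")
```

The first sample line is what an Exclusive-bound client looks like: it addressed 10.0.1.1, but the reply came from 103.86.96.100 and was sent back to the tunnel address, so the DNAT and the tunnel route are both visible. The third line is the Strict-mode case from the thread: a query to the NordVPN resolver that left from the WAN address, meaning it was routed outside the tunnel, and the fifth is a rogue device talking to 8.8.8.8 directly. The tcp/443 entry is ignored since only port 53 is audited.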

learning_curve

Regular Contributor
Just one question; the answer may or may not help you. Are you using IPv6? On your router, on your devices, etc.? Including all options, e.g. enabled on the router but disabled on the device, etc.

That ^ question, is because... IPv6 might be a DNS / Geo-Location leak from within your VPN.
I was doing something similar to what you are aiming to do. My own challenge, was and still is... preventing all of my local IPv6 data, including IPv6 DNS, being sent via VPN and/or VPN Director.

However THIS POST by Merlin came to my attention (I simply didn't know this previously), and then, in the recent "preview" of 386_6.* provided by Merlin (although this was for two specific routers, it will be provided on all in due course, but it may be on the 386_7.* series of releases by Merlin), there is a line in the change-log that will make all the difference in terms of IPv6 & VPN, i.e.:
- NEW: Added NAT support for OpenVPN servers in IPv6 mode.
This allows to redirect IPv6 Internet traffic
through your OpenVPN server.
Note that in this excellent POST / THREAD by @eibgrad, which I've used very effectively, it does clearly state that this is not (yet) fully functional for IPv6 (perhaps even more so if it's IPv6 via VPN).

So, IF you are using IPv6, the only easy way currently... to NOT send all of your local IPv6 data via VPN Director (which is my choice) is to completely disable IPv6 on the device that's on your LAN.
 

RMerlin

Asuswrt-Merlin dev
However THIS POST by Merlin came to my attention (I simply didn't know this previously), and then, in the recent "preview" of 386_6.* provided by Merlin (although this was for two specific routers, it will be provided on all in due course, but it may be on the 386_7.* series of releases by Merlin), there is a line in the change-log that will make all the difference in terms of IPv6 & VPN, i.e.:
This support is for servers, not for clients.
 

learning_curve

Regular Contributor
This support is for servers, not for clients.
Just... when it appeared that the "fix" was en-route! :D but thank you for that clarification. The original text does clearly say 'servers' but, I had (perhaps in eternal hope!) wrongly assumed it would also apply to clients too. My error.

That does mean the obvious next question though... Support for OVPN Clients on the router? Is that a possible future add-on? Plus, in the interim, IS the only real workable option modifications to ip6tables, as part of the custom config setup in VPN Director? It's the only thing I've not tried - yet.

I've tried everything seen in this thread, plus many other variables / options so far (that I could find, in this and several other OVPN forums), but none, other than "the only easy way" that I mentioned above, actually works here. That's okay, but it's NOT ideal if you want to run IPv6 on a device when VPN Director is not in use, as it means enabling / disabling IPv6 services each and every time.
 

RMerlin

Asuswrt-Merlin dev
That does mean the obvious next question though... Support for OVPN Clients on the router? Is that a possible future add-on?
I don't know. Anything related to IPv6 is a fairly low priority on my ToDo list because it requires me to do a complicated setup just to test anything related to IPv6.
 

learning_curve

Regular Contributor
I don't know. Anything related to IPv6 is a fairly low priority on my ToDo list because it requires me to do a complicated setup just to test anything related to IPv6.
Okay. Don't want to hijack this thread as I have a separate one on this subject. I'll investigate further and post on there, not here. It's quite ironic that if you use a third party or official OVPN or Wireguard Client on a device, on the LAN, you can do this with great ease, yet with the current OVPN Client that's on the router, you cannot (or at least, it's been impossible to do this, so far...)
 

RMerlin

Asuswrt-Merlin dev
It's quite ironic that if you use a third party or official OVPN or Wireguard Client on a device, on the LAN, you can do this with great ease, yet with the current OVPN Client that's on the router, you cannot (or at least, it's been impossible to do this, so far...)
Those clients are developed by teams of multiple developers. Asuswrt-Merlin is done by one single person, and that person has to develop for more than just a single OpenVPN client, it's basically a whole miniature operating system. Work has to be prioritized.
 

learning_curve

Regular Contributor
Those clients are developed by teams of multiple developers. Asuswrt-Merlin is done by one single person, and that person has to develop for more than just a single OpenVPN client, it's basically a whole miniature operating system. Work has to be prioritized.
Yep, fully understand that. There was no intention of criticism. Only spotting the irony, that's all. IPv6 isn't as popular / relevant as IPv4 is, in many countries - yet (unlike the one I'm in), so it will always be a lower priority for many users / developers / projects etc anyway, for quite a while.
 
