VPN Strict DNS Local Clients Issues


danioj

New Around Here
Hi Guys,

I have been a user of the Merlin FW for my RT-AC88U for over a year now and I love it.

I do however have an issue, which searching the forum doesn't seem to help me resolve.

I have a setup like this:
  • Clients 1 to 10 > VPN Client 1
  • Clients 11 to 20 > VPN Client 2
  • Clients 21 to 30 > ISP Gateway
This works perfectly.

However, in order to prevent DNS leaks etc, I have the following options set (which after some isolation tests I believe are the culprit):
  • Accept DNS Configuration: Exclusive
  • Redirect Internet traffic: Policy Rules (strict)
As a result, I don't seem to be able to use local DNS names on my network (IP only). I don't think this is intended behaviour, BUT, I can't find a way to solve it.

My full VPN configuration is below (I have blocked out some of the specific settings). Any comments would be appreciated.

Thanks

D

General Settings
  • Start with WAN: Yes
  • Interface Type: TUN
  • Protocol: UDP
  • Firewall: Automatic
  • Authorization Mode: TLS
  • Username/Password Authentication: Yes
  • Username: username_is_here
  • Password: (not shown)
  • Username / Password Auth. Only: No
  • TLS control channel security (tls-auth / tls-crypt): Disabled
  • Auth digest: SHA256
  • Create NAT on tunnel: Yes

Advanced Settings
  • Log verbosity (0-6, default=3): 3
  • Poll Interval: 0
  • Accept DNS Configuration: Exclusive
  • Cipher Negotiation: Enable
  • Negotiable ciphers: AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC
  • Legacy/fallback cipher: AES-256-CBC
  • Compression: LZO Adaptive
  • TLS Renegotiation Time (in seconds, -1 for default): -1
  • Connection Retry (in seconds, -1 for infinite): -1
  • Verify Server Certificate: No
  • Redirect Internet traffic: Policy Rules (strict)
  • Block routed clients if tunnel goes down: Yes

Custom Configuration

persist-remote-ip
verify-x509-name server_name_here name
keysize 256
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-DSS-WITH-AES-256-CBC-SHA:TLS-RSA-WITH-AES-256-CBC-SHA
danioj said:
As a result, I don't seem to be able to use local DNS names on my network (IP only). I don't think this is intended behaviour, BUT, I can't find a way to solve it.

I think it is intended behaviour. You can't instruct the client to "exclusively use the DNS servers supplied by the VPN server" and then expect it to use the router's DNS server instead.
Quoting the reply above:
I think it is intended behaviour. You can't instruct the client to "exclusively use the DNS servers supplied by the VPN server" and then expect it to use the router's DNS server instead.

That seems reasonable. However, there is usually (in other router FW) a setting which allows you to bypass DNS for local network etc? A setting of this type would probably solve my problem.

Essentially, I'd like to maintain the exclusive DNS from the VPN server, except for my local network. Does anyone know how I would achieve this?
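As an added illustration that is not part of the thread (not danioj's code, not the other poster's, and not Asuswrt-Merlin's own scripts): to my understanding of the firmware, "Accept DNS Configuration: Exclusive" is enforced on the router with iptables NAT rules that DNAT port-53 traffic from each policy-routed client to the VPN-supplied resolver, so those clients never reach dnsmasq on the router and local hostnames stop resolving. The script below walks `iptables -t nat -S` output the way netfilter would (PREROUTING in order, first matching DNAT wins) and reports which resolver a given LAN client actually hits. The sample rules, the chain names DNSVPN1/DNSVPN2, the LAN addresses and the 10.8.0.1/10.9.0.1 resolvers are constructed assumptions for the example.

```shell
#!/bin/sh
# Added diagnostic, not code from the thread or from Asuswrt-Merlin. Given the
# output of `iptables -t nat -S` on the router, report which resolver a LAN
# client's DNS queries actually reach. With "Accept DNS Configuration:
# Exclusive" the firmware (to my understanding) DNATs port 53 from each
# policy-routed client to the VPN-supplied server, bypassing dnsmasq.

# Constructed sample standing in for `iptables -t nat -S` on a router with two
# VPN clients in Exclusive mode. Chain names (DNSVPN1/DNSVPN2), LAN addresses
# and VPN resolvers are assumptions for illustration only.
SAMPLE_RULES='-P PREROUTING ACCEPT
-N DNSVPN1
-N DNSVPN2
-A PREROUTING -p udp -m udp --dport 53 -j DNSVPN2
-A PREROUTING -p tcp -m tcp --dport 53 -j DNSVPN2
-A PREROUTING -p udp -m udp --dport 53 -j DNSVPN1
-A PREROUTING -p tcp -m tcp --dport 53 -j DNSVPN1
-A PREROUTING -p udp -m udp --dport 5353 -j ACCEPT
-A DNSVPN1 -s 192.168.1.10/32 -j DNAT --to-destination 10.8.0.1
-A DNSVPN1 -s 192.168.1.11/32 -j DNAT --to-destination 10.8.0.1
-A DNSVPN2 -s 192.168.1.16/29 -j DNAT --to-destination 10.9.0.1'

# resolver_for RULES CLIENT_IP
# Prints the DNAT target that will answer CLIENT_IP's DNS, or "dnsmasq" when no
# port-53 DNAT matches, i.e. the query reaches the router's own resolver.
resolver_for() {
    printf '%s\n' "$1" | awk -v client="$2" '
        function ip2n(ip,  o) { split(ip, o, "."); return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4] }
        # IPv4 CIDR test without external tools; a bare address means /32
        function in_net(ip, cidr,  p, bits, div) {
            bits = (split(cidr, p, "/") == 2) ? p[2] : 32
            if (bits == 0) return 1
            div = 2 ^ (32 - bits)
            return int(ip2n(ip) / div) == int(ip2n(p[1]) / div)
        }
        # value following a flag such as -j, -s or --to-destination
        function field(line, flag,  f, n, i) {
            n = split(line, f, " ")
            for (i = 1; i < n; i++) if (f[i] == flag) return f[i + 1]
            return ""
        }
        function src_matches(r,  src) { src = field(r, "-s"); return (src == "" || in_net(client, src)) }
        # keep every rule in chain order so traversal below mirrors netfilter
        /^-A / { rules[$2, ++count[$2]] = $0 }
        END {
            for (i = 1; i <= count["PREROUTING"]; i++) {
                r = rules["PREROUTING", i]
                if (r !~ /--dport 53( |$)/) continue          # only DNS rules matter here
                target = field(r, "-j")
                if (target == "DNAT") {                          # DNAT directly in PREROUTING
                    if (src_matches(r)) { print field(r, "--to-destination"); exit }
                    continue
                }
                for (j = 1; j <= count[target]; j++) {           # rules of the jumped-to chain
                    s = rules[target, j]
                    if (field(s, "-j") == "DNAT" && src_matches(s)) { print field(s, "--to-destination"); exit }
                }
            }
            print "dnsmasq"
        }'
}

# Stand-alone run over the constructed sample. On the router, replace
# "$SAMPLE_RULES" with "$(iptables -t nat -S)".
for ip in 192.168.1.10 192.168.1.20 192.168.1.25; do
    printf '%-14s -> %s\n' "$ip" "$(resolver_for "$SAMPLE_RULES" "$ip")"
done
```

The point of the check is the isolation test danioj describes: a client whose answer is a VPN resolver is asking a server that has never heard of the LAN, so `nslookup somehost` from it fails while `nslookup somehost <router-ip>` from a client that returns `dnsmasq` succeeds. Running it on the router before and after toggling the Exclusive option shows whether the port-53 DNAT rules appear and disappear with that setting.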