VPN uses WAN DNS servers?

cooloutac

Very Senior Member
It seems that whether I set Accept DNS to Strict or Exclusive it still seems to depend on what is set in the WAN DNS section, even though I have DNS options set in the advanced config by the .ovpn file. Am I doing something wrong or misunderstanding something? I wonder if this explains why I'm blocked less by networks using Merlin than when I am on stock firmware with OpenVPN connections.
 
There was a recent discussion about VPN and DNS settings in these threads that may be of help.

 
Thanks for your reply. Just finished reading that second thread you posted and my eyes are still rolling around in the back of my head. I'm pretty noob so had a hard time following. I assumed I had the opposite issue from those two guys, where everything when set to Strict was using my WAN DNS entries including those clients going through the VPN, but maybe I had it backwards. I'm also using AC68U firmware. Basically I get the same DNS problems when using VPN on stock firmware, if that is any clue into the issue. Same issue on AC86U as well. Setting the DNS option in the .ovpn file also does not help on the stock firmware either. It's the reason I'm using Merlin firmware basically, for that Accept DNS Exclusive setting for policy rules.

I don't SSH into the router and didn't do any thorough tests. But my other issue is that when changing the WAN DNS entries or setting DNS in DHCP settings it also causes the same exact problems, for example using Pi-hole. Which is why I assumed I had the exact opposite effect than what was discussed in that thread. The VPN clients seem to rely on what's set in the WAN or DHCP settings.

I gave up on Pi-hole though; it doesn't even block most of the ads on YouTube, which is the only reason I wanted to try it, so it's pretty worthless to me. The query log is of no help. I'm just going back to Accept DNS Exclusive and policy rules Strict and going to assume the VPN leaks info and can't be trusted. My threat model is not that high. From what I gather from that thread I can try to specify every single client's DNS in DNS Filter/router entries, but we're talking over 30 devices.... I guess I can try and do it for only the VPN clients that break, but that's still a pain. I should also note they are also on a guest network.

My Raspberry Pi is going to go back to collecting dust till I find another use for it, and all my devices I browse the web with will continue to use the VPN apps at their OS level. This is part of the reason I returned my AC86U besides the instability. Disappointing.

I think when I decide to build a real router/firewall I will try to make my Pi a UniFi controller lol.
 
Well I didn't want my Pi to go to waste since I set it all up lol. I first tried to use YazFi to see if that changed anything and it was a horrifying experience for many reasons that deserves its own thread I probably won't even go into. I ended up having to format the JFFS partition.

So what I did in the end was change the DNS server option in the .ovpn file to use the Pi-hole address for DNS. Everything on my guest network is VPN so that's all that needed to be done, especially since the guest network doesn't properly isolate lol. Might not matter though, but I have Pi-hole on Ethernet. I then removed the Pi-hole entry and router domain name from DHCP settings, since that starts breaking some of the VPN clients' DNS if anything is listed there. I then used DNS Filter and just manually set every device I had forwarded to WAN in policy rules to use the Custom 1 I set as the Pi-hole address, with the global router setting. And it seems to be working. Only problem is everything going through the VPN shows up as "router" in the Pi-hole query log, but it's better than nothing at this point.

Let me know if you foresee any problems with my setup besides horrible DNS leaks. I could just not use Pi-hole for the VPN guest wifi, I guess.

I think I will now tinker and try to set up DNSCrypt on the Pi-hole.
 
Please share. You're the first person to report needing to do a format as a result of YazFi.
 

Hello sir. Well, to keep it brief, first the web UI was not saving any settings. I had to SSH in and edit the config file. Then it would only work for a little while and then drop everything from the wifi. It also never used the correct subnet, so maybe it was not working correctly at all. I'm using AC68U firmware 384.19. I was setting to force through VPN as the only setting I was changing. Then I figured I'd do a reboot, maybe that would fix it, and then YazFi just totally disappeared from the GUI altogether. It still showed up as installed when using SSH to the terminal, but then I couldn't change any settings. Before rebooting I noticed that Enable JFFS partition was not enabled, even though when I installed YazFi with amtm it said it had enabled that. I didn't double check. So I enabled it and rebooted and tried again, rebooted again, but was having the same issues, so I ended up reformatting the JFFS partition to get the wifi working again. I couldn't disable it when setting it to false.

I wonder if I would have been better off not using amtm to install it and making sure Enable JFFS partition was on before doing any settings and rebooting first? I apologize that I did not investigate further, but I don't think it was the right solution to my VPN DNS problems, since I only have VPN clients on guest wifi. Although it seemed like a good solution for better guest network isolation with minor hole poking for some functions, so I might try again in the future.
 
If jffs scripts weren't enabled then that would explain most, if not all, of the issues!
 
I assumed so as well. Wonder how many others ran into the problem when using amtm. It tells you it enables the partition but it seems that is not true. I still suspect other issues, but that would probably explain why it disappeared from the GUI and was then corrupted after a reboot.
 
Well, I was mistaken. It seems with my current setup all DNS queries show up as the router in the Pi-hole, not just the VPN devices but also the WAN devices set up with DNS Filter. Lame.
 
@Jack Yaz tried it again, this time enabling JFFS partition scripts in router settings before installing YazFi. The GUI this time allowed settings to be saved, though I made the initial settings from the command line. I rebooted the router and everything was still there in the GUI. But it is still not creating separate subnets. Devices after the forced reconnect still have their previous IP addresses. Not sure YazFi is actually changing anything at all.

Actually it is doing something, because I disabled policy routing in VPN settings and set force over VPN in the YazFi and the guest devices are behind the VPN.
 
@Xentrk could my issue just be a device limit maybe? It's not making any sense to me, for example why half my Ring devices on the guest network have internet after making the DHCP changes, but half of them don't. Trying to reconnect them doesn't help. I have over 20 devices on the guest network and I wonder if it's just too much for the router to handle with the advanced DHCP settings? When I use DNS Filter for the forwarded WAN devices on the main network it is only about 8 devices I'm setting up that way. The router actually shows all the devices connected, but they are just not getting internet. If I remove the DHCP settings they then all get internet again. Any thoughts?
 
@Xentrk think I found another solution. I removed the entries in DHCP WINS/DNS settings and removed the domain name. I just used the option to force DNS in the manually assigned IPs in the DHCP settings and that seems to work. So all the guest network devices are getting internet and I can see the WAN devices I set there on the Pi-hole with their respective domain names/IP/MAC. I can still use the DNS option in the VPN advanced/.ovpn setting to force all the guest network to the Pi-hole if I want. Even though those will still just come up as "router" on the Pi-hole, at least the WAN devices are not, which the DNS Filter causes them to do.
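The "everything shows up as router" problem in the posts above is a visibility loss, not just a cosmetic one: when the router's own dnsmasq forwards LAN queries to the Pi-hole, every query arrives from the router's address and you can no longer tell which device asked for what. Here is an added example (not code from this thread, Pi-hole or Asuswrt-Merlin) that measures how much of a Pi-hole query log is hidden behind the router. It reads the `query[TYPE] name from client` lines that dnsmasq writes to pihole.log; the log lines, the router address 192.168.1.1 and the client addresses are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines in the dnsmasq query-log format Pi-hole writes to
# /var/log/pihole.log; addresses and names are made up for this example.
SAMPLE_LOG = """\
Mar  1 10:00:01 dnsmasq[512]: query[A] example.com from 192.168.1.1
Mar  1 10:00:02 dnsmasq[512]: forwarded example.com to 9.9.9.9
Mar  1 10:00:02 dnsmasq[512]: query[A] example.net from 192.168.1.1
Mar  1 10:00:03 dnsmasq[512]: query[AAAA] example.org from 192.168.1.1
Mar  1 10:00:04 dnsmasq[512]: query[A] example.com from 192.168.1.23
Mar  1 10:00:05 dnsmasq[512]: reply example.com is 203.0.113.10
Mar  1 10:00:06 dnsmasq[512]: query[A] example.net from 192.168.1.42
"""

# Only the query lines carry a client address; forwarded/reply/cached lines do not.
QUERY_RE = re.compile(
    r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)$"
)


def parse_queries(log_text):
    """Yield (qtype, name, client) for each query line; skip everything else."""
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group("qtype"), m.group("name"), m.group("client")


def attribution_report(log_text, router_ip, threshold=0.5):
    """Summarise how many queries the Pi-hole can attribute to a real client.

    router_ip is the LAN address of the router whose dnsmasq forwards on
    behalf of clients (an assumption here; read it from your own setup).
    If at least `threshold` of all queries come from that address, per-device
    attribution has effectively been lost.
    """
    per_client = Counter(client for _, _, client in parse_queries(log_text))
    total = sum(per_client.values())
    via_router = per_client.get(router_ip, 0)
    share = via_router / total if total else 0.0
    return {
        "total": total,
        "via_router": via_router,
        "router_share": share,
        "per_client": dict(per_client),
        "attribution_lost": share >= threshold,
    }


if __name__ == "__main__":
    report = attribution_report(SAMPLE_LOG, "192.168.1.1")
    for client, n in sorted(report["per_client"].items()):
        print(f"{client:>16}  {n} queries")
    print(f"{report['via_router']}/{report['total']} queries came from the router "
          f"({report['router_share']:.0%}); attribution lost: {report['attribution_lost']}")
```

Running it against a real pihole.log (pass the file contents instead of `SAMPLE_LOG`) gives a quick before/after check for changes like the DHCP "force DNS" per-client option described above: if the router's share drops and individual LAN addresses start appearing in `per_client`, the clients are now reaching the Pi-hole directly rather than through the router's resolver.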
 
Stopped the DNS leaks now when using the Pi-hole. I set up DNSCrypt on the Pi-hole, and I use the Quad9 DoH no-log, filter, DNSSEC server and it works great. No leak at all. When using the Quad9 DNSCrypt server I had lots of leaks, as well as with other providers like AdGuard, but the Quad9 DoH IPv4 server is good to go. Also make sure you disable IPv6.
 
Welp, the Quad9 proxy is showing up again in a DNS leak test and I don't know why. At least it's only one server. And I can't even get OpenVPN to work on the Pi, so I give up. Pi-hole is nothing but a useless cool tech experiment. It doesn't block ads that you would want it to block. It's just not practical and it throws your privacy out the window.
 