What happens if you have openvpn configured on router AND have vpn app running on computer?

stargazer

Occasional Visitor
What happens if you have openvpn configured on router AND have vpn app running on computer? Let's say you have NordVPN setup on AX88U through openvpn as client running Merlin 386.4 AND have Nordlynx running on a network computer. Does the router set up for openvpn cause a problem for the computer running a non-openvpn app? If so what would be the proper settings to allow both to coexist on the network?
 

eibgrad

Part of the Furniture
There's no problem in having both at the same time. One does NOT interfere w/ or break the other. However, the OpenVPN client on the computer is going to take precedence over the OpenVPN client running on the router for that computer. So while it can be done, you wouldn't normally have both. Not unless you have a special reason.
 

stargazer

Occasional Visitor
Since Nordlynx on computer does not utilize openvpn does that make a difference?
 

stargazer

Occasional Visitor
No. The choice of VPN doesn't matter. It's just the fact the router and the computer are using a VPN, any VPN, that matters.
The reason I'm running Nordlynx on computer is because I noticed that without having it I have discovered DNS leaks when I depend solely on openvpn set on router.
 

eibgrad

Part of the Furniture
The reason I'm running Nordlynx on computer is because I noticed that without having it I have discovered DNS leaks when I depend solely on openvpn set on router.

I understand. But obviously the correct solution is to determine *why* you have DNS leaks on the router. Resorting to the client-side app is simply avoiding the issue.
 

stargazer

Occasional Visitor
My AX88U is setup per NORD's Merlin guide. I have no idea why when I run DNS leak test that I get 2 or 3 IPs other than the public IP given through the VPN. They may be a part of the NORD server system but when I run the same test running Nordlnx on the computer it reflects only the public IP.
 

Tech Junky

Very Senior Member
Nordlynx = faster
OVPN = slower

The benefits of using Nord diminish due to the bottleneck going through the OVPN profile at the router level.

Take a 1gbps connection for example.
OVPN speeds will be in the 400-500mbps range
Nord (WG) speeds have less overhead and can hit considerably higher as shown below.
1643127724184.png


Leaks....
What you're looking for is not to see any of your REAL IP information being exposed.


1643128025217.png

1643128262666.png


So, under ISP you see some entries and those should NOT reveal your ISP you're connected through. The whois results should display a different provider / location than where you're located.

1643128441925.png


In this example everything points to my location being Dallas but, that's not where I'm at. When running DNS tests you'll get multiple results btu, as you can see the providers listed don't come back to my actual provider. There are other measures like disabling IPv6 and WebRTC to prevent higher level leaks from browsers.
 

eibgrad

Part of the Furniture
My AX88U is setup per NORD's Merlin guide. I have no idea why when I run DNS leak test that I get 2 or 3 IPs other than the public IP given through the VPN. They may be a part of the NORD server system but when I run the same test running Nordlnx on the computer it reflects only the public IP.

Ok, but let's NOT conflate the issue of your public IP as seen through the VPN, vs. which DNS servers you're using, and whether they represent a DNS leak. Those are two different issues. So let's make sure we're on the same page here as to the actual problem.

And btw, by DNS leak, *I* mean anytime you're using your ISP's DNS server(s), OR, using some other DNS servers (e.g., NordVPN), but they can still be eavesdropped on by your ISP, or worse, hijacked, because they are still being routed over the WAN.
 

Tech Junky

Very Senior Member
If you're tunneling all of your traffic through a VPN all your ISP sees is the IP of the VPN and none of the traffic if everything is configured properly.

What a website can pick up from a browser leak is a different story but, it shouldn't be able to pinpoint you to your location.

1643131195648.png

 

eibgrad

Part of the Furniture
If you're tunneling all of your traffic through a VPN all your ISP sees is the IP of the VPN and none of the traffic if everything is configured properly.

Absolutely agree. But that's the 64k question. Is the VPN configured properly! THAT is the issue. Many times that's NOT the case. And many times it due to the VPN provider's own instructions.
 

RMerlin

Asuswrt-Merlin dev
What happens if you have openvpn configured on router AND have vpn app running on computer? Let's say you have NordVPN setup on AX88U through openvpn as client running Merlin 386.4 AND have Nordlynx running on a network computer. Does the router set up for openvpn cause a problem for the computer running a non-openvpn app? If so what would be the proper settings to allow both to coexist on the network?
You will end up having the desktop VPN traffic tunneled through the router's VPN. The protocol or application used on the desktop doesn`t matter. Just make sure however you don`t connect to the same server, as many providers only allow one login per server.
 

Tech Junky

Very Senior Member
Sidenote...

I use Nord as a whole house solution and have the app on my phone when not home. It won't work on top of each other simultaneously while already connected to the VPN.
 

RMerlin

Asuswrt-Merlin dev
Sidenote...

I use Nord as a whole house solution and have the app on my phone when not home. It won't work on top of each other simultaneously while already connected to the VPN.
Maybe the app has safeguards in place to prevent accidental double tunneling.
 

CaptainSTX

Part of the Furniture
On StrongVPN running WireGuard on my VPN appliance and also running a VPN app on my PC which is also using WireGuard it drops by speed from 650 Mbps download to 75 Mbps. My IP location is the geographic location is of the VPN client on the VPN appliance.
 

eibgrad

Part of the Furniture
Getting back to the DNS leaks …

I decided to take a closer look @ NordVPN, esp. their instructions, and the results I got when following them, to the letter.

Oddly, NordVPN recommends you configure the WAN w/ their DNS servers (103.86.96.100 and 103.86.99.100). That suggests to me that perhaps their servers are NOT pushing these to the OpenVPN client. OTOH, they do advise you specify Strict for "Accept DNS Configuration". So something seems odd there.

I assigned their DNS servers on the WAN as instructed, which shows up in /tmp/etc/resolv.conf as expected.

Code:
[email protected]:/tmp/home/root# cat /tmp/etc/resolv.conf
nameserver 103.86.96.100
nameserver 103.86.99.100

DNSMasq then copies that file to its own servers file, /tmp/resolv.dnsmasq.

Code:
[email protected]:/tmp/home/root# cat /tmp/resolv.dnsmasq
server=103.86.96.100
server=103.86.99.100

So far, all as expected.

I then configured the OpenVPN client w/ one of their .ovpn files, set the OpenVPN client to Strict, and connected. Note, I'm using the VPN Director and the following rule.

Code:
192.168.1.0/24 <blank> OVPN3

The syslog clearly shows their server pushing the same DNS servers.

Code:
Jan 25 12:26:55 ovpn-client3[11001]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 103.86.96.100,dhcp-option DNS 103.86.99.100,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,comp-lzo no,route-gateway 10.8.1.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.8.1.4 255.255.255.0,peer-id 2,cipher AES-256-GCM'

Because Strict was specified, their DNS servers will be prepended to those already in /tmp/resolv.dnsmasq. But since they are the same DNS servers, they just end up as duplicates.

Code:
[email protected]:/tmp/home/root# cat /tmp/resolv.dnsmasq
server=103.86.96.100
server=103.86.99.100
server=103.86.96.100
server=103.86.99.100

So now I dump both the main and OpenVPN client's routing table (ovpnc3).

Code:
[email protected]:/tmp/home/root# ip route
103.86.96.100 via 192.168.63.1 dev eth0  metric 1
103.86.99.100 via 192.168.63.1 dev eth0  metric 1
192.168.63.1 dev eth0  proto kernel  scope link
192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.1
10.8.1.0/24 dev tun13  proto kernel  scope link  src 10.8.1.4
192.168.63.0/24 dev eth0  proto kernel  scope link  src 192.168.63.102
192.168.61.0/24 via 192.168.63.1 dev eth0  metric 1
127.0.0.0/8 dev lo  scope link
default via 192.168.63.1 dev eth0

[email protected]:/tmp/home/root# ip route show table ovpnc3
103.86.96.100 via 192.168.63.1 dev eth0  metric 1
103.86.99.100 via 192.168.63.1 dev eth0  metric 1
193.160.245.211 via 192.168.63.1 dev eth0
192.168.63.1 dev eth0  proto kernel  scope link
192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.1
10.8.1.0/24 dev tun13  proto kernel  scope link  src 10.8.1.4
192.168.63.0/24 dev eth0  proto kernel  scope link  src 192.168.63.102
192.168.61.0/24 via 192.168.63.1 dev eth0  metric 1
127.0.0.0/8 dev lo  scope link
default via 10.8.1.1 dev tun13

Notice something very interesting here. Starting w/ 386.4, ASUS is now binding the WAN DNS servers to the WAN! When the OpenVPN client then gets connected, those static routes are copied down to the OpenVPN client's routing table (ovpnc3). Because static routes always take precedence over the default gateway, any device bound to that VPN (LAN client or even the router) will access those DNS servers over the WAN, NOT the VPN! A traceroute to either of those DNS servers from a LAN client will prove it.

Even if you attempt to force those DNS servers over the VPN w/ routing policy (i.e., as destination/remote IPs), it won't work, since the OpenVPN client's routing table contains the same static routes that point to the WAN.

Even if you don't use routing policy, but "Yes (all)", the NordVPN DNS servers are bound to the WAN like glue.

For my money, that's a DNS leak. The fact you're still using the VPN provider's DNS server(s) is NOT sufficient. They should be routed over the VPN to prevent DNS eavesdropping and hijacking. That's why most OpenVPN providers push DNS servers within the same *private* IP space as the tunnel (e.g., 10.8.0.0/24). Once you start using public IPs, you create these types of problems. Of course, it's exacerbated by the fact the DNS servers are now bound to the WAN.

Also, I believe I know why NordVPN has you configure their DNS servers on the WAN. As I've reported in other threads, the Strict option is NOT working as intended. Instead of prepending the VPN provider's DNS servers to the WAN's DNS servers in /tmp/resolv.dnsmasq, it's appending them. And since the whole purpose of using Strict is to have DNSMasq access the servers in that file, in order, it effectively means the WAN's DNS servers still get priority! But since they shoved their own DNS servers into the WAN anyway, the net effect is that theirs get used, even if the OpenVPN client isn't running.

As I say time and again, managing DNS on the router is very difficult. There are way too many "chefs in the DNS kitchen", each of whom are capable of spoiling the DNS soup. I'm convinced many users have DNS leaks and don't even know it. I just knew this latest change by ASUS to bind the WAN's DNS servers to the WAN was going to be trouble.
 
Last edited:

BlackIce

New Around Here
Since it appears they are pushing DNS servers...Try changing the setting from Strict to EXCLUSIVE (in VPN CLIENT) and remove any DNS Settings in WAN and LAN. I found after upgrading to the new version (Starting with the Alphas) I had to change my VPN provider's settings to EXCLUSIVE and remove DNS settings in WAN (and/or LAN)...This should resolve it if the VPN Provider is pushing the DNS. Then try without using the VPN App on the computer and check for DNS Leaks on ipleak.net (or similar sites).
 
Last edited:

eibgrad

Part of the Furniture
Since it appears they are pushing DNS servers...Try changing the setting from Strict to EXCLUSIVE (in VPN CLIENT) and remove any DNS Settings in WAN and LAN. I found after upgrading to the new version (Starting with the Alphas) I had to change my VPN provider's settings to EXCLUSIVE and remove DNS settings in WAN (and/or LAN)...This should resolve it if the VPN Provider is pushing the DNS. Then try without using the VPN App on the computer and check for DNS Leaks on ipleak.net (or similar sites).

Thanks.

That seems like a reasonable mitigation. But the bigger takeaway here is that the OpenVPN provider's instructions can NOT be trusted. And most end-users are naively going to assume they should be. And that's a big mistake.

Even if Strict worked as intended (i.e., the OpenVPN provider's DNS servers were prepended to /tmp/resolv.dnsmasq), that's no guarantee against DNS leaks. Even if the highest priority DNS server was that of the OpenVPN provider, if that server refuses to respond for any reason (e.g., temporarily overloaded), DNSMasq will move on to the next available DNS server. If you monitor connection tracking over time, you'll find the WAN's DNS servers being accessed, at least occasionally. It won't be the dominant choice, but it's NOT as if your DNS is leak proof. At best, it's leak resistant.

The only safe choice is Exclusive, since it forces the DNS server to be routed through the same OpenVPN routing table as everything else by those clients bound to the VPN. But it comes at a price; no access to DNSMasq features (local name resolution, caching, ad blocking, DoT, etc.). The advantage of using Strict was to maintain access to DNSMasq.

Seems to me it would be better if Strict only provided access to the OpenVPN provider's DNS servers, rather than merging w/ the WAN's DNS servers and trying to relying on strict-order. For anyone who wants the latter, they can use Relaxed (as it stands today, there really isn't much difference between the two anyway). Finally, Exclusive would be for the purposes of bypassing DNSMasq entirely, with the absolute assurance of using the OpenVPN provider's DNS over the VPN. That would make more sense to me. And if requires renaming these options, so be it.
 

eibgrad

Part of the Furniture
Found another solution as well (this is all based on 386.4; I can't speak to any prior version).

1. Define custom DNS servers of your choice (NordVPN or whatever you prefer, e.g., Cloudflare) on the WAN. For the rest of this example, we'll assume Cloudflare (1.1.1.1 and 1.0.0.1).

2. On the OpenVPN client, configure "Accept DNS Configuration" as Disabled, and add the WAN's custom DNS servers as static routes in the custom config field.

Code:
route 1.1.1.1
route 1.0.0.1

3a. If "Redirect Internet traffic through tunnel" is set to "Yes (all)", then you're done. Whether it's the router or any of the LAN clients, the Cloudflare DNS servers will be accessed over the VPN (at least while the OpenVPN client is active).

3b. If "Redirect Internet traffic through tunnel" is set to "VPN Director", then you need to bind the custom DNS servers on the WAN to the VPN using the VPN Director.

Code:
Cloudflare (primary) <blank> 1.1.1.1 OVPN1
Cloudflare (backup)  <blank> 1.0.0.1 OVPN1

Note: Normally using the VPN Director takes the router itself (and its access to the custom DNS servers on the WAN) off the VPN. But w/ the above rules, while the router will still be off the VPN for all other purposes, any reference to the custom DNS servers by the router or DNSMasq (on behalf of the LAN clients) will be routed over the VPN.

In short, following these procedures force your custom DNS servers to always be routed over the VPN whenever it's active. No exceptions.

Using Exclusive as described by @BlackIce is another option, and has its own unique advantages; for one, VPN and non-VPN LAN clients only use the VPN or WAN (respectively) for name resolution. That can be useful at times. But as I said before, this means you lose access to DNSMasq and its features. So you decide.

Realize this situation/solution isn't unique to NordVPN. NordVPN simply exposes an underlying problem that affects *all* OpenVPN providers, at least when using Strict. You simply can't rely on that setting to route all your DNS over the VPN. Not unless someday the developers decide to stop merging the WAN's DNS servers w/ those of the VPN provider. And who knows if and when that might happen.

So for now, you're just better off to ignore the OpenVPN provider's DNS servers w/ Disabled, define your preferred DNS servers on the WAN, and take measures to ensure they're bound to the VPN whenever the VPN is active. Or else use Exclusive (while understanding its own limitations).
 

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top