What happens if you have openvpn configured on router AND have vpn app running on computer?

CaptainSTX

Part of the Furniture
Just to the PC running the 2nd connection or all devices connecting through the appliance as well?
Just to the PC that is running the second VPN and I am testing to.
 

Tech Junky

Very Senior Member
Just to the PC that is running the second VPN and I am testing to.
It's a bit odd to see that big of a drop in speed with both of them using WG.

Considering how WG works with different providers you're introducing a whole lot of NAT'ing to the equation that has to be processed. The routing is being bounced around by the double VPN connection getting out the WAN and then back to your machine.

A Nordlynx (WG) example would look something like this:

WAN <> Nordlynx 10.5.0.2 <> LAN

LAN 192.168.x.x <> 10.5.0.2 <> WAN

2nd WG being applied
192.168.x.x <> 10.5.0.2 <> 10.5.0.2 <> WAN

Now, if you were doing OVPN on either the router or the 2nd PC you'd have true translation happening as the OVPN uses something other than 10.5.0.2 usually tied to the server you're connected to.

192.168.x.x <> 10.5.0.2 <> 10..8.1 <> WAN
 

stargazer

Occasional Visitor
You will end up having the desktop VPN traffic tunneled through the router's VPN. The protocol or application used on the desktop doesn't matter. Just make sure however you don't connect to the same server, as many providers only allow one login per server.
So when I turn off openvpn in VPN Director for my local IP of my computer AND if my computer is connected to Nordlynx via app on my computer then I can bypass the router's VPN without conflicting VPN tunnels? Nord has you configure the router's WAN DNS server #1 to 106.86.96.100 and to server #2 106.86.99.100. In this configuration when running DNS leak tests and WebRTC leak tests on the COMPUTER running Nordlynx I get Nord's assigned public IP and DNS address the same (or very close with last 3 digits of both addresses a few numbers apart).

I contacted NORD and they said having two different VPNs running could cause a problem for the integrity of the VPN process. So I assume you can choose to utilize either the router's openvpn setup or say a computer on the network utilizing the router to get to the modem but not run both? Thanks.
 

RMerlin

Asuswrt-Merlin dev
So when I turn off openvpn in VPN Director for my local IP of my computer AND if my computer is connected to Nordlynx via app on my computer then I can bypass the router's VPN without conflicting VPN tunnels? Nord has you configure the router's WAN DNS server #1 to 106.86.96.100 and to server #2 106.86.99.100. In this configuration when running DNS leak tests and WebRTC leak tests on the COMPUTER running Nordlynx I get Nord's assigned public IP and DNS address the same (or very close with last 3 digits of both addresses a few numbers apart).

I contacted NORD and they said having two different VPNs running could cause a problem for the integrity of the VPN process. So I assume you can choose to utilize either the router's openvpn setup or say a computer on the network utilizing the router to get to the modem but not run both? Thanks.
Your configuration is all over the place, with way too many variables for anyone to accurately predict what will happen. You need to simplify your setup. Don't use two different VPN technologies configured in two different locations, and don't change your WAN DNS on top of it.
 

Kingp1n

Very Senior Member
Thanks.

That seems like a reasonable mitigation. But the bigger takeaway here is that the OpenVPN provider's instructions can NOT be trusted. And most end-users are naively going to assume they should be. And that's a big mistake.

Even if Strict worked as intended (i.e., the OpenVPN provider's DNS servers were prepended to /tmp/resolv.dnsmasq), that's no guarantee against DNS leaks. Even if the highest priority DNS server was that of the OpenVPN provider, if that server refuses to respond for any reason (e.g., temporarily overloaded), DNSMasq will move on to the next available DNS server. If you monitor connection tracking over time, you'll find the WAN's DNS servers being accessed, at least occasionally. It won't be the dominant choice, but it's NOT as if your DNS is leak proof. At best, it's leak resistant.

The only safe choice is Exclusive, since it forces the DNS server to be routed through the same OpenVPN routing table as everything else by those clients bound to the VPN. But it comes at a price; no access to DNSMasq features (local name resolution, caching, ad blocking, DoT, etc.). The advantage of using Strict was to maintain access to DNSMasq.

Seems to me it would be better if Strict only provided access to the OpenVPN provider's DNS servers, rather than merging w/ the WAN's DNS servers and trying to rely on strict-order. For anyone who wants the latter, they can use Relaxed (as it stands today, there really isn't much difference between the two anyway). Finally, Exclusive would be for the purposes of bypassing DNSMasq entirely, with the absolute assurance of using the OpenVPN provider's DNS over the VPN. That would make more sense to me. And if it requires renaming these options, so be it.
@eibgrad

I noticed you used VPN Unlimited (KeepSolid) in the past. Do you have any special recommendations on how to set it up as a VPN Client under OpenVPN, or do you simply upload the .ovpn file that you download thru their website and call it a day?

Would you mind sharing any additional settings (if any) under Custom Configuration, I have default settings:
Code:
ping 5
ping-exit 30
remote-random
remote-cert-tls server
auth-nocache
route-metric 1
cipher AES-256-CBC

that you recommend, i.e., to speed up things?

I have setup VPN Director with 2 rules:
Code:
192.168.1.1 = WAN
192.168.1.0/24 = VPN1

I also have disabled the "Accept the DNS configuration" and set DNSFilter "Router".

Any assistance is greatly appreciated.
 

eibgrad

Part of the Furniture
@eibgrad

I noticed you used VPN Unlimited (KeepSolid) in the past. Do you have any special recommendations on how to set it up as a VPN Client under OpenVPN, or do you simply upload the .ovpn file that you download thru their website and call it a day?

Would you mind sharing any additional settings (if any) under Custom Configuration, I have default settings:
Code:
ping 5
ping-exit 30
remote-random
remote-cert-tls server
auth-nocache
route-metric 1
cipher AES-256-CBC

that you recommend, i.e., to speed up things?

You have to realize that many times when I mention a specific VPN provider, it's NOT because that's my daily driver. I have many such accounts solely for the purposes of testing. When writing scripts or doing analysis, I don't want to become fixated on how one particular VPN provider works or behaves and assume it applies to all. The fact that KeepSolid and FastestVPN have a nasty habit of pushing DNS servers outside the scope of the tunnel is a classic example. You rarely see this kind of thing from the major players (ExpressVPN, NordVPN, PIA, etc.).

I tend to stick w/ the major players for my own personal needs. As it happens though, I'm between VPN providers at the moment and using KeepSolid until I make a final decision. I will say that the performance ranges from mediocre (65Mbps) to satisfactory (100Mbps) on a good day (esp. if the server is close). But my ISP only provides 150Mbps anyway. So what's "good" is relative. And there's very little of anything you can do to speed things up. More likely it's the limits of your hardware. I'm using an ASUS RT-AC68U, which limits my OpenVPN speeds to ~30Mbps. And because of that, a few years ago I moved my OpenVPN client to a small form-factor PC to get better performance, using DD-WRT x86. The difference is like night and day.

Because I use DD-WRT to host my OpenVPN client, and that firmware doesn't have an import feature, I have to manually configure the OpenVPN based on downloaded .ovpn files from the VPN provider. Not a fun experience. But as a result, I don't enter a lot of the fields you see in the custom config field of Merlin's OpenVPN client because much of it is irrelevant and unnecessary. Most of it is already part of the default configuration. In a few cases, it may even do harm (e.g., reneg-sec 0). But more often than not, it's just benign.

I have setup VPN Director with 2 rules:
Code:
192.168.1.1 = WAN
192.168.1.0/24 = VPN1

I also have disabled the "Accept the DNS configuration" and set DNSFilter "Router".

Any assistance is greatly appreciated.

Realize that when using the VPN Director, that removes the router itself from the VPN, and therefore any processes it's running are bound to the WAN (e.g., DNSMasq). That's what sometimes leads to DNS leaks. Just depends on the rest of the configuration.

The '192.168.1.1 WAN' rule is actually superfluous. It won't do any harm, but it's not likely to provide any benefit either. The router rarely if ever uses the LAN interface (192.168.1.1) for internet access purposes. It's either the WAN or VPN. And that's because unlike the other LAN devices on that same network, the router is the one hosting those network interfaces. IOW, it's a special case. It's the other LAN devices that have to route to the internet via their LAN network interface (192.168.1.0/24), NOT the router. That's why that WAN rule just doesn't do what most ppl think it does.

If you have disabled Accept DNS Configuration and are using the VPN Director, you are at a higher risk for DNS leaks since you're relying on whatever DNS servers were established on the WAN, either ISP or custom. And setting DNSFilter to Router ensures the LAN clients are routed through DNSMasq, which defaults to whatever is defined on the WAN for DNS purposes. Not unless you've configured DoT on the WAN.
 

Kingp1n

Very Senior Member
You have to realize that many times when I mention a specific VPN provider, it's NOT because that's my daily driver. I have many such accounts solely for the purposes of testing. When writing scripts or doing analysis, I don't want to become fixated on how one particular VPN provider works or behaves and assume it applies to all. The fact that KeepSolid and FastestVPN have a nasty habit of pushing DNS servers outside the scope of the tunnel is a classic example. You rarely see this kind of thing from the major players (ExpressVPN, NordVPN, PIA, etc.).

I tend to stick w/ the major players for my own personal needs. As it happens though, I'm between VPN providers at the moment and using KeepSolid until I make a final decision. I will say that the performance ranges from mediocre (65Mbps) to satisfactory (100Mbps) on a good day (esp. if the server is close). But my ISP only provides 150Mbps anyway. So what's "good" is relative. And there's very little of anything you can do to speed things up. More likely it's the limits of your hardware. I'm using an ASUS RT-AC68U, which limits my OpenVPN speeds to ~30Mbps. And because of that, a few years ago I moved my OpenVPN client to a small form-factor PC to get better performance, using DD-WRT x86. The difference is like night and day.

Because I use DD-WRT to host my OpenVPN client, and that firmware doesn't have an import feature, I have to manually configure the OpenVPN based on downloaded .ovpn files from the VPN provider. Not a fun experience. But as a result, I don't enter a lot of the fields you see in the custom config field of Merlin's OpenVPN client because much of it is irrelevant and unnecessary. Most of it is already part of the default configuration. In a few cases, it may even do harm (e.g., reneg-sec 0). But more often than not, it's just benign.



Realize that when using the VPN Director, that removes the router itself from the VPN, and therefore any processes it's running are bound to the WAN (e.g., DNSMasq). That's what sometimes leads to DNS leaks. Just depends on the rest of the configuration.

The '192.168.1.1 WAN' rule is actually superfluous. It won't do any harm, but it's not likely to provide any benefit either. The router rarely if ever uses the LAN interface (192.168.1.1) for internet access purposes. It's either the WAN or VPN. And that's because unlike the other LAN devices on that same network, the router is the one hosting those network interfaces. IOW, it's a special case. It's the other LAN devices that have to route to the internet via their LAN network interface (192.168.1.0/24), NOT the router. That's why that WAN rule just doesn't do what most ppl think it does.

If you have disabled Accept DNS Configuration and are using the VPN Director, you are at a higher risk for DNS leaks since you're relying on whatever DNS servers were established on the WAN, either ISP or custom. And setting DNSFilter to Router ensures the LAN clients are routed through DNSMasq, which defaults to whatever is defined on the WAN for DNS purposes. Not unless you've configured DoT on the WAN.
I appreciate the information.

I did get VPN Unlimited (KeepSolid) when they offered a cheap lifetime deal. I wasn't aware they were pushing DNS servers outside of the tunnel. Did you find out by looking thru the router syslog?

I previously used PIA and my offer expires in Mar but it seems more & more websites/programs are failing due to blocking PIA IPs (pages normally show me "You're offline or DNS cannot be reached" errors). Once I turn off PIA everything works like normal so I am also trying to decide which VPN I would like to try next...decisions...decisions?? haha
People have reported that the fix for this issue is to change the PIA DNS to any built-in resolver (Cloudflare/Quad9 DNS), but since I use Unbound this does not work for me.

Forgot to mention that I'm using Unbound with the additional script below:

Code:
https://github.com/MartineauUK/Unbound-Asuswrt-Merlin/blob/dev/unbound_DNS_via_OVPN.sh

The added script basically allows for the router to resolve through the DNS provided in your WAN settings and everything else should resolve through unbound with your VPNs IP (DNS packets appear to originate off thru the VPN host provider & not the WAN ISP host provider).

I haven't noticed any leaks once the script is started. I also have added:
Code:
vpnclient1-route-pre-down
vpnclient1-route-up
 

eibgrad

Part of the Furniture
I did get VPN Unlimited (KeepSolid) when they offered a cheap lifetime deal. I wasn't aware they were pushing DNS servers outside of the tunnel. Did you find out by looking thru the router syslog?

Yes. But what got me looking there in the first place was the utility I'm working on to monitor DNS activity on the router (I plan to post a tutorial in the coming days about it). It tells me what DNS traffic is present and where it's being routed (WAN or VPN). What I noticed w/ KeepSolid is that their DNS server (usually 10.8.8.8, but I have seen 8.8.8.8 as well, depends on the server) was being routed out the WAN, at least w/ the VPN Director active. Given 10.8.8.8 is in the private space, you'd expect the tunnel itself to be something like 10.8.0.0/16, so the routing system would be sure to route it over the tunnel. But it wasn't. And when I checked the ifconfig for tun11 and the PUSH_REPLY in the syslog, I finally noticed it was using 10.16.0.0/16! Hence the DNS leak.

You learn a lot once you start monitoring DNS traffic in realtime. As I've said before, I suspect a LOT of ppl have DNS leaks and don't know it. Few ppl would notice the above by chance.

I previously used PIA and my offer expires in Mar but it seems more & more websites/programs are failing due to blocking PIA IPs (pages normally show me "You're offline or DNS cannot be reached" errors). Once I turn off PIA everything works like normal so I am also trying to decide which VPN I would like to try next...decisions...decisions?? haha
People have reported that the fix for this issue is to change the PIA DNS to any built-in resolver (Cloudflare/Quad9 DNS), but since I use Unbound this does not work for me.

Forgot to mention that I'm using Unbound with the additional script below:

Code:
https://github.com/MartineauUK/Unbound-Asuswrt-Merlin/blob/dev/unbound_DNS_via_OVPN.sh

The added script basically allows for the router to resolve through the DNS provided in your WAN settings and everything else should resolve through unbound with your VPNs IP (DNS packets appear to originate off thru the VPN host provider & not the WAN ISP host provider).

I haven't noticed any leaks once the script is started. I also have added:
Code:
vpnclient1-route-pre-down
vpnclient1-route-up

One of the problems w/ split tunneling is split DNS. Sometimes you'll run into problems if your DNS resolution is over interface X, but your use of the results of that name resolution are over interface Y. Certain websites and streaming services will NOT function properly when that happens. And it's why certain DNS configurations on the router can be problematic. Something like Exclusive tends to avoid such problems because it keeps this sort of thing "in order". Those bound to the WAN use it for DNS and general traffic, while those bound to the VPN use it for DNS and general traffic too. Things just tend to run more smoothly. But once you start this mix of VPN and WAN for the same LAN clients, things become more dicey.
 

stargazer

Occasional Visitor
Your configuration is all over the place, with way too many variables for anyone to accurately predict what will happen. You need to simplify your setup. Don't use two different VPN technologies configured in two different locations, and don't change your WAN DNS on top of it.
I suppose I'm not being clear on this as I am not as technologically sophisticated as many of the members on this forum. What I'm trying to say is: can you turn on/off an individual IP listed in Director (say a listed computer) and thus bypass OpenVPN and go straight to WAN when you are running a VPN app on say your computer?
 

RMerlin

Asuswrt-Merlin dev
I suppose I'm not being clear on this as I am not as technologically sophisticated as many of the members on this forum. What I'm trying to say is: can you turn on/off an individual IP listed in Director (say a listed computer) and thus bypass OpenVPN and go straight to WAN when you are running a VPN app on say your computer?
Yes. VPN Director will let you enable/disable rules on-the-fly if you want to control a specific client (if you have a rule with that client's IP).
 

stargazer

Occasional Visitor
Yes. VPN Director will let you enable/disable rules on-the-fly if you want to control a specific client (if you have a rule with that client's IP).
Thank you for taking the time to respond. Peace
 

NB_8

Occasional Visitor
Found another solution as well (this is all based on 386.4; I can't speak to any prior version).

1. Define custom DNS servers of your choice (NordVPN or whatever you prefer, e.g., Cloudflare) on the WAN. For the rest of this example, we'll assume Cloudflare (1.1.1.1 and 1.0.0.1).

2. On the OpenVPN client, configure "Accept DNS Configuration" as Disabled, and add the WAN's custom DNS servers as static routes in the custom config field.

Code:
route 1.1.1.1
route 1.0.0.1

3a. If "Redirect Internet traffic through tunnel" is set to "Yes (all)", then you're done.
I'm still getting DNS leaks connecting to the majority of servers I've tried with this configuration - which is the same result I was getting with a prior configuration on 386.3 that had "Accept DNS configuration" set to "strict", and no route entries in the custom config field.

As I understand it, when running a leak test the ISP should match the one displayed at the top of nord's homepage, and the IP address displayed in the leak test should closely match the IP displayed on nord's homepage (typically the last digit will be different when the ISPs are the same).

Therefore, I am describing a leak as when nord's homepage shows a protected status, and a leak test shows a different ISP and IP address.

I'm baffled at how, with identical configuration settings such as those eibgrad recommended for 386.4, some servers can be connected to without DNS leaks, while most others cannot.
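An added example, not code from the thread or from Asuswrt-Merlin, that models the routing reasoning in eibgrad's KeepSolid post (a pushed DNS server of 10.8.8.8 while the tunnel is 10.16.0.0/16, seen in the PUSH_REPLY) and the `route` lines in the steps quoted above: it parses a constructed PUSH_REPLY syslog line, builds the main routing table the router's own traffic uses under VPN Director, and reports whether each pushed DNS server would leave via the tunnel or the WAN default route. The syslog line, the interface names (eth0 = WAN, br0 = LAN, tun11 = client 1) and the LAN subnet are assumptions.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Sequence, Tuple

# A route is (destination network, egress interface). Interface names are assumed:
# eth0 = WAN, br0 = LAN bridge, tun11 = OpenVPN client 1.
Route = Tuple[ipaddress.IPv4Network, str]

# Constructed syslog line in OpenVPN's PUSH_REPLY format, modelled on the case in the
# thread: the provider pushes DNS 10.8.8.8 while the tunnel itself is 10.16.0.0/16.
PUSH_REPLY_LINE = (
    "ovpn-client1[1234]: PUSH: Received control message: 'PUSH_REPLY,"
    "redirect-gateway def1,dhcp-option DNS 10.8.8.8,route-gateway 10.16.0.1,"
    "topology subnet,ping 10,ping-restart 60,ifconfig 10.16.0.2 255.255.0.0'"
)


def parse_push_reply(syslog_line: str) -> Tuple[List[str], Optional[ipaddress.IPv4Network]]:
    """Return (pushed DNS servers, tunnel network) from a PUSH_REPLY syslog line."""
    m = re.search(r"PUSH_REPLY,(.*)'", syslog_line)
    if not m:
        raise ValueError("not a PUSH_REPLY line")
    dns: List[str] = []
    tunnel: Optional[ipaddress.IPv4Network] = None
    for opt in m.group(1).split(","):
        parts = opt.split()
        if parts[:2] == ["dhcp-option", "DNS"] and len(parts) == 3:
            dns.append(parts[2])
        elif parts[:1] == ["ifconfig"] and len(parts) == 3:
            # 'ifconfig <local-ip> <netmask>' (topology subnet) defines the tunnel network
            tunnel = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
    return dns, tunnel


def parse_custom_routes(custom_config: str) -> List[str]:
    """Collect the targets of 'route <ip>' lines from the client's custom config field."""
    return [ln.split()[1] for ln in custom_config.splitlines()
            if ln.split()[:1] == ["route"] and len(ln.split()) >= 2]


def router_routes(tunnel: Optional[ipaddress.IPv4Network],
                  custom_routes: Sequence[str] = ()) -> List[Route]:
    """Main table as the router's own processes see it under VPN Director: the WAN keeps
    the default route; only the tunnel subnet and explicit 'route' lines point at tun11."""
    routes: List[Route] = [
        (ipaddress.ip_network("0.0.0.0/0"), "eth0"),
        (ipaddress.ip_network("192.168.1.0/24"), "br0"),  # assumed LAN subnet
    ]
    if tunnel is not None:
        routes.append((tunnel, "tun11"))
    for target in custom_routes:
        routes.append((ipaddress.ip_network(target), "tun11"))  # 'route 1.1.1.1' -> /32
    return routes


def egress(routes: Sequence[Route], ip: str) -> str:
    """Longest-prefix match: which interface carries a packet destined to ip."""
    addr = ipaddress.ip_address(ip)
    best: Optional[Route] = None
    for net, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else "unreachable"


def dns_egress(syslog_line: str, custom_config: str = "") -> Dict[str, str]:
    """Map each pushed DNS server to the interface it would actually leave through."""
    dns, tunnel = parse_push_reply(syslog_line)
    routes = router_routes(tunnel, parse_custom_routes(custom_config))
    return {server: egress(routes, server) for server in dns}


if __name__ == "__main__":
    # Pushed DNS outside the tunnel subnet and no explicit route: it exits the WAN (leak).
    print(dns_egress(PUSH_REPLY_LINE))                    # {'10.8.8.8': 'eth0'}
    # Pinning the server with a 'route' line moves it onto the tunnel.
    print(dns_egress(PUSH_REPLY_LINE, "route 10.8.8.8"))  # {'10.8.8.8': 'tun11'}
    # The same mechanism as the 'route 1.1.1.1' / 'route 1.0.0.1' lines for WAN DNS.
    routes = router_routes(parse_push_reply(PUSH_REPLY_LINE)[1],
                           parse_custom_routes("route 1.1.1.1\nroute 1.0.0.1"))
    print(egress(routes, "1.1.1.1"), egress(routes, "9.9.9.9"))  # tun11 eth0
```

Feeding it real PUSH_REPLY lines from the router's syslog and the actual custom config shows which pushed resolvers would bypass the tunnel before a leak test ever runs.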
 

L&LD

Part of the Furniture
It's not baffling. A lot of things have changed since 386.4.

The internet isn't a static entity, it is constantly evolving, shifting, and morphing itself into the future 'now'. Even as the base rules are (mostly) preserved.
 

Tech Junky

Very Senior Member
@NB_8
It also depends on where you're testing from.
https://www.expressvpn.com/dns-leak-test - this one shows a bunch of random IPs

Worrying about a leak test result is one thing, but data exposure is more important. Also, it depends on the browser and if you're blocking other services from leaking info. For Chrome I added a WebRTC block specifically for one result that showed exposure. Shutting off things like "secure DNS" on the browser prevents things not following your rules. There's a setting for this in Chrome and Android. I had an issue recently with Chrome displaying ads after upgrading my phone to A12 from A11. It took me a couple of days to figure out the issue as nothing else had changed. I disabled the DNS setting on the phone and still had the issue, but it turned out Chrome was bypassing the settings itself and also had a DNS setting that needed to be disabled. It's odd though because my laptop / Chrome had the setting enabled as well but didn't have the issue of passing ads to my browser. Though IIRC when it was enabled DNS leaks looked different, usually resulting in several results vs the test I just did now linked above.

There's a lot of different techniques from apps being used more recently to skim data to sell. I wouldn't have looked into the Chrome setting if it hadn't been for the phone ads showing up.
 

NB_8

Occasional Visitor
It's not baffling. A lot of things have changed since 386.4.

The internet isn't a static entity, it is constantly evolving, shifting, and morphing itself into the future 'now'. Even as the base rules are (mostly) preserved.
If you know what might explain the variation I've discussed I'm interested in knowing.
 

NB_8

Occasional Visitor
@NB_8
It also depends on where you're testing from.
https://www.expressvpn.com/dns-leak-test - this one shows a bunch of random IPs

Worrying about a leak test result is one thing, but data exposure is more important. Also, it depends on the browser and if you're blocking other services from leaking info. For Chrome I added a WebRTC block specifically for one result that showed exposure. Shutting off things like "secure DNS" on the browser prevents things not following your rules. There's a setting for this in Chrome and Android. I had an issue recently with Chrome displaying ads after upgrading my phone to A12 from A11. It took me a couple of days to figure out the issue as nothing else had changed. I disabled the DNS setting on the phone and still had the issue, but it turned out Chrome was bypassing the settings itself and also had a DNS setting that needed to be disabled. It's odd though because my laptop / Chrome had the setting enabled as well but didn't have the issue of passing ads to my browser. Though IIRC when it was enabled DNS leaks looked different, usually resulting in several results vs the test I just did now linked above.

There's a lot of different techniques from apps being used more recently to skim data to sell. I wouldn't have looked into the Chrome setting if it hadn't been for the phone ads showing up.
Some good info here. As I understand it, with DNS leaks a user's actual IP address and every site they connect to is exposed, which to me is data exposure. It seems you might be indicating something else, however (please forgive my lack of experience in this area).

Assuming it's not browser related, I'm wondering if the settings Eibgrad recommended for 386.4 would still apply to the latest version of Merlin.
 

Tech Junky

Very Senior Member
@NB_8

Can't speak to Asus but the point is it shouldn't tie back to your real ISP info. If you see your ISP DNS then something isn't working correctly.
 

L&LD

Part of the Furniture
I don't follow such nebulous variations. Your best bet is to study the changelogs of the router and all the other hardware/software being used. Good luck with changelogs on that second set. 'Improvements' are what is most noted, with precious little information given.

Including understanding fully the tests/site limitations you're using to test for DNS leaks too.

The point is that this isn't a field in a known/stable state today. It is constantly being challenged, constantly changing, and what was known yesterday, rewritten today.

To me, this all goes back to 'if you're online, you're not private', at all. Act like your mother is watching you.

Even when/if something is offered that is bulletproof in this area, I'll still be extremely skeptical. If me and my friends ran the internet, I'd buy it. Since I don't, the best stance is don't trust anything or anyone. Particularly if you're required to pay for this 'protection'.
 

Tech Junky

Very Senior Member
'if you're online, you're not private',
Very true. The most you can do is plug the holes in the dam with a layered approach to mitigate leaks.

VPN - disguise your IP / location - I change which servers I'm connected to a couple times per day
Browser - disable things like secure DNS
Services - disable anything you don't actively need running from the WAN >> LAN
DNS - I opt not to use the ISP or VPN provider DNS but use Pihole to funnel things and change the DNS frequently within Pihole

Pihole can also be your friend to find out which devices are trying to hit the internet and where they're trying to go. Logs are valuable in closing holes opened by dumb devices. Think thermostat, soundbar, fridge, TV, chromecast, etc. They all reach out to remote servers.
 

L&LD

Part of the Furniture
A layered approach is always superior.

Changing servers a few times a day seems like underkill. Nobody is tracking anyone manually. Changing servers a few times a second seems most prudent. But even then, you're still trackable by the traffic you're generating, even if the endpoint(s) are seemingly shifting.

My issue? I don't trust that server isn't bought/paid for by whoever is wanting to track me or anyone else. No point using it at all if that question isn't answered satisfactorily to me (and the only correct answer is I own and manage it, myself).
 
