Important! things to know when using VPN and DNS with Merlin Firmware


yorgi

Very Senior Member
I wanted to make a post of my findings and hopefully people can benefit from this.

These tests were made with 66U, 68U and 87U ASUS routers.

With the original ASUS firmware, when a client connects to the VPN the router gets an IP from the server and its DNS.
I made a few tests with PIA and OpenVPN software and a router with Tomato firmware.
When connecting with any of the above methods and you test with ipleak.net, you will see that the IP and DNS address are the same as the VPN server.

When one connects with the Merlin firmware and VPN client, the IP address is from the VPN but the DNS is not the same as the IP address; it shows as the DNS from the VPN server.

These tests were done with PIA. I messaged them and asked if it was normal, and they said as long as you have an IP and a DNS that is from PIA you are safe. So I guess this is not a bug but it's just the way the DNS is resolved with Merlin.

If you use selective routing and you have one or more clients enabled, when you go to Local ISP
the DNS will not be from your local internet provider but instead it is the one from the VPN provider.

I would assume that would be because with the original firmware from ASUS, when you start a VPN client the DNS is the VPN's and when you close the VPN client the DNS is the local ISP's; therefore it makes sense that it's hardwired that way and maybe it's not doable to have 2 different DNS when more than one service is activated.

My workaround is the following.
Place the following DNS addresses on your NIC adapter when using PIA VPN, and when you go to ipleak.net you will see that you get IP and DNS addresses as with PIA, OpenVPN software or Tomato.

For PIA the DNS is:
209.222.18.218
209.222.18.222

If you are using selective routing and you go to your Local ISP,
change the DNS to Google DNS or whatever DNS you like:
8.8.8.8
8.8.4.4

This way, when you surf with Local ISP your DNS is not going to be from your VPN, and when you surf with the VPN the DNS will work properly.

Here is a script you can use for Windows to switch from VPN to Local ISP.
Change "Ethernet" to match your NIC adapter's name.
I used 192.168.1.97 for selective routing in the router, so when I go to that IP it's VPN;
any other IP, DHCP or static, will fall into Local ISP.

The A choice uses the PIA DNS addresses; please change these addresses according to your VPN provider.
Also, I used Google DNS for Local ISP;
you can use Norton or OpenDNS, as you please.
Copy the script to a txt file, rename it to VPN.bat and place it in your Documents.
Create a shortcut, set it to run as admin and copy the shortcut to your desktop for easier use.

@echo off
rem Switch this PC between VPN (selective-routing IP + VPN provider DNS) and Local ISP (DHCP + public DNS).
rem Change "Ethernet" to the name of your NIC adapter; the script must run as administrator.
echo Choose:
echo [A] VPN
echo [B] Local ISP
echo.

:choice
SET /P C=[A,B]?
if /I "%C%"=="A" goto A
if /I "%C%"=="B" goto B
goto choice

:A
rem VPN: static address that the router's selective routing sends through the tunnel,
rem plus the VPN provider's DNS servers (PIA here; change for your provider).
ipconfig /flushdns
netsh interface ipv4 set address name="Ethernet" source=static address=192.168.1.97 mask=255.255.255.0 gateway=192.168.1.1
netsh interface ipv4 set dnsserver name="Ethernet" source=static address=209.222.18.218 register=both
netsh interface ipv4 add dnsserver name="Ethernet" address=209.222.18.222 index=2
goto end

:B
rem Local ISP: back to DHCP for the address, with Google DNS instead of the VPN's servers.
ipconfig /flushdns
netsh interface ipv4 set address name="Ethernet" source=dhcp
netsh interface ipv4 set dnsserver name="Ethernet" source=static address=8.8.8.8 register=both
netsh interface ipv4 add dnsserver name="Ethernet" address=8.8.4.4 index=2
rem Renew only makes sense for the DHCP case; a static adapter has no lease to renew.
ipconfig /renew Ethernet
goto end

:end

I also included a jpg of the configuration for VPN with PIA on Merlin.
In the Authorization mode, click "Content modification of Keys & Certificates"
and paste the certificate from your VPN provider in the Certificate Authority section.

If anyone has a better way to do this script I am open to suggestions :)
enjoy
What makes this safer (or not)?

I find it hard to follow the logic here.
 
If you are on your Local ISP and your IP shows a DNS of a VPN provider, in my opinion that is not right.
When you're on Local ISP your DNS should NOT be the VPN's DNS,
and when you are on VPN the DNS should be the VPN's and not something else.
If all the other software including PIA shows the DNS to be the IP address for VPN,
then all I did is mimic it.
I never said that it was a bug; I am just stating that there are issues involved with Merlin firmware
that people should be aware of, especially newbies :)

I believe that if you are surfing on Local ISP and you have the DNS of the VPN it's not secure.
You are just telling everyone "hey, I am using PIA but my VPN is down at the moment" :p
It brings unwanted attention and is therefore a security risk and definitely not safe.
 
Accept DNS Configuration must be set to "Exclusive" if you want to ONLY use the DNS servers provided by the VPN service.
 

Still don't see the safety issue or not.

What I'm reading is that using a VPN is not safe in any event. :)
 
Doesn't make a difference. Still the same issues apply even with Exclusive;
try it for yourself and see :)
 
Hmm, so why reply to this thread if you think that VPN is not safe?
I am just trying to help people who are new to VPNs.
I see people all the time asking these kinds of questions; don't I have the right to help?

All I have to say is that you are paying for a service, it's not free.
There are free services out there and people get destroyed.
I messaged PIA and asked them whether, when we are on a VPN tunnel through them, there is security from attempted hacks via peers on the same VPN,
and they told me that they have incorporated security so that can't happen.
I have that in writing.
Say what you want, VPNs work, especially when you pay for them. My ISP doesn't bother me for stupid reasons anymore.
Prior to getting a VPN I got emails from my ISP. 2 years now with PIA and never had another problem :)

Read their privacy policy, and if you don't think it's a good idea then don't get one :)
I prefer to get dressed when it's cold outside, not freeze because I didn't put enough layers of clothes on :)

And one last thing, L&LD: if you make statements, back them up with some proof, yeah!
At least I am doing my best to do that :)
What you are reading is a bunch of trolls saying stuff without any proof.
Talk is cheap :p

peace out
 
Okay, I'm asking for clarification and you go off on a tangent. :rolleyes:

What does your original post have to do with my questions?

(And no, VPN is not as secure as you think it is. Unless you control both ends. And with a 'paid' VPN service, you don't).
 
Your original post is confusing me, because you talk about what seems to be two different issues:

a) DNS-related leakage (which can be resolved by setting the DNS to Strict - you can even confirm it by looking at the resolv.conf file generated for dnsmasq)
b) the inability to use different nameservers for different clients when using selective routing (which is normal, and not a security problem since by default, you would still be using the tunnel provider's IPs).

I would assume that would be because with the original firmware from ASUS when you start a vpn client the dns is the VPN and when you close the VPN client the DNS is the local ISP therefore it makes sense that its hardwired that way and maybe its not doable to have 2 different DNS when more then one service is activated.

That is correct - you cannot have clients using different DNS servers. You can either force them all to use the tunnel provider's DNS by setting the DNS to Strict (in which case dnsmasq will ONLY use the DNS servers from the tunnel provider, resolving your leak issues), or use DNSFilter to force specific clients to use specific DNS servers (which is the recommended method, and documented in a couple of posts).

I cannot test your particular scenario because I don't have a tunnel provider account with "leak tests" sites. But last time I worked on the DNS integration, I tested all four scenarios to confirm that dnsmasq was using the correct nameservers. Also don't forget that resolvers will cache results - if you re-test a DNS lookup without flushing all related caches, your results will be skewed, as you will obtain cached results.

In any case, it's not a problem with the implementation, simply that you are expecting a different configuration (selective routing) to work the same way as another configuration (Asus stock without selective routing). The router's resolver cannot use different nameservers based on the requesting client - that's a limitation of dnsmasq.
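Two checks come up in this thread: the OP's ipleak-style comparison of the public IP against the resolver IP, and RMerlin's suggestion to inspect the resolv file generated for dnsmasq after setting the DNS to Strict. The following Python is an added example (not from the thread or the firmware) that does both on constructed input; the only real values are the two PIA resolvers quoted above, the tunnel exit range and the ISP addresses are constructed assumptions.

```python
import ipaddress

# The two PIA resolvers quoted in the thread; everything below them is constructed.
TUNNEL_DNS = {"209.222.18.218", "209.222.18.222"}
VPN_EXIT_NETS = ["172.12.34.0/24"]   # constructed: the tunnel exit range (the thread's IP is fictitious)

# Constructed dnsmasq resolver files of the kind RMerlin says to inspect on the router.
RESOLV_STRICT = "nameserver 209.222.18.218\nnameserver 209.222.18.222\n"
RESOLV_LEAKY = ("# constructed: an ISP resolver still present next to a tunnel resolver\n"
                "nameserver 209.222.18.218\n"
                "nameserver 203.0.113.53\n"
                "search lan\n")


def parse_nameservers(resolv_text):
    """Return the nameserver addresses in resolv.conf-style text, skipping comments and malformed lines."""
    servers = []
    for raw in resolv_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(fields[1]))
            except ValueError:
                pass  # not an IP address: ignore the entry rather than crash
    return servers


def leaked_resolvers(resolv_text, tunnel_dns=TUNNEL_DNS):
    """Resolvers that are not the tunnel provider's; an empty list means only tunnel DNS is in use."""
    allowed = {ipaddress.ip_address(a) for a in tunnel_dns}
    return [str(s) for s in parse_nameservers(resolv_text) if s not in allowed]


def classify_observation(public_ip, dns_ip, vpn_exit_nets=VPN_EXIT_NETS, tunnel_dns=TUNNEL_DNS):
    """Label an ipleak-style (public IP, resolver IP) pair as one of the four states the thread discusses."""
    ip, dns = ipaddress.ip_address(public_ip), ipaddress.ip_address(dns_ip)
    on_vpn = any(ip in ipaddress.ip_network(n) for n in vpn_exit_nets)
    vpn_dns = dns in {ipaddress.ip_address(a) for a in tunnel_dns}
    if on_vpn and vpn_dns:
        return "ok"                # tunnel IP and tunnel DNS: the state PIA described as safe
    if on_vpn:
        return "dns-leak"          # tunnel IP, but queries are answered outside the tunnel
    if vpn_dns:
        return "isp-with-vpn-dns"  # the selective-routing case the OP's script works around
    return "direct"                # ISP IP and ISP DNS: no tunnel in use


if __name__ == "__main__":
    print(leaked_resolvers(RESOLV_LEAKY))                           # ['203.0.113.53']
    print(classify_observation("172.12.34.56", "209.222.18.218"))   # ok
    print(classify_observation("198.51.100.7", "209.222.18.218"))   # isp-with-vpn-dns
```

On a Merlin router the text to feed `leaked_resolvers` would be the dnsmasq resolver file RMerlin refers to, which is what a Strict setting should leave with tunnel resolvers only.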
 
Dude, this post was intended for people who already use VPN or want to use one with their Merlin firmware. READ THE TITLE!
I never claimed to be an expert on what makes it safer or not.
I am talking about DNS issues with the router, and hopefully people who are using Merlin firmware and have tons of problems getting connected will look at this thread
and fix their issues!
I guess you need to go to a thread where they talk about security :)
And I am not going off on a tangent; you are just trying to find answers that don't exist here :)
peace
 
I never meant it to be confusing :(
I guess you have a point when you say two different issues, but in reality it's the same because it's all going through the same router.

Your tests were all right. The IP resolves to the VPN server and so does the DNS; the only difference is that with PIA, OpenVPN and TomatoUSB the IP address and the DNS address are the same.

Example:
PIA with Merlin: IP 172.12.34.56 and DNS 209.222.18.218
PIA with OpenVPN, Tomato and PIA software: IP 172.12.34.56, DNS 172.12.34.56
The IPs are fictitious, but the 209 DNS is the actual DNS of PIA.

So when I go to Local ISP I get the IP address of the ISP but the DNS is 209.222.18.218,
which makes sense as you explained before.

This is why I created the other scripts to do the DNS from the computer and not from the router.

RMerlin said:
or use DNSFilter to force specific clients to use specific DNS servers (which is the recommended method, and documented in a couple of posts)
Thanks, that did the trick for devices that I wanted to be on Local ISP like phones or tablets.
I can now give them the DNS I choose, weeeeee :)
I never thought of looking in Parental Control for that :(
but it makes sense!
As far as devices that I want to have both local and VPN service, I continue using the scripts I provided. Easy workaround, and it keeps peace of mind knowing that at least the DNS and IP are resolving to their proper place :)
 
Apologies for the pedantry, but modern VPNs (IPsec/OpenVPN) are secure (nobody has practically cracked AES). The topic we thrash about on this forum is whether the VPN services protect our privacy...
 
With all due respect, I agree with you :)
This is why I never claimed to be an expert in privacy or security; I was trying to resolve some problems that I was having, and thanks to Merlin he opened the door to a cool way of doing it :)
My intention was for educational purposes; that is why I was not getting into any dispute about topics of trash :)
Although if you want my opinion, as long as I don't get any emails from the service provider saying that I am downloading material blah blah blah, I have nothing to really hide :p
And besides, if people keep up to date with security patches and OS updates, it always makes it harder for the hackers or anyone to spy on us.
We are lambs to the slaughter of technology, and until someone provides me with a better way I will be happy with my VPN :)
 
Folks just need to look for entries and exits - all packets land somewhere... and for folks in the middle, it's all pattern recognition - things are predictable, and when they aren't (like Tor), folks that want to make things predictable generally will put resources into places where it's easy...

VPN/Tor - they have their purposes, but most folks get compromised at some point if they're expecting privacy...
 
My ego fights me, but I agree with your post. I like your wording; "expectations of privacy".

What's that old idiom; hope in one hand... :rolleyes: