Setting DNS for VPN hosts

SpaceDog

Occasional Visitor
I really love this firmware. I've been able to find simple solutions for every situation I've come across so far.

My most recent issue was that I needed to set a specific DNS only for clients using VPN. I already have the OpenVPN client working on my router, and I've specified that only certain IP addresses on my LAN are to use the VPN (basically my Roku and other media servers).

At first I thought it was as simple as setting the DNS on the OpenVPN server and then setting "Exclusive" on the router's OpenVPN client. Well that didn't work well at all. It turns out that the DNS setting on the router affects only the DNS for the router, not the router clients (though indirectly it affects them too if they use the router for DNS). And even that is weird because the router was sending its DNS queries over the WAN, not the VPN, probably because I have "Redirect Internet Traffic" set to "Policy Rules" instead of "All Traffic" (though this still happened even if I listed the local IP of the router as one that should use VPN).

Since the VPN DNS I want to use (getflix.com.au) is restricted to a single user specified IP, and the allowed IP is that of my VPN server, the DNS wasn't working correctly.

So how was I to set the DNS for the router and most clients to be the DNS provided by my ISP, but set a different DNS for my VPN clients?

Turned out it was super easy. First I set the router's OpenVPN client "Accept DNS Configuration" to "Disabled". This leaves the router (which the clients default to using for DNS) set up with the DNS settings provided by the ISP.

Then I added these lines to file /jffs/configs/dnsmasq.conf.add:

dhcp-host=12:34:56:78:9A:BC,set:vpnhost
dhcp-option=tag:vpnhost,6,AA.BB.CC.DD

Where 12:34:56:78:9A:BC is the MAC of one of the VPN clients (I can add multiple dhcp-host lines as needed), and AA.BB.CC.DD is the DNS I want the VPN clients to use.

Rebooted and it worked perfectly. Awesome! Love this firmware.
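The two dnsmasq lines above are easy to mistype, and a bad MAC or address silently leaves that client on the router's default resolver. Here is an added helper (not from the post or from the firmware) that validates the inputs and emits the same tag-based dnsmasq lines for one resolver and any number of client MACs. It assumes Merlin's /jffs/configs/dnsmasq.conf.add path and reuses the post's "vpnhost" tag name; the file path can be overridden with the DNSMASQ_CONF_ADD variable so it can be tried outside the router.

```shell
#!/bin/sh
# Added example, not the thread's own code: generate the dnsmasq.conf.add
# lines that give selected LAN clients a different DNS server via DHCP
# option 6, with input validation so a typo cannot go unnoticed.

# Return 0 if $1 is a colon-separated 48-bit MAC address (12:34:56:78:9A:BC).
is_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    # Subshell so the IFS change and "set --" do not leak to the caller.
    (
        IFS=.
        set -- $1
        for octet in "$@"; do
            [ "$octet" -le 255 ] || exit 1
        done
    )
}

# Print the dnsmasq lines for one resolver and one or more client MACs:
# one dhcp-host line per client (tagging its lease "vpnhost"), then a single
# dhcp-option line handing option 6 (DNS servers) to everything with that tag.
# All inputs are validated before anything is printed.
# Usage: vpn_dns_conf DNS_IP MAC [MAC ...]
vpn_dns_conf() {
    dns=$1; shift
    is_ipv4 "$dns" || { echo "bad DNS address: $dns" >&2; return 1; }
    [ $# -ge 1 ] || { echo "need at least one client MAC" >&2; return 1; }
    for mac in "$@"; do
        is_mac "$mac" || { echo "bad MAC: $mac" >&2; return 1; }
    done
    for mac in "$@"; do
        printf 'dhcp-host=%s,set:vpnhost\n' "$mac"
    done
    printf 'dhcp-option=tag:vpnhost,6,%s\n' "$dns"
}

# Append the generated lines to dnsmasq.conf.add (assumed Merlin path;
# override DNSMASQ_CONF_ADD to test elsewhere). dnsmasq must be restarted
# afterwards and the client must renew its DHCP lease to pick up the change.
install_vpn_dns() {
    conf=${DNSMASQ_CONF_ADD:-/jffs/configs/dnsmasq.conf.add}
    vpn_dns_conf "$@" >> "$conf"
}
```

On the router, `install_vpn_dns 54.164.176.2 12:34:56:78:9A:BC` followed by `service restart_dnsmasq` (the Asuswrt-Merlin way to reload dnsmasq) replaces the reboot in the post; afterwards confirm on the client that its configured DNS server is the intended one (for example `nslookup` or `ipconfig /all`) rather than the router's LAN address.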
 
Another method that's entirely based on the webui is to use DNSFilter. For every client that needs to be forced to a specific DNS, force them through DNSFilter.
 
That's awesome. How great is it that there is even a way to do it via the UI?!

I've never even looked at the Parental Controls options before, but as you suggest it looks like the DNS-based filtering could do the trick just as well.
 
Pushing DHCP options to clients

I take it you are unable to push the DNS option using either:
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

in the OpenVPN server config or:
dhcp-option DNS 208.67.222.222
dhcp-option DNS 208.67.220.220

in the client config, for example?

FWIW: The above OpenVPN server config works alright to specify the OpenDNS servers for my remote openvpn clients...

 
I am completely able to do so, and already have. And that works if the client is directly connected to my OpenVPN server, for example when I use my Android phone when out and about.

However, when a network client connected to the router is using VPN via the router (which is then the client to the OpenVPN), the router itself receives the DNS setting, not the network client. This has the problems that I noted in the OP.
 
Another method that's entirely based on the webui is to use DNSFilter. For every client that needs to be forced to a specific DNS, force them through DNSFilter.

Just gave this a try and it actually isn't working for me. Not sure why. Still investigating what the DNS Filter actually does (does it modify DNSMasq or routing??).

The DNS assigned to my test VPN client is still the router itself. So if it is supposed to be updating DNSMasq (the way I manually did) it is not working.

And if it is trying to do some sort of routing sleight of hand that does not appear to be working either, according to DNS leak test (www.dnsleaktest.com).

I'll investigate a little further but I may go back to my manual solution.

Thanks!

 
DNSFilter works at the firewall level. It does not modify dnsmasq or your client. What it does is as the packet is about to leave your router, it gets redirected to the specified DNS server instead, regardless of what dnsmasq or your client has configured internally.
 
Okay, good to know. In any case it isn't working for my purposes for some reason. I'll try to check out the firewall rules it generates and see if I can figure out the issue later, but when I do a DNS leak test I'm getting 4 DNS servers that have nothing to do with the intended DNS server.
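To make the "firewall level" explanation above concrete, and to help with inspecting the rules the router generates, here is an added example that is not part of the thread or of the firmware. The first function prints (without executing) the kind of nat-table DNAT rules a per-client DNS redirect consists of; the second reads `iptables -t nat -S` output and summarises every DNAT rule as "source protocol -> destination", which is the quickest way to see whether a given LAN client's port-53 traffic is actually being rewritten. The chain name DNSFILTER and the LAN bridge br0 are assumptions for illustration; the firmware's real rule layout may differ, so read the live table rather than trusting these names.

```shell
#!/bin/sh
# Added example, not the thread's own code: illustrate a firewall-level DNS
# redirect and audit the nat table for such redirects.
# Assumptions: LAN bridge is br0; chain name DNSFILTER is illustrative only.

# Print (do not run) DNAT rules that rewrite one LAN client's DNS queries
# (UDP and TCP port 53) to a chosen resolver. PREROUTING nat runs before the
# routing decision, so the rewrite happens regardless of what resolver the
# client or dnsmasq was configured with, which is the behaviour described
# in the post above.
# Usage: dns_redirect_rules CLIENT_IP RESOLVER_IP
dns_redirect_rules() {
    client=$1; resolver=$2
    for proto in udp tcp; do
        printf 'iptables -t nat -A DNSFILTER -i br0 -s %s -p %s --dport 53 -j DNAT --to-destination %s:53\n' \
            "$client" "$proto" "$resolver"
    done
}

# Read "iptables -t nat -S" output on stdin and print one line per DNAT rule:
# "<source> <proto> -> <destination>". Rules with no -s match print "any",
# which would mean every client is being redirected, not just the chosen ones.
dnat_summary() {
    awk '
        /-j DNAT/ {
            src = "any"; proto = "?"; dst = "?"
            for (i = 1; i <= NF; i++) {
                if ($i == "-s") src = $(i + 1)
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--to-destination") dst = $(i + 1)
            }
            print src, proto, "->", dst
        }'
}
```

On the router, `iptables -t nat -S | dnat_summary` lists which clients are redirected and to which resolver. If the client you expect is absent from that list, the redirect was never installed for it; if it is present but a DNS leak test still shows other servers, look at whether the rewritten packets are being routed out the WAN instead of the tunnel, since DNAT changes the destination address but not which interface the policy routing picks.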
 
I'm trying to get this VPN (getflix.com.au) working on my RT-AC68U with Merlin firmware but I'm not having success.

I have the OpenVPN connection working fine on Windows PCs and Android devices but on the router I cannot get Netflix to work properly.
To configure I imported the *.ovpn file, set the user/password and redirect all internet traffic.

Is there any other option I need to select to get this working?
I already tried your script but didn't work anyway.

I'm really confused as it works perfectly on Win and Android and I cannot reproduce that behavior on the router.

@SpaceDog can you help?

Thanks in advance.
 
At the moment I've just got "Accept DNS Configuration" set to "Exclusive". I haven't done any testing recently to see if there are any DNS leaks at this point, but it is working for my purposes at least.
 
@SpaceDog thanks for the update, but I'm having problems at a much earlier stage.

I'm not even having the VPN client working as expected... :oops:
Would you mind sharing your VPN client configuration, so I could compare?
In which version of Merlin FW do you have your RT-AC68U?

Thanks a lot
 
I do use Getflix still, although it no longer un-geoblocks Netflix so it is less useful than it once was (but I have a lifetime subscription, so I have no reason to not use it).

Configuring the VPN for Getflix is done at the OpenVPN server side of things, not on the router.

In my /etc/openvpn/server.conf file I have this line:

push "dhcp-option DNS 54.164.176.2"

That's the IP address of the Getflix server I chose to use.
 
Thanks for the help, I will try that when I get home.

Regarding the VPN, if you use a non-smart VPN it can geo-unblock.
I've been using that to connect to UK, Italy or Mexico on my Windows PC and Android devices, but still had no success using the router as client.
 
Depends on the luck of the draw with your VPN provider. I run my own VPN on rented hardware in Florida, and I've found that the entire IP range of my ISP there has been tagged as "VPN" by Netflix. There is no way to work around it. Some VPN providers have been lucky so far, but there's every reason to believe that will not last. I'm thinking I may ask a friend there to let me set up a VPN through their house to bypass Netflix's IP-based VPN detection.
 
Regarding the Accept DNS Configuration for Getflix what have you set?
I've tried with exclusive and adding the parameter you recommended and still cannot get Netflix to play videos, I can browse but not play videos.

What is strange is if I use the same configuration on Win or Android machines everything works as expected.