AMTM app(s) seem to cause DNS resolving issue [VPN split tunneling setup]

gnoe

Recently I replaced my n66u with an ac86u. I moved the config over almost exactly, including the split-tunneling OpenVPN config, where my Synology NAS bypasses the permanent OpenVPN tunnel and goes directly to the WAN (so I can have hassle-free remote access to its apps/webservices).

This worked fine before and after the migration, until I installed Diversion/PixelServ/Skynet. After this, the Synology couldn't resolve URLs anymore. Inbound connections are OK: I can access the webservices when I use the domain name that is attached to the WAN IP address.
Outbound connections fail, the DDNS of the Synology doesn't work (as my Syno cannot resolve), and it gives error messages like: "Network error. Please check your DNS or network settings."

My Syno is configured to get IP (fixed by MAC)/DNS/gateway from the router. I tried to configure DNS manually on the Syno, but that didn't help. Temporarily disabling Diversion/Pixelserv/Skynet does not help either, so I'm wondering why DNS resolving is blocked for the Syno. What else I tried:
* restarting (router as well as Syno, many times)
* changing "Accept DNS Configuration" from 'strict' to 'exclusive' (and back)
* manually configuring DNS in the LAN section of the router (OpenDNS IPs)
* changing DNS in the WAN section from manual OpenDNS to automatic (to get the ISP's DNS)

I'm not very experienced with DNS troubleshooting, so I hope you can enlighten me to get this issue solved :)

PS: I just removed the bypass/exclusion, so my Synology is also routed through the VPN. Now it resolves DNS again...
So the question is: how do clients that are routed directly to the WAN interface resolve?
The domain could be blocked in Diversion. Disable ad-blocking to see if that is the case.
If so, whitelist the blocked domain, which you can see by using f, and take a good guess which one it is.

It could also be that Skynet blocks the IP.
 
Well, an unwanted block was my first thought, obviously. That is why I disabled Div/Pix/Sky, but that didn't help.
I can try whitelisting; I didn't do that yet.
 
I had a similar issue when I installed Diversion before Skynet, where DNS had trouble resolving. I had to install Skynet first, then Diversion, and FreshJR_QOS last. Now I have no issues.
 
OK, I'll try that. The problem isn't solved, but I am convinced that Diversion or Skynet is the cause. I'm not familiar with whitelisting yet, so I have to dive into that as well. To be continued, and any tips are still welcome!
 
It seems the VPN client routing rules configuration could be the culprit here. Can you share your routing rules?
 
Sure, although I don't think this is the problem. I removed the bypass rule for the Synology and it still cannot resolve.

These are the relevant options and rules of my VPN client:

Automatic start at boot time: Yes

Accept DNS Configuration: Strict
Create NAT on tunnel: Yes

Redirect Internet traffic: Policy rules (strict)
Block routed clients if tunnel goes down: Yes

Description       Source IP        Destination IP  Iface
Router Bypass     192.168.88.1     0.0.0.0         WAN
All LAN to VPN    192.168.88.0/24  0.0.0.0         VPN
Work Laptop       192.168.88.184   0.0.0.0         WAN
TV Netflix        192.168.88.171   0.0.0.0         WAN
Humax PVR Ziggo   192.168.88.104   0.0.0.0         WAN

As you can see, the last 3 rules are clients that bypass the VPN. This ruleset worked successfully on my old router as well as on the new ac86u before the installation of Diversion & Skynet. Curiously, these clients don't seem to have problems. The Synology rule I removed was similar:
SYNOLOGY          192.168.88.100   0.0.0.0         WAN
 
Personally, I don't like the idea of sending all LAN traffic to the VPN and at the same time setting other rules to ignore it.

I run diversion/pixelserv-tls/skynet and have some devices routed to 2 separate VPN tunnels plus others to the WAN and it all just works.

In my setup I use separate IP blocks to be assigned to the devices depending on their routing destination.

Your routing rules suggest you could use the IP range 192.168.x.64 to ..126 on the DHCP server, so any DHCP client is routed to the VPN, and it would just need one rule routing 192.168.x.64/26 to the VPN. Then do manual assignments with IPs outside of this block for the devices you want routed to the WAN; these won't need any routing rules whatsoever.
 
OK, I simply followed an instruction (I think here on snbforums) for this ruleset and it seemed to me like common practice. Is there any guidance or are there any do's and don'ts available for defining these rules?

My dynamic DHCP range is .101-.254.
.100 and below is for static IPs based on MAC address, assigned by the router's DHCP server.

I like your idea of routing all dynamic/DHCP-assigned IPs through the VPN. In the fixed IP range I want some through the WAN and 10~15 devices also through the VPN tunnel.
So should I best create individual rules for all these static IP devices?

EDIT: I found the policy guidelines of Merlin and I am quite sure I have used this document before to define my rules. The first 2 lines are similar to mine, though in the opposite order.
 
You probably missed this bit:
Note that if there are multiple rules for a given client's IP (for instance if it has one rule stating that all its traffic is to go through the VPN, and an exception rule stating that traffic for a specific destination IP is to be kept through the WAN), all of its name resolution will still go through the VPN server's specified DNS. This is because the router has no way of knowing if the DNS query is related to a specific destination. Therefore, the safest behaviour gets used, and all the queries done by that client will use the VPN server's DNS.
 
I believe the wiki wording is now incorrect, given this thread?
How to Setup a VPN client including Policy Rules for PIA and other VPN providers 384.5 07.10.18
 
No, I didn't miss that bit :D. It wouldn't be a problem if all clients simply resolved through the VPN's DNS. In fact, all clients do, except the Synology, for some unclear reason o_O
So I kept the policy rules unchanged and manually assigned OpenDNS IPs in the network config of the Syno. The VPN is working fine now; traffic from the Synology is routed through the tunnel and it resolves IPs via the manually assigned OpenDNS servers.

Now I have another issue: when the VPN is active, the Squeezeboxes in my network are invisible in Spotify Connect (the SBs have an internet connection and are also routed through the tunnel). Maybe it has something to do with the different DNS servers.

I have a Spotty plugin for Logitech Media Server on the Synology to enable Spotify Connect on my Squeezeboxes.