Asus RT-AC86U wrong DNS Server (VPN)

suxus

Occasional Visitor
Hello
I have a permanent connection to a NordVPN server (OpenVPN) on my router.

Accept DNS Configuration: Exclusive
Force Internet traffic through tunnel: Policy Rules

Here I have recorded a few devices from my network so they run over the VPN connection.
If I run a browserleaks.com/ip check on one of these devices, I get the correct IP, but as DNS server I don't see the NordVPN servers but the Cloudflare servers.
I registered the Cloudflare servers on the router under WAN. Does anyone know what's wrong?
Many thanks
 
I registered the Cloudflare servers on the router under WAN. Does anyone know what's wrong?

Not sure what's wrong in your case, but you'd better disable their own DNS and use Cloudflare. A few months ago their DNS somewhere in Singapore stopped responding and it took me some time to figure out what was happening. It is also much slower than Cloudflare, at least in North America. I don't use NordVPN DNS anymore, for example. No Man in Black at my door yet.
 
The problem for me is Netflix: I connect to a German VPN server, the IP is correct but the DNS is not from Germany (Cloudflare is from Switzerland), and so I can't watch Netflix.
When I use the same ovpn file directly on my iPad (with the OpenVPN app), I have the right DNS and I can watch Netflix. This ovpn file does not work on the router and I don't understand why.
 
The problem for me is Netflix

I would reset OpenVPN Client to Default and set it up again using NordVPN provided file.
Check in router's System Log what DNS servers are mentioned during VPN connection process.
 
OK, I will try when I am at home. And you think the reset to default and a new load of the ovpn file can help?
 

I had to re-configure once my OpenVPN Client due to unexplained behavior. It takes 2min, worth trying.
 
You can try setting Accept DNS Configuration = Strict. In the Custom Config section, define the tunnel to use NordVPN DNS as follows, where x.x.x.x is the NordVPN DNS:
Code:
dhcp-option DNS x.x.x.x
 
Hello
I switched all VPN settings to default and loaded the new ovpn file onto the router, and here is the log.

Code:
Aug  5 17:09:13 rc_service: httpd 796:notify_rc start_vpnclient2
Aug  5 17:09:13 ovpn-client2[8122]: OpenVPN 2.4.7 arm-buildroot-linux-gnueabi [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jul 31 2019
Aug  5 17:09:13 ovpn-client2[8122]: library versions: OpenSSL 1.1.1c  28 May 2019, LZO 2.08
Aug  5 17:09:13 ovpn-client2[8123]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Aug  5 17:09:13 ovpn-client2[8123]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Aug  5 17:09:13 ovpn-client2[8123]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Aug  5 17:09:13 ovpn-client2[8123]: TCP/UDP: Preserving recently used remote address: [AF_INET]185.143.230.224:1194
Aug  5 17:09:13 ovpn-client2[8123]: Socket Buffers: R=[524288->524288] S=[524288->524288]
Aug  5 17:09:13 ovpn-client2[8123]: UDP link local: (not bound)
Aug  5 17:09:13 ovpn-client2[8123]: UDP link remote: [AF_INET]185.143.230.224:1194
Aug  5 17:09:13 ovpn-client2[8123]: TLS: Initial packet from [AF_INET]185.143.230.224:1194, sid=d00c2351 d4ea2eb7
Aug  5 17:09:13 ovpn-client2[8123]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Aug  5 17:09:13 ovpn-client2[8123]: VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
Aug  5 17:09:13 ovpn-client2[8123]: VERIFY OK: depth=1, C=PA, O=NordVPN, CN=NordVPN CA3
Aug  5 17:09:13 ovpn-client2[8123]: VERIFY KU OK
Aug  5 17:09:13 ovpn-client2[8123]: Validating certificate extended key usage
Aug  5 17:09:13 ovpn-client2[8123]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Aug  5 17:09:13 ovpn-client2[8123]: VERIFY EKU OK
Aug  5 17:09:13 ovpn-client2[8123]: VERIFY OK: depth=0, CN=de546.nordvpn.com
Aug  5 17:09:13 ovpn-client2[8123]: Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Aug  5 17:09:13 ovpn-client2[8123]: [de546.nordvpn.com] Peer Connection Initiated with [AF_INET]185.143.230.224:1194
Aug  5 17:09:14 ovpn-client2[8123]: SENT CONTROL [de546.nordvpn.com]: 'PUSH_REQUEST' (status=1)
Aug  5 17:09:14 ovpn-client2[8123]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 103.86.96.100,dhcp-option DNS 103.86.99.100,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,comp-lzo no,route-gateway 10.8.3.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.8.3.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Aug  5 17:09:14 ovpn-client2[8123]: OPTIONS IMPORT: timers and/or timeouts modified
Aug  5 17:09:14 ovpn-client2[8123]: OPTIONS IMPORT: explicit notify parm(s) modified
Aug  5 17:09:14 ovpn-client2[8123]: OPTIONS IMPORT: compression parms modified
Aug  5 17:09:14 ovpn-client2[8123]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Aug  5 17:09:14 ovpn-client2[8123]: Socket Buffers: R=[524288->1048576] S=[524288->1048576]
Aug  5 17:09:14 ovpn-client2[8123]: OPTIONS IMPORT: --ifconfig/up options modified
Aug  5 17:09:14 ovpn-client2[8123]: OPTIONS IMPORT: route options modified
Aug  5 17:09:14 ovpn-client2[8123]: OPTIONS IMPORT: route-related options modified
Aug  5 17:09:14 ovpn-client2[8123]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Aug  5 17:09:14 ovpn-client2[8123]: OPTIONS IMPORT: peer-id set
Aug  5 17:09:14 ovpn-client2[8123]: OPTIONS IMPORT: adjusting link_mtu to 1657
Aug  5 17:09:14 ovpn-client2[8123]: OPTIONS IMPORT: data channel crypto options modified
Aug  5 17:09:14 ovpn-client2[8123]: Data Channel: using negotiated cipher 'AES-256-GCM'
Aug  5 17:09:14 ovpn-client2[8123]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Aug  5 17:09:14 ovpn-client2[8123]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Aug  5 17:09:14 ovpn-client2[8123]: TUN/TAP device tun12 opened
Aug  5 17:09:14 ovpn-client2[8123]: TUN/TAP TX queue length set to 1000
Aug  5 17:09:14 ovpn-client2[8123]: /bin/ip link set dev tun12 up mtu 1500
Aug  5 17:09:14 ovpn-client2[8123]: /bin/ip addr add dev tun12 10.8.3.2/24 broadcast 10.8.3.255
Aug  5 17:09:14 ovpn-client2[8123]: updown.sh tun12 1500 1585 10.8.3.2 255.255.255.0 init
Aug  5 17:09:14 openvpn-updown: Forcing 192.168.99.53 to use DNS server 103.86.96.100
Aug  5 17:09:14 rc_service: service 8228:notify_rc updateresolv
Aug  5 17:09:16 ovpn-client2[8123]: /bin/ip route add 185.143.230.224/32 via 77.56.248.1
Aug  5 17:09:16 ovpn-client2[8123]: /bin/ip route add 0.0.0.0/1 via 10.8.3.1
Aug  5 17:09:16 ovpn-client2[8123]: /bin/ip route add 128.0.0.0/1 via 10.8.3.1
Aug  5 17:09:16 openvpn-routing: Configuring policy rules for client 2
Aug  5 17:09:17 ovpn-client2[8123]: Initialization Sequence Completed

and I think this line

Code:
PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 103.86.96.100,dhcp-option DNS 103.86.99.100

shows that the right DNS server (NordVPN) will be used, but when I run the browserleaks.com/ip check I don't see this DNS server, only Cloudflare servers with location Switzerland, and that's wrong because I connect to a German server.

I don't know what's wrong.

Thank you very much for your help.
 
I think I found the problem now, but I don't know what the solution is!

On the router in the WAN section, I set
DNS Server 1 = 1.1.1.1
DNS Server 2 = 1.0.0.1

the DNS server from Cloudflare.

And in the LAN - DHCP Server
DNS Server 1 = IP-From-Pihole

On the Pihole itself, Settings - DNS section
IPv4 = Cloudflare Server
Listen only on interface eth0 = CHECKED
Never forward non-FQDNs = UNCHECKED
Never forward reverse lookups for private IP ranges = UNCHECKED
Use DNSSEC = UNCHECKED
Use Conditional Forwarding = CHECKED

So when I leave DNS Server 1 in the LAN-DHCP section blank, then it works (Pihole is inactive). But what's wrong when I set the Pihole? I think the router will use the right DNS settings from the provider, but the Pihole pushes the Cloudflare DNS.
 
I was going to suggest removing the pi-hole entry from LAN DNS as the next step. Looks like it worked.

There have been several threads about the LAN DNS vs WAN DNS setting. See https://www.snbforums.com/threads/wan-dns-and-lan-dns.29940/ for an example.

https://www.google.com/search?q=lan dns site:snbforums.com will lead you to more topics on the forum.

If you can't figure out how to make it work with pi-hole, then I suggest using Diversion ad blocker. The only thing you don't get is the graphs.
 
Hi
When I remove the IP (Pihole) from the LAN setting, then it works. I think the Pihole is the problem; it pushes the Cloudflare server to the VPN connection (device).
 
Hi @suxus

It appears that NordVPN is using their DNS as a DNS proxy to get around Netflix VPN restrictions (Netflix blocks known/shared VPN servers). Express VPN does the same. That is why Netflix doesn't work when you use another DNS. My provider offers private IP addresses. Netflix doesn't care what DNS you are using.

Your client device DNS setting will take precedence over the DNS setting on the router unless you have enabled the rule to force all devices to use the router's DNS on the LAN -> DNSFilter tab as follows:

upload_2019-8-6_19-44-1.png


That is why Netflix worked when using the VPN client on your iPad.

If it helps, I wrote a program to allow you to route Netflix traffic thru the WAN or one of the OpenVPN interfaces.

Even if you used Diversion to block ads instead of pi-hole, it won't work on the VPN tunnel when you have Accept DNS Configuration = Exclusive and Policy Rules are enabled. The DNS will exclusively use the DNS of the VPN provider and dnsmasq is bypassed.
 
@Xentrk thank you. You say your provider offers private IPs; what provider is that, and does Netflix work then? If yes, does that also work with German Netflix?
I see your script for selective routing, but I don't know if this is a bit too much for me. SSH is no problem, but I see I need a special USB. Does this script also work for German?

At the moment it is like this: I turn on the VPN connection on my iPad (to NordVPN) and then I can watch it; I do this with VPN on Demand profiles. That's at the moment the only way Netflix runs; on the router I find no solution at the moment.
 
I've had some people in the EU using the script. Most people want all their devices to use a VPN and use x3mRouting to get around the Netflix VPN blocks by routing Netflix traffic to the WAN interface.

Having a USB on the router will open up more features for you and the ability to super charge your router and install open source code written by forum members. The first thing to do is install AMTM. AMTM has a feature to format the USB. Or, you can download free client software to format the USB such as Ease US or Mini Tool Partition. You can replace pi-hole with Diversion and free up the device for another project and Netflix will work over the VPN client.
 
Hello, I am still struggling with my DNS server problem with active VPN connection.

under WAN:
DNS Server 1: 1.1.1.1
DNS Server 2: 1.0.0.1

under LAN
DNS server 1: blank
DNS server 2: blank

DIVERSION is active at 192.168.99.2. And under VPN Client, a VPN connection to NordVPN (Germany) is active, and this connection is used by a few devices (the devices are registered under Rules for routing client traffic through the tunnel).

In the router log I see this
Code:
Aug  7 18:59:04 rc_service: httpd 824:notify_rc start_vpnclient2
Aug  7 18:59:04 ovpn-client2[13293]: OpenVPN 2.4.7 arm-buildroot-linux-gnueabi [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jul 31 2019
Aug  7 18:59:04 ovpn-client2[13293]: library versions: OpenSSL 1.1.1c  28 May 2019, LZO 2.08
Aug  7 18:59:04 ovpn-client2[13294]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Aug  7 18:59:04 ovpn-client2[13294]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Aug  7 18:59:04 ovpn-client2[13294]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Aug  7 18:59:04 ovpn-client2[13294]: TCP/UDP: Preserving recently used remote address: [AF_INET]185.143.230.224:1194
Aug  7 18:59:04 ovpn-client2[13294]: Socket Buffers: R=[524288->524288] S=[524288->524288]
Aug  7 18:59:04 ovpn-client2[13294]: UDP link local: (not bound)
Aug  7 18:59:04 ovpn-client2[13294]: UDP link remote: [AF_INET]185.143.230.224:1194
Aug  7 18:59:04 ovpn-client2[13294]: TLS: Initial packet from [AF_INET]185.143.230.224:1194, sid=0e01faec 72c991b6
Aug  7 18:59:04 ovpn-client2[13294]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Aug  7 18:59:04 ovpn-client2[13294]: VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
Aug  7 18:59:04 ovpn-client2[13294]: VERIFY OK: depth=1, C=PA, O=NordVPN, CN=NordVPN CA3
Aug  7 18:59:04 ovpn-client2[13294]: VERIFY KU OK
Aug  7 18:59:04 ovpn-client2[13294]: Validating certificate extended key usage
Aug  7 18:59:04 ovpn-client2[13294]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Aug  7 18:59:04 ovpn-client2[13294]: VERIFY EKU OK
Aug  7 18:59:04 ovpn-client2[13294]: VERIFY OK: depth=0, CN=de546.nordvpn.com
Aug  7 18:59:04 ovpn-client2[13294]: Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Aug  7 18:59:04 ovpn-client2[13294]: [de546.nordvpn.com] Peer Connection Initiated with [AF_INET]185.143.230.224:1194
Aug  7 18:59:06 ovpn-client2[13294]: SENT CONTROL [de546.nordvpn.com]: 'PUSH_REQUEST' (status=1)
Aug  7 18:59:06 ovpn-client2[13294]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 103.86.96.100,dhcp-option DNS 103.86.99.100,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,comp-lzo no,route-gateway 10.8.1.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.8.1.12 255.255.255.0,peer-id 22,cipher AES-256-GCM'
Aug  7 18:59:06 ovpn-client2[13294]: OPTIONS IMPORT: timers and/or timeouts modified
Aug  7 18:59:06 ovpn-client2[13294]: OPTIONS IMPORT: explicit notify parm(s) modified
Aug  7 18:59:06 ovpn-client2[13294]: OPTIONS IMPORT: compression parms modified
Aug  7 18:59:06 ovpn-client2[13294]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Aug  7 18:59:06 ovpn-client2[13294]: Socket Buffers: R=[524288->1048576] S=[524288->1048576]
Aug  7 18:59:06 ovpn-client2[13294]: OPTIONS IMPORT: --ifconfig/up options modified
Aug  7 18:59:06 ovpn-client2[13294]: OPTIONS IMPORT: route options modified
Aug  7 18:59:06 ovpn-client2[13294]: OPTIONS IMPORT: route-related options modified
Aug  7 18:59:06 ovpn-client2[13294]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Aug  7 18:59:06 ovpn-client2[13294]: OPTIONS IMPORT: peer-id set
Aug  7 18:59:06 ovpn-client2[13294]: OPTIONS IMPORT: adjusting link_mtu to 1657
Aug  7 18:59:06 ovpn-client2[13294]: OPTIONS IMPORT: data channel crypto options modified
Aug  7 18:59:06 ovpn-client2[13294]: Data Channel: using negotiated cipher 'AES-256-GCM'
Aug  7 18:59:06 ovpn-client2[13294]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Aug  7 18:59:06 ovpn-client2[13294]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Aug  7 18:59:06 ovpn-client2[13294]: TUN/TAP device tun12 opened
Aug  7 18:59:06 ovpn-client2[13294]: TUN/TAP TX queue length set to 1000
Aug  7 18:59:06 ovpn-client2[13294]: /bin/ip link set dev tun12 up mtu 1500
Aug  7 18:59:06 ovpn-client2[13294]: /bin/ip addr add dev tun12 10.8.1.12/24 broadcast 10.8.1.255
Aug  7 18:59:06 ovpn-client2[13294]: updown.sh tun12 1500 1585 10.8.1.12 255.255.255.0 init
Aug  7 18:59:06 (updown.sh): 13298 Starting custom /jffs/scripts/x3mRouting/updown-client.sh script execution
Aug  7 18:59:06 (updown.sh): 13298 Ending custom /jffs/scripts/x3mRouting/updown-client.sh script execution
Aug  7 18:59:08 ovpn-client2[13294]: /bin/ip route add 185.143.230.224/32 via 77.56.248.1
Aug  7 18:59:08 ovpn-client2[13294]: /bin/ip route add 0.0.0.0/1 via 10.8.1.1
Aug  7 18:59:08 ovpn-client2[13294]: /bin/ip route add 128.0.0.0/1 via 10.8.1.1
Aug  7 18:59:08 openvpn-routing: Configuring policy rules for client 2
Aug  7 18:59:08 (vpnrouting.sh): 13365 ip rule add from 192.168.99.53   table ovpnc2 priority 10301
Aug  7 18:59:08 (vpnrouting.sh): 13365 x3mRouting Checking Custom fwmark/bitmask
Aug  7 18:59:08 (vpnrouting.sh): 13365 x3mRouting Adding OVPNC2 RPDB fwmark rule 0x2000/0x2000 prio 9994
Aug  7 18:59:08 ovpn-client2[13294]: Initialization Sequence Completed

I see that the NordVPN DNS servers are pushed (dhcp-option DNS 103.86.96.100, dhcp-option DNS 103.86.99.100). But if I run, with the iPad (that uses the VPN connection),

browserleaks.com/ip

then the DNS servers are not listed as NordVPN DNS servers, but as DNS servers by Cloudflare (Location: Switzerland). If I make the VPN connection directly on the iPad (IKEv2) and then carry out the check, then one server is listed as a DNS server (with Location Germany), and so Netflix works on the iPad. However, I do not want to set up the VPN connection on the iPad, but on the router, which I bought for this.

Does anyone have an idea what's wrong?

Many thanks for the help
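
The Aug 5 log earlier in the thread has an `openvpn-updown: Forcing ... to use DNS server ...` line after the PUSH_REPLY; the Aug 7 log, where the x3mRouting updown-client.sh ran, has none. The following is an added example, not code from the thread, the firmware or x3mRouting, that checks a saved log for that difference. Treating a missing "Forcing" line as the indicator is an assumption drawn from those two logs; the function names and verdict labels are made up for the example.

```shell
#!/bin/sh
# Added example: audit a saved OpenVPN client log from the router for the
# router-side DNS forcing step. Assumption (from the two logs in this thread):
# each policy-rule client should get an "openvpn-updown: Forcing ..." line.

# Print the DNS servers found in the server's PUSH_REPLY, one per line.
pushed_dns() {
    grep 'PUSH_REPLY' "$1" | tr ',' '\n' |
        sed -n 's/^dhcp-option DNS \([0-9.]*\).*$/\1/p' | sort -u
}

# Print "client server" pairs that the updown step reported as forced.
forced_clients() {
    sed -n 's/^.*openvpn-updown: Forcing \([0-9.]*\) to use DNS server \([0-9.]*\).*$/\1 \2/p' "$1"
}

# audit_log LOGFILE CLIENT_IP...
# Prints one verdict per client and returns 0 only if every client is OK:
#   OK <client> <server>        forced to one of the pushed servers
#   MISMATCH <client> <server>  forced to a server that was not pushed
#   UNFORCED <client>           DNS was pushed, but no forcing line exists
#   NOPUSH                      the server pushed no DNS at all
audit_log() {
    log=$1
    shift
    pushed=$(pushed_dns "$log")
    if [ -z "$pushed" ]; then
        echo "NOPUSH"
        return 1
    fi
    rc=0
    for client in "$@"; do
        server=$(forced_clients "$log" |
            awk -v c="$client" '$1 == c { print $2; exit }')
        if [ -z "$server" ]; then
            echo "UNFORCED $client"
            rc=1
        elif printf '%s\n' "$pushed" | grep -qxF "$server"; then
            echo "OK $client $server"
        else
            echo "MISMATCH $client $server"
            rc=1
        fi
    done
    return "$rc"
}

# Sample lines trimmed from the Aug 5 log posted in this thread.
sample_aug5() {
    cat <<'EOF'
Aug  5 17:09:14 ovpn-client2[8123]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 103.86.96.100,dhcp-option DNS 103.86.99.100,route-gateway 10.8.3.1,topology subnet'
Aug  5 17:09:14 ovpn-client2[8123]: updown.sh tun12 1500 1585 10.8.3.2 255.255.255.0 init
Aug  5 17:09:14 openvpn-updown: Forcing 192.168.99.53 to use DNS server 103.86.96.100
Aug  5 17:09:16 openvpn-routing: Configuring policy rules for client 2
EOF
}

# Sample lines trimmed from the Aug 7 log posted in this thread.
sample_aug7() {
    cat <<'EOF'
Aug  7 18:59:06 ovpn-client2[13294]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 103.86.96.100,dhcp-option DNS 103.86.99.100,route-gateway 10.8.1.1,topology subnet'
Aug  7 18:59:06 ovpn-client2[13294]: updown.sh tun12 1500 1585 10.8.1.12 255.255.255.0 init
Aug  7 18:59:06 (updown.sh): 13298 Starting custom /jffs/scripts/x3mRouting/updown-client.sh script execution
Aug  7 18:59:06 (updown.sh): 13298 Ending custom /jffs/scripts/x3mRouting/updown-client.sh script execution
Aug  7 18:59:08 (vpnrouting.sh): 13365 ip rule add from 192.168.99.53   table ovpnc2 priority 10301
EOF
}

# Run the audit on both samples for the policy-rule client seen in the logs.
demo() {
    dir=$(mktemp -d)
    sample_aug5 > "$dir/aug5.log"
    sample_aug7 > "$dir/aug7.log"
    audit_log "$dir/aug5.log" 192.168.99.53 || true
    audit_log "$dir/aug7.log" 192.168.99.53 || true
    rm -rf "$dir"
}
demo
```

An OK verdict covers only the router's own forcing step; a resolver on the LAN handed out by DHCP, such as the Pi-hole earlier in the thread, is outside what this log shows.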
 

Post the output of these commands:

Code:
iptables --line -t nat -nvL DNSVPN2

iptables --line -t nat -nvL PREROUTING | grep DNSVPN

nvram get vpn_client2_adns


Post the contents of this file:

Code:
/tmp/etc/openvpn/fw/client2-dns.sh
 
Hello

Here are the results from the commands.

Code:
admin@RT-AC86U-3588:/# iptables --line -t nat -nvL DNSVPN2
iptables: No chain/target/match by that name.

Code:
admin@RT-AC86U-3588:/# iptables --line -t nat -nvL PREROUTING | grep DNSVPN
1        0     0 DNSVPN1    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
2       73  4943 DNSVPN1    udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53

Code:
admin@RT-AC86U-3588:/# nvram get vpn_client2_adns
3

Code:
admin@RT-AC86U-3588:/# nano /tmp/etc/openvpn/fw/client2-dns.sh
File is empty

And at the moment x3mRouting is completely uninstalled.

If you need more information, please let me know.

Thank you very much

Update: After uninstalling x3mRouting I restarted the router and checked my VPN connections.

Connection 1 (NordVPN Switzerland): IP okay / DNS okay (Switzerland / Location Switzerland)
Connection 2 (NordVPN Germany): IP okay / DNS okay (Germany / Location Germany)

For me it now looks like everything is ok in terms of DNS, if you see something in my commands posts.
 
I think you had Method 1 installed which was causing the DNS issue. Your feedback was helpful to me as I was able to duplicate the issue and quickly determine the cause. The faulty code has since been patched.
 
