block-outside-dns but for ASUS Merlin?

[quarantinho]

Hey guys,

I'm accessing a VPN using the OpenVPN desktop client and everything works fine / is not reporting any DNS leaks.

However, I would like the entire traffic of my device to go through the tunnel without always starting the software. Since I have an ASUS router, I installed Merlin firmware and set up policy based routing that redirects all traffic of this specific device through the tunnel. I'm using exactly the same configuration file that I previously used on my PC, except the command "block-outside-dns".

In this configuration, without the missing command of "block-outside-dns", my VPN is having DNS leaks. Meaning that whenever I run a test in this configuration, my location is correctly identified which I want to avoid at all costs.

So my question is: Is there an equivalent for "block-outside-dns" that I can use on the client side in this configuration? Since my dad is the provider of the VPN from the server side, it would be great if I could configure the client side to achieve this (don't want to bother him if it's not necessary).

Any ideas?

Thanks in advance!

 

[RMerlin]

Set DNS mode to "Exclusive" on your OpenVPN client settings.

 

[quarantinho]

You mean here, correct?

I have set it like this currently and while my IP is from the same country the VPN is, a DNS leak test still reveals my actual location (at least I think that's what's happening?).

E.g. I live in Germany and the VPN is in Turkey, so ideally, the DNS Leak test shouldn't show this:

 

[RMerlin]

You mean here, correct?

View attachment 34869

I have set it like this currently and while my IP is from the same country the VPN is, a DNS leak test still reveals my actual location (at least I think that's what's happening?).

E.g. I live in Germany and the VPN is in Turkey, so ideally, the DNS Leak test shouldn't show this:
View attachment 34870

Try a different browser. Since it reports Cloudflare, it`s possible it`s your browser silently moving you to use DNS over HTTPS, which will bypass any VPN, and cannot be actively blocked.

DoH and DoT cannot be "blocked" at a VPN level, as they don't use regular port 53 DNS queries.

 

[quarantinho]

I see. Tried a different browser but getting the same results. But what's still very confusing to me is that I don't have this issue whenever using the openVPN desktop client instead on a windows PC, regardless of which browser I use. So I assume it has to be an issue with the different configuration files that I'm using between pc client/router.

 

[cptnoblivious]

If Firefox is one of the browsers you are trying, double check that it's no using DoH by going to:

Settings | Network Settings
And ensure that "Enable DNS over HTTPS" is NOT checked (last checkbox on the config page)

 

[quarantinho]

Thanks for the suggestion, I've gone ahead and tried that but no luck so far. There are still Hosts outside of the VPN's location showing up.

I've tried several setups now and it seems as though this one is doing the trick, at least for Firefox.

I don't quite understand what the difference between exclusive/strict is for the option to accept DNS configuration, but it seems to be working OK for now. Google Chrome sometimes still reveals my true location however so this solution is not quite as secure as just using the PC client I guess?