Chromecast + VPN DNS Issues

[CJDias]

I have set up my N66U running the latest Merlin fork with Astrill VPN which comes with a handy router applet that takes care of VPN connectivity (Uses OpenVPN ). All my devices on the network (Phones/PCs) are able to use this VPN tunnel perfectly well with the exception of my Chromecast. After extensive email exchanges with Astrill I have narrowed down the problem to configuration issues that aren't able to redirect 100% of Google DNS queries to the Astrill DNS server (since the Chromecast is hard-coded to use Google DNS). Here's what I've tried so far;

Iptables rules to forward all google dns queries to the VPN provider's DNS server x.x.x.x (this is a dynamic IP on the VPN tunnel network segment once VPN gets connected)

iptables -I PREROUTING -t nat -p udp -d 8.8.4.4 --dport 53 -j DNAT --to-destination x.x.x.x
iptables -I PREROUTING -t nat -p udp -d 8.8.8.8 --dport 53 -j DNAT --to-destination x.x.x.x

Does anyone have an idea of what could be causing the Chromecast to get a DNS resolution bypassing the above?

 

[peraburek]

change 192.168.x.x with IP of your choosen device you want to divert through VPN tunnel
change 192.168.y.y. with IP address of remote IP range if you want to access it (ping etc.)

this example is for VPN Client 1 (interface tun11), VPN Client 2 use interface tun12, so beware
add these lines to your OpenVPN Client custom config:
route-nopull
route-up /jffs/scripts/vpn-route-1.sh

#!/bin/sh
# This script goes in /jffs/scripts/vpn-route-1.sh
# Add the following 2 lines to the OpenVPN configs
# route-nopull
# route-up /jffs/scripts/vpn-route-1.sh

# clear tun11 (VPN client 1) table, if exists
ip route flush table 11
ip route del default table 11

# not strictly necessary but speeds up routing changes
ip route flush cache

# get tunnel ip
tun11_ip=$(ifconfig tun11 | grep 'inet addr:'| cut -d: -f2 | awk '{ print $1}')

# routing remote IP range 192.168.y.y/24 via tun11_ip
#ip route add 192.168.y.y/24 via $tun11_ip

# routing table for tun11 with divert rule (192.168.x.x is IP of specific device in your local LAN)
ip route add default via $tun11_ip dev tun11 table 11
ip rule add from 192.168.x.x table 11

# not strictly necessary
ip route flush cache

# force vpn to default to custom dns - in this case OpenDNS
DNS_SERVER="208.67.222.222 208.67.220.220"
for ip in $DNS_SERVER
do
iptables -t nat -A PREROUTING -s 192.168.x.x -p udp --dport 53 -j DNAT --to $ip
iptables -t nat -A PREROUTING -s 192.168.x.x -p tcp --dport 53 -j DNAT --to $ip
done

# vpn kill switch (optional) in case your VPN tunnel goes down, traffic is blocked
#iptables -I FORWARD ! -o tun11 -s 192.168.x.x -j DROP

exit 0

don't forget chmod 755 /jffs/scripts/vpn-route-1.sh to make your script executable
reboot and test

 

[CJDias]

Thanks for your reply. I already have the VPN connection taken care of (it uses a custom application installed on the router, not the built-in OpenVPN client) so won't be able to use that script. The part I am stuck with is figuring out how the Chromecast is bypassing all my attempts to block Google DNS lookup.

Today I tried setting a static route redirecting all traffic bound for 8.8.8.8 and 8.8.4.4 back to the router (i.e. ping test to those Google DNS IPs from my desktop fails). But the chromecast persists somehow and I get the dreaded "you are using an anonymous proxy tool" message. Wish someone could shed some light on how the Chromecast does this....

 

[Martineau]

Thanks for your reply. I already have the VPN connection taken care of (it uses a custom application installed on the router, not the built-in OpenVPN client) so won't be able to use that script. The part I am stuck with is figuring out how the Chromecast is bypassing all my attempts to block Google DNS lookup.

Today I tried setting a static route redirecting all traffic bound for 8.8.8.8 and 8.8.4.4 back to the router (i.e. ping test to those Google DNS IPs from my desktop fails). But the chromecast persists somehow and I get the dreaded "you are using an anonymous proxy tool" message. Wish someone could shed some light on how the Chromecast does this....

Although this is for Roku I assume you have tried the technique(s) in this post (substituting 'Chromecast' for Roku)

http://www.snbforums.com/threads/dn...ac68u-asuswrt-merlin.23694/page-3#post-179262

and there are some observations in the thread on how Netflix/Roku etc. are attempting to enforce their DNS lookup.

 

[CJDias]

Thanks for your response... Those are useful tips. My vpn provider managed to fix issue in the end by blocking/re-routing additional DNS traffic from the Chromecast at their end.

Sent from my Nexus 5 using Tapatalk