Diversion Diversion not working with OpenVPN

Maasamda
Hi,

I have an AX86 with Merlin 386.3 Beta 3. I am using Diversion and Unbound. I also use OpenVPN.

I just can't manage to set up OpenVPN in such a way that Diversion and Unbound continue to work. I know that Accept DNS Configuration = Exclusive when using VPN director causes DNSMasq to be bypassed and therefore Diversion and Unbound don't work.

Is it possible to set it up so that I:

1. Can run almost all devices via OpenVPN (ExpressVPN), without DNS leaks taking place, while Diversion and Unbound continue to work.

And

2. Can run a small group of other devices outside of OpenVPN, while Diversion and Unbound continue to work for them too.

I now have the following configuration:

OpenVPNclient1:

- Accept DNS configuration = Exclusive

- Redirect Internet Traffic through VPN= VPN Director Policy Rules

VPN Director:

- 192.168.50.0/24 OVPN1

- 192.168.50.1 (router) WAN

- 192.168.50.4 WAN

- 192.168.50.5 WAN

Router settings:

LAN --> DHCP --> DNS and WINS Setting:

- DNS server 1 and DNS server 2 = <Empty>

- Advertise router's IP in addition to user-specified DNS = No

DNS Filter:

- On

- Global Filter Mode = Router

WAN --> WAN DNS settings:

- Connect to DNS Server automatically = No

- DNS Server1 = 8.8.8.8

- DNS Server2 = 8.8.4.4

- Forward local domain queries to upstream DNS = No

- Enable DNS Rebind protection = No

- Enable DNSSEC support = No

- Prevent client auto DoH = Yes

- DNS Privacy Protocol = None

I know the above setting ensures that Diversion/Unbound do not work due to the OpenVPN client configuration. I've tried all sorts of settings, but not with the desired result.

Does anyone know the solution?
 
This site has some good info with settings for vpn diversion and using DNS over TLS

I tested both of the mentioned options for Accept DNS Configuration: Strict and Disabled. Both cause a DNS leak to my ISP from the devices routed through the VPN…
 
You can have a look here. This is pre 386.3 though.


 
You can try changing:
Tools/Other settings
WAN: Use local caching DNS server as system resolver (default: No) = Yes
That stopped my WAN DNS from leaking when I used the VPN.
 
I'm sure you realise that when using unbound - a dns leak test will report your router's public ip address as your DNS [and likely give it the same name as your Internet Service Provider]. That is not a leak but working as designed.

I have the same settings as you and my unbound works perfectly as does Diversion ... EXCEPT on my OVPN4 client I am using VPNUnlimited and have my Accept DNS configuration set to "disabled" [meaning there is no redirection of my dns server away from my unbound on my router].

Incidentally - the exact same settings trying to use NordVPN fails - no idea why.
 
Thanks, this helps me out!

OpenVPN client configuration set to "Disabled" and results looked at in the right way :) Diversion & Unbound working now.
 
Are you sure about this? If you bind the VPN to unbound and set redirect internet traffic to "yes" instead of "policy rules", it will show the VPN IP instead of the ISP IP when doing a DNS leak test, therefore unbound is in the tunnel. With policy rules enabled it shows the ISP IP instead, I assume that means unbound is no longer going through the tunnel and is exposed?

I'm currently reading about this script and think it might be the solution: https://www.snbforums.com/threads/unbound-dns-vpn-client-w-policy-rules.67370/
 
We are at cross purposes here ...

My first paragraph was in reference to ZERO VPN being used - just a reminder that dns leak test will show your public ip address as the DNS server address when using unbound [as opposed to the ISP's DNS etc];

My second paragraph was referencing when you indeed do go through a VPNClient [tunnel] BUT set the DNS Configuration [for the tunnel] as DISABLED ... in other words NOT using the DNS provided by the VPN service provider. In that case the DNS is still unbound on your router - with Diversion continuing to work.

Clearly - if you invoke the VPNClient tunnel and use option "Yes" - all [not with Policy Rules] ... my understanding is that you are now wanting the tunnel to adopt the DNS services provided by the tunnel - so Diversion will NOT work.

The thread you identify may well be the one to follow if what you are trying to do is push unbound down the VPN tunnel to continue acting as your DNS and retain Diversion in good working order. ;)
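A quick way to confirm which of those three situations a router is actually in, as an added example that is not from this thread or from Asuswrt-Merlin: the script below reads the nvram keys behind the GUI settings discussed above and reports, per OpenVPN client slot, whether tunnelled clients still resolve through dnsmasq (and so through Diversion/Unbound) or are forced straight to the provider's DNS by Exclusive mode, and whether Policy Rules leave the router's own traffic on the WAN side. It assumes the standard Merlin key names vpn_clientN_adns (Accept DNS Configuration: 0 Disabled, 1 Relaxed, 2 Strict, 3 Exclusive), vpn_clientN_rgw (Redirect Internet traffic: 0 No, 1 Yes, 2 Policy Rules, 3 Policy Rules strict) and dns_local_cache (Tools > Other Settings, "Use local caching DNS server as system resolver"); the dump it parses is constructed by hand, and the VPN Director rule list is not parsed.

```shell
#!/bin/sh
# Added example, not code from the thread or from Asuswrt-Merlin.
# Audits the nvram keys that decide whether an OpenVPN client's DNS still passes
# through dnsmasq (where Diversion and Unbound sit) or bypasses it.
# Assumed key names (label them as assumptions): vpn_clientN_adns, vpn_clientN_rgw,
# dns_local_cache. SAMPLE_NVRAM is a constructed dump; on a router replace it with:
#   nvram show 2>/dev/null | grep -E '^(vpn_client[1-5]_(adns|rgw)|dns_local_cache)='
SAMPLE_NVRAM='vpn_client1_adns=3
vpn_client1_rgw=2
vpn_client4_adns=0
vpn_client4_rgw=2
dns_local_cache=0'

# nvget DUMP KEY: value of KEY in the dump, empty when absent.
nvget() {
    printf '%s\n' "$1" | sed -n "s/^$2=//p" | head -n 1
}

# adns_label CODE: GUI label for "Accept DNS Configuration".
adns_label() {
    case "$1" in
        0) echo Disabled ;;
        1) echo Relaxed ;;
        2) echo Strict ;;
        3) echo Exclusive ;;
        *) echo Unset ;;
    esac
}

# rgw_label CODE: GUI label for "Redirect Internet traffic through tunnel".
rgw_label() {
    case "$1" in
        0) echo No ;;
        1) echo Yes ;;
        2) echo "Policy Rules" ;;
        3) echo "Policy Rules (strict)" ;;
        *) echo Unset ;;
    esac
}

# client_dns_path DUMP N: "bypass" when Exclusive makes the firewall send the
# client's DNS straight to the VPN provider's resolvers (Diversion/Unbound never
# see the query), "dnsmasq" for Disabled/Relaxed/Strict, "unset" if not configured.
client_dns_path() {
    cdp_adns=$(nvget "$1" "vpn_client${2}_adns")
    case "$cdp_adns" in
        3) echo bypass ;;
        0|1|2) echo dnsmasq ;;
        *) echo unset ;;
    esac
}

# router_resolver DUMP: "local" when the router's own processes resolve via
# 127.0.0.1 (dnsmasq), "wan" when they go to the WAN DNS servers directly.
router_resolver() {
    case "$(nvget "$1" dns_local_cache)" in
        1) echo local ;;
        *) echo wan ;;
    esac
}

# client_verdict DUMP N: one-line summary for client N, encoding the thread's
# findings: Exclusive bypasses Diversion/Unbound; Disabled keeps them, but with
# Policy Rules the router's own traffic (and so Unbound's recursion) only enters
# the tunnel if a VPN Director rule sends the router's address through it.
client_verdict() {
    cv_adns=$(nvget "$1" "vpn_client${2}_adns")
    cv_rgw=$(nvget "$1" "vpn_client${2}_rgw")
    cv_head="client$2: adns=$(adns_label "$cv_adns") rgw=$(rgw_label "$cv_rgw")"
    case "$(client_dns_path "$1" "$2")" in
        unset)  echo "client$2: not configured" ;;
        bypass) echo "$cv_head: dnsmasq bypassed, Diversion/Unbound inactive for tunnelled clients" ;;
        dnsmasq)
            if [ "$cv_rgw" = 2 ] || [ "$cv_rgw" = 3 ]; then
                echo "$cv_head: Diversion/Unbound active; Unbound recursion leaves via WAN unless the router IP is routed into the tunnel"
            elif [ "$cv_rgw" = 1 ]; then
                echo "$cv_head: Diversion/Unbound active; all router traffic, including Unbound recursion, uses the tunnel"
            else
                echo "$cv_head: Diversion/Unbound active; tunnel not used for Internet traffic"
            fi ;;
    esac
}

# audit DUMP: one line per OpenVPN client slot plus the router resolver setting.
audit() {
    for n in 1 2 3 4 5; do
        client_verdict "$1" "$n"
    done
    echo "router resolver: $(router_resolver "$1") (dns_local_cache=$(nvget "$1" dns_local_cache))"
}

audit "$SAMPLE_NVRAM"
```

On the constructed dump this flags client 1 (Exclusive + Policy Rules, the original poster's setup) as bypassing dnsmasq and client 4 (Disabled + Policy Rules, the working setup above) as keeping Diversion/Unbound but with Unbound's recursion on the WAN side, which is exactly what a DNS leak test would show in each case.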
 
I put together a quick guide on how to set this up, see post #198:
https://www.snbforums.com/threads/unbound-dns-vpn-client-w-policy-rules.67370/page-10
 