Express and NordVPN only accept DNS Exclusive.

[Brainstorm]

I'm trying to implement policy-based routing on my AC86U, but I've found as soon as I set "DNS Configuration" to anything but "Exclusive", DNS leaks occur. Does anyone know how to get around this?

 

[Brainstorm]

My 2 vpn providers won't work with any DNS settings other than Exclusive. Anyone got any ideas how to work around this?

 

[Brainstorm]

Sorry. Should have said I'm running Merlin 386.2.4

 

[eibgrad]

Difficult to imagine the VPN provider would be sensitive to the "Accept DNS configuration" setting given this option is only used to determine how the *local* DNSMasq process is reconfigured once the OpenVPN client gets connected. The VPN provider has no way of forcing you to use a specific DNS server. All he can do is make a suggestion by pushing one or more DNS servers to the OpenVPN client and letting it decide.

Also, the most common reason for DNS leaks in your scenario is due to the use of policy based routing, which has the side-effect of removing the router itself from the VPN. Hence, any processes the router is managing (including DNSMasq) are bound to the WAN/ISP by default.

So let's say the VPN provider pushes a *public* DNS server (e.g., 8.8.8.8) to the VPN client, rather than a *private* DNS server only accessible over the tunnel (e.g., 10.8.0.1), and the client is using Exclusive. That 8.8.8.8 DNS server will necessarily be accessed over the WAN/ISP, unless the VPN provider was smart enough to also include a route directive for 8.8.8.8 that binds it to the VPN (some do, many do NOT). At least that would *normally* work. But Merlin strips out such static routes for reasons I don't agree with.

Given the uncertainty, it's *my* recommendation that you specify "Disabled" for "Accept DNS configuration" and configure DNSMasq w/ your preferred DNS servers (e.g., Cloudflare, 1.1.1.1 and 1.0.0.1), which can be accomplished by configuring the WAN w/ custom servers. Then bind those servers (as destination IPs) to the VPN using policy based routing. Thus in all cases, you know w/ certainty which DNS servers are being used, and via which network interface. If you don't, then you're always going to face a certain level of risk regarding DNS leaks since you are not in control of the entire process.

Of course, another solution is to NOT use traditional DNS at all, but one of the DoT/DoH solutions (e.g., NextDNS). Now it doesn't matter whether DNS is accessed over the WAN or VPN, since in either case, the traffic is encrypted. Not unless you also have a need to obscure the fact you're using non-traditional DNS from your ISP (seems a bit extreme to me, but I suppose it might matter to some).

 

[Brainstorm]

Sorry eibgrad. I read and replied to your later post, didn't even see this one. Let me read and try to understand.....

 

[Brainstorm]

Difficult to imagine the VPN provider would be sensitive to the "Accept DNS configuration" setting given this option is only used to determine how the *local* DNSMasq process is reconfigured once the OpenVPN client gets connected. The VPN provider has no way of forcing you to use a specific DNS server. All he can do is make a suggestion by pushing one or more DNS servers to the OpenVPN client and letting it decide.

Also, the most common reason for DNS leaks in your scenario is due to the use of policy based routing, which has the side-effect of removing the router itself from the VPN. Hence, any processes the router is managing (including DNSMasq) are bound to the WAN/ISP by default.

So let's say the VPN provider pushes a *public* DNS server (e.g., 8.8.8.8) to the VPN client, rather than a *private* DNS server only accessible over the tunnel (e.g., 10.8.0.1), and the client is using Exclusive. That 8.8.8.8 DNS server will necessarily be accessed over the WAN/ISP, unless the VPN provider was smart enough to also include a route directive for 8.8.8.8 that binds it to the VPN (some do, many do NOT). At least that would *normally* work. But Merlin strips out such static routes for reasons I don't agree with.

Given the uncertainty, it's *my* recommendation that you specify "Disabled" for "Accept DNS configuration" and configure DNSMasq w/ your preferred DNS servers (e.g., Cloudflare, 1.1.1.1 and 1.0.0.1), which can be accomplished by configuring the WAN w/ custom servers. Then bind those servers (as destination IPs) to the VPN using policy based routing. Thus in all cases, you know w/ certainty which DNS servers are being used, and via which network interface. If you don't, then you're always going to face a certain level of risk regarding DNS leaks since you are not in control of the entire process.

Of course, another solution is to NOT use traditional DNS at all, but one of the DoT/DoH solutions (e.g., NextDNS). Now it doesn't matter whether DNS is accessed over the WAN or VPN, since in either case, the traffic is encrypted. Not unless you also have a need to obscure the fact you're using non-traditional DNS from your ISP (seems a bit extreme to me, but I suppose it might matter to some).

Just for my own peace of mind.....
Nordvpn is pushing a public DNS address:

PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 103.86.96.100,dhcp-option DNS 103.86.99.100,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,comp-lzo no,route-gateway 10.8.3.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.8.3.6 255.255.255.0,peer-id 4,cipher AES-256-GCM'

and

Express is pushing a private DNS address:

PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.44.0.1,comp-lzo no,route 10.44.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.44.1.170 10.44.1.169,peer-id 100,cipher AES-256-GCM'

So the route-gateway 10.8.3.1 command in the NORD PUSH is the route-directive binding you mentioned? NOT forcing the DNS down the vpn? If my assumption is correct, I can see why that doesn't work, without the router DNS being set to 103.86.96.100.

Express is pushing a private DNS, but the behavior is the same as NORD unless I put the 10.44.0.1 address in the WAN DNS setting. Is that something to with the "ifconfig 10.44.1.170 10.44.1.169" command? NOT forcing the 10.44.0.1 address down the vpn?

Or am I barking up the completely wrong tree?

 

[eibgrad]

As I said, if you're using policy based routing, that removes the router itself from the VPN, so all its processes are bound to the WAN/ISP by default, including DNSMasq, which gets reconfigured based on the "Accept DNS configuration" option.

If NordVPN returns a *public* DNS server (103.86.99.100), then it will be accessed over the WAN/ISP, because that's the default gateway for the router. However, if ExpressVPN returns a *private* IP (10.44.0.1, and when that happens, it's invariably within the same network scope as the tunnel (10.44.0.x)), it will be accessed over the VPN, but only because that network is *known* to be accessible over the VPN (unlike the public IP from NordVPN). IOW, the router doesn't need to rely on the default gateway setting in that case because it has a known, specific route to that IP, which is over the tunnel.

So if you want to force the NordVPN DNS server over the VPN, you'll need to use policy based routing and specify 103.86.99.100 as a destination IP. ExpressVPN does NOT require any further actions.

That's why dealing w/ DNS is so complicated. It's all these fine nuances that determine what DNS servers will be used, and over which network interface.

 

[Brainstorm]

Sorry I appear such a dunce. I think I may be labouring under a misapprehension.
Question:
Does loading Merlin mean I'm using split-tunnelling or policy based routing? Are they the same thing? I don't have x3mRouting loaded at the moment.

I tried Express vpn this morning. It didn't work with openvpn client set for "Strict", and no extra configuration.
Router Log following Express connection....
May 31 09:59:08 ovpn-client3[28879]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.40.0.1,comp-lzo no,route 10.40.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.40.1.38 10.40.1.37,peer-id 79,cipher AES-256-GCM'

I can see from the router log it's pushing a different DNS address (10.40.0.1) than it was a few days ago, and the ifconfig command shows 10.40.1.38. Different subnet, right?
From the Asus openvpn client page, "Service State" it shows me the same address as ifconfig, 10.40.1.38. That's the address of the tunnel, yes?
So the router/openvpn client does NOT know how to reach the DNS because the tunnel and DNS are in different subnets. Is that correct?

I've already realised that because of the Merlin/Express/Nord DNS constraints, this is NEVER going to work for me, but I would like confirmation that my assumptions to date are correct.

 

[eibgrad]

Sorry I appear such a dunce. I think I may be labouring under a misapprehension.
Question:
Does loading Merlin mean I'm using split-tunnelling or policy based routing? Are they the same thing? I don't have x3mRouting loaded at the moment.

Split tunneling and policy based routing refer to the same thing; routing only some traffic over the VPN, while other traffic continues to use the WAN.

I tried Express vpn this morning. It didn't work with openvpn client set for "Strict", and no extra configuration.
Router Log following Express connection....
May 31 09:59:08 ovpn-client3[28879]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.40.0.1,comp-lzo no,route 10.40.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.40.1.38 10.40.1.37,peer-id 79,cipher AES-256-GCM'

I can see from the router log it's pushing a different DNS address (10.40.0.1) than it was a few days ago, and the ifconfig command shows 10.40.1.38. Different subnet, right?
From the Asus openvpn client page, "Service State" it shows me the same address as ifconfig, 10.40.1.38. That's the address of the tunnel, yes?
So the router/openvpn client does NOT know how to reach the DNS because the tunnel and DNS are in different subnets. Is that correct?

That appears to be a misconfiguration on the part of ExpressVPN. Because yes, the DNS server is NOT within the scope of the tunnel (assuming the netmask is /24). A rather unusual situation, and I can see why it's been confusing if that's been happening regularly.

As I stated initially, I use ExpressVPN myself, but I don't rely on the DNS servers from the VPN provider anyway. So it's not something I've noticed in my own usage. I just refer to my own preferred public DNS servers and bind them to the VPN using policy based routing. Because there's still the chance some VPN provider will refer to a public DNS server. And w/ policy based routing enabled, it will be routed over the WAN.

 

[Brainstorm]

To get Express working with "Strict", then, I must bind the DNS 10.40.0.1 to the VPN using pbr, AND put the 10.40.0.1 adddress in my router WAN DNS settings? Is that correct?

And you use your own preferred public DNS servers; bind them to the VPN using pbr; set "Accept DNS Configuration" to "STRICT", and also put your DNS address in the router WAN? Is that correct?

Every which way, if I want to use pbr (Merlin) with Express or Nord, I must change my router WAN DNS to whichever DNS I decide to use, because dnsmasq (I had to google that to find out what it is) and other router processes will then ALWAYS look to the WAN for a route out.

And thanks for clearing up my split tunnelling/pbr query.

x3mRouting is still pbr, just expanded so things like to domain names can be used as policy, yes?

 

[eibgrad]

To get Express working with "Strict", then, I must bind the DNS 10.40.0.1 to the VPN using pbr, AND put the 10.40.0.1 adddress in my router WAN DNS settings? Is that correct?

As you described the situation, the setting for "Accept DNS configuration" is NOT really the issue. If the VPN provider is specifying a DNS server that is NOT within the scope of the tunnel, then the DNS server is presumably unreachable! It's an invalid configuration on the part of the VPN provider, NOT you.

The reason Exclusive doesn't work in the above scenario is because that setting tells the router it should *only* use the DNS server being pushed by the VPN provider. But it's NOT working! So you lose DNS completely. OTOH, if you specify Strict, it will first *try* the VPN provider's DNS server, and if it fails, fall back to the default DNS server(s) defined on the WAN. So DNS will still be working, but you now have a DNS leak.

Either way, Strict or Exclusive, you end up NOT using the VPN provider's DNS server since it is misconfigured.

And you use your own preferred public DNS servers; bind them to the VPN using pbr; set "Accept DNS Configuration" to "STRICT", and also put your DNS address in the router WAN? Is that correct?

I specify 1.1.1.1 and 1.0.0.1 on the WAN as custom DNS servers. Then I set "Accept DNS configuration" to Disabled. I don't care about the VPN provider's DNS servers. I want to avoid all these problems w/ misconfigured DNS servers, sometimes the DNS server being in the public IP space rather than the private IP space of the tunnel, the implications that has when it comes to PBR, etc. I avoid all that nonsense by binding 1.1.1.1 and 1.0.0.1 to the VPN using PBR.

By doing the above, 1.1.1.1 and 1.0.0.1 are bound to the VPN whenever the VPN is active. When inactive, they are bound to the WAN. Simple. I don't have to worry about all these other issues.

x3mRouting is still pbr, just expanded so things like to domain names can be used as policy, yes?

That's my understanding. But I don't use it, so I'm no expert on it. But it's irrelevant to this discussion, unless you're using it in place of the GUI to implement PBR.

 

[Brainstorm]

I think we've got our wires crossed. Both Nord and Express are "Pushing" DNS addresses that are not in the same subnet as the tunnel address.
NORD:
PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 103.86.96.100,dhcp-option DNS 103.86.99.100,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,comp-lzo no,route-gateway 10.8.2.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.8.2.15 255.255.255.0,peer-id 13,cipher AES-256-GCM'

Express:
PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.198.0.1,comp-lzo no,route 10.198.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.198.1.186 10.198.1.185,peer-id 39,cipher AES-256-GCM'

And both work fine, when DNS is set to Exclusive.

And so, if I set DNS to strict, and the first choice DNS is the one pushed by the vpn provider, why doesn't that work also?

 

[Brainstorm]

"No Answer" came the stern reply.
Am I just asking completely stupid questions?
Anyone?

 

[eibgrad]

I had to look a little deeper to make sure I understood what was happening, and that took some time. Here's what I'm seeing. At least when it comes to ExpressVPN (since it's my own VPN provider).

A fundamental problem here is that ExpressVPN is pushing a DNS server that is NOT within the scope of the tunnel (I don't know if it's true all the time, but even once is enough to be a concern). And although ExpressVPN is also pushing a route directive that tells the router to bind that IP address to the VPN, the router is NOT honoring it. It effectively ignores it. And I happen to know why. It's an issue I raised w/ @RMerlin a few months ago, to no avail.

DNS-over-TLS (NextDNS) & OpenVPN

You can't have the router automatically manage routes based on the webui config AND add your own custom routes and expect the router to magically guess which routes should be left untouched in main and which should be moved... Pick one method, not both. If you want the router's DoT queries to...

www.snbforums.com

I knew sooner or later it would come back to bite someone.

Now add the fact the router configures the router differently wrt DNS depending on whether you specify Exclusive or Strict for "Accept DNS configuration", and things get mighty confusing.

When I was testing and specified Exclusive (w/ Routing Policy set to Strict), I found the router would NOT reconfigure DNSMasq w/ the push'd DNS server from ExpressVPN. Instead, it would create a PREROUTING rule in the NAT table to force the source IPs defined in Policy Routing to use that DNS server. As a result, those clients NOT bound to the VPN would find DNS working, but it was bound to the ISP's DNS servers over the WAN. Meantime, because the router did NOT bind the DNS server pushed by ExpressVPN to the VPN (as I described above), those clients bound to the VPN did NOT having a working DNS.

If I then specified Strict for "Accept DNS configuration", the router reconfigured DNSMasq to use the DNS server pushed by ExpressVPN, so *all* clients would be affected. But again, the ExpressVPN DNS server was unreachable since it was not bound to the VPN. But at least DNS would work for all clients since the ISP's DNS servers were still available as a fallback.

If you are experiencing different behavior than the above, then I can't explain it. Something else must be different between you and me. In the end, I'm not sure it matters since it seems the real problem is the fact the push'd DNS server is NOT reachable.

It's always been my recommendation (even beyond this specific problem) that users define custom DNS servers on the WAN (e.g., 8.8.8.8 and 8.8.4.4), configure the VPN w/ "Accept DNS configuration" set to Disabled, and bind those same DNS servers using policy based routing (as destination IPs) to the VPN. So when the VPN is NOT active, 8.8.8.8 and 8.8.4.4 are accessed over the WAN. When the VPN is active, you're using the same servers, but they're now accessed over the VPN. It avoids all this nonsense w/ push'd DNS servers NOT being within the scope of the tunnel, the router refusing to bind them to the tunnel, this handling of DNS for VPN and non-VPN clients differently, etc. It just makes things simpler and more predictable.

 

[Brainstorm]

Top sleuthing eibgrad. Please forgive my impatience.
I'll do some more testing and come back to you.
As a matter of interest, how do you interrogate DNSMasq, NAT table etc? Are there gui tools, or is it on the command line?

 

[eibgrad]

I use ssh and the command line.

iptables -vnL
iptables -t nat -vnL
iptables -t nat -vnL DNSVPN1
cat /tmp/etc/dnsmasq.conf
cat /tmp/resolv.dnsmasq
...

 

[Brainstorm]

Very briefly took a look at this this morning, after reading DNS over TLS etc....I don't pretend to understand most of that discussion. Some I recognise...

If I set Express to Exclusive. it works, unblocks the streams I want.
Set to Exclusive, I cannot ping or traceroute the pushed DNS, 10.40.0.1.
Using iptables -t nat -vnL, I can see an entry for DNSVPN3, which is my Express vpn (please excuse the woody cut and paste)

Chain PREROUTING (policy ACCEPT 1466 packets, 255K bytes)
pkts bytes target prot opt in out source destination
3 180 DNSVPN3 tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
460 31493 DNSVPN3 udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
42 2512 DNSVPN4 tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
3640 249K DNSVPN4 udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
4759 194K ACCEPT all -- eth0 * 0.0.0.0/0 224.0.0.0/4
28 1371 GAME_VSERVER all -- * * 0.0.0.0/0 100.64.45.208
28 1371 VSERVER all -- * * 0.0.0.0/0 100.64.45.208

Once I set it to Strict, it no longer works, and the Chain PREROUTING entry for DNSVPN3 disappears...

I use DDNS to facilitate the Express Mediastreamer option. If my vpn is off, in my account it registers my actual IP Address, and DNS leak test points me at a USA DNS, operated by them.
Once I activate a vpn, I see this message in my account....

"Looks like you’re connected to ExpressVPN with the app. All ExpressVPN IP addresses are automatically registered for DNS, so you don’t have to register this specific IP address."

Does that have any bearing on how the vpn is working despite the fact the pushed DNS is a different network address to the tunnel, and appears unreachable?
The more I look, the more confused I become....

 

[RMerlin]

You need Exclusive Mode. Otherwise, clients that use an hardcoded DNS (like the Android version of Netflix) will not use the DNS server that you want, and will use an hardcoded DNS server. Netflix is hardcoded to use 8.8.8.8.

The only other alternative is to use DNSFilter to bypass that - this is basically what Exclusive mode does, by using the same redirection technology as DNSFilter.

 

[eibgrad]

Very briefly took a look at this this morning, after reading DNS over TLS etc....I don't pretend to understand most of that discussion. Some I recognise...

If I set Express to Exclusive. it works, unblocks the streams I want.
Set to Exclusive, I cannot ping or traceroute the pushed DNS, 10.40.0.1.
Using iptables -t nat -vnL, I can see an entry for DNSVPN3, which is my Express vpn (please excuse the woody cut and paste)

Chain PREROUTING (policy ACCEPT 1466 packets, 255K bytes)
pkts bytes target prot opt in out source destination
3 180 DNSVPN3 tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
460 31493 DNSVPN3 udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
42 2512 DNSVPN4 tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
3640 249K DNSVPN4 udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
4759 194K ACCEPT all -- eth0 * 0.0.0.0/0 224.0.0.0/4
28 1371 GAME_VSERVER all -- * * 0.0.0.0/0 100.64.45.208
28 1371 VSERVER all -- * * 0.0.0.0/0 100.64.45.208

Once I set it to Strict, it no longer works, and the Chain PREROUTING entry for DNSVPN3 disappears...

I use DDNS to facilitate the Express Mediastreamer option. If my vpn is off, in my account it registers my actual IP Address, and DNS leak test points me at a USA DNS, operated by them.
Once I activate a vpn, I see this message in my account....

"Looks like you’re connected to ExpressVPN with the app. All ExpressVPN IP addresses are automatically registered for DNS, so you don’t have to register this specific IP address."

Does that have any bearing on how the vpn is working despite the fact the pushed DNS is a different network address to the tunnel, and appears unreachable?
The more I look, the more confused I become....

If you recall, I suggested you change your configuration to specify your preferred DNS servers on the WAN, then bind those to the VPN using routing policy, as well as setting "Accept DNS configuration" to Disabled. By doing so, you will eliminate the DNS leaks (which was the point of your original post), eliminate this issue w/ the ExpressVPN DNS server NOT being reachable, as well as get away from this issue of Exclusive vs. Strict (which seems to be a secondary issue).

Why haven't you tried this?

 

[Brainstorm]

I HAVE tried it. When you suggested it.
Works with Express, but although I haven't measured the speed, everything seems noticeably slower.
However, that approach doesn't work with Nordvpn at all. Weird results with Netflix (Most of my stuff was no longer available), Prime knew I was using a vpn, BBC the same. And NORD is much better with some applications than Express, so I really want to use both.
And I tried all sorts of combinations of DNS filtering (not at the same time as setting the DNS as you suggested). That left me with "No connection to the Internet" a lot of the time...