Xentrk
Part of the Furniture
I don't understand the concern. I don't see where it contradicts the Wiki you quoted. If a client is defined to use the WAN interface, then it will use the DNS specified on the WAN page, or the ISP's if a DNS was not specified, rather than the DNS of the VPN tunnel.

Yes, NordVPN push their DNS server through and it has the same IP as the main server, but only when there are no exceptions to the basic rule, which is:
All traffic 10.4.0.0/28 0.0.0.0 VPN
As soon as I introduce any exceptions such as:-
ntp Sydney 10.4.0.2 203.35.xx.xx WAN
then the DNS becomes that set on the WAN of the router for that device (10.4.0.2)
I notice that other devices on the network are not affected by this as long as they don't have any exceptions to the basic rule.
This is contrary to what is said here by Merlin himself:-
https://github.com/RMerl/asuswrt-merlin/wiki/Policy-based-routing
DNS behaviour
For best results it's recommended to configure "Accept DNS configuration" to Exclusive. When combined with Policy based routing, this means that all clients that are configured to go through the VPN will use the DNS servers provided by the VPN tunnel, but those configured to go through the WAN will keep using the ISP's DNS.
Note that if there are multiple rules for a given client's IP (for instance if it has one rule stating that all its traffic is to go through the VPN, and an exception rule stating that traffic for a specific destination IP is to be kept through the WAN), all of its name resolution will still go through the VPN server's specified DNS. This is because the router has no way of knowing if the DNS query is related to a specific destination. Therefore, the safest behaviour gets used, and all the queries done by that client will use the VPN server's DNS.
I note that there are others who have asked about this also and have been stumped...
I have never tested with specifying all of my LAN clients using CIDR notation. With my use case, I have to list each client separately. I wrote a script to automate the process so I don't have to key them into the web GUI page.
There are priorities in the routing rules.
Is the ntp Sydney 10.4.0.2 203.35.xx.xx WAN entry listed above the 10.4.0.0/28 0.0.0.0 VPN entry in the web GUI?
What are the results of the ip rule command from an SSH session? The lower the priority number in the first column, the higher the priority.
You can try a test. Here is my theory.
If the 10.4.0.0/28 0.0.0.0 VPN entry has a lower priority number than the ntp Sydney 10.4.0.2 203.35.xx.xx WAN entry, it has a higher priority. In theory, 10.4.0.2 will first match the 10.4.0.0/28 rule, which will prevent 10.4.0.2 from traveling to the WAN interface.
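As an added example (not code from the post or from the firmware), here is a small first-match simulation over constructed `ip rule show` output, to check the theory above: the priority numbers, the `ovpnc1` table name and the 203.35.1.2 address are assumptions for illustration only.

```python
import ipaddress
import re

# Constructed `ip rule show` output: the host-specific WAN exception sits at a
# lower (higher-priority) number than the CIDR VPN rule. Priorities, table name
# and the 203.35.1.2 address are made up for this example.
RULES_WAN_FIRST = """\
0:      from all lookup local
10001:  from 10.4.0.2 to 203.35.1.2 lookup main
10101:  from 10.4.0.0/28 lookup ovpnc1
32766:  from all lookup main
32767:  from all lookup default
"""

# Same two policy rules, priorities swapped: the CIDR VPN rule is walked first.
RULES_VPN_FIRST = """\
0:      from all lookup local
10001:  from 10.4.0.0/28 lookup ovpnc1
10101:  from 10.4.0.2 to 203.35.1.2 lookup main
32766:  from all lookup main
32767:  from all lookup default
"""

RULE_RE = re.compile(r"^(\d+):\s+from (\S+)(?: to (\S+))?\s+lookup (\S+)")

def to_net(text):
    """'all' or a missing selector means any address (0.0.0.0/0)."""
    if text is None or text == "all":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(text, strict=False)  # bare host -> /32

def parse_rules(text):
    """Parse `ip rule show` lines into (priority, src_net, dst_net, table),
    sorted ascending because the kernel walks rules in that order."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            prio, src, dst, table = m.groups()
            rules.append((int(prio), to_net(src), to_net(dst), table))
    return sorted(rules, key=lambda r: r[0])

def lookup_table(rules, src, dst):
    """Return (priority, table) of the first rule matching src -> dst. The
    'local' table only holds the router's own addresses, so a remote
    destination falls through it."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for prio, snet, dnet, table in rules:
        if table != "local" and s in snet and d in dnet:
            return prio, table
    return None

def route_for_ntp(rules_text, client="10.4.0.2", ntp_server="203.35.1.2"):
    return lookup_table(parse_rules(rules_text), client, ntp_server)
```

This only shows which routing rule wins for one flow; it says nothing about where the client's DNS queries go, which is the behaviour the quoted wiki text describes.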