
Important tip for VPN services on OpenVPN


paulbates

Regular Contributor
If you are using or getting a VPN service, and configuring a client for it over OpenVPN on your Asus router, be aware of this necessary router configuration step that may not be in the provider's documentation:

After you load your VPN provider's .ovpn file and add your credentials,
but before you click "Apply":

Scroll down to the "Accept DNS Config" setting and change it to "Exclusive"

The default setting is "Disabled", and the impact of leaving it "Disabled" is that your DNS queries will route through your VPN provider and right back to your ISP's DNS... exactly what you might be trying to avoid... not only a performance hit, but also an opportunity for activity logging or injection attacks. If you had manually configured DNS under WAN, the DNS queries will go there with the "Disabled" setting... typically you don't want this either, but rather a protected DNS controlled by your provider.

(If you are making this change after setting up the VPN, turn the Service State off first, make the change, then turn it back on)

You can validate proper DNS configuration state before and after by visiting https://dnsleaktest.com. Ideally you should see only one DNS listed, its IP should be relatively close to your assigned VPN IP, and the ISP's name should be associated with your VPN provider... not Comcast, etc.

Paul
 
If you are using or getting a VPN service, and configuring a client for it over OpenVPN on your Asus router....

Ideally you should see only one DNS listed

Hmm really? o_O

Unfortunately determining which DNS is used (ISP or VPN provider) can be confusing for users.

e.g. Assuming that 'Accept DNS configuration=Exclusive', what is the difference (if any! ;-) between the two 'WAN' target Policy Rules:
Code:
Everything   192.168.1.0/24 0.0.0.0 VPN
Via_WAN      0.0.0.0 xxx.xxx.xxx.xxx WAN
Via_WAN      192.168.1.123 xxx.xxx.xxx.xxx WAN
i.e. the intention is that ALL devices on the LAN should always use the WAN for accessing emails held on the ISP SMTP Server xxx.xxx.xxx.xxx

P.S. I prefer https://ipleak.net to "validate" my VPN connection etc.
 
Hi Martineau
Fair comment and I should clarify I am in the 1% of VPN users you mentioned the other day in your response in another posting. I'm looking for all client traffic to be routed by default through the VPN and their DNS, the exception being devices like roku because netflix won't function via VPN.

When 'Accept DNS Configuration' was "Disabled", I ran a couple of the leak test sites, which showed that my VPN routed clients were all assigned the ISP's (Comcast's) DNS. The clients were routing through the VPN provider, and through the internet back to Comcast.

I rebooted the router and the devices, no change. If I left Accept DNS Configuration "disabled" and set the DNS to OpenDNS in the WAN tab, it showed that these same clients were pointing to OpenDNS.

When I set Accept DNS Configuration to "Exclusive", it showed that all VPN routed clients had the VPN provider's DNS. While I have IoT devices in the house, and they run fine over VPN, I have servers but they do not need to service traffic initiated from the WAN:

Code:
Default to VPN    192.168.0.0/24    0.0.0.0    VPN
Roku to WAN       192.168.0.10      0.0.0.0    WAN
MBP WAN           192.168.0.11      0.0.0.0    WAN

As an edit to my original post, I would suggest at a minimum that after picking and configuring a VPN service, a leak test be run to confirm that it's meeting the objectives. (ipleak.com caused Trend Micro's malware warning to pop up so I did not try it).

Paul
 
Code:
Default to VPN    192.168.0.0/24    0.0.0.0    VPN
Roku to WAN       192.168.0.10      0.0.0.0    WAN
MBP WAN           192.168.0.11      0.0.0.0    WAN

Yes I do know that you are the exception :p...but unless you have manually removed/overridden your ISP DNS ('WAN DNS Setting->Connect to DNS Server automatically=No' etc.) then are you 100% sure the devices .10 & .11 are still using the VPN DNS exclusively?

Probably they are, but you should check using:
Code:
iptables -nvL DNSVPN1 --line -t nat

Also there will be a message in syslog for each device that is no longer using the VPN DNS:

Code:
RT-AC68U user.warn openvpn-updown: Excluding xxx.xxx.xxx.xxx from forced DNS routing

(ipleak.com caused Trend Micro's malware warning to pop up so I did not try it).

P.S. It is https://ipleak.net not ipleak.com :rolleyes:
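To make the check above less error-prone for users, here is an added example (not code from the thread or from the router firmware) that parses the output of `iptables -nvL DNSVPN1 --line -t nat` and the `openvpn-updown: Excluding ... from forced DNS routing` syslog lines, and reports per LAN client whether its DNS is forced into the tunnel. It assumes the chain layout described in the comments (one RETURN per host that is policy-routed to the WAN, followed by a DNAT of the LAN subnet to the VPN provider's DNS); the sample chain output, the syslog lines and the VPN DNS address 10.8.0.1 are all constructed for the example, and 192.168.0.12 is deliberately present only in the syslog sample to show the cross-check firing.

```python
"""Report where each LAN client's DNS queries go, from the DNSVPN1 nat chain.

Added example; the chain layout below is an assumption about the firmware,
not verified against any specific build.
"""
import ipaddress
import re
from typing import NamedTuple, Optional

# Constructed sample output of `iptables -nvL DNSVPN1 --line -t nat`.
# Assumed layout: a RETURN for each host that is policy-routed to the WAN
# (its DNS is NOT forced into the tunnel), then a DNAT of the whole LAN to
# the VPN DNS. 10.8.0.1 is a placeholder for the provider's DNS.
SAMPLE_CHAIN = """\
Chain DNSVPN1 (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1       12   768 RETURN     all  --  *      *       192.168.0.10         0.0.0.0/0
2        3   192 RETURN     all  --  *      *       192.168.0.11         0.0.0.0/0
3     1540 98560 DNAT       all  --  *      *       192.168.0.0/24       0.0.0.0/0            to:10.8.0.1
"""

# Constructed syslog lines in the format quoted in the thread. The third host
# has no RETURN in SAMPLE_CHAIN, so the cross-check should flag it.
SAMPLE_SYSLOG = [
    "Jan  1 00:00:01 RT-AC68U user.warn openvpn-updown: Excluding 192.168.0.10 from forced DNS routing",
    "Jan  1 00:00:01 RT-AC68U user.warn openvpn-updown: Excluding 192.168.0.11 from forced DNS routing",
    "Jan  1 00:00:02 RT-AC68U user.warn openvpn-updown: Excluding 192.168.0.12 from forced DNS routing",
]


class Rule(NamedTuple):
    num: int
    target: str
    source: ipaddress.IPv4Network
    dnat_to: Optional[str]  # address after "to:" on DNAT rules, else None


# Columns with -nvL --line: num pkts bytes target prot opt in out source destination [extra]
RULE_RE = re.compile(
    r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\S+\s+\S+\s+\S+\s+\S+\s+(\S+)\s+(\S+)(.*)$"
)
SYSLOG_RE = re.compile(r"openvpn-updown: Excluding (\S+) from forced DNS routing")


def parse_dnsvpn_chain(text: str) -> list[Rule]:
    """Turn the iptables listing into ordered Rule objects; header lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        num, target, src, _dst, extra = m.groups()
        to = re.search(r"to:(\S+)", extra)
        rules.append(Rule(int(num), target, ipaddress.ip_network(src, strict=False),
                          to.group(1) if to else None))
    return rules


def dns_target(rules: list[Rule], client_ip: str):
    """First-match walk of the chain, like netfilter does.

    Returns ('RETURN', None) if the host is excluded from forced DNS,
    ('DNAT', dns_ip) if its port-53 traffic is redirected to the VPN DNS,
    and (None, None) if no rule covers the host at all.
    """
    ip = ipaddress.ip_address(client_ip)
    for r in rules:
        if ip in r.source:
            return r.target, r.dnat_to
    return None, None


def exclusive_mode_active(rules: list[Rule]) -> bool:
    """With 'Accept DNS Configuration=Exclusive' there must be at least one DNAT."""
    return any(r.target == "DNAT" for r in rules)


def excluded_from_syslog(lines) -> set[str]:
    """Hosts the firmware logged as excluded from forced DNS routing."""
    return {m.group(1) for line in lines if (m := SYSLOG_RE.search(line))}


def cross_check(rules: list[Rule], syslog_lines) -> list[str]:
    """Hosts syslog calls excluded but which no longer hit a RETURN in the chain
    (a stale log, or rules re-applied after a policy change)."""
    return sorted(ip for ip in excluded_from_syslog(syslog_lines)
                  if dns_target(rules, ip)[0] != "RETURN")


def report(rules: list[Rule], clients) -> dict:
    out = {}
    for c in clients:
        target, dns = dns_target(rules, c)
        if target == "DNAT":
            out[c] = f"forced to VPN DNS {dns}"
        elif target == "RETURN":
            out[c] = "excluded: uses WAN/router DNS"
        else:
            out[c] = "no rule: not forced"
    return out


if __name__ == "__main__":
    rules = parse_dnsvpn_chain(SAMPLE_CHAIN)
    print("Exclusive mode active:", exclusive_mode_active(rules))
    for ip, what in report(rules, ["192.168.0.10", "192.168.0.11", "192.168.0.50"]).items():
        print(f"{ip:16} {what}")
    print("syslog/chain mismatches:", cross_check(rules, SAMPLE_SYSLOG))
```

On a real router, pipe the live listing in instead of the sample (`iptables -nvL DNSVPN1 --line -t nat` over SSH) and grep `/tmp/syslog.log` for the "Excluding" lines; a client that lands on "no rule" or "excluded" while you expected it to use the VPN DNS is exactly the case a leak test site would show as the ISP's resolver.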
 
I want to add that I personally at home route 3 x of my devices over the VPN tunnel running on my router. I use "policy based" routing, and my setup looks like this:
[Image: VPN Client.PNG]


I then set a DNSFilter:
[Image: DNS Filter.PNG]


Which looks like this:
[Image: IPTable.PNG]


So I can leave DNS as "Disabled" in the VPN Client page, but also still ONLY push my VPN providers DNS servers to my VPN clients.

So yes, your topic is spot on. Doesn't make much sense to use a VPN if you are only going to route all your DNS queries outside of the tunnel.

For this I also use a Pi-Hole with DNSCrypt running on it so my DNS queries that are NOT over the VPN clients, are also encrypted:
[Image: PiHole - DNSCrypt.PNG]
 
For this I also use a Pi-Hole with DNSCrypt running on it so my DNS queries that are NOT over the VPN clients, are also encrypted:
It's a detail but still important: DNSCrypt is NOT encrypting your DNS requests but signing them to ensure that they are authentic from the DNS server (not manipulated) - the communication is clear text! :rolleyes:
 
It's a detail but still important: DNSCrypt is NOT encrypting your DNS requests but signing them to ensure that they are authentic from the DNS server (not manipulated) - the communication is clear text! :rolleyes:
That is incorrect. DNSCrypt secures and encrypts 'Last Mile' dns traffic between you and the DNSCrypt servers preventing eavesdropping and MiM attacks on your DNS traffic by your ISP / network operator.

Sent from my A0001 using Tapatalk
 
DNSSEC is the one that will sign DNS zone content, to ensure there's no tampering involved.
 
