Issue with Accept DNS Configuration strict and Diversion/YazFi/VPN

adid

Hi,

I have Asus Merlin 384.13 on a RT-AC68U.
My LAN network is 192.168.2.0/24
I have two other networks created by YazFi (192.168.3.0/24 and 192.168.4.0/24) and they are used for VPN.

I have installed diversion and I have followed the recommendation from merlin page
to use DNS configuration strict and add a DNS in the settings like
dhcp-option DNS 1.1.1.1 (in fact I used my VPN's DNS servers instead of 1.1.1.1).

All works well and ads are blocked for both VPN and non-vpn clients but there is an issue.

With the above configuration, the non-VPN clients get the VPN DNS as their DNS server when I test the IP and DNS server.
I tried to switch to 1.1.1.1 but again the non-VPN clients get the VPN DNS!

I cannot understand how this is possible, and I suspect some issue with strict not working correctly?

Generally I wouldn't mind this happening (like the non-VPN clients using the VPN DNS) but the issue is that in this case Netflix doesn't work for some reason (all other sites work fine).

Any help would be really appreciated
 

DNS Behavior
The Accept DNS Configuration setting determines DNS behavior for clients connected to the OpenVPN Client.

“Accept DNS Configuration” set to “Exclusive”
When combined with Policy Rules based routing, all clients configured to use the VPN will use the DNS servers provided by the VPN tunnel. LAN Clients configured to go through the WAN will use the DNS configured in the WAN Settings Screen.

The disadvantage of setting “Accept DNS configuration” to “Exclusive” when using Policy Rules is that DNSMASQ will be bypassed since the VPN tunnel will exclusively use the DNS of the VPN Provider. The popular Diversion ad blocker program, written for the Asuswrt-Merlin firmware, will not work since Diversion requires the features of DNSMASQ. Diversion will work over the VPN tunnel when “Accept DNS configuration” is set to “Exclusive” and Policy Rules are disabled by setting “Redirect Internet Traffic” to “All”.

There are two options available if you want the OpenVPN client to use DNSMASQ when using Policy Rules. This is done by setting “Accept DNS Configuration” to either “Strict” or “Disabled”.

“Accept DNS Configuration” set to “Strict”
If you set Accept DNS Configuration to “Strict”, you must then specify the DNS server for the VPN tunnel to use by adding the dhcp-option DNS command in the Custom Configuration section per the example below.

dhcp-option DNS 1.1.1.1

“Accept DNS Configuration” set to “Disabled”
My preferred recommendation is to set “Accept DNS Configuration” to “Disabled” and install Stubby DNS over TLS. Stubby DNS over TLS will encrypt DNS queries for all devices on the network.

Accept DNS Configuration Definitions
For reference, the definition of the Accept DNS Configuration field values are as follows:
  • Disabled: DNS servers pushed by VPN provided DNS server are ignored.
  • Relaxed: DNS servers pushed by VPN provided DNS server are prepended to the current list of DNS servers, of which any can be used.
  • Strict: DNS servers pushed by the VPN provided DNS server are prepended to the current list of DNS servers, which are used in order. Existing DNS servers are only used if VPN provided ones don’t respond.
  • Exclusive: Only the pushed VPN provided DNS servers are used.
 
Thanks Xentrk, I have read the page you sent before posting, so I understand
that when you use strict it prepends to existing. But what I don't understand is that
either if I use dhcp-option DNS 1.1.1.1 or dhcp-option DNS <my vpn's dns>
I always get my VPN's DNS as DNS server.
It seems like strict doesn't really take into account the dhcp-option and always prepends the
ones pushed by the VPN.
 

I can't duplicate the issue. I have DNS capitalized in the (dhcp-option DNS 9.9.9.9) command if that makes a difference.

My provider recently started using Cloudflare DNS. So when I run a test, DNS appears as Cloudflare in the location of the VPN Server. For a test, I have Accept DNS Configuration = Exclusive and Internet Traffic = Policy Rules (Strict)
Code:
iptables --line -t nat -nvL DNSVPN5

Chain DNSVPN5 (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DNAT       all  --  *      *       172.16.0.115         0.0.0.0/0            to:1.1.1.1

Code:
iptables --line -t nat -nvL PREROUTING | grep DNSVPN
2        0     0 DNSVPN5    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
3    16449 1113K DNSVPN5    udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53

Code:
nvram get vpn_client5_adns
3

Code:
cat /tmp/etc/openvpn/fw/client5-dns.sh

#!/bin/sh
/usr/sbin/iptables -t nat -N DNSVPN5
/usr/sbin/iptables -t nat -A DNSVPN5 -s 172.16.0.115 -j DNAT --to-destination 1.1.1.1
/usr/sbin/iptables -t nat -I PREROUTING -p udp -m udp --dport 53 -j DNSVPN5
/usr/sbin/iptables -t nat -I PREROUTING -p tcp -m tcp --dport 53 -j DNSVPN5


I add

Code:
dhcp-option DNS 9.9.9.9

to the Custom Config section and the LAN client 192.168.22.152 to the list.

Code:
# iptables --line -t nat -nvL DNSVPN5
Chain DNSVPN5 (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DNAT       all  --  *      *       172.16.0.115         0.0.0.0/0            to:9.9.9.9
2       11   745 DNAT       all  --  *      *       192.168.22.152       0.0.0.0/0            to:9.9.9.9

Code:
iptables --line -t nat -nvL PREROUTING | grep DNSVPN
1        0     0 DNSVPN5    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
2       22  1533 DNSVPN5    udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53

Code:
cat /tmp/etc/openvpn/fw/client5-dns.sh

#!/bin/sh
/usr/sbin/iptables -t nat -N DNSVPN5
/usr/sbin/iptables -t nat -A DNSVPN5 -s 172.16.0.115 -j DNAT --to-destination 9.9.9.9
/usr/sbin/iptables -t nat -A DNSVPN5 -s 192.168.22.152 -j DNAT --to-destination 9.9.9.9
/usr/sbin/iptables -t nat -I PREROUTING -p udp -m udp --dport 53 -j DNSVPN5
/usr/sbin/iptables -t nat -I PREROUTING -p tcp -m tcp --dport 53 -j DNSVPN5

When I go to DNS Leak Test site, it reports Quad 9 DNS (aka WoodyNet).
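Added diagnostic, not code from the thread or from Asuswrt-Merlin: it parses the `iptables --line -t nat -nvL DNSVPNx` listing and /tmp/resolv.dnsmasq in the formats posted above and reports, per LAN client, whether port-53 traffic is DNAT'd to a resolver before dnsmasq sees it (the Exclusive behaviour) or falls through to dnsmasq's upstream list in file order (the Strict definition given earlier). The sample listing and resolv file are constructed, the VPN-pushed resolver 10.9.0.1 is assumed, and the tool models the documented behaviour, so it predicts the expected result rather than the anomaly the thread is chasing.

```python
"""Added diagnostic (not from the thread or from Asuswrt-Merlin): given the
`iptables --line -t nat -nvL DNSVPNx` listing and /tmp/resolv.dnsmasq, say
where a LAN client's port-53 traffic actually ends up."""
import ipaddress
import re

# Constructed listing in the format of `iptables --line -t nat -nvL DNSVPN5`
# shown above; the 192.168.22.152 rule mirrors the post, the rest is made up.
DNSVPN_LISTING = """\
Chain DNSVPN5 (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DNAT       all  --  *      *       172.16.0.115         0.0.0.0/0            to:9.9.9.9
2       11   745 DNAT       all  --  *      *       192.168.22.152       0.0.0.0/0            to:9.9.9.9
"""

# Constructed /tmp/resolv.dnsmasq as it looks under Strict: the dhcp-option
# server, an assumed VPN-pushed 10.x resolver, and a domain-specific server.
RESOLV_DNSMASQ = """\
server=1.1.1.1
server=10.9.0.1
server=/Speedport/192.168.1.1
"""

# Assumption: resolvers known to be pushed by the VPN (taken from the
# PUSH_REPLY line in the system log on a real router).
VPN_PUSHED = {"10.9.0.1"}


def parse_dnsvpn_chain(listing):
    """Return (references, [(source_network, dnat_destination), ...])."""
    references = 0
    rules = []
    for line in listing.splitlines():
        m = re.match(r"Chain \S+ \((\d+) references\)", line)
        if m:
            references = int(m.group(1))
            continue
        cols = line.split()
        # Rule lines: num pkts bytes target prot opt in out source destination [to:X]
        if len(cols) >= 10 and cols[3] == "DNAT" and cols[0].isdigit():
            target = next((c[3:] for c in cols if c.startswith("to:")), None)
            rules.append((ipaddress.ip_network(cols[8], strict=False), target))
    return references, rules


def parse_resolv_dnsmasq(text):
    """Return upstream servers in file order, skipping server=/domain/ip entries."""
    servers = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("server=") and not line.startswith("server=/"):
            servers.append(line[len("server="):])
    return servers


def effective_dns(client_ip, references, rules, servers):
    """Where does this client's DNS go?

    ("dnat", ip)       -> a DNAT rule rewrites port 53 before dnsmasq sees it
    ("dnsmasq", [...]) -> no rule matched, or the chain has 0 references (it was
                          never hooked into PREROUTING, as in the Strict listings
                          posted in this thread); dnsmasq forwards using this list
    """
    ip = ipaddress.ip_address(client_ip)
    if references > 0:
        for net, dest in rules:
            if ip in net:
                return ("dnat", dest)
    return ("dnsmasq", list(servers))


def leak_check(client_ip, uses_vpn, references, rules, servers, vpn_pushed=VPN_PUSHED):
    """Flag a WAN-routed client whose first-choice resolver is VPN-pushed (the
    symptom described in the thread). Returns a short verdict string."""
    kind, where = effective_dns(client_ip, references, rules, servers)
    first = where if kind == "dnat" else (where[0] if where else None)
    if not uses_vpn and first in vpn_pushed:
        return f"LEAK: {client_ip} bypasses the VPN but resolves via {first}"
    return f"ok: {client_ip} -> {kind} {first}"


if __name__ == "__main__":
    refs, dnat_rules = parse_dnsvpn_chain(DNSVPN_LISTING)
    upstream = parse_resolv_dnsmasq(RESOLV_DNSMASQ)
    for client, via_vpn in (("192.168.22.152", True), ("192.168.22.7", False)):
        print(leak_check(client, via_vpn, refs, dnat_rules, upstream))
```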
 
Thanks for your time Xentrk
I have completely different behavior than yours when it comes to strict

Here is with exclusive and Policy routing (it's similar to yours)

Code:
iptables --line -t nat -nvL DNSVPN2
Chain DNSVPN2 (2 references)
num   pkts bytes target     prot opt in     out     source               destination        
1     1847  121K DNAT       all  --  *      *       192.168.3.0/24       0.0.0.0/0            to:<my VPN's pushed DNS>
2        0     0 DNAT       all  --  *      *       192.168.4.0/24       0.0.0.0/0            to:<my VPN's pushed DNS>
3     3724  253K DNAT       all  --  *      *       192.168.2.100        0.0.0.0/0            to:<my VPN's pushed DNS>
Code:
iptables --line -t nat -nvL PREROUTING | grep DNSVPN
1       42  2324 DNSVPN2    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
2    16561 1154K DNSVPN2    udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
Code:
cat /tmp/etc/openvpn/fw/client2-dns.sh
#!/bin/sh
/usr/sbin/iptables -t nat -N DNSVPN2
#!/bin/sh
/usr/sbin/iptables -t nat -N DNSVPN2
/usr/sbin/iptables -t nat -A DNSVPN2 -s 192.168.3.0/24 -j DNAT --to-destination <my VPN's pushed DNS>
/usr/sbin/iptables -t nat -A DNSVPN2 -s 192.168.4.0/24 -j DNAT --to-destination <my VPN's pushed DNS>
/usr/sbin/iptables -t nat -A DNSVPN2 -s 192.168.2.100 -j DNAT --to-destination <my VPN's pushed DNS>
/usr/sbin/iptables -t nat -I PREROUTING -p udp -m udp --dport 53 -j DNSVPN2
/usr/sbin/iptables -t nat -I PREROUTING -p tcp -m tcp --dport 53 -j DNSVPN2

This double /usr/sbin/iptables -t nat -N DNSVPN2 seems quite strange though
Code:
cat /tmp/resolv.dnsmasq
server=192.168.1.1
server=192.168.1.1
server=/Speedport/192.168.1.1
server=/Speedport/192.168.1.1

With this setup the results are:
VPN client --> IP is VPN ip , DNS is VPN DNS
non-VPN client --> IP is ISP ip, DNS is ISP DNS

And now here is with Strict and policy based routing with dhcp-option DNS 1.1.1.1 set

Code:
iptables --line -t nat -nvL DNSVPN2
Chain DNSVPN2 (0 references)
num   pkts bytes target     prot opt in     out     source               destination
Code:
iptables --line -t nat -nvL PREROUTING | grep DNSVPN
This has no entries now in ip tables
Code:
cat /tmp/etc/openvpn/fw/client2-dns.sh
#!/bin/sh
/usr/sbin/iptables -t nat -N DNSVPN2
Code:
cat /tmp/resolv.dnsmasq
server=192.168.1.1
server=192.168.1.1
server=/Speedport/192.168.1.1
server=/Speedport/192.168.1.1
server=1.1.1.1
server=<my VPN's pushed DNS>

With this setup the results are:
VPN client --> IP is VPN ip , DNS is VPN DNS
non-VPN client --> IP is ISP ip, DNS is VPN DNS
 
Yes, something is awry. What router model and firmware version do you have?

Do you have DNS Server entries on the LAN->DHCP Server page?

On the WAN tab, I use DoT 1.1.1.1 and 1.0.0.1.

On the Tools->Other Settings tab, I am using Local DNS Caching:
[screenshot]


This results in the contents of /tmp/resolv.dnsmasq to be the router's loop back address 127.0.0.1:
Code:
server=127.0.1.1

What is creating the server entries you have in /tmp/resolv.dnsmasq? I would focus on that. Do you have any server entries in /jffs/configs/dnsmasq.conf.add file?

Also look on the LAN->DNSFilter tab. Do you have entries there?
 

I have Asus Merlin 384.13 on a RT-AC68U. The change log of 384.13 states that something was fixed
for strict, but I'm not sure what changes were done.

I don't have DNS Server entries on the LAN->DHCP Server page and for WAN
I don't have any hardcoded DNS. I just use "Connect to DNS Server automatically"

I also don't have any entries in LAN->DNSFilter tab.

In the dnsmasq.conf.add I have the following:

Code:
cat /jffs/configs/dnsmasq.conf.add

dhcp-boot=bootnetx64.efi,openmediavault,192.168.2.100

### Start of script-generated configuration for interface wl0.1 ###
interface=wl0.1
dhcp-range=wl0.1,192.168.3.2,192.168.3.254,255.255.255.0,43200s
dhcp-option=wl0.1,3,192.168.3.1
dhcp-option=wl0.1,6,192.168.3.1,192.168.3.1
### End of script-generated configuration for interface wl0.1 ###

### Start of script-generated configuration for interface wl1.1 ###
interface=wl1.1
dhcp-range=wl1.1,192.168.4.2,192.168.4.254,255.255.255.0,43200s
dhcp-option=wl1.1,3,192.168.4.1
dhcp-option=wl1.1,6,192.168.4.1,192.168.4.1
### End of script-generated configuration for interface wl1.1 ###

First line is for my jumpstart server.
The rest are added by YazFi.
 
CC: @Jack Yaz

I don't see any entries in dnsmasq.conf.add that may be the source of the issue.

I don't see the expected entries in /tmp/etc/openvpn/fw/client2-dns.sh along with the iptables rules I was expecting. The server entries in resolv.dnsmasq may come into play with the issue you are experiencing. Server precedence may honor the order in which the servers are listed in resolv.dnsmasq.

The only thing I can think of is to do a factory reset followed by M&M Config. Do a basic setup and get the internet working. Then, configure the VPN Client. Do a baseline test. Then, add the dhcp-option DNS 1.1.1.1 entry and test again. If it works, then add configuration one item at a time followed by a test. Take a config backup after each successful test. Continue the cycle until it breaks.
 
Yes, that was my idea too. I will try to find some time over the weekend to do a factory reset plus re-flash the latest firmware and install everything again one by one. Hopefully that will sort it out.
Thanks for all your time!
 
I am looking at an AC-86U I support. Last night, I set Accept DNS Configuration = Exclusive with Policy Rules (Strict). I didn't see the iptables chains nor the entries in /etc/openvpn/fw/client1-dns.sh that I should have seen. I noticed I didn't have Cipher Negotiation enabled. Once I enabled and saved the settings, the expected entries in /etc/openvpn/fw/client1-dns.sh and iptables rules now appear. :confused:

[screenshot]
 
Sorry to bump an old post but I'm having the exact same issues as @adid and @Xentrk (temporarily). To recap since we're in 2020 and new Merlin releases.

Using a RT-AC68U, Merlin 384.19, just factory reset and began fresh to eliminate any 'old' configs lying around. Everything is left default apart from PPPoE details, advertise router's IP set to No and the below (no changes to LAN DNS etc.)

VPN Client 1
  • Accept DNS Configuration = Strict
  • Policy Rules (strict) - to make things as simple as possible;
    • All | 192.168.1.0/24 | 0.0.0.0 | VPN
    • Router | 192.168.1.1 | 0.0.0.0 | WAN
    • Test PC | 192.168.1.55 | 0.0.0.0 | WAN
  • Added dhcp-option DNS <VPN's DNS> to Custom Config
Expected behavior is that Test PC should have my ISP's IP and ISP's DNS while my other PC (going via VPN) should have my VPN's IP and my VPN's DNS. This is not working - the IPs are correct, but all Clients are getting my VPN's DNS.

When I have 'Accept DNS Configuration' = Exclusive everything works. Clients via VPN have VPN's IP and DNS - Clients non-VPN have my ISP's IP and DNS.

Below is the output for when I'm trying 'Accept DNS Configuration = Strict' to assist with troubleshooting. I also have made sure I have Cipher Negotiation enabled:

Code:
iptables --line -t nat -nvL DNSVPN1
Chain DNSVPN1 (0 references)
num   pkts bytes target     prot opt in     out     source               destination

Code:
iptables --line -t nat -nvL PREROUTING | grep DNSVPN
<nothing>

Code:
cat /tmp/etc/openvpn/client1/dns.sh
#!/bin/sh
/usr/sbin/iptables -t nat -N DNSVPN1

Code:
cat /tmp/resolv.dnsmasq
server=<ISP DNS 1>
server=<ISP DNS 2>
server=<VPN DNS>
server=<VPN DNS>

I've factory 'nuked' twice, re-setup making sure I rebooted the RT-AC68U after applying (as well as /flushdns on Clients), even tried setting up on Client 2 to no avail. My goal is to:
  • Utilize a VPN for certain Clients
    • No DNS Leaks
      • Clients via VPN get VPN's IP + DNS
      • Clients non-VPN get ISP's IP + DNS (this part is not working)
  • Utilize Diversion for Ad Blocking (hence why I'm trying to use DNS = Strict)
  • Utilize x3mRouting eventually (once the above is sorted haha - AMAZING script btw @Xentrk thank you!!!!)
Would love any help from the gurus!
 
LAN Clients can override the DNS specified on the router. To force LAN clients to use the DNS specified on the router, go to LAN->DNS Filter and set as shown below

[screenshot]


I stopped worrying about DNS leaks a long time ago. I use a VPN to circumvent geo blocking and they don't care what DNS I use. It's just the VPN IP end point they use to determine location. I now set Accept DNS Configuration to Disabled and use DoT to encrypt DNS queries sent via the WAN.

However, Express VPN requires you to use their DNS to circumvent geo restrictions
 

The master himself - thanks for replying so quickly :)!

Knew I forgot something in all my reading, unfortunately my two test devices (non-VPN - trying a PC and a Mobile device) are still getting my VPN's DNS.

That was after a reboot of the RT-AC68U (after applying the DNSFilter option), rebooted both test devices (making sure their IPs haven't changed per Policy Rules - to flush their DNS). Re-ran the commands you asked for originally and the output is exactly the same as I posted above :(.

Of note, the VPN DNS I am adding via the dhcp-option is an internal 10.x.x.x because I thought that if it was a normal public IP, that might be the issue since you've mentioned it works down the appended list. They shouldn't even be able to hit the 10.x.x.x VPN DNS should they unless they are going via the tunnel which they're not because I'm getting my ISP's IP on them, just their DNS is leaking.

Anything else to test sir?
 
You have to be careful when using those DNS leak sites, as web page caching may give you a false reading when using ipleak.net and dnsleak.com. It has thrown me for a loop many times.

I did a test using your setup. Seems to work okay for me. I use a public DNS when using the dhcp-option DNS 9.9.9.9 though. Here is how it appears in resolv.dnsmasq

Code:
server=9.9.9.9
server=10.9.0.1
server=10.8.0.1
server=127.0.1.1

Scenarios:

192.168.1.0/24 VPN
Exclusive
No dhcp-option DNS
Result: DNS is same as IP of VPN Server

192.168.1.0/24 VPN
Strict
No dhcp-option DNS
Result: DNS is 1.1.1.1 from WAN

192.168.1.0/24 VPN
192.168.1.152 WAN
Strict
No dhcp-option DNS
Result: DNS is 1.1.1.1 from WAN

192.168.1.0/24 VPN
192.168.1.152 WAN
Strict
dhcp-option DNS 9.9.9.9
Result: DNS is 9.9.9.9 via WAN iface

What firmware version are you on?
 

Yeah, thought it may be cookies etc, but this is all in 'private' mode and as I said, trying on two different devices too now :(

Below is a screenshot so we're all on the same page - this is after a complete factory reset/nuke, the only other change was to add my PPPoE details in and turn off Advertise Router IP DNS. I have not set any DNS via LAN or WAN pages, I'm trying to keep it basic at the moment and just use my ISP DNS for non-VPN (will try DoT/Unbound later). This is on a RT-AC68U with Merlin 384.19, fresh as per above:

[screenshot]


What I'm expecting, just to make sure I'm not going mad:
  • The device (blanked out) not going via the VPN should be getting an ISP provided IP and DNS
    • This isn't happening, it's getting an IP from my ISP but the DNS from my VPN
  • All other devices go via the VPN and get the IP and DNS from my VPN
    • This is working
Again below is my output of the same command - unsure why my VPN DNS is at the bottom nor why it's repeated twice:

Code:
cat /tmp/resolv.dnsmasq
server=<ISP #1>
server=<ISP #2>
server=<VPN #1 - from dhcp-option 10.x.x.x>
server=<VPN #1 - from dhcp-option 10.x.x.x>
 
On my WAN page, I specify 1.1.1.1 and 1.0.0.1 for DNS1 & DNS2. I then specify DoT to Cloudflare as well. This way the router has DNS services until DoT starts up.

I'm not seeing the issue you are with the ISP DNS appearing in resolv.dnsmasq

/tmp/resolv.dnsmasq (Strict - no dhcp-option)
Code:
server=10.9.0.1
server=10.8.0.1
server=127.0.1.1

The system log entry:

Code:
 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.9.0.1,dhcp-option DNS 10.8.0.1,sndbuf 524288,rcvbuf 524288,route 10.34.0.1,topology net30,ping 5,ping-restart 30,socket-flags TCP_NODELAY,compress,ifconfig 10.34.1.141 10.34.1.142,peer-id 0'

Same for 10.8.0.1. The server=127.0.1.1 is because I have local DNS caching turned on. Maybe don't use private network address for DNS, especially the 10.x.x.x subnet?

This will show the various DNS nvram vars and may help identify if the ISP DNS is being stored in nvram.

Code:
nvram show | grep _dns

At first I was going to have you check if you had a server entry in /jffs/configs/dnsmasq.conf.add but since you did a factory reset and basic config, I doubt that is an issue. Maybe try to set up as I have my router and then see if you still have the issue.

DNS Hijack/Filtering? The simplest way to bypass an ISP that does DNS filtering is to switch to DNS-over-TLS. It's encrypted and it uses a different port than 53, so the ISP won't be able to interfere. See if that fixes the issue.
 
I'm not seeing the issue you are with the ISP DNS appearing in resolv.dnsmasq

I think there is a little bit of miscommunication - I want my ISP's DNS to appear, and be shown on dnsleaktest.com for Clients bypassing the VPN (WAN via Policy Rules) haha!

At the moment, they are showing my VPN's DNS - which is a 'leak' as it's in a different country from the IP they get from my ISP.

Below is from my System Log:
Code:
pppd[1420]: primary   DNS address <ISP #1>
pppd[1420]: secondary DNS address <ISP #2>
ovpn-client1[2476]: PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.x.x.x,redirect-gateway def1 bypass-dhcp,route-gateway 10.x.x.x,topology subnet'

So I went ahead like you suggested and added 1.1.1.1 and 1.0.0.1 to WAN > DNS Server 1 + 2.

Code:
cat /tmp/resolv.dnsmasq
server=1.1.1.1
server=1.0.0.1
server=10.x.x.x
server=10.x.x.x

And guess what... The Clients bypassing the VPN via Policy Rules are still showing my VPN's DNS.

I then went to DNSFilter and set a Client (bypassing the VPN) to manually go to Custom 1 (1.1.1.1) just as a test. Flushed DNS and did another test and it WORKED - it bypassed my VPN's DNS and showed 1.1.1.1 (not quite my ISP's DNS but a step in the right direction).

[screenshot]


So my question is, why, when the Global Filter Mode is set to Router, do Clients bypassing the VPN not get my ISP's DNS? As my tests show, it seems to ignore WAN DNS settings (or when it's 'Auto') and continues to show the VPN's DNS until you manually set it via DNSFilter - which I don't want to do manually for all my 30+ Clients haha...

Is there a bug in the VPN Client Policy Rules not correctly applying the default DNS (in my case, my ISPs) when bypassing the VPN (WAN iface) Policy Rules? Maybe @RMerlin could comment if we're barking up the wrong tree?
  • All | 192.168.1.0/24 | 0.0.0.0/0 | VPN
  • Router | 192.168.1.1 | 0.0.0.0/0 | WAN
  • Test PC | 192.168.1.55 | 0.0.0.0/0 | WAN
In the above Policy Rules - I would expect 192.168.1.55 to get my ISP's IP (tick) and my ISP's DNS (not working), instead it gets my VPN's DNS.

Thanks for your continued help @Xentrk!
 
I'm not sure what else to look at since I can't duplicate.

I set up similar routing rules on my VPN Client 2 screen to route LAN to VPN and laptop to bypass the VPN. I set DNS on WAN page to use DNS from ISP and turned off DoT. I see the ISP DNS entries in /tmp/resolv.dnsmasq prepended to the VPN DNS entries.

My laptop, which is set to bypass the VPN, shows the DNS of my ISP when I go to dnsleak.com.
 

So much to my roommate's horror, I just factory reset again to test. These are my exact steps, unfortunately it's not good news:
  1. Factory Reset RT-AC68U
  2. Connected via WiFi to default WLAN
  3. Set Username/Password
  4. Logged in, went to Wireless and setup a temporary SSID with WPA2
  5. Went to WAN and selected PPPoE and entered Username/Password
  6. Went to VPN, uploaded my .opvn which contains CA, username etc
  7. Changed to DNS = Strict, Policy Rules (strict) and added dhcp-option to custom configuration
  8. Added 192.168.1.0/24 0.0.0.0/0 via VPN
  9. Added 192.168.1.1 0.0.0.0/0 via WAN (Router)
  10. Added 192.168.1.55 0.0.0.0/0 via WAN (Test PC)
  11. Rebooted
Once back up (confirmed VPN connected successfully), opened freshly rebooted (dnsflush to be sure) Laptop (Test PC .55) and hit dnsleaktest.com - damn VPN DNS :(

I'm not sure what else to try. I PMd Aida (who started this all off the other night) and he confirmed he could never fix it and gave up. So there's at least two of us...

Surely something isn't right with the VPN Policy Rules, I know if I use DNSFilter to manually set a DNS for Test PC (.55) it will work, but I'm trying to avoid manually setting up every Client bypassing the VPN.

Hope you can think of something because I'm lost! Maybe you could try without any DNS set anywhere on router? Could it be you have an old iptables entry?

Exclusive works flawlessly, it's just strict!
 
Playing around further, comparing Strict to Exclusive, something is definitely wrong.

With Strict, no iptable entries are being added under /tmp/etc/openvpn/client1/dns.sh unlike with Exclusive (which is working).

Maybe something has broken recently @RMerlin? This is on a fresh reinstall as you can see, 384.19 and using Client1 - exact steps taken after reset above.
 
