Playing around further, comparing Strict to Exclusive, something is definitely wrong.

With Strict, no iptable entries are being added under /tmp/etc/openvpn/client1/dns.sh unlike with Exclusive (which is working).

Maybe something has broken recently @RMerlin? This is on a fresh reinstall as you can see, 384.19 and using Client1 - exact steps taken after reset above.

Strict mode does not create any iptable rules. It merely appends the DNS servers to dnsmasq, and sets the "strict" parameter in dnsmasq which determines the order used when querying servers.
 
I appreciate the clarification @RMerlin (also for sticking your head in to assist :)).

So with what's been written in this thread, how would you envision one achieves the following?
  • Utilize DNS = Strict + Policy Rules (Strict) - to keep dnsmasq (Diversion etc) working
  • Have non-VPN Clients (bypassing via the WAN iface under Policy Rules) not DNS Leak (currently obtaining the DNS of the VPN when utilizing dhcp-option)
    • Short of manually adding every non-VPN Client to DNSFilter
I've come across similar threads below discussing the issue and can't seem to find a solution:
My other thought (and I am far from as tech savvy as @Xentrk, @Martineau and others) is: if the non-VPN Clients aren't going via the tunnel, how do they see the appended private 10.x.x.x address (below is with 'Strict' DNS on):

Code:
cat /tmp/resolv.dnsmasq
server=<ISP DNS 1>
server=<ISP DNS 2>
server=<VPN DNS - 10.x.x.x>
server=<VPN DNS - 10.x.x.x (repeated)>

My only thought is to admit defeat, switch to using 'Exclusive' and point non-VPN clients to a PiHole (via DNSFilter) and just skip using Diversion (makes me sad because I'd love to do it all 'in-house' on the Router)...

I would have thought this would be a more widespread issue but I guess many are utilizing Cloudflare DNS/DoT etc, set via DNSFilter/hard-coded DNS (LAN/WAN).

Would bringing Unbound or x3mRouting into the mix help anything? Could I 'split' DNS then?
 
So with what's been written in this thread, how would you envision one achieves the following?

I don't know. I don't use Diversion, so I don't know what exact configuration will work best with it.
 
I have dnsmasq logging enabled and local DNS caching enabled. Do you have dnsmasq logging enabled? Enabling the feature is required when using the dnsmasq method of x3mRouting.

Enable dnsmasq Logging
  1. Navigate to the /jffs/configs directory, e.g. cd /jffs/configs
  2. Use your SFTP or SSH client to create the dnsmasq.conf.add file
  3. Add the following entry to /jffs/configs/dnsmasq.conf.add:
Code:
log-async
log-queries
log-facility=/opt/var/log/dnsmasq.log

restart dnsmasq
Code:
service restart_dnsmasq

You may need to adjust the location of the log-facility parameter. Also, turn on dnsmasq caching to see if there is any change.
Tools->Other Settings-> Wan: Use local caching DNS server as system resolver (default: No) ->Yes
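With log-queries on, the log records both who asked (query[A] name from client) and where dnsmasq sent the query (forwarded name to server), which is exactly what is needed to see whether a VPN-bypass client's lookups are being forwarded to the VPN-pushed resolver. The script below is an added example, not something from the thread or from x3mRouting: it correlates the two line types by query name and summarises upstream usage per client. The log lines, the client addresses, 10.8.0.1 (standing in for the VPN-pushed resolver) and 203.0.113.53 (standing in for the ISP resolver) are all constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or x3mRouting): summarise which upstream
# resolver dnsmasq forwarded each LAN client's queries to, based on the
# log-queries output enabled above. All addresses below are placeholders.

# Constructed sample of /opt/var/log/dnsmasq.log. 10.8.0.1 stands in for the
# resolver pushed by the VPN (dhcp-option DNS), 203.0.113.53 for the ISP one.
SAMPLE_LOG='Oct 17 10:00:01 dnsmasq[1234]: query[A] example.com from 192.168.1.20
Oct 17 10:00:01 dnsmasq[1234]: forwarded example.com to 10.8.0.1
Oct 17 10:00:01 dnsmasq[1234]: reply example.com is 93.184.216.34
Oct 17 10:00:02 dnsmasq[1234]: query[AAAA] example.net from 192.168.1.50
Oct 17 10:00:02 dnsmasq[1234]: forwarded example.net to 203.0.113.53
Oct 17 10:00:03 dnsmasq[1234]: query[A] example.org from 192.168.1.20
Oct 17 10:00:03 dnsmasq[1234]: forwarded example.org to 10.8.0.1
Oct 17 10:00:04 dnsmasq[1234]: query[A] example.com from 192.168.1.20
Oct 17 10:00:04 dnsmasq[1234]: cached example.com is 93.184.216.34'

# upstream_by_client LOG_TEXT
# Prints one "client upstream count" line per pair, sorted. The "forwarded"
# line carries no client address, so it is attributed to the most recent
# client that queried the same name (a heuristic; with log-async, lines for
# different clients can interleave). Cached answers produce no forwarded
# line and therefore no upstream attribution.
upstream_by_client() {
    printf '%s\n' "$1" | awk '
        $5 ~ /^query\[/        { client[$6] = $8; next }
        $5 == "forwarded" && ($6 in client) { n[client[$6] " " $8]++ }
        END { for (k in n) print k, n[k] }
    ' | sort
}

# bypass_clients_on_vpn_dns LOG_TEXT VPN_DNS CLIENT...
# Prints each listed (VPN-bypass) client that had at least one query forwarded
# to VPN_DNS, i.e. a client whose DNS is not going where the policy says.
bypass_clients_on_vpn_dns() {
    log_text="$1"; vpn_dns="$2"; shift 2
    summary=$(upstream_by_client "$log_text")
    for c in "$@"; do
        if printf '%s\n' "$summary" |
           awk -v c="$c" -v d="$vpn_dns" '$1 == c && $2 == d { hit = 1 } END { exit !hit }'; then
            printf '%s\n' "$c"
        fi
    done
}

# Usage on the sample: 192.168.1.20 is supposed to bypass the VPN, yet its
# queries went to 10.8.0.1; 192.168.1.50 used the ISP resolver.
upstream_by_client "$SAMPLE_LOG"
bypass_clients_on_vpn_dns "$SAMPLE_LOG" 10.8.0.1 192.168.1.20 192.168.1.50
```

On the router, run it against the real log with `upstream_by_client "$(cat /opt/var/log/dnsmasq.log)"`, using the address from your dhcp-option line as VPN_DNS and your Policy Rules bypass clients as the list. This only tells you which resolver dnsmasq forwarded to; which interface that forwarded packet leaves on is a routing question, and a client doing its own DNS over TLS or HTTPS never shows up here at all.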
 
Also, you may try setting WAN DNS1 and DNS2 to Cloudflare 1.1.1.1 and 1.0.0.1 and then route those two IP to the WAN in the VPN Client 1 Screen to see if that helps.
 

Thanks for getting back Xentrk - I've gone ahead and enabled dnsmasq logging - is there any particular output you'd like? I can see it working/logging.

I also went ahead and enabled local caching - unfortunately still no luck. Non-VPN Clients are still getting my VPN's DNS :(

Code:
cat /tmp/resolv.dnsmasq
server=<ISP DNS #1>
server=<ISP DNS #2>
server=<VPN DNS #1 - from dhcp-option | 10.8.x.x>
server=<VPN DNS #2 - connecting to a new server | 10.10.x.x>


Also, you may try setting WAN DNS1 and DNS2 to Cloudflare 1.1.1.1 and 1.0.0.1 and then route those two IP to the WAN in the VPN Client 1 Screen to see if that helps.


Using the routing below - my non-VPN Client is now getting an IP from my VPN and DNS from VPN during that test haha.


Code:
cat /tmp/resolv.dnsmasq
server=1.1.1.1
server=1.0.0.1
server=<VPN DNS #1 - from dhcp-option | 10.8.x.x>
server=<VPN DNS #2 - connecting to a new server | 10.10.x.x>

As mentioned before, setting WAN DNS unfortunately does nothing :(. I have to manually force via DNSFilter if I want it to work.

From what @RMerlin has said @Xentrk - do you think this is futile? It seems with Strict (from reading his comments in other threads), it simply appends to resolv.dnsmasq and then non-VPN Clients simply get the bottom DNS (which is the one added via dhcp-option).

There seems to be no smarts/logic (with the DNS = Strict option) to say Client X (non-VPN) you should get X.X.X.X DNS while VPN Clients get X.X.X.X DNS...
 
Make the router entry 192.168.1.1 the first entry in the Policy Routing table. That is how mine is set.

The other item is my VPN Provider uses Cloudflare and my ISP now uses Google DNS.
 

Deleted and re-added my Policy Rules as you've advised; Router (WAN) then All (via VPN) then Test1/2 (WAN). Then rebooted Router to be sure.

Test PC is still getting VPN's DNS (after ipconfig /release, /renew + /flushdns) :(

Do you think since your VPN is using Cloudflare and you're forcing Cloudflare via WAN DNS you're getting a false positive and really are leaking too?

If you test at home by removing Cloudflare from all places on the Router (WAN DNS, DNSFilter, dhcp-option etc), then on your Policy Rules make a test device go via the WAN iface - should you not expect the test device to get Google DNS (your ISP's DNS) and not Cloudflare?

Maybe your manual Cloudflare is masking a leak? What are your /tmp/resolv.dnsmasq and /tmp/etc/openvpn/clientX/dns.sh outputs (after removal of custom Cloudflare)?

I assume it should be 2xGoogle DNS (from ISP) and 1xCloudflare (from VPN/dhcp-option)..?
 
I disabled all references to Cloudflare when I tested using DNS from ISP. When using ISP, I get Google DNS in Singapore. When I revert to Cloudflare on the WAN, I get Cloudflare servers in Bangkok.

Here is a snip from a post on the web that you may want to test for your LAN device that is using VPN DNS when routed to the WAN.

Code:
iptables -t nat -I PREROUTING -i br0 -s <<device IP>>/32 -p udp --dport 53 -j DNAT --to <<DNS Server IP>>
iptables -t nat -I PREROUTING -i br0 -s <<device IP>>/32 -p tcp --dport 53 -j DNAT --to <<DNS Server IP>>
 
With regards to manually adding the above two iptable commands against my primary ISP DNS - I can happily confirm that's worked!

Issue is obviously, it's not realistic to manually add every non-VPN (WAN) client this way (plus there is no way to have a Primary/Secondary DNS, correct?) due to numbers.

A step in the right direction though :). Is there anything else you can suggest trying now we know that works?

--------------------------

I can't believe there's so much disparity between our Routers - at least I know other users have had issues, just hope we (maybe with @RMerlin's help) can get to the bottom of it :(.

You must have a leftover feature/iptable rule somewhere because all I know is that a factory reset RT-AC68U (with the limited settings I altered and outline previously) has leaks out of the box with DNS = Strict.

Becoming even more frustrated today I went and borrowed a dormie's spare RT-AC86U (since moved to AX). Put 384.19 on it, factory reset, setup PPPoE and VPN (Strict + Policy Rules with one device via WAN) and still same issue (WAN device gets VPN's DNS) - so that's two for two now not working...
 
I did another round of testing.

Strict will "leak" the DNS of LAN clients routed via the VPN. Strict uses the DNS specified on the WAN page and not the VPN end point location.

Same with LAN clients set to bypass the VPN. They also use the DNS specified on the WAN page.

Makes sense since Strict prepends to the list of VPN DNS.

When I add the "dhcp-option DNS x.x.x.x", the LAN device set to bypass the VPN uses the DNS specified by this option. So this is where the conflict may be coming from.

In regards to the workaround, here is an example of how to specify a range of IP addresses:

iptables -A INPUT -m iprange --src-range 192.168.25.149-192.168.25.151 -j ACCEPT
 
I knew I wasn't going insane haha! Thank you for confirming where things might be going 'wrong' - apologies for the delay, work pulled me away.

Now we've [started] to get to the bottom of things, I just wanted to confirm what I should be trying/what commands I need. To achieve the following:
  • Utilize Diversion (Ad Blocking) + x3mRouting (for routing Chromecast through VPN but allowing Netflix etc out via 'ISP' so not blocked)
    • To achieve this I need to utilize DNS Strict
      • Done (have not either up yet)
  • VPN running - no DNS/IP Leaks
    • To achieve this I'm using Client 1, with DNS = Strict and Policy Rules (Strict)
      • Done
  • Non-VPN Clients (bypass the VPN via iface WAN), I will need to add via the normal WebUI Policy Rules and then add iptable rules (or DNSFilter - see below?)
    • This is where I get confused. The iptable rules (you linked one originally with udp/tcp, do I need to do those two (2) for every non-VPN Client? What is the command you linked in your latest response, where does that go?)
      • Pending
My next question is, since we now know the behavior of 'Strict' - Clients use the last DNS entry of /tmp/resolv.dnsmasq. Would my ISP DNS entries (normally 1st and 2nd in the list) ever move underneath the "dhcp-option DNS x.x.x.x" - aka should I manually assign DNS for every Client (worried if it moves, my VPN Clients will leak) if I was being cautious?

Are setting the iptable rules the same as using DNSFilter? Would it be easier to use DNSFilter via the GUI (I discovered that worked previously in our testing) to point non-VPN Clients to my ISP's DNS (Custom #1)? I guess if do that, I can't force all devices to 'Router' to bypass hard-coded DNS correct, so I should do via iptables?

In a nutshell, I want my network (I've compacted it down) to look like:

  • All Clients via VPN (DNS + IP from VPN) - excluding below:
    • 2xWork Devices to bypass VPN completely (DNS + IP from VPN)
    • 1xChromecast to go via VPN but not Netflix or Hulu traffic (use DNS + IP from ISP) via x3mRouting
      • I think that's how x3mRouting works?
After that is done, I can worry about Unbound :p
 
My time is a little limited today. I can follow up more properly later. But I wanted to mention the recently updated feature in the firmware where you can specify DNS Server by device on the LAN -> DHCP Server page. You may want to test to see if this is also a work around for the LAN Clients assigned to bypass the VPN.

 
  • Non-VPN Clients (bypass the VPN via iface WAN), I will need to add via the normal WebUI Policy Rules and then add iptable rules (or DNSFilter - see below?)
    • This is where I get confused. The iptable rules (you linked one originally with udp/tcp, do I need to do those two (2) for every non-VPN Client? What is the command you linked in your latest response, where does that go?)
      • Pending
I would use the DNSFilter feature. I tested and it works well. These commands show the iptables rules:

iptables --line -t nat -nvL DNSFILTER
iptables --line -nvL DNSFILTER_DOT

I would use the firewall-start script if using custom iptables rules. You can use the iprange feature to specify a range of addresses or else you will have to create a rule for each device.

My next question is, since we now know the behavior of 'Strict' - Clients use the last DNS entry of /tmp/resolv.dnsmasq.
Would my ISP DNS entries (normally 1st and 2nd in the list) ever move underneath the "dhcp-option DNS x.x.x.x" - aka should I manually assign DNS for every Client (worried if it moves, my VPN Clients will leak) if I was being cautious?

From what I've seen so far, the DNSFilter option appears to be the best option. I set my PC to use Quad9 in DNSFilter and removed the VPN Bypass entry so it now uses the VPN tunnel. It now gets Quad 9 from VPN End Point location in US rather than my real geo location.

Are setting the iptable rules the same as using DNSFilter? Would it be easier to use DNSFilter via the GUI (I discovered that worked previously in our testing) to point non-VPN Clients to my ISP's DNS (Custom #1)? I guess if do that, I can't force all devices to 'Router' to bypass hard-coded DNS correct, so I should do via iptables?
Using DNSFilter via the GUI should be the easiest to implement. The rules appear to be different in how they are implemented though.

In a nutshell, I want my network (I've compacted it down) to look like:
  • All Clients via VPN (DNS + IP from VPN) - excluding below:
    • 2xWork Devices to bypass VPN completely (DNS + IP from VPN)
    • 1xChromecast to go via VPN but not Netflix or Hulu traffic (use DNS + IP from ISP) via x3mRouting
      • I think that's how x3mRouting works?
After that is done, I can worry about Unbound :p
Regarding Unbound, your WAN IP will appear as your DNS server on the IP leak test sites.
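Putting the pieces from this thread together (the two PREROUTING DNAT rules for udp and tcp port 53, the iprange match so one rule covers several devices, and firewall-start as the place to keep custom rules), the script below is an added example of what a firewall-start fragment for the VPN-bypass clients could look like. It is not code from the thread, from x3mRouting or from the firmware. The bypass range 192.168.1.20-192.168.1.23 and the resolver 203.0.113.53 (standing in for the ISP/WAN DNS) are placeholders; substitute your own.

```shell
#!/bin/sh
# Added example (not from the thread, x3mRouting or Asuswrt-Merlin): a
# /jffs/scripts/firewall-start fragment that forces plain port-53 DNS from a
# range of VPN-bypass LAN clients to one resolver, combining the DNAT rules and
# the iprange match shown in this thread. firewall-start re-runs every time the
# firewall restarts, so a rule is only inserted when it is not already present.
# Placeholder values (not from the thread): override via the environment.

LAN_IF="${LAN_IF:-br0}"
BYPASS_RANGE="${BYPASS_RANGE:-192.168.1.20-192.168.1.23}"
WAN_DNS="${WAN_DNS:-203.0.113.53}"

# Rule specification (everything after the chain name) for one protocol.
dns_dnat_spec() {
    printf '%s\n' "-i $LAN_IF -m iprange --src-range $BYPASS_RANGE -p $1 --dport 53 -j DNAT --to-destination $WAN_DNS"
}

# The exact commands that would be run, one per line (dry run / review).
dns_dnat_commands() {
    for proto in udp tcp; do
        printf 'iptables -t nat -I PREROUTING %s\n' "$(dns_dnat_spec "$proto")"
    done
}

# Insert a rule only if an identical one is not already in the chain
# (iptables -C exits 0 when the rule exists), so repeated firewall restarts
# do not stack duplicates. $1 is deliberately unquoted: the spec is a list of
# plain arguments that must be word-split.
ensure_nat_rule() {
    if ! iptables -t nat -C PREROUTING $1 2>/dev/null; then
        iptables -t nat -I PREROUTING $1
    fi
}

apply_dns_rules() {
    for proto in udp tcp; do
        ensure_nat_rule "$(dns_dnat_spec "$proto")"
    done
}

# In a real firewall-start replace this case with a plain apply_dns_rules call
# (the firmware passes the WAN interface as $1, not "apply"). It is gated here
# so the file can be sourced and its functions checked without root/iptables.
case "${1:-}" in
    apply)   apply_dns_rules ;;
    dry-run) dns_dnat_commands ;;
esac
```

Run `sh firewall-start dry-run` to see the two rules before committing them, and `iptables -t nat -nvL PREROUTING --line-numbers` afterwards to confirm they sit above the DNSFILTER jump. The rules only catch clients that send ordinary DNS on port 53: a device configured for DNS over TLS (853) or DNS over HTTPS (443) sails past them, which is the gap the DNSFILTER_DOT chain shown above is there to close, and a second resolver for redundancy would need a second range of rules rather than a primary/secondary pair.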
 

Thanks so much @Xentrk, sorry for the delay again - needed to find time to take everything offline again to test haha. Aiming to do so tomorrow!

From what you've suggested, going to go ahead and try utilizing the DNSFilter along with DNS Strict (so I can utilize x3mRouting).

I've gone ahead and trialed Diversion but had to go back to PiHole due to lack of regex rules. To do so, I need to initially route from Router to the RaspberryPi - in doing so this has added one extra layer of confusion - sorry haha!!!

My thinking is I use the DNSFilter to go to 192.168.1.5 (RPi), I will then bypass VPN on required Clients, leaving some use VPN, then all Clients will firstly hit the PiHole to handle adblocking.

From there I have two options; using 192.168.1.1 as Upstream DNS for all Clients (to send back to the Router) or set my ISP and VPN individually as Upstream DNS per Client. I'm unsure if I have to go back to the Router? Are there performance issues if I don't? If I don't go back to the Router, will x3mRouting still work?

I think I had issues with DNS leaks using the same PiHole before because depending what the docker PiHole was doing - aka bypassing VPN or not, it would leak the opposite. I may need to create two separate PiHoles, one for VPN Clients and one for non-VPN Clients?

Anyways, long story short. Thanks so much as usual and will get back to you after some further testing :)!
 
I was pleased with the result of using DNSFilter and how it plays well with LAN clients assigned to route via the VPN Client or to bypass the VPN Client. I may set up some of my devices to use the setup. It may be my new recommendation.

The dnsmasq method of x3mRouting won't work when using Pi-Hole. The dnsmasq on the router is bypassed and the IPv4 addresses won't load. Caveat - try using WAN DNS for a few days to create the entries. Once the list is populated, you should be able to switch back to Pi-Hole and have it work. In theory, the other methods should work okay as dnsmasq is not required. Lists are loaded from other sources and iptables rules do the routing.
 
I am looking at an AC-86U I support. Last night, I set Accept DNS Configuration = Exclusive with Policy Rules (Strict). I didn't see the iptables chains nor the entries in /etc/openvpn/fw/client1-dns.sh that I should have seen. I noticed I didn't have Cipher Negotiation enabled. Once I enabled and saved the settings, the expected entries in /etc/openvpn/fw/client1-dns.sh and iptables rules now appear. :confused:

Thanks.

In my case, rules are not there if I activate the up/down scripts. I do not know why.

All the best,
Gabriel
 
Hi,

So I am pretty new to all of this and just got a PIA VPN service. Diversion is not working for me since I added the VPN. How would the setup be modified using the .ovpn auto-generated from the PIA app? Right now, the policy is "relaxed" which is not mentioned here. I'm also not sure how to add any servers to dnsmasq through the app or Merlin. FYI, I am running an RT-AX88U on 384.19.
 
I recently updated the wiki about the Accept DNS Configuration settings with policy based routing.
 

Thanks for the thread. I can follow some of this, but have a couple of more questions:

1). I need to use split tunneling so my kids' school Chromebooks play nicely outside the VPN with the school network; currently, I am doing this within the PIA app. Does this mean I cannot set the policy routing to "exclusive"?

a). If this is correct, then how do I set up dnsmasq for Diversion?

2). I also have SkyNet. Does OpenDNS interfere with that in any way?

Thanks...
 
