Issue with Accept DNS Configuration strict and Diversion/YazFi/VPN

Thanks for the thread. I can follow some of this, but have a couple more questions:

1). I need to use split tunneling so my kids' school Chromebooks play nicely outside the VPN with the school network; currently, I am doing this within the PIA app. Does this mean I cannot set the policy routing to "exclusive"?

a). If this is correct, then how do I set up dnsmasq for Diversion?

2). I also have SkyNet. Does OpenDNS interfere with that in any way?

Thanks...
Can you clarify the split tunneling? Do you need to route the Chromebook to the school's VPN and all other traffic to PIA?

There is no "exclusive" setting for Policy Rules.

The "Exclusive" setting only applies to the "Accept DNS Configuration" setting. dnsmasq is bypassed when "Accept DNS Configuration" is set to "Exclusive" and Policy Rules are enabled. You are telling the Client to exclusively use the DNS of the VPN provider. The problem does not seem to occur when "Force Internet traffic through tunnel" is set to "Yes". Enabling dnsmasq with Policy Rules is done by setting "Accept DNS Configuration" to either "Relaxed", "Strict" or "Disabled". Use the DNSFilter feature available on the LAN page to configure a custom DNS for each LAN client.

Enabling policy rules is done by configuring "Force Internet traffic through tunnel" to "Policy Rules" or "Policy Rules (Strict)". Forcing all internet traffic to use the VPN Client is done by configuring "Force Internet traffic through tunnel" to "Yes".

The work around I used for a long time was to set Accept DNS Configuration to “Strict”. Then, specify the DNS server for the VPN tunnel to use by adding the dhcp-option DNS command in the Custom Configuration section:

dhcp-option DNS 1.1.1.1

You can specify the DNS of the VPN provider or a public DNS provider. But the ability to customize DNS per LAN device using the DNSFilter option appears to be a better solution from the limited testing I did in the prior posts.

I don't recall a requirement that dnsmasq be enabled when using Skynet.
Thanks for the further advice. I am using split tunneling because the Chromebooks won't access the school's website and SSO related apps properly going through the VPN (the Chromebooks are administered by the school). There is no VPN for the school; the Chromebooks just didn't connect to the school's domain until I excepted those LAN IPs from the VPN within the PIA app.

So I followed the Wiki, but Diversion seems still not to be working when using the "Exclusive" setting with Accept DNS configuration and routing internet traffic through tunnel to "yes". I had avoided this setting since I thought it would screw up the split tunneling I mentioned above. Is this perhaps why Diversion is still not working despite using the "Exclusive" setting?

I also set up OpenDNS, but I'm getting stumped here now. From the Asus LAN/DNS Filter menu, I have turned on the global filtering to OpenDNS (Family) and then chosen specific devices to assume the OpenDNS (Home) configuration. However, the specific devices aren't inheriting the properties I set up in OpenDNS (like blocking YouTube). I can't even tell if the global filtering is working. Do I need to change anything else under the LAN (like DHCP) or WAN menus? I did not add the DNS servers 208.67.222.222 and 208.67.220.220 for OpenDNS anywhere.

If there are settings I need to post to Github to help decipher this, let me know.

Thanks...
Diversion does not work when you have Policy Rules enabled and Accept DNS Configuration = Exclusive, as dnsmasq is bypassed and Diversion requires it. You are telling clients to exclusively use the DNS of the VPN provider. If you have Accept DNS Configuration = Exclusive, my guess is that it is overriding any DNS setting for clients that are configured in the DNSFilter or DNS field on the DHCP assignment screen. You have to set Accept DNS Configuration to Disabled, Relaxed or Strict. LAN clients assigned to use the VPN will then use the DNS on the WAN page. dnsmasq will now work and Diversion will block ads. Use the DNSFilter page to assign a specific DNS to the LAN client, or try the DHCP Assignment page to override the DNS specified on the WAN page.

The Accept DNS Configuration won't impact split tunneling. Do you have an entry to route the entire LAN to the PIA VPN Client, e.g. 192.168.1.0/24, and another to have the Chromebook bypass the VPN?

Don't use the LAN DNS setting. You can use the ipleak.net or dnsleak.com site to validate DNS. Hope this helps.

Thanks again. This time I've included anonymized screen shots of my VPN, WAN, and LAN/DHCP screens to make it clearer what is going on; I will post PIA screen shots next.

I had thought I needed to set the Accept DNS Configuration = Exclusive per the Wiki to get Diversion to work; maybe I misunderstood. When I chose the Force Internet Connection through Tunnel = Yes, I didn't think this was messing up the policy rules since Policy rules and Policy Rules (Strict) are not chosen.

I do not have an entry to route the entire LAN to the PIA VPN client (I am just using whatever default from PIA). But I have the 2 Chromebooks (192.xx.yy.zz/32) excepted.

Please let me know what seems off from the below. My questions now are:

1). Confirm that I should be setting the Accept DNS Configuration = Relaxed / Strict. (I would revert to Relaxed as per the .ovpn file generated by PIA if that is fine)

2). Are any custom configurations needed? (1.1.1.1, etc)

3) Should I turn off the "Connect to DNS Server automatically" on the WAN page? If so, should I use the OpenDNS servers? 208.67.222.222 and 208.67.220.220

4). I want the specific clients assigned under the LAN to have stricter rules (like turning off YouTube in OpenDNS). Right now, they are not obeying that. Is this set up correctly?

5). Will PIA MACE interfere with Diversion, and should it be off then?

Sorry for all of the questions; this is all new to me! Thanks...
Here are the other screen shots:

[Attachments: three screen shots, not reproduced]
 
I don't know if I would be of any help. I don't use Diversion; I use pi-hole with PIA. But yes, you have to set a custom DNS to whatever DNS your Diversion uses in the app. The app bypasses the router DNS settings if set to PIA DNS. MACE will have no effect because it only works with PIA DNS.

I use policy routing strict on Merlin firmware, setting the whole network range for VPN and specifying clients for WAN, and for the WAN devices I specify the DNS for each client with a static IP in the DHCP settings.

For all the VPN devices I specify the pi-hole address in the .ovpn file or the advanced config in VPN settings. I also set Accept DNS to Exclusive.

In the WAN DNS settings I just put any random public DNS server, just to make sure it's not on automatic.

So basically, for those two Chromebooks using the app, remove those bypass VPN entries, set them to WAN in the VPN policy routing of the router, set them static in DHCP settings and put the DNS server you use for Diversion set on your router, or maybe better just leave it blank, then put the router IP in the custom DNS setting of the app on the Chromebook and see if that works. That's what I do, but with the pi-hole address.
I had thought I needed to set the Accept DNS Configuration = Exclusive per the Wiki to get Diversion to work; maybe I misunderstood. When I chose the Force Internet Connection through Tunnel = Yes, I didn't think this was messing up the policy rules since Policy rules and Policy Rules (Strict) are not chosen.
You are correct. I thought you were using Policy Rules since you mentioned split tunneling. It is the combination of enabling Policy Rules and Accept DNS Configuration = Exclusive that causes dnsmasq to be bypassed which prevents Diversion from working. The issue does not occur when you route all traffic to the VPN client as you have done.

I do not have an entry to route to the entire LAN to the PIA VPN client (I am just using whatever default from PIA). But I have the 2 Chromebooks (192.xx.yy.zz/32) excepted.
I see the misunderstanding now. You are using PIA GUI (which I don't have any experience with) to create the routing rules for the chromebooks rather than the features of the OpenVPN Client screen.

1). Confirm that I should be setting the Accept DNS Configuration = Relaxed / Strict. (I would revert to Relaxed as per the .ovpn file generated by PIA if that is fine)
I guess my main point was dnsmasq won't work if you have Accept DNS Configuration set to Exclusive when using Policy Rules. All router traffic will use the DNS of the VPN and bypass the DNS setting on the WAN page. You can use the "follow the log file" option in Diversion to see if dnsmasq is blocking ads and dnsmasq is working.

2). Are any custom configurations needed? (1.1.1.1, etc)
Not that I am aware of.

3) Should I turn off the "Connect to DNS Server automatically" on the WAN page? If so, should I use the OpenDNS servers? 208.67.222.222 and 208.67.220.220
You want to set WAN DNS to be the default DNS for LAN clients. Use the DNSFilter screen for exceptions. Use the ipleak.net and dnsleak.com sites to test how DNS is behaving.

4). I want the specific clients assigned under the LAN to have stricter rules (like turning off YouTube in OpenDNS). Right now, they are not obeying that. Is this set up correctly?
Use the sites I mentioned above to verify DNS is behaving the way you intend. Following are some iptables commands for DNS debugging.

Code:
iptables --line -t nat -nvL DNSFILTER
iptables --line -t nat -nvL PREROUTING
iptables --line -t nat -nvL DNSVPN1

5). Will PIA MACE interfere with Diversion, and should it be off then?
Hopefully a PIA customer can help you with this one.
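The following is an added example and is not code from this thread or from Asuswrt-Merlin. It ties together the earlier explanation (Policy Rules plus "Accept DNS Configuration = Exclusive" DNATs LAN clients' port-53 traffic straight to the VPN provider's DNS, so dnsmasq and therefore Diversion never see the queries) with the iptables debugging commands in the post above: a small POSIX shell script walks captured `iptables --line -t nat -nvL DNSVPN1` and `DNSFILTER` listings and reports, per LAN client, whether its DNS goes to the VPN DNS, to a DNSFilter server, or to the router's dnsmasq. The two chain listings are constructed and simplified (the 10.8.0.1 VPN DNS address, the 192.168.1.x client addresses, the rule shapes, and the assumption that PREROUTING consults DNSVPN1 before DNSFILTER are all assumptions, not copied from a router); on a router, replace them with the live output of the two commands.

```shell
#!/bin/sh
# Added example (not from the thread or Asuswrt-Merlin): trace where a LAN
# client's port-53 traffic is DNAT'd by walking captured `iptables --line -t nat
# -nvL` listings of the DNSVPN1 and DNSFILTER chains. Runs offline on the
# constructed listings below; on a router use e.g.
#   DNSVPN1_SAMPLE=$(iptables --line -t nat -nvL DNSVPN1)
set -f   # the in/out columns are "*" in iptables output; never glob them

# Constructed listing for "Policy Rules" + "Accept DNS Configuration = Exclusive":
# whole LAN routed to the VPN client, one Chromebook (.50) excepted.
# Rule shape and the 10.8.0.1 VPN DNS are assumptions.
DNSVPN1_SAMPLE='Chain DNSVPN1 (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 RETURN     all  --  *      *       192.168.1.50         0.0.0.0/0
2        0     0 DNAT       all  --  *      *       192.168.1.0/24       0.0.0.0/0            to:10.8.0.1'

# Constructed DNSFILTER listing: global filter = Router (queries go to dnsmasq
# at 192.168.1.1), one client pinned to OpenDNS 208.67.222.222 as in the thread.
DNSFILTER_SAMPLE='Chain DNSFILTER (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DNAT       all  --  *      *       192.168.1.50         0.0.0.0/0            to:208.67.222.222
2        0     0 DNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0            to:192.168.1.1'

ip2int() {            # dotted quad -> 32-bit integer
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_cidr() {           # in_cidr IP NET/BITS (or plain host) -> exit 0 on match
    case $2 in
        */*) net=${2%/*}; bits=${2#*/} ;;
        *)   net=$2;      bits=32 ;;
    esac
    [ "$bits" -eq 0 ] && return 0
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# first_match CLIENT LISTING: prints "to:<ip>" for the first DNAT rule matching
# the client, "return" for a RETURN rule, nothing if no rule matches.
first_match() {
    printf '%s\n' "$2" | while read -r num pkts bytes target prot opt inp out src dst extra; do
        case $num in ''|Chain|num) continue ;; esac   # skip headers/blank lines
        in_cidr "$1" "$src" || continue
        case $target in
            DNAT)   echo "to:${extra##*to:}"; exit 0 ;;   # exit leaves the pipeline subshell
            RETURN) echo return;               exit 0 ;;
        esac
    done
}

# dns_path CLIENT ROUTER_IP DNSVPN1_LISTING DNSFILTER_LISTING
# Assumed PREROUTING order: DNSVPN1 first, then DNSFILTER; anything not DNAT'd
# elsewhere (or DNAT'd to the router itself) ends at dnsmasq, where Diversion filters.
dns_path() {
    client=$1 router=$2
    hit=$(first_match "$client" "$3")
    [ -n "$hit" ] && [ "$hit" != return ] && { echo "vpn-dns ${hit#to:}"; return 0; }
    hit=$(first_match "$client" "$4")
    case $hit in
        "to:$router"|"") echo dnsmasq ;;
        to:*)            echo "dnsfilter ${hit#to:}" ;;
        *)               echo dnsmasq ;;
    esac
}

# Compare the Exclusive+Policy Rules case with an empty DNSVPN1 chain, which is
# the shape assumed for Relaxed/Strict/Disabled (no per-client DNAT).
for c in 192.168.1.50 192.168.1.77; do
    printf '%-14s exclusive+policy: %-28s relaxed: %s\n' "$c" \
        "$(dns_path "$c" 192.168.1.1 "$DNSVPN1_SAMPLE" "$DNSFILTER_SAMPLE")" \
        "$(dns_path "$c" 192.168.1.1 "" "$DNSFILTER_SAMPLE")"
done
```

A `vpn-dns ...` result for a client is the signature of the dnsmasq bypass described in the thread: that client's queries never reach the router, so Diversion cannot block anything for it and a DNSFilter entry for the same client is shadowed. A `dnsmasq` result means the query lands on the router and Diversion can filter it; `dnsfilter ...` means the DNSFilter rule won and the query goes to that upstream server directly.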

Thanks again. From your guidance, this is what I found:

* I ran the ipleak.net test and it showed one IP address that was not from my ISP and another which was very similar to the first (only aa and bb match from aa.bb.cc.dd from what I have blurred out). However, the geek details section is populated. Anyway, I think I am not leaking anything; please let me know if not. Again, this is with Asus VPN settings of Accept DNS Configuration = Exclusive and forcing all internet traffic through tunnel.

* I checked the Diversion dnsmasq log, and it is basically only showing traffic from one domain (dns.msftncsi.com). The uIDivFilterStats shows a marked drop in blocks the day I installed the VPN. When I temporarily turn off the VPN, I get way more traffic on this log from many more IP addresses. So, I do think Diversion is the issue.


Sorry, I am still spinning my wheels and getting lost on the DNS pieces since I am not sure what I want where. As much as you can spoon feed me what to put where from the screen shots, that would help. My questions are:

6) From the prior WAN screen shot, do I have this set up correctly? When you say I want the WAN DNS to be the default DNS for LAN clients, what do you recommend? Right now, I am using automatic assignment. Is that bad? Is Cloudflare (1.1.1.1) any better? What about Google (8.8.8.8)? If I am using OpenDNS for the DNSFilter exception rules, do I NOT want to put the OpenDNS servers here?

7). When I set up Diversion, I had to reserve one IP address on my local IP (192.xx.yy.zz) to send the ads to. Does that IP address need to appear somewhere now in these DNS settings (DNSFilter, WAN DNS, or somewhere else)?

8). Do I need to do anything with the CustomDNS server 1, 2, or 3 on the LAN/DNSFilter page? I am guessing this is where the OpenDNS 208.67.222.222 and 208.67.220.220 should go?

Thanks...

Thanks for your thoughts. I am sort of following what you are saying, but not completely. Can you please clarify:

1). "....have to set a custom dns to whatever dns your diversion uses in the app." I did have to set a DNS for Diversion to route all of the ads to. Where should I put this custom DNS? LAN/DNSFilter or WAN or somewhere else?

2). "put the router ip in the custom dns setting of the app on the Chromebook". I am not running the PIA app on the Chromebooks; I am using it on other Apple Devices (where Diversion is failing). Do you mean to set the router IP to be put somewhere else so it is not in the VPN?

3). What benefit would having "any random public server" (1.1.1.1, 8.8.8.8, etc) have instead of leaving it as automatic? How can this screw things up?

4). Is it possible to have VPN/OpenVPN Server and VPN/OpenVPN Client menus both configured at the same time on the Asus VPN screens? If so, should I insert any DNS to VPN/OpenVPN Server (it is off now).

Thanks...
1) In the app on the Chromebook you have pictured there.

2) You aren't? Isn't that what those pictures are of? Well, I'm confused; I only recognize it because I use PIA too, lol. Might be easier to do it that way though. That's what I do.

3) When set to automatic with a VPN client set up, on stock firmware for example, the router will sometimes mistakenly think you have no internet. It either kills my internet connection or tells me I'm not connected even though everything is working. I leave it off automatic on Merlin too, just in case of any other problems. Plus your ISP DNS is not safe IMO (bad redirects, tracking, ad inserts), and what ISP you have might be the factor.

4) I think so, but I have no experience with that; best to ask someone else.


To readdress your MACE question: I don't think it should have any ill effect other than possibly blocking a site you don't want blocked. I thought it was something that happens with PIA DNS servers before it even hits your router, but it is apparently just a browser plugin with the app.

Sorry for the slow update. For item #6, I changed the WAN DNS to Cloudflare, but there is no change in behavior. For #8, I saw in the Diversion specs that the LAN/DNSFilter should not be set, but it seems to have no effect.

Is the issue really #7 -- i.e., getting the dnsmasq server to not be skipped over putting the 192.xx.yy.zz address I set up for the "ad-blocker" setting in Diversion in the right DNS place? If not, then I'm lost on what to try next!