merlin issue dns leak


Mikeysnb

Hi guys, I have an AC3200 running Merlin 380.58 but I'm experiencing problems with policy-based routing.
I have IPVanish set up to run on the router, and while redirecting ALL traffic, if I test it via https://ipleak.net/
it works as expected. However, if I use policy-based routing it fails the DNS leak test. Is there a way to rectify this, or another workaround I could use in the meantime?
Regards, Mike
 
- CHANGED: if you set an OpenVPN client DNS mode to "Exclusive"
and you enable policy-based routing, then those policies
will also determine which DNS to use (the tunnel's or
the ISP's). This is based on DNSFilter's technology.
You no longer need to use DNSFilter to control
the DNS used by your OpenVPN clients.
 
Appreciate the help, but I didn't understand any of that, sorry.
In fact, I have just noticed that whenever I enable any policy-based routing I get an "error routing issue" for the VPN status.
 
Set your Client 1 setting to:
VPN => OpenVPN Client Settings => Advanced Settings => Accept DNS Configuration => set to "Exclusive"
See my signature.
 
That sort of worked. I can now use policy rules, and the clients that are set to VPN (my PC) work fine and don't leak DNS, but now the clients I've set to WAN don't get any internet connection. Any ideas?
 
Name 192.168.1.100 0.0.0.0 WAN in your Rules for routing client traffic through the tunnel.
 

Octopus, thank you very much for the tip. I had no idea my ISP was still visible via DNS, including my geolocation, scary. I applied this setting and re-checked, and now I have privacy. I'm using John's latest fork, which has an extra checkbox beside it: "Only VPN clients use VPN DNS**".
I left it unchecked and it works, but I want to try it checked to see what happens.
 
I don't know how it works in John's fork. That tip was for the RMerlin 380.58 build and Mikeysnb's question.
 
I'm still having trouble. Do I just click on the drop-down box, select my device and set it to WAN? That's what I have been doing, but it does not work. Also, every time I make any changes to the policy-based stuff I keep getting "Error routing conflict" until I change the VPN to a new server I've not used before; then it works fine, but I can no longer use the old server. Seems like a bug in the Merlin software.
 
Type "ip rule" in SSH and see if there are some strange rules.
 
Get into your router via SSH and type the following:
route delete ipaddress
Replace "ipaddress" with the IP of the server you are having the conflict with.
Then the error will disappear.

I suggest you don't use IP addresses; use the actual server name, like this in PIA:
ca-toronto.privateinternetaccess.com
You can turn it on and off if you have a routing conflict and it will refresh and give you a new IP.
Also, it's better not to use the IP of the server, because by using the address I mentioned the server will boot you out after 24 hours. This is a good thing, because you don't want to have a static IP address for VPN.
 
You have a routing conflict. I have noticed that as well. When you have 2 clients running on AES-128-CBC, for some reason it freaks out and leaks your DNS. Could be because the servers are using the same subnet, not sure. Never had that problem when I used Blowfish. I ran 2 clients all the time. Ever since I went to 128 encryption it doesn't apply the same way. Merlin says that the encryption has nothing to do with that, but in my experience running 2 VPN clients at the same time never gave me any routing conflict. If you run one client at a time you will not have that problem again.

From my experience you cannot run 2 clients in the background as with Blowfish; you have to enable and disable each client as you please. Unless the clients are from different ISPs, then you can have more than one client on at the same time.

The way I found to fix this is to power down the router and pull the plug. Boot it again and you should be fine.
You can now reconfigure the client that didn't work.
Just make sure that the policy rules' IP addresses are not the same as the other VPN client's.
Oh, and disable "connect on WAN" for the other client before the reboot.
This way, when the router starts there are no clients connected.
Fix up the old client, then start whichever one you want and put "connect on WAN" back for the client you want to be on by default.

With the new firmware, the DNS on policy-based routes resolves properly to the DNS of your VPN client.
I have the same problem where, if I go to a local ISP connection, it still shows the DNS of the VPN client.
I fix the local ISP real quick by using DNSFilter.
You can enter the DNS you want your device to use when connecting and it will work perfectly.
 
Thanks for the help, but I'm new to this "networking" and am finding this more than difficult. I don't even understand most of what you're saying.
Just to let you guys know, I have just restored to factory defaults and set up the VPN via https://www.ipvanish.com/vpn-setup/#tomato
Instead of setting it to Strict as per their suggestion, I set it to Exclusive as said here,
clicked on the drop-down box under the policy options and selected my PC to use the VPN,
and selected my phone to use WAN.
And once again I cannot connect to the internet on my phone, but my PC works fine.
Sorry to keep saying I don't understand, but I have never "messed" with a router before.
I'm afraid I don't know what SSH is, and the encryption is set to AES-256-CBC.
Thanks for trying to help me, guys.

PS: also, I have never typed the IP address of the VPN; I used the server name as you said. Also, I'm only using one VPN.
 
There are some notes on my implementation in the README. This was still pretty new, so I made it an option.
With that box unchecked, all your clients (both those policy-routed through the WAN and those through the VPN) use the VPN DNS servers: the old behavior. When you check the box, only the VPN clients will use the VPN DNS servers; the WAN clients will use whatever you have configured for DNS in the standard GUI setup.
 
Appreciate the help, guys, but I think I'm just going to go with dual routers. At least that way I have the option to switch between them on the fly. Cheers anyway.
 
You can only use two clients if you use different ports on both, e.g. 1194 and 1195.
IPVANISH
For OpenVPN, we allow connections via TCP or UDP on ports 443 or 1194. The IPVanish software uses port 443.
 
There is one of your problems. AES-256-CBC is the slowest of them all.
If you want that to work properly you need to add
"auth sha256" at the bottom where it says custom configuration, and port 1197.

Where it says Rules for routing client traffic through the tunnel,
you need to set the IP address of the device that you want to let through the VPN, Iface has to be VPN, and Destination IP 0.0.0.0.

The reason you are not getting internet is because of the AES-256:
it has to be on port 1197 with "auth sha256" in custom configuration.

This is very slow. What you need to do is get on AES-128-CBC, port 1196, and you will get the same results as from Tomato.

Don't give up so easily. You are new to this; you will make mistakes.
They are all correctable :)
 
One thing you have to understand about policy rules:
when you put an IP address in the Rules for routing client traffic through the tunnel area,
only those IP addresses will go to the VPN.
ALL OTHER IPS WILL GO TO LOCAL ISP!
So your phone, if it has a DHCP address and it's not one of the addresses you put in the policy rules, should automatically work with the local ISP.
You don't need to set the Iface to WAN for your phone.
Only put static IP addresses for the VPN.
This means you will have to manually enter these IP addresses on your devices.
Let's assume your router is set up as 192.168.1.1
and you want your PC to be on the VPN.
Change the IP address of your PC to 192.168.1.50, Subnet 255.255.255.0, Gateway 192.168.1.1, DNS 192.168.1.1.

Then put that IP address 192.168.1.50 in Rules for routing client traffic through the tunnel as the Source IP, with Destination IP 0.0.0.0 and Iface VPN.
Now click the Add button and then hit Apply.
Your PC that has 192.168.1.50 will be on the VPN and everything else connected will be on the local ISP.
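As an added illustration (not part of this thread or of the firmware), the POSIX shell script below shows how the policy rules explained above and the "Exclusive" DNS mode from the changelog fit together: it parses constructed samples of `ip rule show` output (the command suggested earlier for spotting strange rules) and of nat-table DNAT rules, reports which routing table and which DNS server each LAN host ends up with, and flags the leak case where a tunnelled host still resolves via the WAN. The table number 111, the rule priorities, the chain name DNSVPN1 and all addresses are assumptions, not values taken from the router.

```shell
#!/bin/sh
# Constructed sample of `ip rule show` output in the style of Merlin's
# policy routing (table number and priorities are assumptions): the PC at
# 192.168.1.50 is sent to the tunnel table, everything else falls through
# to "main", i.e. the ISP/WAN route.
SAMPLE_RULES='0:     from all lookup local
10101: from 192.168.1.50 lookup 111
32766: from all lookup main
32767: from all lookup default'

# Constructed sample of the nat-table redirection that "Exclusive" DNS mode
# relies on (chain name and resolver address are assumptions): port-53
# traffic from the tunnelled host is DNATed to the VPN's resolver.
SAMPLE_NAT='-A PREROUTING -p udp -m udp --dport 53 -j DNSVPN1
-A DNSVPN1 -s 192.168.1.50 -j DNAT --to-destination 10.8.0.1'

# Print the routing table a source IP is looked up in: the first rule, in
# priority order, whose "from" is the host or "all". The "local" table only
# holds the router's own addresses, so it is skipped for forwarded traffic.
table_for_src() {
    src=$1; rules=$2
    printf '%s\n' "$rules" | awk -v s="$src" '
        $2 == "from" && ($3 == s || $3 == "all") && $5 != "local" { print $5; exit }'
}

# Print the resolver a source IP's DNS queries are redirected to, or "wan"
# when no DNAT rule matches (queries then follow the router's normal DNS).
dns_for_src() {
    src=$1; nat=$2
    dst=$(printf '%s\n' "$nat" | awk -v s="$src" '
        /-j DNAT/ && index($0, "-s " s " ") { for (i = 1; i <= NF; i++)
            if ($i == "--to-destination") print $(i + 1) }')
    [ -n "$dst" ] && echo "$dst" || echo "wan"
}

# The leak described in the thread: a host routed through the tunnel (any
# table other than "main") whose DNS queries still leave via the WAN path.
leak_status() {
    src=$1; rules=$2; nat=$3
    t=$(table_for_src "$src" "$rules")
    d=$(dns_for_src "$src" "$nat")
    if [ "$t" != "main" ] && [ "$d" = "wan" ]; then echo "LEAK"; else echo "ok"; fi
}

for h in 192.168.1.50 192.168.1.100; do
    echo "$h table=$(table_for_src "$h" "$SAMPLE_RULES") \
dns=$(dns_for_src "$h" "$SAMPLE_NAT") $(leak_status "$h" "$SAMPLE_RULES" "$SAMPLE_NAT")"
done
```

On a real router the two samples would be replaced by the live output of `ip rule show` and `iptables -t nat -S`; a WAN-routed host showing "main" and "wan" is the expected, non-leaking result for a client that should stay on the ISP.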
 
Appreciate the help, but I have set up the 2 routers now, and I'm kind of glad I did. It's nice to be able to switch between the ISP and VPN so easily. Thanks for trying to help me :)
 
You don't need 2 routers to do that, but if it works for you, that's great :)
It can all be done with one router just the same :)
The instructions are simple. I would assume it would be harder to do it with 2 routers.
 