Merlin: VPN + PiHole/Adguard + YazFi - Avoiding DNS Leaks


RighteousPy

Occasional Visitor
This is a continuation of the thread here: https://www.snbforums.com/threads/i...uration-strict-and-diversion-yazfi-vpn.58031/ due to the new policy regarding six-month-old threads.

This is a thread to discuss Asus routers running Merlin, using the built-in VPN and potentially making use of an external PiHole/Adguard Home setup. The last thread and this thread are my ramblings about trying to combat DNS leaks caused by having some clients go via the VPN and some via my default ISP.

@Xentrk and others have kindly been helping with Strict, Exclusive, DNS Filtering and so forth.

Below is my response to the last message in the above thread (https://www.snbforums.com/threads/i...ict-and-diversion-yazfi-vpn.58031/post-627407):

I was pleased with the result of using DNSFilter and how it plays well with LAN clients assigned to route via the VPN Client or to bypass the VPN Client. I may set up some of my devices to use the setup. It may be my new recommendation.

The dnsmasq method of x3mRouting won't work when using Pi-Hole. The dnsmasq on the router is bypassed and the IPv4 addresses won't load. Caveat - try using WAN DNS for a few days to create the entries. Once the list is populated, you should be able to switch back to Pi-Hole and have it work. In theory, the other methods should work okay as dnsmasq is not required. Lists are loaded from other sources and iptables rules do the routing.

Once again @Xentrk I apologize for the delay in my response; exams started and I didn't want to take everything down. However I have some good news/need some confirmation that things are correct :)!

Using a combination of your [fantastic] advice, DNSFilter and PiHole I think we're on track. I've done a diagram below in the hopes it explains things haha.

[Image: NMap.jpg]


To explain things further, the following IP schema has been given:
  • Router = 192.168.1.1
  • RPi #1 = 192.168.1.2
  • RPi #2 = 192.168.1.3
  • PiHole (Unbound) = 192.168.1.4
  • PiHole (VPN) = 192.168.1.5
  • Unbound = 192.168.1.6
I've then gone and started my DHCP at 192.168.1.10 and statically assigned the above. I left their DNS servers (in the 'Manual Assigned IP' section). In the DNS Setting under DHCP Server I have it set to 192.168.1.5 (PiHole via VPN) as I want everything going via the VPN when not on the Guest Wifi.

In DNSFilter I have Global Filter Mode = Router. I also then have the following set to No Filtering:
  • PiHole (Unbound)
  • PiHole (VPN)
  • Unbound
  • RPi #1
  • RPi #2
YazFi is set up to force DNS to 192.168.1.4 (the PiHole via Unbound) as this is used for all my Guests who aren't on the VPN.

Now this is where I get confused: the upstream DNS on the PiHoles. They are currently set as:
  • PiHole (Unbound) = 192.168.1.6 (the Unbound IP)
  • PiHole (VPN) = VPN's IP
Then under my VPN Policy Rules (using Exclusive atm as I don't need dnsmasq yet):
  • All via VPN
  • RPi #2 via WAN
  • PiHole (Unbound) via WAN
  • Unbound via WAN
Currently I have NO DNS Leaks - YAY! And everything is 'protected' by PiHole (I think...).

My question is, do I have any loops in my network? With my 'No Filtering' above - does that mean everything is working? Should the Global Filter Mode be set to 192.168.1.5 instead of the Router? I read somewhere you wanted to have it as router and then have the PiHole point back to the Router but not sure if my step uses this?

Thanks again for all your help!
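The post above asks whether the DNSFilter, YazFi and Exclusive-mode settings overlap or loop. All three work by adding DNAT rules for destination port 53 to the router's nat table, so the practical check is to trace which rule catches a given client's query first. The script below is an added example, not code from the post or from Asuswrt-Merlin: it parses `iptables -t nat -S` style output and walks the PREROUTING path, following jumps into user chains, until a DNAT rule matches. The rule set embedded in it is constructed to resemble that layout (chain names modelled on Merlin's DNSFILTER and DNSVPN1 chains, 192.168.1.x addresses taken from the post, 10.8.0.1 standing in for the VPN provider's resolver, wl0.1 for a guest SSID); it is not a dump from anyone's router. On a real box, replace SAMPLE_RULES with the live output of `iptables -t nat -S`.

```python
"""Trace which nat/PREROUTING rule catches a LAN client's port-53 query.

Added example for this thread, not code from the post or from Asuswrt-Merlin.
SAMPLE_RULES is CONSTRUCTED to look like `iptables -t nat -S` output; it is not
captured from a real router. 10.8.0.1 is an assumed VPN-side resolver.
"""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_RULES = """
-P PREROUTING ACCEPT
-N DNSFILTER
-N DNSVPN1
-A PREROUTING -p udp -m udp --dport 53 -j DNSVPN1
-A PREROUTING -p tcp -m tcp --dport 53 -j DNSVPN1
-A PREROUTING -i br0 -p udp -m udp --dport 53 -j DNSFILTER
-A PREROUTING -i br0 -p tcp -m tcp --dport 53 -j DNSFILTER
-A PREROUTING -i wl0.1 -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.1.4
-A PREROUTING -i wl0.1 -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.168.1.4
-A DNSVPN1 -s 192.168.1.10/32 -j DNAT --to-destination 10.8.0.1
-A DNSVPN1 -s 192.168.1.11/32 -j DNAT --to-destination 10.8.0.1
-A DNSFILTER -s 192.168.1.2/32 -j RETURN
-A DNSFILTER -s 192.168.1.3/32 -j RETURN
-A DNSFILTER -s 192.168.1.4/32 -j RETURN
-A DNSFILTER -s 192.168.1.5/32 -j RETURN
-A DNSFILTER -s 192.168.1.6/32 -j RETURN
-A DNSFILTER -j DNAT --to-destination 192.168.1.1
"""


@dataclass
class Rule:
    chain: str
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    iif: Optional[str] = None
    target: str = ""
    to_dest: Optional[str] = None   # only set for -j DNAT


@dataclass
class Packet:
    src: str                        # LAN client sending the query
    dst: str = "192.168.1.5"        # resolver the client was handed by DHCP
    proto: str = "udp"
    dport: int = 53
    iif: str = "br0"                # br0 = main LAN bridge, wl0.1 = a guest SSID


def parse_rules(text: str) -> Dict[str, List[Rule]]:
    """Parse `iptables -S` style lines into {chain: [rules in table order]}."""
    chains: Dict[str, List[Rule]] = {}
    for line in text.strip().splitlines():
        toks = shlex.split(line)
        if not toks:
            continue
        if toks[0] in ("-P", "-N"):          # chain policy / chain declaration
            chains.setdefault(toks[1], [])
            continue
        if toks[0] != "-A":
            raise ValueError(f"unsupported line: {line}")
        rule, i = Rule(chain=toks[1]), 2
        while i < len(toks):
            opt, val = toks[i], toks[i + 1]
            if opt == "-s":
                rule.src = ipaddress.ip_network(val, strict=False)
            elif opt == "-d":
                rule.dst = ipaddress.ip_network(val, strict=False)
            elif opt == "-p":
                rule.proto = val
            elif opt == "--dport":
                rule.dport = int(val)
            elif opt == "-i":
                rule.iif = val
            elif opt == "-j":
                rule.target = val
            elif opt == "--to-destination":
                rule.to_dest = val
            elif opt != "-m":                # "-m udp"/"-m tcp" only loads a match module
                raise ValueError(f"unsupported option {opt!r} in: {line}")
            i += 2
        chains.setdefault(rule.chain, []).append(rule)
    return chains


def _matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.src is None or ipaddress.ip_address(pkt.src) in rule.src)
            and (rule.dst is None or ipaddress.ip_address(pkt.dst) in rule.dst)
            and (rule.proto is None or rule.proto == pkt.proto)
            and (rule.dport is None or rule.dport == pkt.dport)
            and (rule.iif is None or rule.iif == pkt.iif))


_FALLTHROUGH = object()   # chain ended (or RETURNed) without a verdict: caller continues


def _walk(chains, pkt, chain, depth):
    if depth > 16:
        raise RuntimeError("chain jumps nested too deep (loop?)")
    for rule in chains.get(chain, []):
        if not _matches(rule, pkt):
            continue
        if rule.target == "DNAT":
            return rule.to_dest               # first matching DNAT wins
        if rule.target == "RETURN":
            return _FALLTHROUGH
        if rule.target == "ACCEPT":
            return None                       # terminating verdict: packet left alone
        if rule.target in chains:             # user chain: recurse, continue if it fell through
            verdict = _walk(chains, pkt, rule.target, depth + 1)
            if verdict is not _FALLTHROUGH:
                return verdict
            continue
        raise ValueError(f"unsupported target {rule.target!r}")
    return _FALLTHROUGH


def dnat_target(chains: Dict[str, List[Rule]], pkt: Packet) -> Optional[str]:
    """Address the query is redirected to, or None if it reaches pkt.dst untouched."""
    verdict = _walk(chains, pkt, "PREROUTING", 0)
    return None if verdict is _FALLTHROUGH else verdict


def report(chains, packets: List[Packet]) -> Dict[str, str]:
    """Map each probe client to the resolver that actually answers it."""
    return {p.src: (dnat_target(chains, p) or f"{p.dst} (no rewrite)") for p in packets}


if __name__ == "__main__":
    table = parse_rules(SAMPLE_RULES)
    probes = [Packet("192.168.1.10"),                        # listed in DNSVPN1
              Packet("192.168.1.12"),                        # pool client not listed anywhere
              Packet("192.168.1.5", dst="10.8.0.1"),         # Pi-hole forwarding upstream
              Packet("192.168.1.3"),                         # RPi #2, "No Filtering"
              Packet("192.168.2.20", dst="8.8.8.8", iif="wl0.1")]  # guest with hard-coded DNS
    for src, answered_by in report(table, probes).items():
        print(f"{src:<14} -> {answered_by}")
```

Run with python3 and it prints, for each probe address, the resolver that actually answers it under the constructed rule set. A client that is redirected to 192.168.1.1 or to the VPN resolver rather than to the Pi-hole it was handed by DHCP is the case to look at; a resolver host itself (here 192.168.1.5 sending upstream queries) should come back as "no rewrite", otherwise its own upstream traffic is being turned back into the router and you have the loop the post is asking about.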
 
Looks like you've got things working well so far. Very interesting setup. At this point, I don't have a spare Raspberry Pi to test with. I found an Asuswrt Pi-Hole Setup thread on Reddit that may be a good place to ask. There is discussion on how to use the DNSFilter option to force clients to use an upstream Pi-Hole.
 
Hi,

I’ve been trying to find an answer to this to no avail, and I’ve tested it on my Asus AC86U (running Merlin 384.19 and manually configured with Express VPN OVPN client files) in multiple variations.

I have a Raspberry Pi 4 with Adguard Home installed and running correctly (I can access the web UI), it’s connected by ethernet to my router which has Express VPN (Open VPN files) manually configured and running all the time. I’ve followed the directions from GitHub to use the Pi’s static IP as the DNS my router uses. However, it keeps leaking the DNS of the Adguard server when I check for a leak. How do I prevent this? I don’t care about using Adguard on mobile outside of my home network, only when I’m at home on my WiFi.

I’ve tried multiple configurations from Reddit posts to other forums to no avail. Am I doing something wrong? Do I need to change something on the Pi or from the Adguard settings?

I’m really new to this and my configuration isn’t as complicated as yours, but thought you might have some tips. I guess my configuration would be something like: ISP modem > Asus router (VPN) > Raspberry Pi (Adguard Home) > all devices. How can I configure my router and Pi to prevent leaks?
 
Hey there, I'm newer to this than you are, so no sweat, haha, but I have a question for you regarding the Raspberry Pi in the workflow. Why is that unit needed in the workflow?

I'm looking at the Asus ac86u for a VPN router, so I can game anonymously. I want to plug it into my ISP's modem/router.

ISP modem > Asus router > Gaming Console

Will this work for me, or will I need any other equipment in the chain?

Sorry for the rookie Q!
 
Hi,

The Pi is for ad blocking, but it’s basically a credit card sized computer that can be used for a multitude of projects. I’m just using it to run ad blocking software for my network, but it can also be used as a server, VPN, etc.

I think the AC86U is actually a gaming router, so it might be perfect for your needs, although there are newer ones available as well. Asus routers can natively be configured to run a VPN, so I don’t think there will be any problems with your set up.
 
Thanks Daniel!! Very informative for a complete noob here, haha. I'm glad I ordered it then! I'm going to look into how to configure it before it arrives so I know what the heck I'm doing when it gets here! Cheers!!!
 
No worries, glad I could offer a little assistance for a fellow noob, haha!
 
AdGuard has DNS leaks. So does Quad9 DNSCrypt. Best to use the Quad9 DoH server in your DNSCrypt Pi-hole setup. When you do the leak test, the only thing you should see is the single IP designated by the VPN you are using. You should not see any resolvers.

I don't use Unbound or an anonymizer. I use policy routing on the Asus Merlin page, with Exclusive DNS and Strict policy routing. I don't use DNSFilter and I don't specify a router domain name or the Pi-hole IP in the DHCP settings, but I do manually put each IP I forwarded to WAN there and use the box to specify the DNS server and put the Pi-hole address there. For the VPN devices I set the Pi-hole with the dhcp-option DNS in the advanced config in the VPN settings. Put whatever you want in the WAN DNS settings, but make sure Automatic is not selected, and I would recommend not using your ISP's DNS.

I only use the VPN from the router for my non-Android and non-Windows IoT devices; for my Windows and Android devices I use the VPN app directly and manually set the Pi-hole as the DNS address within the app settings.

Use this guy's guide: https://www.derekseaman.com/2019/09/how-to-pi-hole-plus-dnscrypt-setup-on-raspberry-pi-4.html I also disable IPv6 system-wide on the Pi, on the devices, in the router and in the DNSCrypt config file. Only set the Pi to listen on IPv4 localhost. Use the IPv4 Quad9 DoH, no-log, filter, DNSSEC server.
 
Well, don't know what happened, but it started showing the Quad9 proxy again in a DNS leak test. No idea what changed; you might not consider that a DNS leak or you might. I do, lol. I made sure the Pi itself was using localhost as its DNS server in case that was the issue, but I guess that makes no sense. It's not showing any other proxies at least. At least you would have some protection against MITM.

I tried setting up OpenVPN on the Pi-hole and, no idea what I'm doing wrong, but I can't get it to connect. TLS error. I still feel like the Pi-hole is just a cool tech experiment. It doesn't really block many ads, especially not the ones you really want it to block, and it throws your privacy out the window... the whole idea of it blocking trackers and analytics, if nothing else, is pointless.
 