OpenVPN Client: Advanced settings

hw1380

Regular Contributor
Router: RT-AC68
Firmware: 380.58

I'm not sure what the best settings are in the advanced settings section of the OpenVPN client.
Currently these are my settings:

Accept DNS Configuration: disabled
-> Then the DNS servers which I have set in the WAN tab are being used.
-> Setting it to "Exclusive", a private 10.X IP address from my VPN provider is being used.
# In both cases I have no DNS leak, but what is recommended?

Verify server certificate: yes
What is recommended, yes or no?

Redirect Internet traffic: All traffic
What is recommended, "All traffic" or "No", and what are the implications?
 
Router: RT-AC68
Firmware: 380.58

> I'm not sure what the best settings are in the advanced settings section of the OpenVPN client.
> Currently these are my settings:
>
> Accept DNS Configuration: disabled
> -> Then the DNS servers which I have set in the WAN tab are being used.
> -> Setting it to "Exclusive", a private 10.X IP address from my VPN provider is being used.
> # In both cases I have no DNS leak, but what is recommended?

Use: Exclusive, then you don't have any DNS leaks from the VPN provider.

> Verify server certificate: yes
> What is recommended, yes or no?

No

> Redirect Internet traffic: All traffic
> What is recommended, "All traffic" or "No", and what are the implications?

Depends if you want all clients or only some being redirected.
 
> > Verify server certificate: yes
> > What is recommended, yes or no?
>
> No

I have heard that this could allow man-in-the-middle attacks?

> > Redirect Internet traffic: All traffic
> > What is recommended, "All traffic" or "No", and what are the implications?
>
> Depends if you want all clients or only some being redirected.

OK.
Setting this to "No", there is no option to select the clients which will not be redirected.
That's the reason why I was thinking of using the "Policy based" option.
I'd like to have only one client use the ISP and all others go through the VPN tunnel.
But I could not get it to work. I have added the following policy:
Source IP 192.168.1.5 Destination IP 0.0.0.0 Iface WAN

After that, all clients are using the ISP, and not only this particular IP.

This is essential because Amazon Instant Video uses geo-blocking like Netflix, and I'm not able to play videos on my Smart TV while connected to the VPN.
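Added example, not from the thread and not Asuswrt-Merlin's own code: a throwaway lab PKI built in POSIX sh with openssl that shows what "verify server certificate" adds over a plain "is it signed by my CA?" check, which is exactly the man-in-the-middle concern raised above. Without the purpose check, any certificate the VPN CA ever issued, including an ordinary client certificate, validates as the server. I assume the GUI switch is a front end to OpenVPN's `remote-cert-tls server`; the `openssl verify -purpose sslserver` call below enforces the same extendedKeyUsage requirement. All names and key material are generated on the fly and discarded.

```shell
#!/bin/sh
# Added example (not from the thread): chain-only verification vs.
# chain + server-purpose verification, using a disposable lab PKI.
set -e

PKI_DIR=$(mktemp -d)

# Minimal OpenSSL config with a CA section plus server- and client-purpose
# extension sections (assumption: a typical small OpenVPN PKI looks like this).
cat > "$PKI_DIR/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[v3_client]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF

# Self-signed lab CA (name is made up)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$PKI_DIR/pki.cnf" \
    -extensions v3_ca -subj "/CN=lab-vpn-ca" \
    -keyout "$PKI_DIR/ca.key" -out "$PKI_DIR/ca.crt" 2>/dev/null

# issue_cert NAME SECTION: key + CSR + CA-signed certificate carrying the
# extensions of SECTION, written to $PKI_DIR/NAME.crt
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -config "$PKI_DIR/pki.cnf" \
        -subj "/CN=$1" -keyout "$PKI_DIR/$1.key" -out "$PKI_DIR/$1.csr" 2>/dev/null
    openssl x509 -req -in "$PKI_DIR/$1.csr" -CA "$PKI_DIR/ca.crt" \
        -CAkey "$PKI_DIR/ca.key" -CAcreateserial -days 1 \
        -extfile "$PKI_DIR/pki.cnf" -extensions "$2" \
        -out "$PKI_DIR/$1.crt" 2>/dev/null
}

issue_cert vpn-server v3_server   # the real server certificate
issue_cert some-client v3_client  # an ordinary client certificate from the same CA

# chain_ok CERT: the question a client WITHOUT the purpose check asks
chain_ok() {
    openssl verify -CAfile "$PKI_DIR/ca.crt" "$1" >/dev/null 2>&1
}

# server_ok CERT: chain check plus "is this certificate allowed to be a server?"
server_ok() {
    openssl verify -purpose sslserver -CAfile "$PKI_DIR/ca.crt" "$1" >/dev/null 2>&1
}

# verdict CERT: one line with the outcome under both policies
verdict() {
    if chain_ok "$1"; then c=accepted; else c=rejected; fi
    if server_ok "$1"; then s=accepted; else s=rejected; fi
    echo "$(basename "$1"): chain-only=$c with-server-purpose=$s"
}

verdict "$PKI_DIR/vpn-server.crt"   # both accepted
verdict "$PKI_DIR/some-client.crt"  # chain-only accepted, server purpose rejected
```

The second verdict line is the point: a client certificate passes the chain-only check, so a holder of any client certificate issued by the same CA could pose as the server to a client that has verification switched off. The purpose check rejects it because its extendedKeyUsage does not include serverAuth.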
 
Set "Redirect Internet Traffic" to All traffic.
and client exceptions to: Source IP 192.168.1.5 Destination IP 0.0.0.0 Iface WAN
then only that IP goes to WAN
 
> Set "Redirect Internet Traffic" to All traffic.
> and client exceptions to: Source IP 192.168.1.5 Destination IP 0.0.0.0 Iface WAN
> then only that IP goes to WAN

If I choose redirect internet traffic to all traffic, I have no option for client exceptions.
I managed to exclude the IP by adding the following rules after choosing policy based:
Source IP 192.168.1.5 Destination IP 0.0.0.0 Iface WAN
Source IP 192.168.1.0/24 Destination IP 0.0.0.0 Iface VPN

Although I have set "Accept DNS configuration" to Exclusive, I have a DNS leak all of a sudden.
But this time I have tested on ipleak.net.
My IP and my WebRTC IP show the IP of the VPN, but both DNS servers are the IPs which I set in the WAN tab.
 
Are you sure your VPN provider pushes a DNS address?
When you test with ipleak.net, is it through the VPN tunnel?
Do you set any other DNS servers?
See if you have any DNS: cat /etc/openvpn/dns/client1.resolv
 
In /etc/openvpn/dns/client1.resolv: 10.10.55.1

Then you should see that and your VPN address on ipleak.net.
Hmm, 10.10.55.1 is a LAN net address, are you on double NAT?
 
> Then you should see that and your VPN address on ipleak.net.
> Hmm, 10.10.55.1 is a LAN net address, are you on double NAT?

No, I guess this is the NAT address from my VPN provider.

While checking the changelog of the releases later than mine, I found a fix:
Code:
380.59 (10-May-2016)
...
- FIXED: OpenVPN clients set to policy-based routing and Exclusive
            DNS mode were still adding the tunnel nameservers to
            dnsmasq, causing both routed and non-routed clients to use
            them.
....

Since 380.62 is still in beta, I will wait until the final version is released.
Does anybody know if I can just update from .58 to .62 (with a reset to factory defaults, of course)?
 
> While checking the changelog of the releases later than mine, I found a fix:
> Code:
> 380.59 (10-May-2016)
> ...
> - FIXED: OpenVPN clients set to policy-based routing and Exclusive
>             DNS mode were still adding the tunnel nameservers to
>             dnsmasq, causing both routed and non-routed clients to use
>             them.
> ....
> Since 380.62 is still in beta, I will wait until the final version is released.

Try to update to 380.59 or .61 and test. I'm sure 10.10.55.1 is a local LAN address.

Code:
Class  Private Networks  Subnet Mask  Address Range
A      10.0.0.0          255.0.0.0    10.0.0.0 - 10.255.255.255
 
Now I know where this 10.X IP address comes from: since two days ago my ISP has been providing NAT'ed 10.X addresses as the WAN address. Its IPv4 address pool has run out of free addresses.
After this change I have trouble resolving any hostname on the clients if I switch off the VPN.
If I switch on the VPN again, everything is fine.
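Added example, not from the thread: a small POSIX sh classifier that tells whether an IPv4 address is RFC 1918 private space, RFC 6598 carrier-grade NAT space (100.64.0.0/10), loopback or public. It goes slightly beyond the 10/8 row quoted above by covering all of the ranges an ISP may hand out when it NATs its customers, so a router can tell from its own WAN address that it sits behind a second NAT, which is the situation the last post describes. The sample addresses at the bottom are constructed; 10.10.55.1 is the tunnel DNS address from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): classify IPv4 addresses and detect a
# NATed WAN address. Pure POSIX sh arithmetic, no external tools.

# ip_to_int A.B.C.D: dotted quad -> 32-bit integer
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 * 16777216) + ($2 * 65536) + ($3 * 256) + $4 ))
}

# in_cidr ADDR NET/BITS: true if ADDR lies inside the prefix
in_cidr() {
    addr=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    bits=${2#*/}
    # mask with the top BITS bits set; 2^32 - 2^(32-bits) stays within 32 bits
    mask=$(( 4294967296 - (1 << (32 - bits)) ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# classify_ipv4 ADDR: prints private | cgnat | loopback | public
classify_ipv4() {
    if in_cidr "$1" 10.0.0.0/8 || in_cidr "$1" 172.16.0.0/12 || in_cidr "$1" 192.168.0.0/16; then
        echo private          # RFC 1918
    elif in_cidr "$1" 100.64.0.0/10; then
        echo cgnat            # RFC 6598 shared address space
    elif in_cidr "$1" 127.0.0.0/8; then
        echo loopback
    else
        echo public
    fi
}

# wan_behind_nat WAN_ADDR: true if the router's WAN address is itself
# non-public, i.e. the ISP translates as well and the router is double NATed
wan_behind_nat() {
    case $(classify_ipv4 "$1") in
        private|cgnat) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample values: the tunnel DNS address seen in the thread, a
# CGNAT-style WAN address, a documentation-range public address, a LAN client.
for a in 10.10.55.1 100.64.3.7 203.0.113.9 192.168.1.5; do
    echo "$a -> $(classify_ipv4 "$a")"
done
if wan_behind_nat 10.10.55.1; then
    echo "a WAN address like 10.10.55.1 means double NAT: the ISP is translating too"
fi
```

Practical use on the router: feed the WAN address from the WAN status page to `wan_behind_nat`; if it reports double NAT, a 10.x address showing up on the tunnel side can no longer be assumed to be "local", and port forwarding or inbound VPN access will not work without the ISP's cooperation.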
 
