OpenVPN DNS leaking

Does the answer lie in the VPN DNS settings (strict, exclusive, etc.)? Mine is set to strict.

Yes.

If you issue the following command (assuming you are using VPN Client 1), is the table empty?
Code:
iptables --line -t nat -nvL DNSVPN1

If you change the VPN Client setting 'Accept DNS Configuration=Exclusive' and restart the VPN Client, then repeat the command, you should see entries for the VPN-routed device(s) explicitly using the DNS of the VPN, e.g.:
Code:
iptables --line -t nat -nvL DNSVPN1

Chain DNSVPN1 (2 references)
num   pkts bytes target     prot opt in     out     source               destination               
1        0     0 DNAT       all  --  *      *       10.88.8.90           0.0.0.0/0            to:10.200.198.1
 
Is there a way to have the devices policy-routed through the VPN use the VPN's DNS server, and all other clients use the WAN-defined DNS, without fiddling around each time with DNSFilter?

Set DNS mode to "Exclusive" on your OpenVPN client configuration. It will basically automatically implement DNSFilter-based rules for you.
 
Thank you so much. Changing the VPN DNS option to Exclusive did the trick. Sorry, I should have tried this; I didn't because of an explanation of what Exclusive meant elsewhere on this forum.

All the best.
 
I recommend using DNSFilter for these. Force only the clients you want to be routed through the tunnel, to use the DNS servers normally provided by the tunnel provider.

Hello, sorry to reactivate something from 2 years ago, but I'm a bit of a noob and I want to confirm these are the correct steps:

Click "AiProtection" on the left menu
DNSFilter tab
set it to "ON"
put in the vpn's DNS servers here as custom (user defined) DNS 1 and custom (user defined) DNS 2.

To this list I add the devices that I selectively route through the VPN.

Under VPN client, set "Accept DNS Configuration" to strict.



I want to selectively route two devices through the VPN. It is working for the most part but I have a DNS leak. I want to set it up such that those two devices are routed through the VPN (OpenVPN) with no DNS leak, and my understanding is that the steps above are what I need to do. I would like all other devices (i.e. other than the two I mentioned) to use "normal internet" with no VPN.

Thanks!
 
I had tried this yesterday before I posted and the leak test failed. I tried the steps I posted again today and it worked (no dns leak, tested with the same site both days). The only conclusion I can come to with my highly limited knowledge of this stuff is that I must have inadvertently done something different than what I posted.
 
100% correct using the DNS filter on Asus

Go to AiProtection

Allow DNS filtering

Set Global filter mode to router

Set DNS to 8.8.8.8 for number one.
Set DNS to 8.8.8.4 for number 2

This is google DNS. You can use your favorite.

100 percent eliminates leakage.

For tunnel protection, set NAT to off. Do not use policy rules. If the tunnel fails, total internet is down. No VPN... also no regular internet. The most safe way.
 
Yes... DNS filtering is the most foolproof.
 
Exclusive mode works exactly like DNSFilter.
 
I am using "Accept DNS Configuration: Exclusive", but am seeing my ISP DNS at leak test sites when I create policy rules that include both the VPN and WAN interfaces.

Router config:
RT-AC86U w/fw 384.4_2
OpenVPN Client 1 (no other VPN clients)
- Accept DNS Configuration: Exclusive
- Redirect Internet traffic: Policy Rules (strict)
- Block routed clients if tunnel goes down: Yes
- Policy Rules...
Default External 192.168.50.0/24 0.0.0.0 VPN
Bank of America 192.168.50.0/24 171.161.202.100/32 WAN

Test Device:
Windows 10
ipconfig /all
- DNS Servers: 192.168.50.1

Going to dnsleaktest or ipleak reveals my ISP DNS.

If I remove the "Bank of America" policy rule and go to dnsleaktest or ipleak, I only see my VPN DNS.

Based on the info under the "DNS configuration" section here - https://github.com/RMerl/asuswrt-merlin/wiki/Policy-based-routing - I would expect all routes to use the VPN DNS. This is the desired behavior, but I am seeing the opposite. What am I missing?
 
I discuss this DNS leak issue when using policy rules in this blog post: https://x3mtek.com/torguard-openvpn-2-4-client-setup-for-asuswrt-merlin-firmware/. See the section "DNSmasq and OpenVPN DNS".
 
Thank you for the response, but I may be missing something. Were you recommending a fix for the DNS leak issue or were you simply highlighting the fact that the DNS leak exists?

Out of curiosity, you make some claims in your blog post that are a little unclear. You state that the router itself must be routed through the WAN iface in order to use policy rules. You also state that you must configure static IP addresses for devices that you want to route through the VPN tunnel. It doesn't seem like either of those things should be required?

I will try the dhcp-option to manually set the DNS servers and see if that solves the DNS leak issue. I am assuming that I have to include this option in every VPN client configuration if I created more than one?
 
I used the dhcp-option under custom configuration, but it didn't have any impact. I guess that makes sense since the dhcp-option is specific to the tunnel and the DNS leak is caused by the router using DNS outside of the tunnel. I also tried to set the VPN DNS servers under the router's LAN settings, but that didn't work either.

I see these messages in the system log:

May 6 21:37:08 openvpn-updown: Forcing 192.168.50.0/24 to use DNS server 103.86.96.100
May 6 21:37:08 openvpn-updown: Excluding 192.168.50.0/24 from forced DNS routing

I tried switching the order of the policy rules and it does switch the order in which the log messages are written, but does not change the result. I am going to try the DNSFilter tomorrow, but was hoping that the "Exclusive" setting would behave as described.
 
It is best practice to define static IP addresses for LAN clients if you use selective routing. If not, the IP addresses of the clients can change over time. That is the nature of dynamic DHCP assignments for LAN clients. If you define a long dynamic lease time, and the clients do not leave the network for an extended period of time, then the risk of the client obtaining a new IP assignment is reduced. But the risk still exists. For example, if you went on holiday for two weeks and the lease expired on your phone, there is a chance your phone would be assigned a different IP address by the router next time it connects.

The blog post link was to explain how DNS works when using the OpenVPN client on Asuswrt-Merlin and John's Fork. Unfortunately, I have no recommendation on how to fix the DNS leak issue when using Policy Rules on Asuswrt-Merlin. I have spent many hours trying to find a workaround with no luck. There are no known issues with DNS leaks when routing all traffic thru the tunnel and setting Accept DNS Configuration to Exclusive. On pfSense, I am able to route DNS thru the Unbound DNS Resolver and have all DNS queries use the VPN tunnel to fix this issue. It is something I have on my to-do list to try with Asuswrt-Merlin. It may cause another issue with AB-Solution though. But there may be some hacks to make it all work.

I run more than one OpenVPN client on the Asus router. I had routing issues unless I defined the router's IP address to use the WAN interface. I spent many hours testing this. If you only use one OpenVPN client, it may not be necessary. It has been several months since I tested though. I think there was a change a while back that eliminated the need for this. But when running more than one OpenVPN client, I had routing issues and things did not work unless I added the entry. I have custom scripts for selective routing and found I also need to include an iptables entry to default traffic to the WAN using the router's IP address. If you end up with a different result, please let me know and I will update the blog post.

I do include the dhcp-option DNS entry for each OpenVPN client since they are all configured to use Policy Rules.
 
Are you using Policy Rules so you can enable the option to block traffic egressing to the WAN if the tunnel goes down? It appears the 192.168.50.0/24 rule is sending all of your traffic to the VPN tunnel. In that case, you can ignore my instructions about placing the router's IP address in the table so it routes to the WAN and assigning static IP addresses to the clients.

My provider pushes their own DNS thru the tunnel. I see on the forums where other providers use public DNS servers.
 
@mferraro , the scope of this rule covers the router IP:
Code:
Default External 192.168.50.0/24 0.0.0.0 VPN
This could be messing up your config; try excluding the router IP from going over the tunnel.

I do have multiple VPN clients running in the same router (DNS Exclusive & Rules Strict) without any leaks, and the way it works for me is by simply using CIDR notation, for example:
Code:
Client 1: (DHCP Server)
DHCP 192.168.50.64/26 0.0.0.0 VPN

Client 2: (Manually assigned IPs in router)
CDIR2 192.168.50.128/26 0.0.0.0 VPN

Client 3: (Manually assigned IPs in router)
CDIR3 192.168.50.192/26 0.0.0.0 VPN

WAN: (Manually assigned IPs in router)
CDIR4 192.168.50.0/26 
These IPs go to WAN by default, they do not need a routing rule

In your case it should suffice to just use one range for your DHCP that misses the router IP, have the VPN client accept DNS Exclusive, and use a Strict Rule for the DHCP range you've set.

No leaks should be thereafter.
 
This is what I do to have foolproof no leaking.
STRICT
I use dns filtering
No redirect Internet !!!!
Turn off NAT
Google dns

If the tunnel fails... no NAT... no Internet. Dead tunnel. Dead internet.

DNS filtering with strict works 100 percent of the time. Why change when it works. And my ISP does not send me bot attack warnings like before when I used redirect traffic.
 
I did use DNS Filtering before strict rules were implemented in asuswrt-merlin, but I found the strict rules more friendly when it comes to routing traffic on my PC. Changing the IP address, using a batch file, will route to the tunnel client I want it to real fast. Doing that via DNS Filtering just wasn't practical.
 
What is different from my setup is I am using AB-Solution for adblocking which requires dnsmasq. DNS Filter is not compatible with ABS. The hack I describe in my blog post allows ABS to work over the VPN tunnel. But the downside is DNS leaks, which fortunately, never caused an issue for my use case.
 
I was having exactly the same issues and getting pretty frustrated, but fortunately I found a simple solution...

The setup:-

ASUS RT-AC86U router with Merlin Firmware 384.6
with WAN DNS servers set to Cloudflare (1.1.1.1 and 1.0.0.1) for testing purposes
and LAN DHCP turned off.

Windows 10 machine with the following manually assigned Ethernet adapter settings:-

IPv4 Address 10.4.0.2
Subnet Mask 255.255.255.240
Default Gateway 10.4.0.1
IPv4 DNS Server 1 10.4.0.1
IPv4 DNS Server 2 blank

OpenVPN Client Settings:-

NordVPN server address and port – 144.48.xx.xx
Accept DNS Configuration – Exclusive
Redirect Internet traffic - Policy Rules (strict)

Rules for routing client traffic through the tunnel

ntp Sydney 0.0.0.0 203.35.xx.xx WAN
ntp Melbourne 0.0.0.0 203.35.xx.xx WAN
All other traffic 10.4.0.0/28 0.0.0.0 VPN

This leaves most traffic going through the VPN and using the VPN provider’s DNS servers and any (non-client specific) traffic intended for the WAN able to do so without introducing a DNS Leak.

Now when I set the Ethernet adapter DNS server(s) to that of the router (10.4.0.1) or other DNS providers (9.9.9.9 or OpenDNS), the list of DNS servers returned on dnsleaktest.com is that of the VPN provider (NordVPN).

This is desired behavior for me but YMMV depending on your intended setup.

Conclusions from all of this:-
1) If you configure exceptions on a device by device basis to use the WAN interface, then that device will no longer be forced by the rule “Accept DNS Configuration – Exclusive” to use a specific VPN DNS but rather the default setting which is that of the WAN DNS. This is contrary to what the Wiki says that you linked to...

2) If you want a whole device to go through the WAN or the VPN then that is easily achieved but if you want some traffic from a device to go to the VPN and other traffic from the same device to go through the WAN then it seems that level of granularity is not able to prevent DNS leaks?
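The thread's findings (the DNAT entries in the nat DNSVPN1 chain, the "Forcing/Excluding" log lines, and the conclusion that a WAN rule for one destination un-forces DNS for its whole source range) can be reproduced with a small model. This is an added example written for this page, not Merlin's openvpn-updown script; the rule tables are constructed from the posts above, and the way exclusions are ordered ahead of DNAT entries is an assumption chosen to match the observation that rule order did not change the outcome.

```python
import ipaddress

# Constructed from the thread's log lines: the DNS the VPN pushes.
VPN_DNS = "103.86.96.100"
WAN_DNS = "WAN"   # marker: query leaves via the router's WAN resolver (ISP DNS shows at leak tests)


def build_dnsvpn_chain(policy_rules):
    """Model of the nat DNSVPN1 chain that 'Accept DNS Configuration: Exclusive'
    derives from the Policy Rules table (list of (desc, source, destination, iface)).

    Assumptions (a model, not the firmware's own code):
      * only the SOURCE column matters for DNS: the destination is ignored, so a
        single-destination WAN rule excludes the whole source range ("Excluding ...
        from forced DNS routing");
      * a destination-only rule (source 0.0.0.0) creates no DNS entry;
      * WAN exclusions (RETURN) sit ahead of the DNAT entries, so table order
        does not change the result, as observed in the thread.
    """
    excludes, forces = [], []
    for _desc, src, _dst, iface in policy_rules:
        if src in ("", "0.0.0.0"):
            continue
        net = ipaddress.ip_network(src, strict=False)   # "a.b.c.d" becomes a /32
        if iface.upper() == "WAN":
            excludes.append((net, "RETURN"))
        else:
            forces.append((net, "DNAT"))
    return excludes + forces


def effective_dns(chain, client_ip):
    """Walk the chain as iptables would: the first entry whose source matches wins."""
    ip = ipaddress.ip_address(client_ip)
    for net, target in chain:
        if ip in net:
            return VPN_DNS if target == "DNAT" else WAN_DNS
    return WAN_DNS   # no DNAT hit: the query goes to dnsmasq and out the WAN


# Constructed rule tables taken from the posts in this thread.
LEAKING_RULES = [
    ("Default External", "192.168.50.0/24", "0.0.0.0", "VPN"),
    ("Bank of America", "192.168.50.0/24", "171.161.202.100/32", "WAN"),
]
SPLIT_RANGE_RULES = [   # DHCP clients in one /26; router IP (192.168.50.1) lies outside it
    ("DHCP", "192.168.50.64/26", "0.0.0.0", "VPN"),
]
DEST_ONLY_WAN_RULES = [   # final post: destination-only WAN rules do not un-force DNS
    ("ntp Sydney", "0.0.0.0", "203.35.0.1", "WAN"),   # placeholder for the post's 203.35.xx.xx
    ("All other traffic", "10.4.0.0/28", "0.0.0.0", "VPN"),
]

if __name__ == "__main__":
    for name, rules, ip in [("leaking", LEAKING_RULES, "192.168.50.10"),
                            ("split range", SPLIT_RANGE_RULES, "192.168.50.70"),
                            ("dest-only WAN", DEST_ONLY_WAN_RULES, "10.4.0.2")]:
        print(f"{name:14s} {ip:15s} -> {effective_dns(build_dnsvpn_chain(rules), ip)}")
```

Run it to see the first table send the client's DNS to the WAN, and the two alternative tables keep it on the VPN resolver.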
 

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top