OpenVPN domain based DNS routing with DNSFilter On


sputnikk

Occasional Visitor
Hi all,

I have an always on VPN tunnel to work, over which I'm exposing Active Directory for domain traffic for external laptops. This works fine with OpenVPN clients direct on the laptop.

Ported to Merlin, this also works fine. Routing, DNS, AD, etc. is provided to all my local LAN clients over the split-tunnel VPN, just like when the laptops ran their own OpenVPN client.

EXCEPT, if I want to also provide DNS filtering services to my clients who get their internet locally (NOT through VPN), even if I set "DNSFilter" to Router mode - the DNS Hijacking being performed prevents my laptop clients from reaching out to the domain controllers for my internal DNS.

I've done some googling, I have the following in my OpenVPN config:

resolv-retry 20
keepalive 10 60
mute-replay-warnings
ns-cert-type server
max-routes 500
explicit-exit-notify 1
cipher AES-128-CBC
#DNS
dhcp-option DOMAIN mysecret.domain
dhcp-option DNS 192.168.x.112
dhcp-option DNS 192.168.y.181

#required when in dual wan mode
local wan0


I also see it's taking effect as this file is created:

admin@RT-AX56U-AFA0:/tmp/etc/openvpn/client1# cat client.resolv
server=192.168.1.112
server=/my.secret.domain/192.168.x.112
server=192.168.0.181
server=/my.secret.domain/192.168.y.181


No, my local LAN hanging off the ASUS does not overlap (192.168.23.x). The only way my 23.x local clients are able to nslookup against 192.168.1.112 or 192.168.0.181 is if I toggle the "DNSFilter" option completely OFF in Merlin UI.
 
Solved: I forgot to put "Accept DNS Configuration" into "Exclusive" mode. Once doing so and respinning the VPN configuration quoted above + ENABLING Dns filtering (using Quad9 as an example but I'll be using Diversion and setting this to Router mode soon) - split DNS tunnelling for mysecret.domain is working.


Ugh. That's twice in a week with a self answer but at least I'm coming back to say so.


P.S. This + Dual WAN load balancing coupled with Wifi 6 has made me fall in love with this router. Awesome job Asus.
 
Update:

I got a USB flash drive now to install Diversion on and after noticing that dnsmasq.log wasn't catching any traffic, I realized my "Exclusive" VPN configuration was forcing all my local WiFi clients to use the split-tunnel VPN DNS server for ALL DNS traffic (despite the fact they are getting their internet locally).

I'm lost now as to how to make the ASUS split its DNS queries for domains defined in openvpn :(
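As an added illustration (not part of the original post, and not Merlin's or dnsmasq's own code), the script below parses forwarder lines in the format of the client.resolv file quoted above and applies dnsmasq's documented rule for them: a query whose name falls under a server=/domain/IP entry is sent only to that entry's servers (the most specific matching domain wins), while every other name goes to the bare server=IP entries. The sample rule set is constructed from the addresses shown in the thread with the literal placeholder domain my.secret.domain; how Merlin's "Exclusive" setting applies the file to the router's dnsmasq is not modelled, only which upstream each name would select under a given list of rules.

```python
"""Which upstream would dnsmasq-style forwarder rules pick for a query name?

Added example. Parses "server=IP" and "server=/domain/IP" lines (the format of
the client.resolv file quoted in the thread) and reports the upstream list a
name would be forwarded to. Sample rules below are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# server=IP            -> default upstream for names without a domain-specific rule
# server=/domain/IP    -> upstream used only for <domain> and its subdomains
SERVER_LINE = re.compile(
    r"^server=(?:/(?P<domain>[^/]+)/)?(?P<addr>[0-9.]+|[0-9a-fA-F:]+)$"
)

# Constructed sample in the thread's file format (placeholder domain, RFC 1918 addresses).
SAMPLE_RESOLV = """\
server=192.168.1.112
server=/my.secret.domain/192.168.1.112
server=192.168.0.181
server=/my.secret.domain/192.168.0.181
"""


@dataclass
class ForwarderTable:
    default: list[str] = field(default_factory=list)          # bare server= entries
    by_domain: dict[str, list[str]] = field(default_factory=dict)  # domain -> servers


def parse_resolv(text: str) -> ForwarderTable:
    """Parse server= lines; blank lines and # comments are ignored."""
    table = ForwarderTable()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SERVER_LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised line: {line!r}")
        domain, addr = m.group("domain"), m.group("addr")
        if domain is None:
            table.default.append(addr)
        else:
            key = domain.lower().rstrip(".")
            table.by_domain.setdefault(key, []).append(addr)
    return table


def upstreams_for(table: ForwarderTable, qname: str) -> list[str]:
    """Return the servers a query for qname would be forwarded to.

    dnsmasq matches the longest (most specific) configured domain suffix; a
    name with no matching domain rule uses the default upstreams. An empty
    list means nothing in this file claims the name, so it would fall through
    to whatever other upstreams dnsmasq has configured (e.g. the WAN resolvers).
    """
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in table.by_domain:
            return list(table.by_domain[candidate])
    return list(table.default)


def without_defaults(table: ForwarderTable) -> ForwarderTable:
    """Copy of the table keeping only the domain-scoped rules (true split DNS)."""
    return ForwarderTable(default=[], by_domain={k: list(v) for k, v in table.by_domain.items()})


def main() -> None:
    names = ["dc01.my.secret.domain", "my.secret.domain", "www.example.com"]
    full = parse_resolv(SAMPLE_RESOLV)
    split_only = without_defaults(full)
    print("rules as quoted (bare server= lines present):")
    for n in names:
        print(f"  {n:28} -> {upstreams_for(full, n) or '(falls through)'}")
    print("domain-scoped rules only:")
    for n in names:
        print(f"  {n:28} -> {upstreams_for(split_only, n) or '(falls through)'}")


if __name__ == "__main__":
    main()
```

Running it shows that with the bare server= lines present every name, including www.example.com, is handed to the two VPN-side resolvers, whereas with only the server=/my.secret.domain/ lines the internal domain still reaches them and everything else falls through to the router's other upstreams. That is the difference a defender would check for (in dnsmasq.log or with a few nslookup calls from a LAN client) when verifying that only the private zone crosses the tunnel.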
 