Policy-based routing for VPN - how to handle DNS?

Shasarak

Regular Contributor
I'm using an RT-AC86U with Asuswrt-Merlin version 384.6; I'm experimenting with routing a specific device through the router's VPN connection while all others go to the WAN.

Initially I added a rule for the device's IP address, destination address 0.0.0.0, with iFace set to VPN. With the VPN connected, the device in question then couldn't access web pages.

After tearing my hair out for a bit, I finally figured out why - the router was sending the device's DNS requests to the VPN connection, which (not surprisingly) wasn't forwarding them.

I added two new rules, specifying "WAN" for the IP addresses of the device's DNS servers, and everything now works; but I'm pretty sure this isn't the right way to do it! Is there a way to configure either the device or the router so that I only need a single routing rule instead of 3? (For example, could the device use the router itself as a DNS server, and the router relay the DNS request to its servers?)
 

Maybe these posts can help
[Release] Asuswrt-Merlin 384.6 is now available

[Release] Asuswrt-Merlin 384.6 is now available

edit: I use DNS Strict mode in the VPN client settings; I entered my DNS servers under LAN/DHCP-Server DNS1 & DNS2.
(Don't use DNS servers under LAN/DHCP-server anymore since I use DNScrypt-proxy)
 
I still haven't got this working completely to my satisfaction.

I've got "Redirect Internet traffic" set to "Policy Rules (strict)" and initially had "Accept DNS Configuration" set to "Exclusive" - that, if I understand correctly, means that it should use the VPN's DNS servers for clients that are being routed via the VPN, and the regular WAN DNS servers for the others.

There was actually an issue with the OpenVPN config setting the VPN DNS servers correctly, but that's now been resolved.

There was also a possible issue with my DHCP settings, which were passing hard-coded DNS addresses (1.1.1.1 and 1.0.0.1) to the client. I've removed those, and the router now passes its own IP address as both gateway and DNS server. I reset the client device - but still no joy: with all devices being routed through the VPN (no policy) it works fine, but with just one (via a policy) all of the client's DNS requests fail. Going back to my previous configuration (route DNS requests via WAN rather than VPN) isn't really a viable option in the long-term as it means I'm getting DNS leaks.

In the end I took Zastoff's advice and changed "Accept DNS Configuration" to "Strict", and that does seem to work - I can now route a device to the VPN with a single policy, and its DNS requests (with the router as its DNS server) now succeed; but it still doesn't feel quite right because (again, if I understand correctly) clients that are not being routed via the VPN are now using the VPN DNS servers instead of the standard WAN ones.
 

Accept DNS Configuration: Exclusive should work also.
Try setting Redirect Internet traffic to: Policy Rules (not strict) and check your WAN clients.
On the WAN page, do you have "Connect to DNS Server automatically" set to YES?

Another option is LAN/DNS filter: there you can add clients to use whatever DNS servers you want (should not be needed).

Your WAN clients should use your ISP's DNS servers (or the DNS server you set there) and VPN clients should use your VPN provider's DNS.

You can add DNS servers in Custom Configuration on the VPN client page if you want to try that:
Code:
dhcp-option DNS x.x.x.x
push "dhcp-option DNS x.x.x.x"
(Have not tried that myself, so only if you feel the need to try that option)

https://github.com/RMerl/asuswrt-merlin/wiki/Policy-based-routing

(I use Accept DNS Configuration: Strict so Diversion will work on my VPN clients, but I get no DNS leaks with that setting)
 
"Accept DNS Configuration: Strict" doesn't give me DNS leaks; the issue there is that (I think!) clients which are not being routed through the VPN still have to use the VPN DNS server. Otherwise, it's okay.

For "Accept DNS Configuration: Exclusive", with a client that is being routed through the VPN by policy, there are two possibilities: if DHCP tells it to use the router as its DNS server, the client's DNS requests don't work at all; if DHCP directly supplies it with DNS server addresses, its requests work, but I have a DNS leak, and I need three policies instead of one (because the DNS requests have to go via the WAN).

I do not have "Connect to DNS Server automatically" set to Yes on the WAN page because, for some reason, setting that causes the router to unpredictably drop its internet connection. Using 1.1.1.1 and 1.0.0.1 as the router's DNS servers fixes that problem. (God knows why).

I don't really want to assign DNS servers to each client individually - what I want is for clients that go via the WAN to use the standard WAN DNS, and clients that go via the VPN to use the VPN DNS. I don't understand why setting "Accept DNS Configuration: Exclusive" doesn't do that! It's supposed to.

At the moment there are "dhcp-option DNS" lines in the VPN options, but referencing the VPN DNS, not the WAN DNS. There isn't a corresponding "push" line. I must confess I'm not really clear what either of those does - it's part of the config my VPN provider recommends, so I left it in there.
 
For "Accept DNS Configuration: Exclusive", with a client that is being routed through the VPN by policy, there are two possibilities: if DHCP tells it to use the router as its DNS server, the client's DNS requests don't work at all; if DHCP directly supplies it with DNS server addresses, its requests work, but I have a DNS leak, and I need three policies instead of one (because the DNS requests have to go via the WAN)

Using 'Accept DNS Configuration=EXCLUSIVE' you can investigate which DNS server is to be used by the VPN clients; issue:
Code:
iptables --line -t nat -nvL DNSVPN1 2>/dev/null
iptables --line -t nat -nvL DNSVPN2 2>/dev/null
iptables --line -t nat -nvL DNSVPN3 2>/dev/null
iptables --line -t nat -nvL DNSVPN4 2>/dev/null
iptables --line -t nat -nvL DNSVPN5 2>/dev/null
iptables --line -t nat -nvL DNSVPN9 2>/dev/null
I suggest you then (temporarily) remove the 'dhcp-option DNS' directive from the Custom configuration, restart the VPN Client, then reissue the display command.

Sadly I personally found that EXCLUSIVE requires the use of the 'dhcp-option DNS' directive as suggested by my VPN provider.... see Routing with multiple OpenVPN clients running

Code:
# These are my pseudo DNS config commands (see openvpnclientX.postconf)
#dns=opendns
#dns=opennic
#dns=dyn
#dns=comodo
dns=torguard
#dns=quad9
#dns=dns.watch
#dns=uncensoreddns
#dns=anycast
#dns=newyork
#dns=randomus
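
As an added illustration (not part of the thread and not Asuswrt-Merlin's own code): a small POSIX shell script that parses the kind of listing the iptables DNSVPN chain commands above print and reports which DNS server each policy-routed client is being DNAT'd to, which is the quickest way to see whether a client's port-53 traffic is really being forced to the tunnel's resolver. The chain listing is a constructed sample in the iptables -nvL --line-numbers column layout; the client and resolver addresses in it are made up.

```shell
#!/bin/sh
# Constructed sample of what `iptables --line -t nat -nvL DNSVPN1` prints on an
# Asuswrt-Merlin router whose VPN client is in "Exclusive" DNS mode. Addresses
# are made up; the column layout is the usual iptables -nvL --line-numbers one.
SAMPLE_DNSVPN1='Chain DNSVPN1 (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DNAT       all  --  *      *       192.168.1.50         0.0.0.0/0            to:10.8.0.1
2        0     0 DNAT       all  --  *      *       192.168.1.51         0.0.0.0/0            to:10.8.0.1
'

# dns_mapping CHAIN_LISTING
# Prints "source -> resolver" for every DNAT rule in a DNSVPN chain listing,
# i.e. which DNS server the router forces each policy-routed client to use.
dns_mapping() {
    printf '%s\n' "$1" | awk '
        $4 == "DNAT" {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^to:/) { sub(/^to:/, "", $i); print $9, "->", $i }
        }'
}

# dns_for_client CHAIN_LISTING CLIENT_IP
# Prints the resolver a client is redirected to, or "none" when the chain has
# no rule for it (its queries then follow the LAN/DHCP DNS settings instead).
dns_for_client() {
    r=$(dns_mapping "$1" | awk -v ip="$2" '$1 == ip { print $3; exit }')
    if [ -n "$r" ]; then
        printf '%s\n' "$r"
    else
        printf 'none\n'
    fi
}

dns_mapping "$SAMPLE_DNSVPN1"
dns_for_client "$SAMPLE_DNSVPN1" 192.168.1.50
dns_for_client "$SAMPLE_DNSVPN1" 192.168.1.99
```

On a real router you would feed the script the live output (for example `dns_mapping "$(iptables --line -t nat -nvL DNSVPN1)"`) and compare the result with the resolver you expect for each client; a client that is missing from every DNSVPN chain is one whose DNS has not been captured by the tunnel at all.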
 
Sorry, I'm a little out of my depth, here. :) What do you mean by "issue"? Are those commands to be entered at the prompt in an SSH session with the router?
 
I don't really want to assign DNS servers to each client individually - what I want is for clients that are go via the WAN to use the standard WAN DNS, and clients that go via the VPN to use the VPN DNS.

Very interesting topic, as I ran into similar DNS issues since I replaced my n66u with an ac86u and want exactly this!

I also have a permanent VPN tunnel on the router and defined some exclusions that are directly routed to the WAN. One of these exclusions is my Synology, as I want to have its apps/web services available from the outside. The problem that occurred is that the Synology lost its *outbound* connections because it cannot resolve anymore. Inbound is still possible with a domain name attached to my WAN IP, but not with the DDNS of Synology (i.e. xyz.synology.me).

I installed Diversion/Pixelserv/Skynet last week, and the problem seemed to start after that. However, I did disable these temporarily on the router but the Synology is still unable to resolve DNS requests.

What I tried more:
* restarting (router as well as Syno many times)
* manual DNS at Synology
* Change "Accept DNS Configuration" from 'strict' to 'exclusive' (and back)
* Manually configured DNS in LAN section of router.

Did you find a solution to force a client (i.e. Syno) to use the WAN DNS, specified on the router?
 
Did you find a solution to force a client (i.e. Syno) to use the WAN DNS, specified on the router?
No, I gave up in the end. I found that the latency involved using 1.1.1.1 and 1.0.0.1 DNS servers is only fractionally more than using my ISP's servers, so I just use them for everything now. I'm not sure how secure that actually is....
 

Thanks for the quick reply! In my situation the Syno can't resolve at all. No manually configured DNS and no automatically assigned DNS of my ISP.

Syno is configured to get its IP(fixed)/gateway/DNS by DHCP of the router.
 
Well, for what it's worth, here are my settings:

WAN
Connect to DNS Server automatically: No
DNS Server1: 1.1.1.1
DNS Server2: 1.0.0.1

LAN / DHCP Server
DNS Server 1: Blank
DNS Server 2: Blank
Advertise router's IP in addition to user-specified DNS: Yes
Forward local domain queries to upstream DNS: No

VPN / VPN Client
Accept DNS Configuration: Strict
Custom Configuration: remove all references to DNS.

This seems to work okay, although I'm not sure if DNS is leaking or not. (If not, at least it isn't my ISP's DNS that's leaking).

This does sometimes go a bit peculiar when turning the VPN off.
 
Want to give it another try? This configuration works very well on 2 VPN clients, no DNS leaks:
VPN1:
- Accept DNS Configuration: Exclusive
- Policy Rules (Strict)
- The first rule must direct the router IP to the WAN
- Other rules for IPs going to VPN
VPN2:
- Accept DNS Configuration: Disable
- Policy Rules (Strict)
- Rules for IPs going to VPN
- Use 'dhcp-option dns xxx.xxx.xxx.xxx' in VPN custom configuration

You probably only need to reproduce the configuration for VPN1.
 
Ahhhhh… I see what's been going wrong! o_O

I think a lot of the problems I've been having are actually to do with the "Block routed clients if tunnel goes down" setting. If you have a VPN set up using policy-based routing, and a policy routing a particular source IP through the VPN, then the kill-switch kicks in and blocks the device even if the VPN is turned off manually. I hadn't realised that.

(And that's annoying. I might want to have a UK VPN server and a US VPN server set up, activate only one at a time, and route only one source IP to the VPN server - the same source in both cases. This isn't possible at the moment, because the VPN that's turned off kill-switches the source, even if the other VPN is connected.)

So long as "Block routed clients if tunnel goes down" is set to No, it all works - and with no DNS leak.

Settings:

LAN / DHCP Server
DNS Server 1: Blank
DNS Server 2: Blank
Advertise router's IP in addition to user-specified DNS: Yes
Forward local domain queries to upstream DNS: No

VPN / VPN Client
Accept DNS Configuration: Exclusive
Redirect Internet traffic: Policy Rules (strict)
Custom Configuration: remove all references to DNS

and then simply add one rule routing any given source IP through the VPN. (It isn't necessary to add a rule pushing the router's IP address across the WAN unless there's also a rule pushing everything through the VPN unless otherwise specified).
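
As an added illustration, not code from the thread or from Asuswrt-Merlin: a first-match evaluator for a policy-rules table, run over the rule sets this thread goes through (the single catch-all rule for one device, the extra WAN rules for that device's DNS servers, and a router-IP-to-WAN rule placed in front of an everything-to-VPN rule). It shows why the device's DNS queries went into the tunnel in the first attempt, why the order of the workaround rules matters, and why the router's own upstream lookups need a WAN rule only when a catch-all rule exists. Matching is simplified to an exact IP or 0.0.0.0 meaning any (no CIDR), unmatched traffic is sent to the WAN, all addresses are made-up sample values, and strict top-to-bottom evaluation of the table is assumed here.

```shell
#!/bin/sh
# Added example, not Asuswrt-Merlin code. Models the "Policy Rules" table as
# first-match "src dst iface" lines: 0.0.0.0 means any (assumption: exact IP
# or 0.0.0.0 only, no CIDR); traffic matching no rule takes the WAN.
# All addresses below are constructed sample values.

# route_for RULES SRC DST -> iface of the first matching rule, else WAN
route_for() {
    printf '%s\n' "$1" | awk -v src="$2" -v dst="$3" '
        NF == 3 && ($1 == "0.0.0.0" || $1 == src) && ($2 == "0.0.0.0" || $2 == dst) {
            print $3; found = 1; exit
        }
        END { if (!found) print "WAN" }'
}

ROUTER=192.168.1.1     # the router itself (source of its own upstream DNS queries)
DEVICE=192.168.1.50    # the one client that should use the tunnel
DNS1=1.1.1.1           # public resolver handed to the client by DHCP at first
WEB=93.184.216.34      # some public web server

# 1) First attempt: one catch-all rule for the device. Its DNS queries to
#    1.1.1.1 are pushed into the tunnel as well, so name resolution fails.
RULES_ONE='192.168.1.50 0.0.0.0 VPN'

# 2) The workaround: explicit WAN rules for the DNS servers, listed BEFORE
#    the catch-all. DNS now leaves via the WAN (working, but a DNS leak).
RULES_DNS_WAN='192.168.1.50 1.1.1.1 WAN
192.168.1.50 1.0.0.1 WAN
192.168.1.50 0.0.0.0 VPN'

# 3) Same three rules with the catch-all first: the WAN rules never match.
RULES_DNS_WAN_WRONG_ORDER='192.168.1.50 0.0.0.0 VPN
192.168.1.50 1.1.1.1 WAN
192.168.1.50 1.0.0.1 WAN'

# 4) Everything through the tunnel, with the router's own IP sent to the WAN
#    first so the router's upstream DNS lookups are not swallowed by it.
RULES_ALL_VPN='192.168.1.1 0.0.0.0 WAN
0.0.0.0 0.0.0.0 VPN'

for name in RULES_ONE RULES_DNS_WAN RULES_DNS_WAN_WRONG_ORDER RULES_ALL_VPN; do
    eval "rules=\$$name"
    printf '%-26s device->DNS %-4s device->web %-4s router->DNS %s\n' "$name" \
        "$(route_for "$rules" "$DEVICE" "$DNS1")" \
        "$(route_for "$rules" "$DEVICE" "$WEB")" \
        "$(route_for "$rules" "$ROUTER" "$DNS1")"
done
```

With the router itself handed out as the client's resolver, the client's queries go to 192.168.1.1 and never reach the policy table; it is then the router->DNS column that decides whether upstream lookups take the WAN or the tunnel, which is the case the router-IP rule in set 4 covers.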
 
I might want to have a UK VPN server and a US VPN server set up, activate only one at a time, and route only one source IP to the VPN server - the same source in both cases.

This isn't possible at the moment, because the VPN that's turned off kill-switches the source, even if the other VPN is connected.)

Yes it is. ;)

see Multiple VPNs - need advice on how to use KILL switch for the solution.
 
There is no solution in that thread.

There is a possible solution here - I will give that a try at some point. The suggestion there is that because the VPN connections are considered in numeric sequence, the kill-switching will work so long as only the last one is set to kill-switch.

But there are (probably rare) situations where that wouldn't work. For example, suppose you have three VPN connections (1, 2 and 3) and two devices (A and B). A uses either connection 1 or connection 2, and B uses either 2 or 3. Both devices need kill-switching.

In that case connection 2 has to have the kill-switch option turned on to kill-switch A properly, but it also has to have the option turned off to allow device B to use connection 3.

The way this really ought to work (IMO) is that there should be a difference between "VPN connection dropped" and "VPN connection deliberately turned off", with an option to apply kill-switching only in the former case.
 
There is no solution in that thread.
Err, yes there is :rolleyes: ... actually it is the same solution (that I posted) in your reference below:
There is a possible solution here

The suggestion there is that because the VPN connections are considered in numeric sequence, the kill-switching will work so long as only the last one is set to kill-switch.
There is no suggestion, it is a fact for the use-case described by the OP.
But there are (probably rare) situations where that wouldn't work. For example, suppose you have three VPN connections (1, 2 and 3) and two devices (A and B). A uses either connection 1 or connection 2, and B uses either 2 or 3. Both devices need kill-switching.
It is trivial to achieve a solution for your hypothetical/rare scenario but it requires the use of scripting.
The way this really ought to work (IMO) is that there should be a difference between "VPN connection dropped" and "VPN connection deliberately turned off", with an option to apply kill-switching only in the former case.

Submit a formal bug report/enhancement request then.
 