
[Preview] Asuswrt-Merlin 384.11 with DNS over TLS


Status
Not open for further replies.
Hopefully that will work, Merlin did say "In theory" :p
 
Has anyone figured out how to set up a VPN client yet? Was finally able to reset and install this FW in my AX88U and get DOT configured but I am having a hard time figuring out what WAN and Accept Configuration settings should be. I have NordVPN and have been setting up my configuration many times with @Xentrk's Stubby and had no issues. With this one, cannot get through the VPN tunnel. Anyone can provide some guidance as to what these settings should be this time?

Thank you
 
Has anyone figured out how to set up a VPN client yet? Was finally able to reset and install this FW in my AX88U and get DOT configured but I am having a hard time figuring out what WAN and Accept Configuration settings should be. I have NordVPN and have been setting up my configuration many times with @Xentrk's Stubby and had no issues. With this one, cannot get through the VPN tunnel. Anyone can provide some guidance as to what these settings should be this time?

Thank you

I think NordVPN is down. See @KingJohn's posts. ;)
 
Ah... I keep getting an "Error in configuration" every time I move the slider to connect...
 
So what should the correct choice be with VPN and DOT on:

ACCEPT DNS CONFIGURATION (in Stubby and for Diversion I used to have this as Disabled)

upload_2019-4-19_21-5-15.png



CONNECT TO DNS SERVERS AUTOMATICALLY (I used to have this as No and have my router's IP there instead)

upload_2019-4-19_21-6-39.png


What about here? Do I stick with default custom config setup? Or do I need to add any "dhcp option xxx.xxx.xx.x" there as well? (Although I did not use them when I had Stubby)

upload_2019-4-19_21-8-20.png


Appreciate any guidance - thank you!
 
Leaving VPN client to Relaxed should work, provided the tunnel provider does not block port 853 in an attempt to force you through their DNS servers (some currently do to protect customers against accidental leaks, however so far they only block 53, not 853).
 
You can leave Global Filter to "no filtering" then just add clients that you want filtered with Opendns. With this setup clients not listed in the DNSFilter will use the DOT configured in WAN settings.
I have DoT set to CF and Global filter set to No Filtering. Added my tablet as a client and set Cleanbrowsing to it alone. The Asus app still shows CF under DNS Setting, not CB, does that seem correct?

Edit, restarted tablet after setting CB.
 
Leaving VPN client to Relaxed should work, provided the tunnel provider does not block port 853 in an attempt to force you through their DNS servers (some currently do to protect customers against accidental leaks, however so far they only block 53, not 853).

Thank you @RMerlin, this is good to know. Any thoughts on why the Auth digest setting is breaking my VPN connection when I am using AES-256-GCM? I was under the impression that it wasn’t needed but somehow switching back to SHA512 made it work. I also kept getting an “Error in configuration” warning next to the toggle switch and I couldn’t figure out what was wrong in my setup.

Thanks again!


 
I have DoT set to CF and Global filter set to No Filtering. Added my tablet as a client and set Cleanbrowsing to it alone. The Asus app still shows CF under DNS Setting, not CB, does that seem correct?

Edit, restarted tablet after setting CB.
The Asus app is in the tablet? If yes, you have to set the tablet/app to automatically get the DNS.
Check here https://browserleaks.com/ip

Also, double check the MAC address of the tablet matches the MAC you put in the DNSfilter.
 
I have DoT set to CF and Global filter set to No Filtering. Added my tablet as a client and set Cleanbrowsing to it alone. The Asus app still shows CF under DNS Setting, not CB, does that seem correct?

Edit, restarted tablet after setting CB.

The Asus app has no idea of DNSFilter or DNS Privacy, neither are supported by the stock firmware.
 
Thank you @RMerlin, this is good to know. Any thoughts on why the Auth digest setting is breaking my VPN connection when I am using AES-256-GCM? I was under the impression that it wasn’t needed but somehow switching back to SHA512 made it work. I also kept getting an “Error in configuration” warning next to the toggle switch and I couldn’t figure out what was wrong in my setup.

Thanks again!



Ask your provider.

Unrelated to DNS Privacy.
 
DNS Privacy? Was this related to previous post?


 
Leaving VPN client to Relaxed should work, provided the tunnel provider does not block port 853 in an attempt to force you through their DNS servers (some currently do to protect customers against accidental leaks, however so far they only block 53, not 853).

I ended up having to use "Disabled." Otherwise, my VPN would use Cloudflare with DoT inconsistently (would randomly start using my VPN DNS again per dnsleaktest.com and cloudflare-dns.com/help/). I'm not able to use DNSSEC and DoT at the same time. (Alpha 3)
 
I ended up having to use "Disabled." Otherwise, my VPN would use Cloudflare with DoT inconsistently (would randomly start using my VPN DNS again per dnsleaktest.com and cloudflare-dns.com/help/). I'm not able to use DNSSEC and DoT at the same time. (Alpha 3)

I am using Disabled as well. I am able to use both DOT and DNSSEC but I realize that this will break 1.1.1.1/help which I am not very concerned about. I am just not sure what the impact of Disabled, Relaxed, Exclusive and Strict modes is in Diversion on this new FW - I posted a question on the Diversion thread so I will stay on topic.


 
I am using Disabled as well. I am able to use both DOT and DNSSEC but I realize that this will break 1.1.1.1/help which I am not very concerned about. I am just not sure what the impact of Disabled, Relaxed, Exclusive and Strict modes is in Diversion on this new FW - I posted a question on the Diversion thread so I will stay on topic.


The problem is the DNSSEC is mixing flavors of DNSSEC when it is enabled in the GUI. I can run just DNSSEC-proxy inside the dnsmasq add file and still get the same DNSSEC blocking results as I would if I added the get extension option into Stubby as well.
 
The Asus app is in the tablet? If yes, you have to set the tablet/app to automatically get the DNS.
Check here https://browserleaks.com/ip

Also, double check the MAC address of the tablet matches the MAC you put in the DNSfilter.
Tablet DNS is on manual select in the app (in the tablet). Don't know if that slider is changing tablet settings or trying to change the router's. Remote access is off in the router.
 
So were you able to route the DNS properly to CB?
Not sure about anything. That DNS setting in the app on the tablet changes the router's setting even though remote access is off. That makes the app dangerous, too easy to screw things up.
 