Pushing the limits ASUS/OpenVPN/Static Routes

jjtally

I'm running the latest Merlin FW 380.66_2 with OpenVPN Client, DNS filtering and static routes configured on the router.

When I enable OpenVPN, it breaks the DNS filtering, meaning I can no longer restrict my kid's internet unless I turn on Policy Rules strict in the OpenVPN Client. If I turn on Policy Rules, then I lose my static routes on the router. I need static routes due to VLANs.

I need all of the above to work.

Any help is appreciated.
 
OK, I rebuilt the router from scratch, deleting the old config and doing a fresh install of 380.66_2. The static route issue is resolved. I'm still left with the problem that if I go out the VPN, then no DNS filtering will apply. DNS filtering only works if I go direct out of the WAN interface, no VPN. I've tested and tested with every combination of redirect internet traffic and accept DNS config in the VPN client window.

Thoughts?

Thanks
 
You have to choose which is more important: using the VPN provider's DNS, or using your DNSFilter ones, as you cannot use both DNS. Many VPN providers will force you to use their servers.
 
Thanks for the feedback, Merlin really is a great router FW. I'm guessing then policy rules only allow specific IPs to use VPN or WAN interfaces. Maybe there is a custom statement I can put in to declare specific DNS when using the VPN?
 
First, check if VPN clients are forced to use the VPN server's DNS. If they do, then set Policy Rules for those clients, with DNS mode set to Exclusive, then set DNSFilter rules for non-VPN clients using the DNS of your choice.
 
Policy rules for the VPN clients to use my specified DNS? What would the rule look like? I only know how to write rules to point to the VPN or WAN interface.

Thanks again.
 
First, make sure you have DNS connection mode set to Exclusive on the VPN client.

Then, set Redirect Internet to Policy Rules mode, and follow the following documentation on how to select which client to redirect through the tunnel (and therefore to use the VPN provider's DNS as well):

https://github.com/RMerl/asuswrt-merlin/wiki/Policy-based-routing

It's fairly straightforward to configure.
 
Thanks! Sorry for not communicating this correctly. I'm trying to send everyone through the VPN, but use my selected DNS not the provider's. Any way to accomplish this?

Appreciate the info.
 
Set DNS connection mode to 'Strict' on the VPN client page.

Then AiProtection->Parental Controls->DNS Filtering page if you wish to selectively specify custom DNS for individual devices.
 
Set "Accept DNS configuration" to Disable; this way you will not accept any DNS provided by the server, and will be free to use whatever you wish through DNSFilter. Once again, this is assuming your provider does allow you to use your own DNS servers; not all of them do.
 
I did some more testing and have concluded that even though it's well documented that OpenVPN allows you to select your DNS, it doesn't look like it can be configured this way on my router.
Thanks for the help though.
 
