RT-AC86U OpenVPN DNS Leak Solved

[Jordie]

The change notes of the Merlin 384.9 Beta 1 release mentioned that the DNS leak was fixed. It did not mention how or any thing more about it. I spent much of yesterday trying to plug my DNS leak in my configuration. I am skipping hours of failed attempts. I use ExpressVPN and simply imported the downloaded .ovpn config file adjusted check boxes a little as required.

First of all the easy solution when configuring OpenVPN.

Set the Redirect Internet Traffic to "All" and the leak vanished.

However my requirement is to allow some traffic to avoid the tunnel show up on my ISP's address space. Services like sending email (SMTP) and their streaming only work if my host is located there.

A partial example. Redirect Internet Traffic (Policy Rules)

Old config example which leaks DNS.
smtp.cox 192.168.1.0/24 68.1.17.4 wan
home theater 192.168.1.83 0.0.0.0 wan
all hosts 192.168.1.0/24 0.0.0.0 vpn

Example config which does not leak DNS

smtp.cox 0.0.0.0 68.1.17.4 wan
home theter 192.168.1.83 0.0.0.0 wan
all hosts 192.168.1.0/24 0.0.0.0 vpn

The limitation is that there must be 0.0.0.0 as the source or the destination in the entire policy rules set.

If I wanted to use (Policy Rules Strict), I needed to include the gateway in the wan exceptions.

router 192.168.1.1 0.0.0.0 wan

I use ExpressVPN and simply imported the .ovpn config file adjusted a little as required.

AsusWRT-Merlin is a little weird. Play with it to much and the VPN breaks completely until the router is rebooted. Once I plugged the leak, I did several repeat tests, some of the tests showed the VPN DNS and a configured DNS server (1.1.1.1) but once the router was cold booted that anomaly vanished.

 

[Frost]

The AC86U has the latest 384.15_alpha1 installed and work well.
One problem is DNS leak with OpenVPN and ExpressVPN.
Reboot and Factory Restore has been done.
The Client 1 has no DNS leak, but Client 2 and the rest leaks.
Last year all worked well for 8 to 9 months to the end of the year with no leaks.
A lot of different configurations are tried also information from SNB Forum but still the same result.
ExpressVPN is contacted, but has at the moment no real solution to the problem.

If possible, please give me some advice.

Regards
Frost

 

[L&LD]

@Frost, factory restore? That should be factory reset with a minimal and manual configuration. Is that what was done, or something else?

 

[Frost]

Now I have done factory reset and return back to firmware 384-14, and yes, I was quite optimistic. At last I had OpenVPN Client 1, 2 and 3 working with no DNS leak, but just for a moment. Client 1 is ok, but Client 2 and 3 have leaks.
The AC86U is connected with cable(no Wi-Fi).
My pc has Windows 10 installed.

Regards
Frost

 

[Frost]

Administration – Restore/---

“Factory default” --- “Restore” --- is what I did.

If this is part of the problem, I can only do regret and hope there is a solution.

 

[L&LD]

@Frost, that seems to be the problem right there.

Please follow the M&M Config and possibly even the Nuclear Reset guides which you can find in my signature below to get your router back to a good/known state.

This may not guarantee to solve the issue(s), but the router should be in a much better position to allow proper troubleshooting to happen.

 

[Frost]

Thank you for your advice.
Yes, I like your "Nuclear Reset guides", and I will use it as far as possible.

This is off-topic I know, but for years I have followed the Cold Fusion (LENuklearR) recearch by A. Rossi and others. As told by E-Cat World etc., it might be quite close to a first real end result.

 

[Frost]

Your Nuclear Reset advice is used several times, and yes, I have followed the good instruction as close as possible. Still the router AC86U does not work properly regards DNS leaks(Client 1 is OK but not the rest).

The System Log shows references to the date today but also to May 5. Access setting page via https://192.168.1.1:8443 was set May 5 2018. The information from this setting is lost, and I wonder if I can “clean” the router if this is part of the problem?

 

[CaptainSTX]

also to May 5

That is what the date defaults to in a reboot until it connects to a NTP server. All very normal.

 

[Frost]

Thanks!
Yes, now I don't see the May 5 anymore.