
Tailscale Exit Node

Brenneke

Regular Contributor
I have set up an exit node on my RT-AX88U and it works, but with a DNS issue.

I want the exit node traffic to go through VPN so I set up a VPN client.

Given that I will only use this exit node with my Android phone, I set up a rule in VPN Director:
Code:
Tailscale Exit Node    100.xx.x.xx        OVPN4

The issue I have:

1) In the Tailscale Android app I must have "Use Tailscale DNS" toggled on before I can connect my phone through the exit node.
2) When checking for DNS leaks, I see both my VPN provider's and my ISP's DNS (Accept DNS Configuration is set to Exclusive in the OVPN4 client).

Please help.
 
95 views from those (surely) more knowledgeable than myself and not a sniff of a suggestion even.

Is it a reasonable answer?

The issue you're experiencing is likely due to how DNS handling works when combining Tailscale's exit node functionality with AsusWRT-Merlin's VPN Director. Even though you've set the VPN client to "exclusive DNS," Tailscale's exit node may still allow local LAN DNS queries to leak through.

So, the easiest and most effective solution in your scenario would be to configure your router (the exit node) to use exclusive DNS settings that match your VPN provider's DNS or another secure DNS service. This ensures that all DNS queries from your phone, routed through the exit node and VPN, are resolved using the intended DNS servers, thus preventing DNS leaks.

To achieve this, you can set the DNS servers in your router's VPN client settings to use the VPN provider's DNS or a secure public DNS service. Additionally, ensure that your router's firewall rules block any DNS queries that might bypass the VPN.

Here’s how you can do it - run these commands via SSH on your router:

iptables -I FORWARD -s 100.x.x.x -p udp --dport 53 ! -o tun11 -j DROP
iptables -I FORWARD -s 100.x.x.x -p tcp --dport 53 ! -o tun11 -j DROP

Replace tun11 with your VPN client's interface name (you can find it in the VPN status page).

The firewall rules ensure that all DNS traffic from your phone is forced through the VPN interface (tun11), preventing any fallback to LAN or ISP DNS.

Configuring secure DNS on the exit node ensures that even if Tailscale prioritizes local DNS, it will resolve queries using a trusted server.

This approach directly addresses the root cause of mixed DNS resolution paths and should eliminate leaks effectively.
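To make the two iptables rules in the quoted answer easier to apply without a typo silently installing a rule that matches nothing, here is an added shell example; it is not from the thread, from Tailscale, or from Asuswrt-Merlin. The tailnet address and the tunnel interface name are parameters (the values shown in the usage comments are placeholders, not the poster's real ones), the address is checked against Tailscale's 100.64.0.0/10 range, the interface is checked for existence before anything is applied, and `iptables -C` is used so re-running the script does not stack duplicate rules.

```shell
#!/bin/sh
# Added example (not from the thread): build, validate and apply the DNS-pinning
# rules the quoted answer proposes. TS_SRC / VPN_IF values in the usage comments
# are assumed placeholders.

# Print the iptables rules that drop DNS (udp/tcp 53) forwarded from the Tailscale
# client unless the packet leaves via the VPN tunnel. Dry run: prints, does not apply.
build_dns_rules() {
    ts_src="$1"   # tailnet address of the phone, e.g. 100.x.x.x (placeholder)
    vpn_if="$2"   # VPN client tunnel interface, e.g. tun11
    for proto in udp tcp; do
        printf 'iptables -I FORWARD -s %s -p %s --dport 53 ! -o %s -j DROP\n' \
            "$ts_src" "$proto" "$vpn_if"
    done
}

# Tailscale addresses come from 100.64.0.0/10, i.e. first octet 100 and second
# octet 64..127. Anything else is almost certainly a typo.
valid_tailnet_addr() {
    case "$1" in
        100.*) ;;
        *) return 1 ;;
    esac
    second=$(printf '%s' "$1" | cut -d. -f2)
    [ "$second" -ge 64 ] 2>/dev/null && [ "$second" -le 127 ]
}

# Apply the rules only if the address is plausible, the tunnel interface exists
# and iptables is present. iptables -C tests for an existing identical rule, so
# the insert is skipped when the rule is already in place (idempotent).
apply_dns_rules() {
    ts_src="$1"; vpn_if="$2"
    valid_tailnet_addr "$ts_src" || { echo "not a tailnet address: $ts_src" >&2; return 1; }
    [ -d "/sys/class/net/$vpn_if" ] || { echo "interface $vpn_if not found" >&2; return 1; }
    command -v iptables >/dev/null 2>&1 || { echo "iptables not found" >&2; return 1; }
    for proto in udp tcp; do
        if ! iptables -C FORWARD -s "$ts_src" -p "$proto" --dport 53 ! -o "$vpn_if" -j DROP 2>/dev/null; then
            iptables -I FORWARD -s "$ts_src" -p "$proto" --dport 53 ! -o "$vpn_if" -j DROP
        fi
    done
}

# Usage on the router over SSH (replace the placeholders):
#   build_dns_rules 100.x.x.x tun11   # preview the two rules
#   apply_dns_rules 100.x.x.x tun11   # install them, safe to re-run
```

Rules added by hand are lost when the firewall is restarted or the router reboots; on Asuswrt-Merlin the usual place for such a script is /jffs/scripts/firewall-start so it is re-applied automatically. A quick check after applying is `iptables -L FORWARD -v -n | grep dpt:53`, which should show the two DROP rules at the top of the chain and, once the phone has made a few queries, a non-zero packet count only if something tried to bypass the tunnel.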