VPN Client DNS Settings

[dcsang]

Requesting a little guidance with my VPN DNS settings.

WAN​

Connect to DNS server automatically: No​

DNS Server1: 8.8.8.8​

DNS server2: 192.168.1.1​

​

VPN Client​

Accept DNS Configuration: Exclusive​

Force Internet traffic through tunnel: Policy Rules (Strict)​

Block routed clients if tunnel goes down: No​

​

The IP address of my main workstation was added to the routing table specifying Iface VPN. If the router is restarted my main workstation connects and resolves with the VPN Client off. When the VPN client is started my workstation also connects and resolves without issue. After stopping the VPN client it appears that I lose DNS configuration. Restarting the VPN Client or restarting the router restores full connectivity.

My intention is to have all traffic and DNS requests from that workstation routed strictly through the VPN when it is active, but revert to WAN DNS settings otherwise. What am I doing wrong?

 

[eibgrad]

Not sure if this is the problem, but regardless, it makes no sense to specify the router itself (192.168.1.1) as a custom DNS server. Those custom DNS servers are used to tell DNSMasq (the router's DNS server @ 192.168.1.1) what servers should be used to resolve public IPs. By specifying 192.168.1.1, you've created a circular reference. In effect, you're telling DNSMasq to use DNSMasq to resolve public IPs. It would make more sense to use something else, say 8.8.4.4.

 

[dcsang]

Thank you! After changing that to the suggested 8.8.4.4 and restarting the router I can freely (dis)connect to the VPN client and maintain full connectivity, including DNS.

The only reason I specified 192.168.1.1 in that secondary DNS setting is because I was receiving a message on another configuration page stating something like "...specifying an address other than the router's ip..." and that was the only way to clear the warning. I don't recall if that was during my attempts to set up DNSSEC but I just went through several settings and it's nowhere to be found.

Much appreciated!

 

[dcsang]

Initial results were good, but I'm losing DNS again after disconnecting from VPN client.

UPDATE: I have roughly a 40% success rate of resolving the DNS issue by toggling the VPN client. Changing the secondary DNS as suggested definitely improved things.

 

[eibgrad]

Suggestion. Unless you have a specific reason for using the DNS server(s) provided by your VPN provider, why not set "Accept DNS configuration" to Disabled, and bind the 8.8.8.8 and 8.8.4.4 IPs to the VPN using policy based routing (as destination IPs). This eliminates any dependencies on the VPN provider for support of DNS, and constantly having to contend w/ implicit changes to DNSMasq every time the VPN is started/stopped. All that changes is how those same DNS servers get routed.

 

[dcsang]

Thank you for that suggestion. Would you be able to elaborate more on binding the 8.8.8.8 and 8.8.4.4 IPs to the VPN using policy based routing?

I used the VPN provided DNS to fully secure the connection but I would like to explore the alternative you provided.

 

[eibgrad]

What I'm suggesting is that you define routing policy rules specifically for those DNS servers, where you specify only the destination IPs (8.8.8.8 and 8.8.4.4) and VPN network interface. When the VPN is NOT active, those DNS servers are accessed over the WAN. But once the VPN is active, they get routed over the VPN. Simple. In combination w/ "Accept DNS configuration" set to Disabled, this eliminates reconfiguration of DNSMasq every time the VPN is brought up and down (which seems to be the source of your problems).

This is the approach I use w/ my own VPN client. The only downside is if you require the DNS queries to never leave the VPN provider. Personally, I find that to be overkill, but I suppose it might matter to some ppl.

 

[dcsang]

Nice approach. I never fully understood the usage of Destination IP routing but your example is quite clear. Thank you for the help, and lesson!

 

[dcsang]

I just updated to 386.3 but the DNS issue remains present when stopping the VPN Client. As an alternative to eibgrad's suggestion I can restart the Internet Connection from scMerlin to refresh the DNS configuration rather than restarting the router.

 

[Brenneke]

Have you considered having a guest network set to a VPN client and just switching to that network when you want VPN?