VPN Policy Rules - DNS Ignored?

[rugglebear]

I set up a new VPN Client.
DNS Global Filter is set to ON > Router
DNS is set to use the recommended NordVPN IP addresses.

Everything works as expected so long as "Route all internet traffic to the tunnel" is set to "No".

My issue with this is that I need to route certain clients outside the VPN using Policy Rules.

I changed "Route all internet traffic to the tunnel" to both "Policy Rules" or "Policy Rules (Strict)".
I added my entire subnet to route through the VPN.
I added a test client to route to the WAN.
Applied settings.

This is my core issue:
In this configuration, I do see that I'm using the VPN's IP Address, however, when running a DNS Leak Test, a non-NordVPN DNS is revealed to be in use.

Any help is appreciated. Thanks!

 

[cooloutac]

set accept dns to exclusive and double check a dns is specified in the advanced config section or in the .ovpn file.

You could also put Nords VPN in the wan dns config as well and see if that works, which I think is what their instructions specify but just put any opther public dns if you don't want certain clients using theirs.

You can also specify dns servers for specific clients in the DHCP settings.

 

[Xentrk]

1. You can use the DNS Filter page to specify a DNS per client MAC address. This works very well with Policy Routing.
2. You can also use the DHCP Server page to assign DNS per manually assigned LAN devices.
3. If you need to use Diversion or the ipset feature built into dnsmasq or the x3mRouting addon, you can set Accept DNS Configuration to Strict and use the following option in the Custom Config section

dhcp-option DNS xx.x.x.x

Where the x's are the IPv4 address of Nord DNS.

 

[rugglebear]

Thanks all, setting it to 'Exclusive' did the trick.

The issue now is that the one device added to the Policy Rules (Device IP to specific Destination IP), works successfully, staying behind the VPN, but DNS Leak Test shows it still using the ISP DNS.

I would have thought it should be using the NordVPN DNS for everything except the Destination IP designated in the Policy Rules.

@Xentrk I appreciate those additional tips, I wasn't aware of them.

 

[cooloutac]

Thanks all, setting it to 'Exclusive' did the trick.

The issue now is that the one device added to the Policy Rules (Device IP to specific Destination IP), works successfully, staying behind the VPN, but DNS Leak Test shows it still using the ISP DNS.

I would have thought it should be using the NordVPN DNS for everything except the Destination IP designated in the Policy Rules.

@Xentrk I appreciate those additional tips, I wasn't aware of them.
Regarding Diversion, I am using it.
When I set it to 'Exclusive', Diversion still works, and I don't have that additional 'Custom Config' entry for the DNS IP address.

you can use dns filter like above user suggested possibly, or specify that device's dns in the dhcp settings in the manual assignment section for static ip's. Not sure if the latter is only available on merlin firmware though, not sure.

 

[rugglebear]

So, using the DNS Filter - Mac Address DNS assignment does work well, but what I've found is that it nullifies Diversion.

It seems like there is no Holy Grail to allow for all these at once:
- Router based VPN
- Diversion
- Policy Rules
- DNS Assignment

I can have it all, but no Diversion.
Or have Diversion and an unrecognized DNS.

 

[Er0n]

I was experiencing the same issue (DNS Leak) with ExpressVPN on Asus Merlin.
To avoid that, I had to either:
- set Exclusive instead of Strict and accept the risk related to disconnection since it's url and not ip
- set Force Internet traffic through tunnel to YES, but this way I would loose the possibility to tunnel some services (i.e. the IP of the TV to make it work with Netflix and Prime) wich is called POLICY RULE

No other methods worked (DNS filtering, manual adding, etc)

The ExpressVPN support sucks and always try to force you install their own firmware, so not of help.