VPN privacy/dns leak/dns over tls diversion question


The force strong in you is @dave14305 Nice work. :D
 
If you are comfortable with SSH, login to the router command line and check:
Code:
cd /etc
cat hosts.dnsmasq
grep "^dhcp-host=" dnsmasq.conf
This worked!

I don't get what this did, but it came back!

I assume it wrote the mac address & reservations to my dnsmasq configuration file where it got removed from when I added in DOT.

Much appreciated!
 
While you’re there, run this to see if there’s any problem with the stored values:
Code:
nvram get dhcp_staticlist
nvram get dhcp_hostnames
These 2 commands only return 2 of my devices (I assume the currently active ones on my network at the moment).

Is that right?
 
Yes, you can use NordVPN’s servers under the “Connect to....automatically” setting changed to “No”. Or, you could use those from Cloudflare (1.1.1.1/1.0.0.1).

Choose your DOT setting to be “Strict”

Then further below choose the Cloudflare servers as your DOT servers (or any other ones on the pull down menu for that matter).


Sent from my iPhone using Tapatalk
I added the following 2 lines in my OPENVPN script on the bottom to allow the DNS of NordVPN to work on that connection but it's still defaulting to cloudflare.

Code:
dhcp-option DNS 103.86.96.100
dhcp-option DNS 103.86.99.100

Is there anything I need to do to allow the DNS for the VPN connection to use those servers and still have diversion/skynet working for those 2 devices, or is it a global change in the DNSFilter that is superseding this?
 

See this excellent guide:

https://x3mtek.com/policy-rule-routing-on-asuswrt-merlin-firmware/


Sent from my iPhone using Tapatalk
 
> This worked!
>
> I don't get what this did, but it came back!
>
> I assume it wrote the mac address & reservations to my dnsmasq configuration file where it got removed from when I added in DOT.
>
> Much appreciated!

No, these commands cannot change anything; they are just reading files to see what’s really there (or not).
> These 2 commands only return 2 of my devices (I assume the currently active ones on my network at the moment).
>
> Is that right?

These are the only 2 devices that will be there if you reboot.

Did you ever upgrade to 384.14 and then downgrade to 384.12? The format of the dhcp_staticlist changed in .14 to accommodate the new DNS server field. If you didn’t restore an old settings backup from 384.12, it might not be able to handle the different format on older firmware.

Care to post the contents of dhcp_staticlist?
 
> See this excellent guide:
>
> https://x3mtek.com/policy-rule-routing-on-asuswrt-merlin-firmware/

Ah I see!

So if I set to strict and put in the 2 values it should use those dns servers and still allow diversion and skynet.

My last q is how come when I put in my vpn policy routing the following ip into openvpn client (as assigned to me via vpn server) in cidr notation as 10.8.0.1/24, it doesn't allow me to surf the web, only allows internal ips.

I was told that on openvpn server I had to select advertise dns to clients and I did and put that back to basic.

Any idea why I can connect but not get web access?

Sent from my SM-A505U1 using Tapatalk
 
> No, these commands cannot change anything; they are just reading files to see what’s really there (or not).
>
> These are the only 2 devices that will be there if you reboot.
>
> Did you ever upgrade to 384.14 and then downgrade to 384.12? The format of the dhcp_staticlist changed in .14 to accommodate the new DNS server field. If you didn’t restore an old settings backup from 384.12, it might not be able to handle the different format on older firmware.
>
> Care to post the contents of dhcp_staticlist?

No, I upgraded straight to 384.14, no settings restored.
Ok, I can try and post from phone using terminus as a screenshot, or I can post when I get home from work tonight.

Sent from my SM-A505U1 using Tapatalk
 
Btw I just checked now and my dhcp list is empty again

Sent from my SM-A505U1 using Tapatalk
 
Lemonssh works great on android btw

I am not home; that is what is connected
Code:
ASUSWRT-Merlin RT-AC68U 384.14-0 Sat Dec 14 00:39:28 UTC 2019
admin@RT-AC68U-1340:/tmp/home/root# nvram get dhcp_staticlist
<B0:68:E6:82:D7:5B>192.168.2.28><04:03:D6:2F:F5:12>192.168.2.26><9C:AD:EF:60:D6:C0>192.168.2.22><9C:32:CE:78:38:CE>192.168.2.9><A8:6B:AD:89:8B:ED>192.168.2.4><00:11:32:1C:34:69>192.168.2.3><7C:89:56:70:8D:98>192.168.2.5>
admin@RT-AC68U-1340:/tmp/home/root#

Sent from my SM-A505U1 using Tapatalk
 
Any special characters in dhcp_hostnames?

Are any browser ad-blockers disabled for the router URL?
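A small POSIX sh helper, added here as an example (not from the thread, and not part of the Asuswrt-Merlin firmware), that checks a dhcp_staticlist value entry by entry and emits the matching dnsmasq dhcp-host lines, so the stored nvram value can be compared against what dnsmasq.conf actually contains. It assumes the 384.14 layout described above is <MAC>IP>[DNS] per entry (the DNS field being the one added in .14) and uses a constructed sample list rather than the router's real value.

```shell
#!/bin/sh
# Added example (not from the thread or the firmware): validate each entry of a
# dhcp_staticlist value and emit dnsmasq dhcp-host lines for the valid ones.
# Assumed entry layout (from the 384.14 description in the thread): <MAC>IP>[DNS]

# True when $1 is a MAC address of the form aa:bb:cc:dd:ee:ff (case-insensitive).
is_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# True when $1 is a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS
    IFS=.
    set -- $1            # positional parameters are local to the function
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Split the nvram value on '<', read each entry as MAC>IP>DNS and print
# "dhcp-host=MAC,IP" for well-formed entries or "BAD:MAC>IP" for the rest.
# The optional DNS field is accepted but not used for the dnsmasq line.
staticlist_to_dhcphost() {
    printf '%s\n' "$1" | tr '<' '\n' | while IFS='>' read -r mac ip dns; do
        [ -n "$mac" ] || continue      # empty field before the first '<'
        if is_mac "$mac" && is_ipv4 "$ip"; then
            printf 'dhcp-host=%s,%s\n' "$mac" "$ip"
        else
            printf 'BAD:%s>%s\n' "$mac" "$ip"
        fi
    done
}

# Constructed sample list: two valid reservations (the second with a per-client
# DNS field) and one entry whose IP has an out-of-range octet.
SAMPLE='<AA:BB:CC:DD:EE:01>192.168.2.10><AA:BB:CC:DD:EE:02>192.168.2.11>1.1.1.1<AA:BB:CC:DD:EE:03>192.168.2.300>'

staticlist_to_dhcphost "$SAMPLE"
```

On the router, `staticlist_to_dhcphost "$(nvram get dhcp_staticlist)"` gives the MAC/IP pairs to compare against `grep "^dhcp-host=" /etc/dnsmasq.conf`; the exact dhcp-host line layout in dnsmasq.conf varies by firmware version, so compare the pairs rather than whole lines.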
 
No, just a dash and an underscore on device names.

Can you explain what browser adblock means? Like chrome extensions ublock etc?

If that then no all I have is diversion and skynet and I believe I installed the ca.crt

I backed up my Jffs and settings. Should I do a reset unplug my usb stick and restore both files?

Sent from my SM-A505U1 using Tapatalk
 
> Can you explain what browser adblock means? Like chrome extensions ublock etc?

Correct.

> I backed up my Jffs and settings. Should I do a reset unplug my usb stick and restore both files?

No, because restoring the settings file would bring back the state of the router before the reset. You would have to be willing to enter your settings by hand to have a truly clean start.

I don't understand why your DHCP static list appears and disappears at random. And generally, when something can't be explained and isn't reliable, it's time to factory reset and setup from scratch. Take screenshots of important settings.
 
Ok sounds good, can you post a link to the nuclear reset thing I need to do.

All I need to screengrab is

Dhcp reservations
Openvpn screen for client and server
System settings
Wan dns
DNS filter screen

Anything else I am missing?

Also how do I backup my settings files for skynet and diversion to restore those or should they be from scratch as well?

Sent from my SM-A505U1 using Tapatalk
 
Also how do I get my vpn client to work through the vpn server.

I posted above, just didn't get an answer

Sent from my SM-A505U1 using Tapatalk
 
https://www.snbforums.com/members/l-ld.24423/

Look at the M&M Config and Nuclear Reset guides and after you have a stable setup, you may want to follow the amtm Step-by-Step guide too if the scripts on these forums interest you.
 
> Ah I see!
>
> So if I set to strict and put in the 2 values it should use those dns servers and still allow diversion and skynet.
>
> My last q is how come when I put in my vpn policy routing the following ip into openvpn client (as assigned to me via vpn server) in cidr notation as 10.8.0.1/24, it doesn't allow me to surf the web, only allows internal ips.
>
> I was told that on openvpn server I had to select advertise dns to clients and I did and put that back to basic.
>
> Any idea why I can connect but not get web access?

You will find this link useful:

https://www.ipaddressguide.com/cidr

I route everything through my VPN (including my router) so the only line that I have under Policy rules is:

192.168.50.0/24 VPN

Some people like to have the router go through WAN and everything else through VPN. This is particularly useful when the VPN server goes down and your router does not lose connectivity when you are using the Kill Switch feature (or “block connection when VPN is down...” setting).

So, using my router IP from the example above, this in the Policy Rules section would look like:

192.168.50.1 WAN

192.168.50.0/24 VPN

I have chosen to have everything go through VPN as I have not experienced any server downtimes from NordVPN so far (have been lucky so far with my server choices).

If you need more info regarding selective routing through VPN, etc., consider the following link to these excellent scripts from @Xentrk and @Martineau:

https://github.com/Xentrk/x3mRouting/blob/master/README.md

and don’t bypass the excellent router setup/other guides from @L&LD. Search for any of his postings in the forums; the links are included in his signature.

And this:

https://github.com/RMerl/asuswrt-merlin/wiki/Policy-based-routing

Hope these help.

Sent from my iPhone using Tapatalk
 
Marin,

Still an incorrect dns leak on Strict.

I still don't get it.

When I am on my local network at home:
For my OpenVPN Settings:

When I set to Exclusive dnsleak shows Nordvpn dns' and diversion doesn't work (expected).

When I set to Disabled / Skynet/Diversion works fine/ dnsleak shows cloudflare only and that's going over DNS over TLS so I assume that's fine.

When I set to Strict (THIS ONE I WANT TO USE) (to use custom dns ip's on the bottom)/ Skynet/Diversion works fine/ dnsleak shows my real dns server and doesn't follow the below. Is it spelled wrong or does the order matter? Here is the custom configuration from the bottom of my openvpn page.


Code:
resolv-retry infinite
remote-random
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ping 15
ping-restart 0
ping-timer-rem
remote-cert-tls server
pull
fast-io
dhcp-option DNS 103.86.96.100
dhcp-option DNS 103.86.99.100
 

Attachment: dnsleakQ.png

So, what happens if:

1. you remove your “dhcp-option....” from your VPN custom configuration, set your VPN profile to Strict and instead add your NordVPN server IPs on the WAN DNS profile?

2. you remove your “dhcp-option....” from your VPN custom configuration, set your VPN profile to Disabled and instead add your NordVPN server IPs on the WAN DNS profile?

3. you remove your “dhcp-option....” from your VPN custom configuration, set your VPN profile to Disabled and instead add Cloudflare’s server IPs on the WAN DNS profile?

I use option 3 with my NordVPN and don’t get any IP leaks. After changing to each of these options try below to see if you get any leaks:

https://dnsleaktest.com/

(Use the extended option)

Or:

https://browserleaks.com/ip

Or:

https://2ip.io/privacy/

(click on Check and look toward the bottom where it says “DNS leak......”; if it says something like “No DNS info found”, then you should have no leaks)

Hope this helps.



Sent from my iPhone using Tapatalk
 
