Adguard not resolving with OpenVPN turned on

Hello,

I’m testing Adguard Home on my Flint 3, firmware 4.8.4. Using a NextDNS upstream server using DNS over HTTP / HTTP3. Everything works fine by default.

Once I connect to my corporate VPN using an OpenVPN configuration, DNS resolution will fail network-wide for all devices, regardless of whether they’re using VPN or not. This does not happen instantly, sometimes it takes minutes, sometimes an hour, but it will always eventually break.

It seems AdGuard can’t reach the upstream servers, which the “Test Upstreams” button confirms.

As soon as the VPN is turned off, everything works again.

VPN configuration that breaks DNS:

I’m only routing my work computer and the corporate subnet through the VPN (Include mode). As far as I understand, this should not affect AdGuard.

I tested some more and moved my public VPN provider’s WireGuard VPN (Exclude mode) in priority higher than the work VPN and turned it on:

DNS resolution works again. As expected, DNS resolution is now sent through the VPN.

If the public VPN is turned off while still highest in priority, AdGuard breaks again, so it doesn’t seem to be related to the priority alone.

Now it gets strange: putting a dummy VPN on top, which doesn’t actually route anything (guest network doesn’t exist + Include mode with invalid IP):

AdGuard works again, as long as the dummy VPN is connected. So I can use this as a temporary workaround.

I’m not an expert on OpenWRT or Linux routing, so I can only assume that there’s an issue on the backend.

I also tested configuring any WireGuard VPN with Include mode to look similar to my work VPN. This also works flawlessly. So it might be related to OpenVPN, as AdGuard does work when using only WireGuard VPN. Unfortunately, I don’t have another OpenVPN server to test this with.

Notes regarding AdGuard’s “Test Upstreams” button:

  • Work + Dummy VPN + DNS over HTTP = OK
  • Work + Dummy VPN + DNS over HTTP3 (H3) = FAIL (but so far DNS is still working, ~1 hour)

Lastly: This issue doesn’t happen when AdGuard is configured with unencrypted DNS. However, I need to use DNS over HTTP for my config.

Any help would be appreciated.

Any support here?? I’ll probably return my device, as advertised functionality DOES NOT WORK together.

Tested firmware 4.9 beta 4 by now, and this issue still exists, despite supposedly having fixed Adguard + VPN problems.

Forget anything working, eventually DNS will always fail after a few minutes/hours.

TLDR:

Adguard Home

  • Encrypted Upstream
  • any client using (Open-)VPN in INCLUDE mode
    = DNS fails network wide for ALL clients after an indefinite time.

Hi,

We are currently on a national holiday, so we may not be able to look into this further until we return on May 6.

Based on your description, this issue may be related to this thread. Please try the suggested adjustments to see if they help:

Also check your corporate OpenVPN client .conf.
Add pull-filter ignore "dhcp-option DNS" if it isn't there. Try that, but it will break corporate local DNS resolution.
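As an added illustration of the suggestion above (example script, not the poster's nor GL.iNet's code): a small POSIX shell helper that checks an OpenVPN client profile for the pull-filter line and appends it once if missing, so the change can be applied and verified without hand-editing. The file path and the sample profile it writes in the demo are constructed for the example.

```shell
#!/bin/sh
# Audit an OpenVPN client profile (.ovpn/.conf) for the directive that tells
# the client to ignore DNS servers pushed by the corporate server:
#   pull-filter ignore "dhcp-option DNS"
# Example code for this thread; not part of GL.iNet firmware or AdGuard Home.

# Return 0 if the profile already contains the directive, 1 otherwise.
ovpn_ignores_pushed_dns() {
    grep -Eq '^[[:space:]]*pull-filter[[:space:]]+ignore[[:space:]]+"dhcp-option DNS"' "$1"
}

# Append the directive only when it is absent (idempotent).
# Prints "added" or "already-present" so callers can log what happened.
ovpn_ensure_ignore_pushed_dns() {
    if ovpn_ignores_pushed_dns "$1"; then
        echo "already-present"
    else
        printf '\npull-filter ignore "dhcp-option DNS"\n' >> "$1"
        echo "added"
    fi
}

# Demo on a constructed, minimal client profile (hypothetical remote name).
demo_profile=$(mktemp)
printf 'client\ndev tun\nremote vpn.example.invalid 1194\n' > "$demo_profile"
echo "first run:  $(ovpn_ensure_ignore_pushed_dns "$demo_profile")"
echo "second run: $(ovpn_ensure_ignore_pushed_dns "$demo_profile")"
rm -f "$demo_profile"
```

Point it at the profile the router imported for the work VPN; if the upstream still fails afterwards, the pushed DNS was not the only thing pulling AdGuard's queries into the tunnel, as the later reply in this thread notes.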

Thank you! That was indeed the solution. Everything seems to be working stably now.

In the future, it would be great if AdGuard respected the tunnel’s routing settings. It’s strange default behavior that it tries to send DNS queries through a tunnel explicitly configured to only allow one subnet of local IP addresses. In my case, the corporate firewall seems to block (encrypted) DNS coming through the VPN.

Also, I previously tried pull-filter ignore "dhcp-option DNS" but that didn’t make a difference.

Thank you for the update—we’re glad to hear everything is working normally.

We’ll discuss this further with our R&D team.
