Apple TV, ControlD, Samsung Tizen, and VPN

Thanks to @will.qiu, I am now able to use the apps in my Samsung TV with my Beryl AX and VPN on.

I thought I would be able to connect my Apple TV to my TV's other HDMI input and use it. While it does work, I noticed ControlD isn't working with the Apple TV while it's connected to my Beryl. What's making this complicated is that the Apple TV has a VPN app installed and I am using that to connect to another server. Why? For the Beryl AX, it seems like the VPN can only connect to one server at a time. For example, if the router has a Hong Kong IP and I want to watch Japanese content that's restricted to Japan, the easiest way is to use the VPN within the app and connect to a Japanese server. After my recent experience getting the Samsung Tizen TV to work, I'm now under the impression that the Apple TV is using its VPN's DNS rather than ControlD. So how do I fix this? I do think I have a complicated setup. Is there a way to simplify this and make things easy?

I think you're going to need to start thinking about getting a network topology together. Be sure to note all the IPs including via VPN(s). Date/timestamp everything... & keep an admin/maintenance/dev log for your device(s).

You'll thank yourself later & so will your sanity.


When the Apple TV runs a VPN, its DNS requests are encrypted via VPN, so the Beryl AX can't take over its DNS requests and send them to Adguard Home and then to ControlD.

The easiest way to do this would be to turn off the VPN on the Apple TV and use the GL.iNet App to switch the VPN region of the Beryl AX on your mobile phone.

This way you don't have to deal with the problems caused by the dual VPN, and you don't have to open the browser and visit the Admin Panel to switch Beryl AX's VPN region.


That's an amazing idea! Is the GL.iNet app open source? Hopefully, no telemetry and data are collected about me.

Wouldn't it be easier, more manageable & long term less bothersome to just use PBR? I'd update the Beryl AX to v.4.8.0 & assign a dedicated tunnel/VPN profile (which includes those preferred DNS IPs) to the MAC of the Apple TV. Then I'd whitelist the domains/IP that tunnel could talk to.


Which router(s) do you have? Have you tried the PBR feature yet? I'd love to see how you're going to set it up. My only concern is that I don't have a spare GL.iNet device to play with. My Beryl is working well at the moment.

I have a Slate AX currently running v4.8.0-beta9 (after flashing back from OWRT-SNAPSHOT) which I'm auditing before I begin testing,^1 a Flint v1 that needs flashing over pure OWRT-SNAPSHOT once I get the time to do so, a Certa (a discontinued GL.iNet travel router — a very small unit!) configured to use GL GUI from a 16GB microSD for its primary storage instead of the puny onboard 16MB flash that I really should get updated, too.

I'm currently using Stangri's PBR ATM on a wired-only router running OWRT 23.05.5 I keep on hand 'in the lab.' I'm going to do some thorough testing of the GL.iNet implementation to check for leaks, etc. Even then I doubt I'm going to put the Slate AX's v4.8.0-beta9 into prod. I'm just going to get it all reviewed, make some suggestions/bug reports, pull a backup of the confs, then wait for a stable release.

Of course I'm not counting my OWRT VMs. I spin those up/tear them down like petri dishes.

Pull your confs, put them aside, flash v4.8.0-stable on your Beryl AX. If all else fails you can always revert back to the current firmware you're running & restore your confs (LuCI -> System -> Backup / Flash Firmware -> Restore). It takes all of 3 min to reflash using U-boot & restore one tarball.

Here, this should be handy. There's a script, a few tips, you might want to have on your device within the following thread(s):

1.


Ok, ok, I hear ya. What do you mean by conf?

Sorry; I mean _conf_iguration file(s); it's Linux/Unix slang/shorthand. Every keystroke counts. :wink:


I'm nowhere near your level yet. I'm still learning. It's like networking 101. I know the real learning begins when I leave the GL.iNet GUI and learn LuCI. Right now I just want to get my Beryl AX just right so that I have something to use. Then I'll have the time to play.

Thank you for your time.


Hey guys, I figured out a better way to do this and I'm so glad I got a paid subscription to ControlD. In ControlD, I created a new profile just for the Apple TV. I entered what seems like a DoH address into the Apple TV's settings and now it works. I achieved my goal of having the Apple TV with a disabled VPN connecting to the Beryl AX with a VPN enabled. Then I can use blocklists and whatnot from ControlD for the Apple TV.

Now, I've come up with a new issue that needs to be addressed. I'm sure you guys remember my issue of trying to connect my Samsung Tizen TV to the Beryl AX with a VPN, and then using ControlD's DNS. Ultimately, we figured everything out and I put ControlD's DoH address in AGH's upstream DNS server.

When I created a new profile for the Apple TV in ControlD, I got a new set of resolvers. The DoH address for the Apple TV differs from the DoH for the Samsung Tizen TV. I remember all of the issues with having multiple upstream DNS servers. Ultimately, I went with one and that's with ControlD. The problem is that the one DoH belongs to the Tizen TV. The Apple TV works as is, but without putting its own DoH address into the upstream DNS server, what are the consequences? Everything seems to be working great. If I were to make a guess, is the Apple TV able to provide data about the queries to Adguard Home without its DoH address in the upstream DNS server?

If I create a new MacBook profile, I'm sure it'll have its own resolvers. How do I add this to my setup as easily as possible? It's important to get this right to minimize any potential problems down the line.

I've never used ControlD. So you have one ControlD profile for the Apple TV & another for the Samsung Tizen if I'm to understand you. So what are you trying to do? Ea. device can have a custom DOH or DNS (insecure/clear/plain DNS on port 53) set in their settings, correct?

Why do you think you need two different ControlD profiles for two devices? What you seem to be describing is:

  • Apple TV -> DOH -> ControlD
  • Samsung Tizen TV -> DOH -> ControlD

I'd just centralize them thru $device -> DNS (:53) -> Beryl AX -> DOH -> AGH -> DOH -> ControlD unless there's some insane reason you really, really think there's need to maintain two different sets of custom white/blacklists instead of just consolidating it all into one.

You really should post a network topology.

(* resolver. This ain't a gun club. :wink: )


:laughing:

I totally screwed this up. It's early in the morning over here.

At the moment, it's the following:

Samsung TV -> IPv4 DNS -> ControlD
Apple TV -> DoH -> ControlD

Then in the Beryl AX, I actually took the Samsung TV's DoH address from ControlD and put it in AGH's upstream DNS server.

It's sort of hard to explain unless you've used ControlD. When you create a profile for a device, it seems to have presets for the common devices like TV, phones, tablets, etc. After it's created, they give you a bunch of addresses that the user can utilize to connect to ControlD. Samsung Tizen TVs don't have any way to utilize secure DNS entries under network settings. Instead, I can utilize an unsecured (according to ControlD) DNS, which I put into the TV.

Apple TV seems to have a way to use DoH through the use of a profile or at least that's the impression that I got. I looked at the activity log in ControlD and it describes the traffic from the Apple TV as DoH.

I don't know if I need to. I guess I probably could have used the resolvers from the Samsung Tizen TV and then seen what would happen.

No, I think you're confused about how ControlD works. They have something called profiles and it is there that you can create blocklists and whitelists. I already did the work and configured that. After I create the device profile, I can link it to the configuration profiles. It's much faster and easier than you think.

I think I'm familiar with the premise. I used to use DeCloudUs & would set different DOH URLs/profiles/lists per device. Then I switched to on-client block lists so I cancelled that subscription.

So the Samsung TV is currently hitting the WAN with cleartext DNS. Yeah, that's insecure as all hell. Why don't you go Samsung Tizen TV -> DNS :53 -> Beryl AX -> DOH -> AGH -> ControlD -> $profileSamsungTizen? Then you could leave your Apple TV as Apple TV -> DOH -> ControlD -> $profileAppleTV

You really should draw up a network diagram with these details & timestamp it if you're not already logging your changes.


I'll try to draw a network topology for you when I have access to a laptop. It's very hard to do when all I have is a phone. Earlier, when I copied your format and described how my devices connect to ControlD, that was pretty accurate in my opinion. I just followed the advice that ControlD's tech support also gave me, and that IPv4 DNS is the only way. Not their fault since that's how Samsung designed Tizen. It would have been nice if Samsung Tizen TVs could use a secure DNS.

Even then, is it really as bad as it seems? Yes, Samsung TV is using an unsecured DNS. However, it's connected to the Beryl AX, which has a VPN on. In AGH, I am using a DOH upstream DNS. Do you have a rough idea of what my setup is like? This was @will.qiu's advice. Is my Samsung TV relatively private and secure then? I just don't know how the IPv4 DNS weakens the overall setup.

Well if everything is being wrapped in a/tunneled thru a VPN then no worries. Just keep in mind DNS:53 (what you're incorrectly calling 'IPv4 DNS') hits the wire unencrypted (in 'cleartext'). It's insanely easy to sniff/packet capture... but that's assuming there's no VPN in play.

So you're running:

... with all WAN-side traffic in a VPN tunnel? That pretty much mirrors my DNS setup, sans AGH, using Quad9-filtered DOH instead of ControlD:

$clientDevice -> [ Slate AX -> DOH -> Quad9-filtered => VPN ] ==> WAN

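To make the point in the last reply concrete (plain DNS on port 53 is readable by anyone on the path, while the same lookup inside the VPN tunnel or inside DoH/DoT is not), here is an added example that is not from the thread or from GL.iNet. It builds a DNS query the way a client such as the Samsung TV sends it on UDP/53, parses the queried name back out the way a passive sniffer would, and then runs a constructed WAN-side flow list (documentation-range IPs, and WireGuard's conventional UDP/51820 assumed for the tunnel) through a classifier so that any port-53 traffic that reaches the WAN outside the tunnel stands out as a leak.

```python
"""What a sniffer on the WAN side of the router can and cannot read.

Added example, not part of the forum thread. All addresses are from the
RFC 5737 documentation ranges and the flow list is constructed by hand to
mimic what a capture on the router's physical WAN interface would show.
"""
import struct
from typing import Dict, List, Tuple

# --- DNS wire format (RFC 1035) as it travels over UDP/53 ----------------

def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Encode a standard recursive query for `name` (A record by default)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def parse_question(msg: bytes) -> Tuple[str, int]:
    """Recover (qname, qtype) from a raw DNS message.

    This is all an on-path observer needs to log which names a client looks
    up; nothing in a port-53 query is encrypted or integrity-protected.
    """
    if len(msg) < 12:
        raise ValueError("short DNS header")
    qdcount = struct.unpack("!H", msg[4:6])[0]
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, off = [], 12
    while True:
        length = msg[off]
        off += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question section")
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    qtype = struct.unpack("!H", msg[off:off + 2])[0]
    return ".".join(labels), qtype


# --- Constructed WAN-side capture ----------------------------------------
# Each record is one outbound flow as a capture on the WAN interface would
# summarise it. Tunnelled traffic only ever appears here as opaque WireGuard
# datagrams to the VPN endpoint (UDP/51820 assumed), so the DNS the Samsung
# TV sends to the router on the LAN never shows up as port 53 on the WAN.
WAN_CAPTURE: List[Dict] = [
    {"dst": "203.0.113.5", "proto": "udp", "dport": 51820, "payload": b""},   # VPN tunnel
    {"dst": "198.51.100.44", "proto": "tcp", "dport": 443, "payload": b""},   # DoH / HTTPS
    {"dst": "198.51.100.85", "proto": "tcp", "dport": 853, "payload": b""},   # DoT
    # A device with a hard-coded public resolver that bypasses the tunnel:
    {"dst": "198.51.100.53", "proto": "udp", "dport": 53,
     "payload": build_query("private-site.example")},
]


def classify(flow: Dict) -> str:
    """Label a flow by what its transport alone reveals about DNS use."""
    table = {
        ("udp", 53): "dns-cleartext",
        ("tcp", 53): "dns-cleartext",
        ("tcp", 853): "dns-over-tls",
        ("tcp", 443): "https-possibly-doh",   # TLS hides the queries (SNI only names the resolver)
        ("udp", 51820): "wireguard-tunnel",  # contents opaque, including any DNS inside
    }
    return table.get((flow["proto"], flow["dport"]), "other")


def readable_lookups(capture: List[Dict]) -> List[Tuple[str, str]]:
    """Return (resolver, qname) for every query an observer could read.

    Anything returned here is a DNS leak relative to a 'everything goes
    through the VPN' policy: it left the router on the bare WAN on port 53.
    """
    leaks = []
    for flow in capture:
        if classify(flow) == "dns-cleartext":
            qname, _ = parse_question(flow["payload"])
            leaks.append((flow["dst"], qname))
    return leaks


if __name__ == "__main__":
    for flow in WAN_CAPTURE:
        print(f"{flow['dst']:>15} {flow['proto']}/{flow['dport']:<5} -> {classify(flow)}")
    print("readable on the wire:", readable_lookups(WAN_CAPTURE))
```

Run it against a real capture by replacing `WAN_CAPTURE` with flows pulled from `tcpdump -i <wan-iface> port 53` on the router: if that command shows any packets while the tunnel is up, a client is resolving around the VPN exactly as the laptop in the constructed list does, regardless of what AGH's upstream is set to.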