Ask about IP request from router

For this you need to run a VPN + DNS over TLS.
Both are available on the v3 firmware that is coming to the AR150 shortly.

You can run just the VPN on the v2 firmware, but without DNS over TLS the ISP will still see what domains you are trying to access, but not the data sent.

So you mean in v2 using a VPN like IPVanish, ExpressVPN, etc.? I’ve changed the DNS according to what my VPN (NordVPN) suggested. The ISP can read domains, but it is encrypted so it can’t be seen. It seems like using the usual GL-iNet simple settings, right?

Is v3 a new beta firmware from GL-iNet? Can I use it on v2 using advanced settings, or must I use the v3 version?

Thanks!

DNS leaks only happen if you have implemented split VPN.

If your default route is your VPN provider, all your traffic goes through to the VPN tunnel.
If your dns forwarder is your ISP, they will see the request comes from the VPN provider IP.
Unless you have a unique VPN IP or you are the only one making the DNS request from the VPN IP towards your ISP, your ISP cannot correlate the data.

What if, in fact, I want the ISP to see the request IP, but the request is seen coming not from a VPN IP but, for example, from m.youtube.com?

Can we do that?

You cannot do that. m.youtube.com is not something you can control. Unless it is a http proxy or vpn server you cannot achieve what you want.

Actually no. We talked about this in a thread a few months back. Unless you specifically tell openvpn to use your VPN’s DNS using scripts or set the DNS manually, the default OpenVPN action is to only tunnel the data.

When you request a URL, say google.com, the domain name is looked up at the DNS to get an IP, and a connection is made via the VPN, hiding the data but not the request. If you are using the default, which is your ISP’s, then they can see you have gone to google.com, but can’t see what you did there.

So DNS leaking protection happens when you either use the scripts, or set your DNS to either Cloudflare, Google, or DNS over TLS.

Here are the scripts to set the DNS from the VPN provider:

a connection is made via the VPN, hiding the data but not the request.

So what’s the source IP address of the DNS request? Would that be the VPN provider IP, as it tunnels through that? So they don’t know who made the request, other than that it came from the VPN provider.

When you run https://www.whatismyip.com/ does it report your ISP IP or VPN Provider IP when all traffic goes through the tunnel?

You can’t use whatsmyip to see what DNS is being used.
You can check using a DNS leak testing service like this one:

You can try it yourself. You will see your ISP DNS in the default VPN configuration, while the IP is of the VPN using whatsmyip.

So answer me this: does the DNS request carry the source IP of your ISP provider or of your VPN provider when it goes through the tunnel?

No.
What is happening is like so:


The issue is that yes, OpenVPN does tunnel dns, but it does not enforce it. It is up to the client to enforce it.
By default the router/PC, whatever you are using, will use its cached DNS as primary.
If you take a look at the scripts I sent you, you will see how they are enforcing the change of DNS on VPN connection.

If i remember correctly, this has been added to the v3 firmware, but not 100% sure. Someone has to test it.
For the v2 firmwares the scripts are required, or it will be using VPN but DNS requests via your ISP, unless you set a DNS server in the UI manually.

That’s what I said in message 4 (four):

If your default route is your VPN provider, all your traffic goes through to the VPN tunnel.
If your dns forwarder is your ISP, they will see the request comes from the VPN provider IP.

and the forced action happens here; these 2 routes short-circuit your main default routes:

openvpn[2911]: /sbin/ip route add 0.0.0.0/1 via 10.8.8.1
openvpn[2911]: /sbin/ip route add 128.0.0.0/1 via 10.8.8.1

You are still only doing IP traffic, not DNS. It is written right in the command: “ip route”.

You need to update /tmp/resolv.conf.auto for the router to use the upstream DNS. Look at the scripts.

Here is how DD-WRT users need to do it. It is the same, just different files are changed:
https://zorrovpn.com/howto/openvpn/ddwrt

If your default route is your VPN provider, where is all your traffic (UDP/TCP/ICMP) going to go?
DNS traffic is IP. There is nothing special about DNS traffic.

When the router turns on and connects to the network, the first thing it does is get the local DNS, either from your ISP or from your upstream router, which will still be the ISP unless you manage your own DNS server. Even if you have a killswitch on the router until the VPN is up, this has already happened in the background in Linux. Now, your VPN is up, and you go to google.com. Well, guess what: sure, the connection to the DNS is being routed into the tunnel, but surprise, you are connecting to your ISP DNS anyway. Depending on their software they can track you in many ways, as they do in Egypt, even send you to sites that look like the ones you are trying to access, injecting malware and other things.

Again, unless you explicitly set the DNS in Linux, you are still using the one that it has cached, which is the ISP’s. OpenVPN cannot change the DNS routes in Linux; you have to do that via scripts on connection. Changing routes is not enough!

If you don’t understand this and you check whatsmyip and think everything is fine, that is your problem.

Isn’t that the case for any DNS provider, VPN provider, or ISP? Trust?

Sure, I never said that a VPN is the way to be safe on the net. You are still connecting to a remote server directly, and not making hops like Tor. As PureVPN did, they can tell anyone who is connected to their servers at any time. It offers a “mainstream” level of security. For people that don’t understand how it all works, it offers a false sense of security. The VPN provider can be compromised, and you are maybe even reducing your security by connecting to them, vs. being just one of the millions of connections at your ISP (unless you are in a country like China, Egypt, etc., where all ISPs are monitored).

I would recommend something like Riffle or HORNET for browsing, and something like Tribler for torrenting.

Using a VPN + Tor combined with a large list of anonymous proxies would be best.

Qubes OS with a Whonix as the base of the containers is also secure (uses TOR).

Glad we agreed on something! Interesting conversation.

BTW, I have implemented my scripts for AR150/6164.

The discussion is a bit deep :smiley: nice

How about if we actually want them to read that we are accessing a.com, when in fact we are accessing b.com & c.com?

Can we use an HTTP proxy or VPN server to do that? Is there a simplified tool for the router?

I have just found on the internet that we can use a proxy to

Before modifying settings, we are to choose a server, let’s say in the United States

Then modify several things such as

  1. Stealth tunnel
  2. Connection protocol: SSL
  3. Connection port:
  4. Connect via parent proxy:
  5. Custom TCP/HTTP Headers: ON
  6. Advanced SSL Settings
  7. True SSL (Anti DPI) On
  8. Then modify host and port

Then, after that, we change the host (for example m.youtube.com) in the detailed SSL settings.

Sorry, I’m too much of a noob; I understand nearly nothing in the steps. :frowning:

The application described is on a foreign-language website: https://tinyurl.com/ycu7qysj

Could it work and what are your opinions?

Thanks!!

The scripts have a flaw. What if the VPN provider doesn’t push DNS? All your $foreign_option_X are emptied and you have an empty file. You need some backup DNS address in case they don’t advertise the DNS.

@Azndfc The ISP can send you to a fake page by changing the DNS record on you, but you can’t do that the other way around so that the ISP thinks you are going to another page. If it was that simple then there would be no need for VPN.

You can only either actually go to the page directly, or not show it to the ISP, no other way.

@sammo
Actually this is good. If the VPN does not push DNS, then you end up with no DNS and can’t access any page. The user is then forced to set the DNS manually in the settings. If you backup the DNS, you are just backing up the ISP one in most cases.

All the major VPN providers usually ask you in the setup instructions to manually set the DNS to theirs.

The recommended procedure is:

  1. Use the scripts, they will give you the latest DNS from the VPN, since it can change at any time. People are not going to go onto their DNS provider page to check if the DNS is the same every time they connect. If the DNS were to change, an attacker would be able to use the old IP and force you to other pages. You want the correct DNS at all times.

  2. If the scripts fail, i.e. you end up not being able to access any page, then as you saw it means your provider is not pushing the DNS settings, and you have to set it manually, but also keep an eye out for when it changes.
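As an added illustration of the two points above (scripts that take the DNS the VPN pushes, plus a fallback so an unpushed DNS does not leave an empty resolver file), here is an OpenVPN `up` script for a Linux/OpenWrt router. It is example code written for this thread, not the scripts linked earlier or GL-iNet firmware code; the resolver path, the fallback addresses and the `RESOLV_FILE`/`FALLBACK_DNS` variable names are assumptions.

```shell
#!/bin/sh
# Example OpenVPN "up" script (constructed for this thread, not the linked scripts).
# OpenVPN exports pushed options as foreign_option_1..N, e.g.
#   foreign_option_1="dhcp-option DNS 10.8.8.1"
# It does NOT apply them; the client must rewrite the resolver file itself.
# Run with: script-security 2, up /path/to/this-script.sh

# Assumed paths/addresses; adjust for your firmware.
RESOLV_FILE="${RESOLV_FILE:-/tmp/resolv.conf.auto}"
FALLBACK_DNS="${FALLBACK_DNS:-1.1.1.1 9.9.9.9}"

# Print one pushed DNS server per line, skipping non-DNS options (DOMAIN, etc.).
pushed_dns() {
    i=1
    while :; do
        eval "opt=\${foreign_option_$i:-}"
        [ -n "$opt" ] || break
        case "$opt" in
            "dhcp-option DNS "*) echo "${opt#dhcp-option DNS }" ;;
        esac
        i=$((i + 1))
    done
}

# Use the pushed servers; if the provider pushed none, use the fallback list
# rather than writing an empty file and leaving the ISP resolver in place.
select_dns() {
    servers=$(pushed_dns)
    if [ -n "$servers" ]; then
        echo "$servers"
    else
        echo "$FALLBACK_DNS" | tr ' ' '\n'
    fi
}

# Write "nameserver X" lines atomically so a half-written file is never read.
write_resolv() {
    tmp="$1.tmp.$$"
    select_dns | sed 's/^/nameserver /' > "$tmp"
    mv "$tmp" "$1"
}

# OpenVPN sets script_type=up when calling this hook.
if [ "${script_type:-}" = "up" ]; then
    write_resolv "$RESOLV_FILE"
fi
```

After the tunnel is up, confirm with a DNS leak test as described above; a correct resolver file alone does not prove no other client on the LAN is still pointed at the ISP.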