"Celo" Open VPN and "DNS over TLS from Cloudflare"

Hello everyone,

I have a GL-AR150; on this device I have configured “Celo” OpenVPN as an OpenVPN client.

When I use this OpenVPN with manual DNS → “1.1.1.1” and “1.0.0.1”, it works.
All works fine.
Manual DNS server settings (1.1.1.1 and 1.0.0.1)
https://ipx.ac/results/MwGFxEzdKpZMLrtG

When I use this OpenVPN with “DNS over TLS from Cloudflare”, it does not work.
I get a connection to the VPN server.
There is some upload and download.

But when I open a site in my browser,
I get errors:
ERR_NAME_RESOLUTION_FAILED
DNS_PROBE_FINISHED_NO_INTERNET
Some sites are working.

DNS over TLS from Cloudflare
https://ipx.ac/results/Pk3bebGwsVdydSYy

Do you have some tips?
By the way, the setup with “DNS over TLS from Cloudflare” was working.
I think it has not been working for 3 days.

Greetings and thanks
Michael

Do you mean some websites with DNS over TLS can work, but some websites can’t work?

Could you please stop the OpenVPN, and try it again?

Hi,

Only (without VPN) “DNS over TLS from Cloudflare”: it works fine.
and
Only (without VPN) DNS “1.1.1.1” / “1.0.0.1”: it works fine.

In both cases I have no problem opening websites.

Manual DNS with “1.1.1.1/1.0.0.1” and “Celo” VPN: it works.
No problem opening websites.

But with “DNS over TLS from Cloudflare” and with “Celo” VPN it does not work;
I cannot open websites.
DNS_PROBE_FINISHED_NO_INTERNET

I have restarted the OpenVPN client and I tried a reboot;
nothing changes, I have the same problem opening websites.

Greetings and thanks
Michael

Hello,

Any tips for me?
Or do you need more information?

Greetings and thanks

If you manually set up DNS, the DNS is not encrypted. So it is different from using DNS over TLS.

So one explanation could be that your VPN blocks DNS encryption to Cloudflare. But I need to verify.

Anyway, could you share your VPN profile with me?

I have found this in my logs:

Could this be the reason?

Thu Jun 27 22:05:16 2019 daemon.warn odhcpd[1521]: A default route is present but there is no public prefix on br-lan thus we don't announce a default route!

Thu Jun 27 22:09:18 2019 daemon.info dnsmasq[1263]: DNS service limited to local subnets

Thu Jun 27 22:09:28 2019 authpriv.info dropbear[1574]: Not backgrounding
Thu Jun 27 22:09:35 2019 daemon.err stubby[1678]: [20:09:35.418318] STUBBY: Read config from file /etc/stubby/stubby.yml
Thu Jun 27 22:09:35 2019 daemon.err stubby[1678]: error: Could not bind on given addresses: Address not available

Thu Jun 27 22:10:02 2019 daemon.err openvpn[2817]: TLS Error: local/remote TLS keys are out of sync: [AF_INET]199.233.235.205:1194 [0]

/etc/openvpn/update-resolv-conf tun0 1500 1560 172.16.0.6 255.255.255.0 init
Thu Jun 27 22:10:05 2019 daemon.warn odhcpd[1521]: A default route is present but there is no public prefix on br-lan thus we don't announce a default route!
Thu Jun 27 22:10:05 2019 daemon.info odhcpd[1521]: Using a RA lifetime of 0 seconds on br-lan

@kyson-lok pls have a look.

Any news or info for me?

Could you please ssh to the router, and execute this command? Please show me the result.

cat /etc/config/dhcp

With manual DNS (1.1.1.1/1.0.0.1):
root@GL-AR300M:~# cat /etc/config/dhcp

config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option nonwildcard '1'
option localservice '1'
option rebind_protection '0'
list server '1.1.1.1'
list server '1.0.0.1'
option noresolv '1'
option resolvfile '/tmp/resolv.conf.vpn'

config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option force '1'
option dhcpv6 'server'
option ra 'server'

config dhcp 'wan'
option interface 'wan'
option ignore '1'

config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'

config dhcp 'guest'
option interface 'guest'
option start '100'
option leasetime '12h'
option limit '150'
option dhcpv6 'server'
option ra 'server'

config domain 'localhost'
option name 'console.gl-inet.com'
option ip '192.168.8.1'


With “DNS over TLS from Cloudflare”:
root@GL-AR300M:~# cat /etc/config/dhcp

config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option nonwildcard '1'
option localservice '1'
option rebind_protection '0'
option noresolv '1'
list server '127.0.0.1#53535'
option resolvfile '/tmp/resolv.conf.vpn'

config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option force '1'
option dhcpv6 'server'
option ra 'server'

config dhcp 'wan'
option interface 'wan'
option ignore '1'

config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'

config dhcp 'guest'
option interface 'guest'
option start '100'
option leasetime '12h'
option limit '150'
option dhcpv6 'server'
option ra 'server'

config domain 'localhost'
option name 'console.gl-inet.com'
option ip '192.168.8.1'

root@GL-AR300M:~#
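The two config dumps and the earlier log excerpt together tell the story: with DoT enabled, dnsmasq forwards every query to a local listener (127.0.0.1#53535), and stubby, the process that should own that listener, logs that it could not bind. The script below is an added example for this thread, not GL-iNet code, and assumes that 127.0.0.1#53535 is stubby's listen address (inferred from the config and log posted here). It parses the UCI-style dnsmasq section and a few constructed syslog lines modelled on the ones above, then reports whether dnsmasq is pointed at a forwarder that is not actually running.

```python
"""Cross-check dnsmasq's upstream setting against stubby's log lines.

Added example for this thread (not GL-iNet's or the VPN provider's code).
It parses the UCI-style /etc/config/dhcp text and a handful of syslog
lines, then reports why dnsmasq may have no working upstream when the
DNS-over-TLS option is on. Assumption: 127.0.0.1#53535 is the local
stubby listener (inferred from the config and log posted in the thread).
"""
import re

# Constructed sample: the dnsmasq part of the second config dump (DoT on).
DOT_CONFIG = """\
config dnsmasq
    option domainneeded '1'
    option noresolv '1'
    list server '127.0.0.1#53535'
    option resolvfile '/tmp/resolv.conf.vpn'

config dhcp 'lan'
    option interface 'lan'
"""

# Constructed sample: the dnsmasq part of the first config dump (manual DNS).
MANUAL_CONFIG = """\
config dnsmasq
    list server '1.1.1.1'
    list server '1.0.0.1'
    option noresolv '1'
"""

# Constructed sample log, modelled on the lines posted in the thread.
SYSLOG = """\
Thu Jun 27 22:09:18 2019 daemon.info dnsmasq[1263]: DNS service limited to local subnets
Thu Jun 27 22:09:35 2019 daemon.err stubby[1678]: [20:09:35.418318] STUBBY: Read config from file /etc/stubby/stubby.yml
Thu Jun 27 22:09:35 2019 daemon.err stubby[1678]: error: Could not bind on given addresses: Address not available
"""

UCI_LINE = re.compile(r"^\s*(config|option|list)\s+(\S+)(?:\s+(.*))?$")
LOG_LINE = re.compile(
    r"^\w{3} \w{3} +\d+ [\d:]+ \d{4} [\w.]+ (?P<proc>\w+)\[\d+\]: (?P<msg>.*)$"
)


def _unquote(value):
    """Strip surrounding ASCII or typographic quotes from a UCI value."""
    return (value or "").strip().strip("'\"\u2018\u2019")


def parse_uci(text):
    """Parse UCI text into a list of sections: {type, name, options, lists}."""
    sections = []
    for line in text.splitlines():
        m = UCI_LINE.match(line)
        if not m:
            continue  # blank lines and anything that is not a UCI statement
        kind, key, rest = m.groups()
        if kind == "config":
            sections.append({"type": key, "name": _unquote(rest),
                             "options": {}, "lists": {}})
        elif kind == "option":
            sections[-1]["options"][key] = _unquote(rest)
        else:  # 'list' entries may repeat, so keep them in order
            sections[-1]["lists"].setdefault(key, []).append(_unquote(rest))
    return sections


def upstream_servers(sections):
    """Return dnsmasq's 'list server' entries as (host, port) tuples."""
    for sec in sections:
        if sec["type"] == "dnsmasq":
            out = []
            for entry in sec["lists"].get("server", []):
                host, _, port = entry.partition("#")  # dnsmasq syntax: host#port
                out.append((host, int(port) if port else 53))
            return out
    return []


def stubby_bind_failed(syslog):
    """True if any stubby line reports that it could not bind its socket."""
    for line in syslog.splitlines():
        m = LOG_LINE.match(line)
        if m and m["proc"] == "stubby" and "Could not bind" in m["msg"]:
            return True
    return False


def diagnose(config_text, syslog):
    """Explain, from config plus log, where dnsmasq is sending queries."""
    servers = upstream_servers(parse_uci(config_text))
    local = [(h, p) for h, p in servers if h.startswith("127.")]
    if not local:
        return "plain-dns: dnsmasq forwards directly to " + ", ".join(h for h, _ in servers)
    host, port = local[0]
    if stubby_bind_failed(syslog):
        return f"dot-broken: dnsmasq forwards to {host}#{port} but stubby could not bind, so no upstream answers"
    return f"dot: dnsmasq forwards to the local stub at {host}#{port}; verify TCP/853 is reachable through the tunnel"


if __name__ == "__main__":
    print(diagnose(MANUAL_CONFIG, SYSLOG))
    print(diagnose(DOT_CONFIG, SYSLOG))
```

On the router itself you would feed it `cat /etc/config/dhcp` and `logread`; the point of the check is that the dhcp file being "fine" is not enough, because with DoT the whole chain depends on the local stub process holding its socket.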

Hi,

Any news or info?

Greetings and thanks

Thanks for your information. The configuration file is fine. Could it be caused by your VPN provider blocking DNS over TLS?

Thanks a lot.
I will ask my VPN provider.

Hey kyson-lok,

I got an answer from the VPN provider:
“DNS over TLS” does not work with the server that I am using.

Thanks for the support.

I suggest that you change the service provider.

Because this means that they may use your DNS data. Otherwise they may allow DNS encryption.

The provider told me:
The server that I am using is a special one for streaming only, and it has multi-hop VPN connections.
Because of that multi-hop, I should not use “DNS over TLS”.