DNS broken after update to v4.6.4 on Flint

No DNS is working anymore with AdGuard enabled after upgrade to v4.6.4


If you disable AdGuard it is working again and VPN is able to connect.

Bump. Also, the update to 4.6.6 didn't solve it. You totally broke the router with the update of 4.6.4.

OpenVPN can't connect anymore if you have AdGuard Home enabled plus the option "block non vpn traffic" enabled. AdGuard Home doesn't resolve if OpenVPN is down.

Another bug I noticed with DNS on "automatic":

It claims DNS from OpenVPN is 10.0.0.243, which is totally wrong. OpenVPN has a totally different subnet. And 10.0.0.x is the WG subnet.

I have the same configuration on a Brume 2 with 4.6.6. also with Adguard, and there it works fine, except I use Wireguard there, and on the Flint OpenVPN.

You broke AdGuard Home DNS resolution with 4.6.4, so it won't resolve the initiation DNS name of the OpenVPN name, and OpenVPN won't connect, and then AdGuard won't work either. Disable AdGuard and OpenVPN will resolve and connect.

Found a workaround to change the server name of the OpenVPN server in the OpenVPN config file from 87-1-de.cg-dialup.net to 181.214.173.196, and now it will connect again and then also vice versa Adguard will work too.

This obviously is just for clients behind the router, not the router itself. How would the router connect to the VPN if it won't even resolve the VPN DNS in the first place? This worked in the past before 4.6.4, and it also works on Brume 2 with 4.6.6 with WG.

On Brume 2 this works totally fine with 4.6.6 but with Wireguard, there it also uses a name de966.nordvpn.com no IP and resolves it fine to initial connect.

Obviously Adguard needs to be excluded from the Block Non-VPN traffic, or the resolve of the OpenVPN server name and be resolved. Adguard is a service on the router itself, it is not a client.

Might be related to "Unable to (re-)connect VPN and kept disconnecting" as well?

1 Like

Temporary solution

sed -ie '/explict_vpn/d' /etc/init.d/adguardhome;/etc/init.d/adguardhome restart

Please execute this command in the background of the router, which may solve the problem you are facing now.

We will solve this issue in firmware v4.7

1 Like
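Why a second file named adguardhomee can show up after running the command above, as an added example that is not part of the original posts: sed builds that accept `-i[SUFFIX]` (GNU sed, and BusyBox sed as shipped on OpenWrt) read `-ie` as `-i` with the backup suffix `e`, so the unmodified script is saved next to the edited one. The script body and the `explict_vpn_hook` line below are constructed stand-ins, since the real /etc/init.d/adguardhome is not shown in the thread.

```shell
#!/bin/sh
# Constructed stand-in for /etc/init.d/adguardhome (real script not shown on the page).
make_sample() {
    dir=$(mktemp -d)
    cat > "$dir/adguardhome" <<'EOF'
#!/bin/sh /etc/rc.common
start_service() {
    explict_vpn_hook
    echo "starting adguardhome"
}
EOF
    echo "$dir"
}

# The command as posted: "-ie" is parsed as -i with backup suffix "e",
# which leaves an untouched copy named adguardhomee beside the script.
patch_as_posted() {
    sed -ie '/explict_vpn/d' "$1/adguardhome"
}

# Same edit with -i and -e as separate options (GNU/BusyBox syntax),
# with a deliberate backup kept outside the script directory listing.
patch_explicit() {
    mkdir -p "$1/backup"
    cp -p "$1/adguardhome" "$1/backup/adguardhome.orig"
    sed -i -e '/explict_vpn/d' "$1/adguardhome"
}

# Number of lines still mentioning explict_vpn (grep exits 1 on zero matches).
remaining() {
    grep -c 'explict_vpn' "$1" || true
}

# Names left next to the script after the edit.
siblings() {
    ls "$1" | tr '\n' ' '
}

d1=$(make_sample); patch_as_posted "$d1"
d2=$(make_sample); patch_explicit "$d2"
echo "as posted: $(siblings "$d1")"
echo "explicit:  $(siblings "$d2")"
rm -rf "$d1" "$d2"
```

Both forms remove the matching lines; only the first leaves the extra copy in the same directory.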

Thank you very much. Will this get resolved in a next fw update? Is it a problem if I execute this and the config file will be changed with the next fw update?

Is it normal that there is a 2nd file called adguardhomee in the init.d folder? I just noticed it.


There are also lots of warnings and a few errors:

BusyBox v1.33.2 (2024-09-26 01:12:41 UTC) built-in shell (ash)


ApNos-c904c53b-devel
OpenWrt 21.02-SNAPSHOT, r16399+174-c67509efd7

root@GL-AX1800:~# sed -ie '/explict_vpn/d' /etc/init.d/adguardhome;/etc/init.d/adguardhome restart
uci: Entry not found
uci: Entry not found
Warning: Section @defaults[0] requires unavailable target extension FLOWOFFLOAD, disabling
Warning: Section @zone[1] (wan) cannot resolve device of network 'wan6'
Warning: Section @zone[1] (wan) cannot resolve device of network 'wwan'
Warning: Section @zone[2] (guest) cannot resolve device of network 'guest'
Warning: Option 'ovpnclient'.masq6 is unknown
Warning: Option 'wgserver'.client_to_client is unknown
Warning: Option 'wgserver'.masq6 is unknown
Warning: Section 'wan_in_conn_mark' does not specify a protocol, assuming TCP+UDP
Warning: Section 'lan_in_conn_mark_restore' does not specify a protocol, assuming TCP+UDP
Warning: Section 'out_conn_mark_restore' does not specify a protocol, assuming TCP+UDP
Warning: Section 'safe_mode_mark' does not specify a protocol, assuming TCP+UDP
Warning: Section 'safe_mode_mark_save' does not specify a protocol, assuming TCP+UDP
Warning: Section 'safe_mode_mark_drop' does not specify a protocol, assuming TCP+UDP
Warning: Option 'sambasharewan'.dest_proto is unknown
Warning: Section 'sambasharewan' does not specify a protocol, assuming TCP+UDP
Warning: Option 'sambasharelan'.dest_proto is unknown
Warning: Section 'sambasharelan' does not specify a protocol, assuming TCP+UDP
Warning: Option 'glnas_ser'.dest_proto is unknown
Warning: Section 'glnas_ser' does not specify a protocol, assuming TCP+UDP
Warning: Option 'webdav_wan'.dest_proto is unknown
Warning: Section 'webdav_wan' does not specify a protocol, assuming TCP+UDP
Warning: Section @redirect[0] (GL-cam1_rtsp) has no target specified, defaulting to DNAT
Warning: Section @redirect[1] (GL-cam2_rtsp) has no target specified, defaulting to DNAT
Warning: Section @redirect[2] (GL-cam3_rtsp) has no target specified, defaulting to DNAT
Warning: Section 'dns_vpn' has no target specified, defaulting to DNAT
Warning: Section 'dns_vpn_guest' has no target specified, defaulting to DNAT
Warning: Option 'safe_mode_dns_drop'.name is unknown
Warning: Section @defaults[0] requires unavailable target extension FLOWOFFLOAD, disabling
Warning: Section @zone[2] (guest) has no device, network, subnet or extra options

  • Clearing IPv4 filter table
  • Clearing IPv4 nat table
  • Clearing IPv4 mangle table
  • Clearing IPv4 raw table
  • Populating IPv4 filter table
    • Rule 'Allow-DHCP-Renew'
    • Rule 'Allow-IGMP'
    • Rule 'Allow-IPSec-ESP'
    • Rule 'Allow-ISAKMP'
    • Rule '118 firetv allow'
    • Rule '119 allow firetv'
    • Rule 'Allow-DHCP'
    • Rule 'Allow-DNS'
    • Rule 'safe_mode_lan'
    • Rule 'safe_mode_guest'
    • Rule 'safe_mode_mark_drop'
    • Rule #21
    • Rule #22
    • Rule #23
    • Rule #24
    • Rule 'wgserver_allow'
    • Redirect 'GL-cam1_rtsp'
    • Redirect 'GL-cam2_rtsp'
    • Redirect 'GL-cam3_rtsp'
    • Redirect 'dns for vpn'
    • Redirect 'dns for vpn guest'
    • Forward 'ovpnclient' -> 'wan'
    • Forward 'lan' -> 'ovpnclient'
    • Forward 'guest' -> 'ovpnclient'
    • Forward 'wgserver' -> 'wan'
    • Forward 'lan' -> 'wgserver'
    • Forward 'wgserver' -> 'lan'
    • Forward 'wgserver' -> 'wgserver'
    • Zone 'lan'
    • Zone 'wan'
    • Zone 'guest'
    • Zone 'ovpnclient'
    • Zone 'wgserver'
  • Populating IPv4 nat table
    • Redirect 'GL-cam1_rtsp'
    • Redirect 'GL-cam2_rtsp'
    • Redirect 'GL-cam3_rtsp'
    • Redirect 'dns for vpn'
    • Redirect 'dns for vpn guest'
    • Zone 'lan'
    • Zone 'wan'
    • Zone 'guest'
    • Zone 'ovpnclient'
    • Zone 'wgserver'
  • Populating IPv4 mangle table
    • Rule 'process_mark'
    • Rule 'wan_in_conn_mark'
    • Rule 'lan_in_conn_mark_restore'
    • Rule 'out_conn_mark_restore'
    • Rule 'safe_mode_mark'
    • Rule 'safe_mode_mark_save'
    • Rule 'process_mark_dns'
    • Rule 'process_explict_vpn'
    • Rule 'process_mark_stubby'
    • Zone 'lan'
    • Zone 'wan'
    • Zone 'guest'
    • Zone 'ovpnclient'
    • Zone 'wgserver'
  • Populating IPv4 raw table
    • Redirect 'GL-cam1_rtsp'
      • Auto-selected conntrack helper 'rtsp' based on proto/port
    • Redirect 'GL-cam2_rtsp'
      • Auto-selected conntrack helper 'rtsp' based on proto/port
    • Redirect 'GL-cam3_rtsp'
      • Auto-selected conntrack helper 'rtsp' based on proto/port
    • Zone 'lan'
      • Using automatic conntrack helper attachment
    • Zone 'wan'
    • Zone 'guest'
      • Using automatic conntrack helper attachment
    • Zone 'ovpnclient'
    • Zone 'wgserver'
      Warning: iptc_commit(): No chain/target/match by that name
  • Clearing IPv6 filter table
  • Clearing IPv6 nat table
  • Clearing IPv6 mangle table
  • Populating IPv6 filter table
    • Rule 'Allow-DHCPv6'
    • Rule 'Allow-MLD'
    • Rule 'Allow-ICMPv6-Input'
    • Rule 'Allow-ICMPv6-Forward'
    • Rule 'Allow-IPSec-ESP'
    • Rule 'Allow-ISAKMP'
    • Rule 'Allow-DHCP'
    • Rule 'Allow-DNS'
    • Rule 'safe_mode_lan'
    • Rule 'safe_mode_guest'
    • Rule 'safe_mode_mark_drop'
    • Rule #21
    • Rule #22
    • Rule #23
    • Rule #24
    • Forward 'ovpnclient' -> 'wan'
    • Forward 'lan' -> 'ovpnclient'
    • Forward 'guest' -> 'ovpnclient'
    • Forward 'wgserver' -> 'wan'
    • Forward 'lan' -> 'wgserver'
    • Forward 'wgserver' -> 'lan'
    • Forward 'wgserver' -> 'wgserver'
    • Zone 'lan'
    • Zone 'wan'
    • Zone 'guest'
    • Zone 'ovpnclient'
    • Zone 'wgserver'
  • Populating IPv6 nat table
    Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_lan_rule'
    Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_lan_rule'
    Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_wan_rule'
    Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_wan_rule'
    Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_guest_rule'
    Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_guest_rule'
    Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_ovpnclient_rule'
    Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_ovpnclient_rule'
    Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_wgserver_rule'
    Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_wgserver_rule'
    Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_rule'
    Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_rule'
    • Zone 'lan'
    • Zone 'wan'
    • Zone 'guest'
    • Zone 'ovpnclient'
    • Zone 'wgserver'
  • Populating IPv6 mangle table
    • Rule 'process_mark'
    • Rule 'wan_in_conn_mark'
    • Rule 'lan_in_conn_mark_restore'
    • Rule 'out_conn_mark_restore'
    • Rule 'safe_mode_mark'
    • Rule 'safe_mode_mark_save'
    • Rule 'process_mark_dns'
    • Rule 'process_explict_vpn'
    • Rule 'process_mark_stubby'
    • Zone 'lan'
    • Zone 'wan'
    • Zone 'guest'
    • Zone 'ovpnclient'
    • Zone 'wgserver'
  • Set tcp_ecn to off
  • Set tcp_syncookies to on
  • Set tcp_window_scaling to on
  • Running script '/etc/firewall.nat6'
  • Running script '/etc/firewall.swap_wan_in_conn_mark.sh'
  • Running script '/etc/firewall.vpn_server_policy.sh'
  • Running script '/etc/firewall.safe_mode_dns_drop'
  • Running script '/usr/bin/gl_block.sh'
    iptables: No chain/target/match by that name.
    Warning: Section @defaults[0] requires unavailable target extension FLOWOFFLOAD, disabling
    Warning: Section @zone[1] (wan) cannot resolve device of network 'wan6'
    Warning: Section @zone[1] (wan) cannot resolve device of network 'wwan'
    Warning: Section @zone[2] (guest) cannot resolve device of network 'guest'
    Warning: Option 'ovpnclient'.masq6 is unknown
    Warning: Option 'wgserver'.client_to_client is unknown
    Warning: Option 'wgserver'.masq6 is unknown
    Warning: Section 'wan_in_conn_mark' does not specify a protocol, assuming TCP+UDP
    Warning: Section 'lan_in_conn_mark_restore' does not specify a protocol, assuming TCP+UDP
    Warning: Section 'out_conn_mark_restore' does not specify a protocol, assuming TCP+UDP
    Warning: Section 'safe_mode_mark' does not specify a protocol, assuming TCP+UDP
    Warning: Section 'safe_mode_mark_save' does not specify a protocol, assuming TCP+UDP
    Warning: Section 'safe_mode_mark_drop' does not specify a protocol, assuming TCP+UDP
    Warning: Option 'sambasharewan'.dest_proto is unknown
    Warning: Section 'sambasharewan' does not specify a protocol, assuming TCP+UDP
    Warning: Option 'sambasharelan'.dest_proto is unknown
    Warning: Section 'sambasharelan' does not specify a protocol, assuming TCP+UDP
    Warning: Option 'glnas_ser'.dest_proto is unknown
    Warning: Section 'glnas_ser' does not specify a protocol, assuming TCP+UDP
    Warning: Option 'webdav_wan'.dest_proto is unknown
    Warning: Section 'webdav_wan' does not specify a protocol, assuming TCP+UDP
    Warning: Section @redirect[0] (GL-cam1_rtsp) has no target specified, defaulting to DNAT
    Warning: Section @redirect[1] (GL-cam2_rtsp) has no target specified, defaulting to DNAT
    Warning: Section @redirect[2] (GL-cam3_rtsp) has no target specified, defaulting to DNAT
    Warning: Section 'dns_vpn' has no target specified, defaulting to DNAT
    Warning: Section 'dns_vpn_guest' has no target specified, defaulting to DNAT
    Warning: Option 'safe_mode_dns_drop'.name is unknown
    Warning: Section @defaults[0] requires unavailable target extension FLOWOFFLOAD, disabling
    Warning: Section @zone[2] (guest) has no device, network, subnet or extra options
  • Clearing IPv4 filter table
  • Clearing IPv4 nat table
  • Clearing IPv4 mangle table
  • Clearing IPv4 raw table
  • Populating IPv4 filter table
    • Rule 'Allow-DHCP-Renew'
    • Rule 'Allow-IGMP'
    • Rule 'Allow-IPSec-ESP'
    • Rule 'Allow-ISAKMP'
    • Rule '118 firetv allow'
    • Rule '119 allow firetv'
    • Rule 'Allow-DHCP'
    • Rule 'Allow-DNS'
    • Rule 'safe_mode_lan'
    • Rule 'safe_mode_guest'
    • Rule 'safe_mode_mark_drop'
    • Rule #21
    • Rule #22
    • Rule #23
    • Rule #24
    • Rule 'wgserver_allow'
    • Redirect 'GL-cam1_rtsp'
    • Redirect 'GL-cam2_rtsp'
    • Redirect 'GL-cam3_rtsp'
    • Redirect 'dns for vpn'
    • Redirect 'dns for vpn guest'
    • Forward 'ovpnclient' -> 'wan'
    • Forward 'lan' -> 'ovpnclient'
    • Forward 'guest' -> 'ovpnclient'
    • Forward 'wgserver' -> 'wan'
    • Forward 'lan' -> 'wgserver'
    • Forward 'wgserver' -> 'lan'
    • Forward 'wgserver' -> 'wgserver'
    • Zone 'lan'
    • Zone 'wan'
    • Zone 'guest'
    • Zone 'ovpnclient'
    • Zone 'wgserver'
  • Populating IPv4 nat table
    • Redirect 'GL-cam1_rtsp'
    • Redirect 'GL-cam2_rtsp'
    • Redirect 'GL-cam3_rtsp'
    • Redirect 'dns for vpn'
    • Redirect 'dns for vpn guest'
    • Zone 'lan'
    • Zone 'wan'
    • Zone 'guest'
    • Zone 'ovpnclient'
    • Zone 'wgserver'
  • Populating IPv4 mangle table
    • Rule 'process_mark'
    • Rule 'wan_in_conn_mark'
    • Rule 'lan_in_conn_mark_restore'
    • Rule 'out_conn_mark_restore'
    • Rule 'safe_mode_mark'
    • Rule 'safe_mode_mark_save'
    • Rule 'process_mark_dns'
    • Rule 'process_explict_vpn'
    • Rule 'process_mark_stubby'
    • Zone 'lan'
    • Zone 'wan'
    • Zone 'guest'
    • Zone 'ovpnclient'
    • Zone 'wgserver'
  • Populating IPv4 raw table
    • Redirect 'GL-cam1_rtsp'
      • Auto-selected conntrack helper 'rtsp' based on proto/port
    • Redirect 'GL-cam2_rtsp'
      • Auto-selected conntrack helper 'rtsp' based on proto/port
    • Redirect 'GL-cam3_rtsp'
      • Auto-selected conntrack helper 'rtsp' based on proto/port
    • Zone 'lan'
      • Using automatic conntrack helper attachment
    • Zone 'wan'
    • Zone 'guest'
      • Using automatic conntrack helper attachment
    • Zone 'ovpnclient'
    • Zone 'wgserver'
      Warning: iptc_commit(): No chain/target/match by that name
  • Clearing IPv6 filter table
  • Clearing IPv6 nat table
  • Clearing IPv6 mangle table
  • Populating IPv6 filter table
    • Rule 'Allow-DHCPv6'
    • Rule 'Allow-MLD'
    • Rule 'Allow-ICMPv6-Input'
    • Rule 'Allow-ICMPv6-Forward'
    • Rule 'Allow-IPSec-ESP'
    • Rule 'Allow-ISAKMP'
    • Rule 'Allow-DHCP'
    • Rule 'Allow-DNS'
    • Rule 'safe_mode_lan'
    • Rule 'safe_mode_guest'
    • Rule 'safe_mode_mark_drop'
    • Rule #21
    • Rule #22
    • Rule #23
    • Rule #24
    • Forward 'ovpnclient' -> 'wan'
    • Forward 'lan' -> 'ovpnclient'
    • Forward 'guest' -> 'ovpnclient'
    • Forward 'wgserver' -> 'wan'
    • Forward 'lan' -> 'wgserver'
    • Forward 'wgserver' -> 'lan'
    • Forward 'wgserver' -> 'wgserver'
    • Zone 'lan'
    • Zone 'wan'
    • Zone 'guest'
    • Zone 'ovpnclient'
    • Zone 'wgserver'
  • Populating IPv6 nat table
    Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_lan_rule'
    Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_lan_rule'
    Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_wan_rule'
    Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_wan_rule'
    Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_guest_rule'
    Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_guest_rule'
    Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_ovpnclient_rule'
    Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_ovpnclient_rule'
    Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_wgserver_rule'
    Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_wgserver_rule'
    Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_rule'
    Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_rule'
    • Zone 'lan'
    • Zone 'wan'
    • Zone 'guest'
    • Zone 'ovpnclient'
    • Zone 'wgserver'
  • Populating IPv6 mangle table
    • Rule 'process_mark'
    • Rule 'wan_in_conn_mark'
    • Rule 'lan_in_conn_mark_restore'
    • Rule 'out_conn_mark_restore'
    • Rule 'safe_mode_mark'
    • Rule 'safe_mode_mark_save'
    • Rule 'process_mark_dns'
    • Rule 'process_explict_vpn'
    • Rule 'process_mark_stubby'
    • Zone 'lan'
    • Zone 'wan'
    • Zone 'guest'
    • Zone 'ovpnclient'
    • Zone 'wgserver'
  • Set tcp_ecn to off
  • Set tcp_syncookies to on
  • Set tcp_window_scaling to on
  • Running script '/etc/firewall.nat6'
  • Running script '/etc/firewall.swap_wan_in_conn_mark.sh'
  • Running script '/etc/firewall.vpn_server_policy.sh'
  • Running script '/etc/firewall.safe_mode_dns_drop'
  • Running script '/usr/bin/gl_block.sh'
    iptables: No chain/target/match by that name.
    root@GL-AX1800:~#

I think a proper solution to this issue would be to implement a DNS whitelist into the Glinet Web GUI under the block all non vpn GUI, where you can put exceptions into a list, which are not blocked, even with VPN down. This would include ALL OpenVPN and Wireguard VPN server names to initiate the VPN, and also include the Glinet DDNS name. Instead of just allowing Adguard service full access outside VPN. And use a fallback DNS resolver for this exception list you can add, like 1.1.1.1 or another one you configure.

Whitelist DNS:

Fallback resolver: ____

Whitelist of DNS names:

  1. OpenVPN 1
  2. OpenVPN 2
  3. Wireguard 1
  4. Glinet DDNS
  5. ...

Unfortunately, upgrading the firmware will invalidate this change; we plan to fix this in v4.7.0.

This file should not exist. I think it may be a manual backup of the adguardhome file.

This is a new issue caused by solving a security problem. This problem occurs because the router's DNS request is not handled correctly. The code to fix the DNS problem was not included in the current firmware due to a merge error.

That's awesome. The way we handle DNS in the background is similar to what you said. But it cannot be configured on the web.