DNS config is confusing when using VPN

paya · 2022-12-01T00:27:55.061Z

So I installed ProtonVPN WireGuard profile on my GL-AXT1800. This comes with VPN-provided DNS (called NetShield) which does basically the same thing as AdGuard Home, but it’s bundled with the VPN service.

It seems the Slate AX advertises itself as a DNS resolver over DHCP to the connected devices. This was surprising to me at first, but it looks like this is the “standard” in OpenWrt. I always assumed the DNS servers configured in the settings would be forwarded via DHCP to the clients, but that’s not what’s happening.
A tiny feature suggestion here - it would be good to have a simple option to forward the upstream DNS via DHCP to the devices without Slate acting as a DNS middleman, because from my research this change looks like a rather involved process and not a simple drop-down button switch.

Anyway, my Slate AX DNS is set to Automatic, and it retrieved 2 DNS servers from Ethernet and 1 DNS server from WireGuard.

Now, how do I choose which server is going to be used by the Slate DNS resolver? I want to make sure it always 100% ignores the DNS servers coming from ethernet, even if the VPN DNS is down. Yet, there seems to be zero configuration available here - I cannot choose DNS server priority, allow/disallow DNS servers from a particular source, etc. And there is no indication as to which upstream DNS server is going to be used by the Slate resolver. Any tips how to do any of these things?

From the looks of it, the best bet seems to be to use manual DNS config and just hard-code the VPN DNS server. That’s gonna get annoying quickly though when I switch from one VPN profile to another and each time I will have to go update the hard-coded DNS server. Am I missing something?

yuxin.zou · 2022-12-01T01:42:41.572Z

The Block Non-VPN Traffic option may be helpful.
If DNS is set to Automatic, the VPN interface will only use the DNS from WireGuard. When the Block Non-VPN Traffic option is enabled, data sent over the Ethernet interface will be blocked. In other words, the DNS for Ethernet is still in the settings, but no data will be sent.

paya:

I want to make sure it always 100% ignores the DNS servers coming from ethernet, even if the VPN DNS is down.

So when the VPN is not available, do you want to block internet or use another manually set up DNS?

paya · 2022-12-01T09:50:04.008Z

From Ethernet DHCP, the router obtained one ISP DNS server and also one Google DNS server. If I use Block Non-VPN Traffic, is there a guarantee the router will not send any requests to the ISP/Google DNS servers via the VPN interface? Because that’s another thing the router could do - perhaps with “Block Non-VPN Traffic” enabled, it won’t send requests via ethernet interface, but it might still use ISP/Google DNS servers, except it will talk to them via VPN connection first? It is just not very clear which DNS server is the router going to use.

So when the VPN is not available, do you want to block internet or use another manually set up DNS?

It depends. If the VPN is not available I would say block the internet. If just the VPN DNS is not available for some reason, perhaps using a manually configured fallback is okay too.

yuxin.zou · 2022-12-02T01:27:18.742Z

paya:

If I use Block Non-VPN Traffic, is there a guarantee the router will not send any requests to the ISP/Google DNS servers via the VPN interface?

There is no guarantee that no traffic will be sent. It only blocks requests from the client. If you have not manually installed any applications on your router, there should be no traffic sent to ISP/Google DNS servers when VPN is enabled.

paya:

If just the VPN DNS is not available for some reason, perhaps using a manually configured fallback is okay too.

In this case, you should disable Block Non-VPN Traffic and set up DNS for the interface on the LuCI ->Network → Interfaces → WAN → Advanced Settings (this feature is not yet supported by the GL UI).

chrisd · 2022-12-06T22:36:13.016Z

See GL-AXT1800: One DNS server per VLAN

Best regards

AdamK · 2024-07-27T22:30:26.459Z

yuxin.zou:

If DNS is set to Automatic, the VPN interface will only use the DNS from WireGuard.

Are you sure about that? The default Wireguard client config on GL.iNet routers is Verisign DNS. Unless you manually edit the "DNS =" line in the config to point to your Wireguard server, it's not going to use the DNS from Wireguard.

AdamK · 2024-07-27T22:35:47.735Z

I think the OP wants to conceal their location, in which case disabling "Block Non-VPN Traffic" would be a bad idea even if it meant using preferable DNS servers...

yuxin.zou · 2024-08-01T11:02:17.675Z

Sorry, I mean the DNS in the WireGuard configuration file, not the WireGuard servers.