GL-FUN
April 1, 2022, 5:19pm
1
GL-MT1300 - OpenWrt 19.07.8 r11364-ef56c85848 / LuCI openwrt-19.07 branch git-21.189.23240-7b931da kernel 4.14.241
OpenVPN - Ivacy, VPN Policies - exclude local net where I have my own recursive DNS
Internet Kill Switch - Enabled: no DNS resolution / but OK if ask directly
Internet Kill Switch - Disabled: WORKS
I have the same config on GL-MT300N-V2 - and all works fine.
Please help.
[22/04/01 18:13:09 BST +0100]
$ dig microsoft.com
; <<>> DiG 9.11.9 <<>> microsoft.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 53520
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: d18e44f031c6c84101000000624732a8096c2e6d77686e51 (good)
;; QUESTION SECTION:
;microsoft.com. IN A
;; Query time: 5006 msec
;; SERVER: 192.168.8.1#53(192.168.8.1)
;; WHEN: Fri Apr 01 18:13:12 BST 2022
;; MSG SIZE rcvd: 70
[22/04/01 18:13:12 BST +0100]
$ dig microsoft.com @192.168.1.111
; <<>> DiG 9.11.9 <<>> microsoft.com @192.168.1.111
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36396
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 024f78a2033b7c0701000000624732c086f17510c42f7dc3 (good)
;; QUESTION SECTION:
;microsoft.com. IN A
;; ANSWER SECTION:
microsoft.com. 3600 IN A 104.215.148.63
microsoft.com. 3600 IN A 40.113.200.201
microsoft.com. 3600 IN A 13.77.161.179
microsoft.com. 3600 IN A 40.76.4.15
microsoft.com. 3600 IN A 40.112.72.205
;; Query time: 20 msec
;; SERVER: 192.168.1.111#53(192.168.1.111)
;; WHEN: Fri Apr 01 18:13:36 BST 2022
;; MSG SIZE rcvd: 150
[22/04/01 18:13:36 BST +0100]
$
What is the DNS server hostname or IP address that Ivacy VPN clients use?
I do not work for and I do not have formal association with GL.iNet
GL-FUN
April 1, 2022, 10:36pm
3
How does this matter if one router works, another model in the same setup, does not?
Clearly, you have proved otherwise. It’s okay that you don’t want to give information to me though. Good luck.
I do not work for and I do not have formal association with GL.iNet
GL-FUN
April 2, 2022, 5:21am
5
Ok, let’s see)
The router is the client; as you can see from the dig command, it is 192.168.8.1 (internal) and 192.168.1.105 (external), as it is connected to another router.
The one which works has the .104 external interface.
Please, now help me understand how this matters.
GLrs
April 2, 2022, 5:34am
6
Did you enable that policy on the MT1300 (i.e. switch it on)?
If so, there already might be the issue; the MT1300's logic is vice versa - to include host processes:
P.S. You forgot to mention if the problem occurs when VPN is connected/disconnected/both?
GL-FUN
April 2, 2022, 5:49am
7
@GLrs the policy is enabled to allow access to my recursive DNS: .1.111 & .8.100
This problem occurs when the VPN is connected and the kill switch is on.
I tried include/exclude internal processes with no difference in outcome.
GLrs
April 2, 2022, 6:22am
8
Sounds like you forgot to exclude 192.168.1.0/24 (or at least 192.168.1.111) from VPN…
GL-FUN
April 2, 2022, 8:36am
9
@GLrs
No, I excluded both: .8.0/24 and .1.0/24
As you can see from dig @192.168.1.111 - all works even if the kill switch is on.
Remember: the same config on GL-MT300N-V2 works fine.
But the DNS forwarder on the router itself is not working when the kill switch is on (see SERVFAIL in the dig command).
You can try this by opening KillSwitch before applying Policy.
GL-FUN
April 7, 2022, 10:27am
12
@luochongjun - wow - it works! But now the other way around: the kill switch works as intended, but once I apply the policy, it stops working. Well, at least it does have access to my recursive DNS on 192.168.1.111 (without the 192.168.1.0/24 policy applied) - and that is an unexpected reverse failure.
What could that be?
The priority here deals with some issues, and the rules applied later have higher priority.
GL-FUN
April 8, 2022, 9:44am
14
@luochongjun All right, but the same config on GL-MT-300N-V2 does not cause any problems. Hence there is something different and wrong with GL-MT-1300.
What is that and how to fix it?
GL-FUN
April 11, 2022, 11:23am
15
Team! Any idea what’s going on?