GL-MT1300 - openVPN ON & policy ON & kill switch ON > dns resolution GONE

GL-FUN · 2022-04-01T17:19:24.082Z

GL-MT1300 - OpenWrt 19.07.8 r11364-ef56c85848 / LuCI openwrt-19.07 branch git-21.189.23240-7b931da kernel 4.14.241

openVPN - Ivacy, VPN Policies - exclude local net where have own recursive DNS
Internet Kill Switch - Enabled: no DNS resolution / but OK if ask directly
Internet Kill Switch - Disabled: WORKS

have the same config on GL-MT300N-V2 - and all works fine.

please, help

[22/04/01 18:13:09 BST +0100]
$ dig microsoft.com

; <<>> DiG 9.11.9 <<>> microsoft.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 53520
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: d18e44f031c6c84101000000624732a8096c2e6d77686e51 (good)
;; QUESTION SECTION:
;microsoft.com.                 IN      A

;; Query time: 5006 msec
;; SERVER: 192.168.8.1#53(192.168.8.1)
;; WHEN: Fri Apr 01 18:13:12 BST 2022
;; MSG SIZE  rcvd: 70

[22/04/01 18:13:12 BST +0100]
$ dig microsoft.com @192.168.1.111

; <<>> DiG 9.11.9 <<>> microsoft.com @192.168.1.111
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36396
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 024f78a2033b7c0701000000624732c086f17510c42f7dc3 (good)
;; QUESTION SECTION:
;microsoft.com.                 IN      A

;; ANSWER SECTION:
microsoft.com.          3600    IN      A       104.215.148.63
microsoft.com.          3600    IN      A       40.113.200.201
microsoft.com.          3600    IN      A       13.77.161.179
microsoft.com.          3600    IN      A       40.76.4.15
microsoft.com.          3600    IN      A       40.112.72.205

;; Query time: 20 msec
;; SERVER: 192.168.1.111#53(192.168.1.111)
;; WHEN: Fri Apr 01 18:13:36 BST 2022
;; MSG SIZE  rcvd: 150

[22/04/01 18:13:36 BST +0100]
$

wcs2228 · 2022-04-01T21:56:00.429Z

What is the DNS server hostname or IP address that Ivacy VPN clients uses?

I do not work for and I do not have formal association with GL.iNet

GL-FUN · 2022-04-01T22:36:22.729Z

How does this mater if one router works, another model in the same setup, does not?

wcs2228 · 2022-04-01T22:48:47.196Z

Clearly, you have proved otherwise. It’s okay that you don’t want to give information to me though. Good luck,.

I do not work for and I do not have formal association with GL.iNet

GL-FUN · 2022-04-02T05:21:29.640Z

Ok, let’s see)

The router is the client, as you can see from dig command it is 192.168.8.1 (internal) and 192.168.1.105 (external) as it is connected to another router.

The one which works has .104 external interface.

please, now help me understand, how this matters?

GLrs · 2022-04-02T05:34:22.929Z

GL-FUN:

VPN Policies - exclude local net where have own recursive DNS

did you enable that policy on the MT1300 (i.e. switch it on)?
If so there already might be the issue, MT1300s logic is vice versa - to include host processes:

P.S. You forgot to mention if the problem occurs when VPN is connected/disconnected/both?

GL-FUN · 2022-04-02T05:49:47.435Z

@GLrs policy is enabled to let access to my recursive DNS: .1.111 & .8.100

this problem is when vpn is connected and kill switch is on.

I tried include/exclude internal processes with no difference in outcome.

GLrs · 2022-04-02T06:22:44.014Z

GL-FUN:

this problem is when vpn is connected

sounds like you forgot to exclude 192.168.1.0/24 (or at least 192.168.1.111) from VPN…

GL-FUN · 2022-04-02T08:36:11.037Z

@GLrs
No, I excluded both: .8.0/24 and .1.0/24
As you can see from dig @192.168.1.111 - all works even if kill switch is on

Remember: same config on GL-MT300N-V2 works fine.

but DNS forwarder on the router itself is not working when kill switch is on (see SERVFAIL in dig command)

GL-FUN · 2022-04-05T11:20:22.167Z

team! any other idea?

robotluo · 2022-04-07T09:55:47.525Z

You can try this by opening KillSwitch before applying Policy.

GL-FUN · 2022-04-07T10:27:16.205Z

@robotluo - wow - it works! but now another way around: killswitch as intended, but once apply policy - it stops working. well, at least it does have access to my recursive dns on 192.168.1.111 (without 192.168.1.0/24 policy applied) - and that is an unexpected reverse failure.

what that could be?

robotluo · 2022-04-08T09:41:01.991Z

The priority here deals with some issues, and the rules applied later have higher priority.

GL-FUN · 2022-04-08T09:44:26.661Z

@robotluo all right, but the same config on GL-MT-300N-V2 does not cause any problems. hence there is something different and wrong with GL-MT-1300

what that is and how to fix it?

GL-FUN · 2022-04-11T11:23:15.815Z

team! any idea what’s going on?