I want to use NordVPN and the Flint 2 Router. All devices that connect to the Flint Router should only use the VPN. I already enabled "Block non-VPN traffic".
But the DNS settings are confusing. Do I have to set up the DNS manually from the Nord website, or should I leave it as it is? It is confusing, because the GL.iNet docs state the following: "Automatic, use the gateway of the parent router." I don't want my real DNS to be exposed and used by the devices connected to the router in any case. This includes if the VPN connection drops.
Can someone explain what the right settings are for this case? I uploaded two screenshots. One is the settings I applied to the VPN section and the other one is the DNS settings page. The DNS from repeater shows the local IP address of my real router.
Again, I am really confused and I hope that someone can explain what the correct (no possible leak of my actual DNS) settings are for my case.
Usually the DNS settings are taken from your WireGuard / OpenVPN config. I believe the settings you are looking at are the upstream DNS settings, which are not what your VPN will be using.
Ensure you are using global proxy mode (from the VPN dashboard).
This will then force all clients via the tunnel. You have blocked non-WAN, so that should stop any device connecting to WAN even when the VPN gets disabled. This is different to a killswitch, as the killswitch is only on when the tunnel is up (you haven't turned off the VPN client), but again, this seems to be the behaviour you want as it will ensure everything is killed regardless.
The "Allow custom DNS" VPN option isn't needed here either, so you can keep that toggled off.
Now just connect your clients to your Flint 2 and visit a site like ipleak.net - here you can see your client's external VPN IP address; ensure it's reporting correctly. It will also list the DNS further down the page, and they should be reporting the same country region as your VPN WAN IP.
You can also test the DNS by visiting dnsleaktest.com - this will then report your DNS servers too. Usually the VPN WAN IP and the DNS would match.
I asked the same question to support and I got instructed to turn on Override all clients. "Please select override all clients, then all devices include this router will use the VPN DNS as outgoing DNS "
Now I'm even more confused. Can maybe an official or anyone else explain what the right settings are and what they do?
I have not selected override all clients yet. I did do a DNS leak test and it only shows the DNS servers of my VPN. Is there a way to test this further? What is the right setting?
I presume they mean "Override DNS settings of all clients", not the option you have highlighted in your previous post.
That option would force any client to use the DNS of the router, and since the router is going out via global proxy (VPN), the clients would be forced to use the VPN too. Some devices can ignore DNS and use public-facing DNS to bypass it, hence that option.
The option "Allow custom DNS to override VPN DNS" means that you can use DNS other than your VPN provider's; however, I would recommend keeping that toggled off so you are using your default VPN provider's DNS that's inside their config files.
Each option in the GUI has a tooltip you can read too.
That's my take on it. Anyway, an official response is worth a confirmation.
I just do what I posted prior. I found that using encrypted DNS and selecting "Allow custom DNS to override VPN" I could potentially get leaks; this was on older firmware though.
^ that would confirm you are using the VPN and getting no leaks, it's that simple really.
If your WAN and DNS settings are that of the VPN / VPN location, then it's working.
An easier way to tell would be to use a VPN server that's not located in the same country, that way you can visually see the country / region of your VPN IP / DNS, the results should be different compared to devices that are not going via VPN.
I still don't understand the difference between leaving: Override DNS settings of all clients on or off. What difference would it make if I turn this on?
Have you pondered the possibility of adding a kill switch, so that all the traffic goes through the WireGuard interface only and all other traffic is blocked?
The question is answered in the tooltip next to the option.
Override DNS settings of all clients -> It will intercept plain (!) DNS, so UDP 53, and will replace the server with the router. So if your PC has the setting of 8.8.8.8 for DNS, the request won't reach the Google server but only the router - which will do whatever the router is configured to do.
And in this case, the router is configured as a VPN client which (ideally) points to the VPN server IP as the DNS resolver. So yes, the idea is to force the client (ex. Laptop) to use the router’s DNS and not its own whether set by browser or even DNS software installed (ex. corporate).
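The following is an added model of the behaviour described in this post, in the leak-test advice earlier in the thread, and in the later replies about "Block non-VPN traffic". It is constructed for this thread and is not GL.iNet firmware code; it does not talk to a router. The resolver names `vpn-provider-dns` and `isp-parent-dns` are placeholders, and the assumption that a tunnel-down, non-blocked query from an intercepted client falls back to the parent router's DNS is mine, not something the posts state. The model's point is the distinction the posts make: the override only catches plaintext port 53, so encrypted DNS (DoH/DoT) bypasses it, and "Block non-VPN traffic" is what prevents anything at all from leaving when the tunnel is down.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Set

# Constructed placeholder names for the two upstream resolvers the model can reach.
ROUTER_VPN_DNS = "vpn-provider-dns"   # what the router resolves through while the tunnel is up
PARENT_ROUTER_DNS = "isp-parent-dns"  # the "Automatic" upstream (parent router / ISP); assumption


@dataclass(frozen=True)
class RouterPolicy:
    override_all_clients: bool  # "Override DNS settings of all clients"
    block_non_vpn: bool         # "Block non-VPN traffic"
    vpn_up: bool                # is the tunnel established right now?


@dataclass(frozen=True)
class ClientQuery:
    resolver: str               # resolver the client configured itself, e.g. "8.8.8.8"
    encrypted: bool = False     # DoH/DoT: not plain port 53, so never intercepted


@dataclass(frozen=True)
class Outcome:
    blocked: bool                 # dropped by the router; never leaves the LAN
    resolver: Optional[str]       # who actually answers the query
    isp_sees_plaintext: bool      # does the bare ISP link carry the plaintext query?


def route_dns(policy: RouterPolicy, q: ClientQuery) -> Outcome:
    """Decide where one client DNS query ends up under the given router policy."""
    # The override rewrites only plaintext port-53 traffic to the router itself.
    intercepted = policy.override_all_clients and not q.encrypted

    if not policy.vpn_up:
        if policy.block_non_vpn:
            # Tunnel down and block enabled: nothing, DNS included, reaches the WAN.
            return Outcome(blocked=True, resolver=None, isp_sees_plaintext=False)
        # Tunnel down and no block: traffic goes out over the bare WAN. An intercepted
        # query is answered via the router's upstream (assumed: parent router / ISP).
        resolver = PARENT_ROUTER_DNS if intercepted else q.resolver
        return Outcome(blocked=False, resolver=resolver,
                       isp_sees_plaintext=not q.encrypted)

    # Tunnel up (global proxy): everything, including DNS, travels inside the tunnel,
    # so the ISP never sees a plaintext query even when the client picked its own resolver.
    resolver = ROUTER_VPN_DNS if intercepted else q.resolver
    return Outcome(blocked=False, resolver=resolver, isp_sees_plaintext=False)


def leak_test(policy: RouterPolicy, queries: Iterable[ClientQuery]) -> Set[str]:
    """Mimic a dnsleaktest-style report: the set of resolvers observed answering a batch."""
    outcomes = (route_dns(policy, q) for q in queries)
    return {o.resolver for o in outcomes if not o.blocked}


def main() -> None:
    # Constructed sample: one client on plain 8.8.8.8, one on DoH to the same address.
    clients = [ClientQuery("8.8.8.8"), ClientQuery("8.8.8.8", encrypted=True)]
    for override in (True, False):
        for vpn_up in (True, False):
            policy = RouterPolicy(override_all_clients=override, block_non_vpn=True, vpn_up=vpn_up)
            print(f"override={override!s:5} vpn_up={vpn_up!s:5} -> {sorted(leak_test(policy, clients))}")


if __name__ == "__main__":
    main()
```

Running `main()` with "Block non-VPN traffic" on shows the two cases the thread circles around: with the tunnel up and the override on, the plain client is reported against the VPN provider's DNS while the DoH client still shows 8.8.8.8 (reached through the tunnel); with the tunnel down, both sets are empty because the block drops them.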
Okay so if I want to use the VPN DNS I have to enable it right? And it forces the traffic through the VPN DNS settings right? I'm referring to the "Override DNS Settings of All Clients" option.
Isn't this done automatically when I enable "Block non-VPN traffic"? Does this mean that when it's enabled and I want to use a custom DNS on my computer, this isn't possible? I'm asking because I want to use a different VPN client on my computer. My VPN provider that is used by the GL.iNet router is getting blocked a lot, even on YouTube. I heard about MysteriumVPN. It is a decentralized VPN, so you get a real residential IP.
You can't install them on a router level though. So I want to use NordVPN on my router and then connect to MysteriumVPN on my computer. In case MysteriumVPN leaks anything (killswitch fails or similar issues), I want only the NordVPN IP address or DNS servers to be leaked. What are the correct settings?
We would need to know the details of both the NordVPN config and the MysteriumVPN config to know whether it would even be possible for these to be cascaded together.
So my goal is to always have the VPN DNS of the Flint in case MysteriumVPN fails to protect me. If I leak anything (through WebRTC, DNS, IP leak and so on), it should only leak the VPN DNS or IP of the router. Under no circumstances should my real IP (from my ISP) leak.
If I disable "Override DNS Settings of All Clients" but keep "Block non-VPN" enabled, is it less safe than before? Is a DNS leak more likely?
What does the automatic setting have to do with anything? If "Block non-VPN traffic" is enabled, does automatic mean that the router uses the VPN DNS?
Unfortunately if you don't use "Override DNS Settings for all Clients" then the DNS that the router uses will be down to whatever NordVPN has configured. In a normal WireGuard situation, it would just use whatever is in the config file, but in your case NordVPN's DNS may take precedence.
The "Block Non-VPN Traffic" is just protection for all internet traffic (incl. DNS). If the VPN tunnel isn't established, you will get no internet. There is no way for DNS to leak. Whatever DNS server is used will be resolved at the server side of the VPN tunnel (in your case, at the NordVPN server).
Automatic will either use the client device's VPN servers or the WireGuard VPN's DNS servers. But, again, in your case you don't have your own WireGuard server. You're using NordVPN, so it will be whatever their DNS servers are.