Grepping & filtering text can easily wrap a few times on the tiny screens of phones.
That's not how you post logs/code. Use ``` before & after
like this
That leads me to suspect the Netflix app has DNS baked into/hard coded it. The 'DNS Override' feature of the GL GUI should be helpful to wrangle that.
I'd really just remove any & all DNS:53/DOH/DOT from all devices & start over. As I've said elsewhere IDK why you wouldn't just go
$clientDevice -> DNS:53 -> Beryl AX -> DOH -> AGH -> DOH -> ControlD master profile for all white/blacklists or Quad9-filtered -> WAN
It's as straightforward as it comes with your goal of locking down the DNS on the Samsung Tizen TV & makes it overall easier to manage, VPN connection or not.
I'm not an expert so I don't know what to say. I can only report my findings. That's why it was so odd that Netflix was the only app in the Samsung Tizen TV that worked while everything else failed to even load.
I agree and I decided to start over again. Took a bit of time to retrace my steps and see what worked and what caused the problem again. First time I've ever seen this but my TV froze when I tried to go to the network settings again. I had to power off and wait a bit before I could get the Samsung Tizen UI to appear again.
I'm convinced there is some sort of issue with my Samsung Tizen TV and AGH. It probably goes to @will.qiu 's advice earlier. The setup isn't stable. I have no idea why after my 7-hour power outage yesterday, the setup even with @will.qiu's instructions simply doesn't work anymore. Under network status, it says the TV is connected to the network, but no internet. It's not entirely true as I said Netflix works. No other streaming app worked. Why do I know AGH is the problem? As soon as I disabled AGH, gave a few moments for the changes to take effect in the Beryl, everything else worked again. YouTube is loading up fine. Obviously, ControlD isn't working due to the VPN on the Beryl.
One interesting thing I noticed is that ControlD can create device profiles for routers, including GL.iNet. It even specifically has GL.iNet in the device selection. I gave it a try to create the profile as it's only a few seconds of work. Now I get a set of resolvers including DoH for the Beryl AX. Maybe @bruce or @will.qiu can comment on this again. I'm wondering if I can go back to the TV and delete ControlD's DNS from the network settings and just go back to auto DNS/default. Somehow get ControlD's resolver, either DoH or DoT, preferably DoH, into the Beryl, and I'm assuming this will work. The TV is connected to the Beryl and it'll not only use the VPN that I set, but also use ControlD's resolver. Will this work and be more effective than what I was trying to do with @will.qiu's instructions? I'm hoping for more stability.
Thank you everyone for your time.
I'm just wondering if you have used ControlD before?
How would I get the TV to connect to DNS:53 and then Beryl AX? I don't know how to do that.
I haven't. I don't need it.
DNS:53 is standard/'traditional' DNS on port 53, unencrypted. It is the default.
$clientDevice -> DNS:53 -> Beryl AX -> DOH -> ControlD master profile for all white/blacklists or Quad9-filtered -> WAN
Use GL GUI -> Network -> DNS -> Encrypted DNS, Encryption Type DOH -> quad9-doh-ip4-port443-filter-pri if you suspect ControlD is causing issues.
Remember:
Just want to thank you again for your time and effort to help me get this right. I think I'll have to buy another GL.iNet router just to get a hang of the GUI and learn OpenWRT. I really need a stable working router first. I'm thinking I should probably get a Flint 2 and flash it to firmware 4.8 so that I can get an identical UI to the Beryl AX. I'm hoping once we figure out how to get a stable setup working on my Beryl AX, I'll just reproduce everything on the Beryl AX onto the Flint 2. Then I can flash the Beryl AX to OpenWRT to play with. I gotta give this plan a bit more thought as Flint 2 isn't exactly dirt cheap.
I think what you said earlier in another thread probably makes the most sense and I'm sort of glad firmware 4.8 introduced that.
ISP modem -> Beryl AX -> client devices like a TV or streaming box.
My understanding of firmware 4.8 is barely basic right now. In case I didn't mention it earlier, I have both Proton VPN and Mullvad, but I prefer to use Proton for streaming since it's better at that. Since it can now run multiple VPNs simultaneously, what I would like to do is to have one VPN server strictly for streaming. Even then, is there a way to configure the Beryl AX to route the apps from the TV to different servers around the world? For example, I will select New York as the VPN server. All other streaming apps from the TV like Netflix will use New York, but I want YouTube to use London, UK. Is this possible? Any way to get ControlD into this setup?
Then I'll set up a second VPN that is strictly about privacy and security. Either I use Proton or Mullvad and use a server in Iceland. I also want this VPN to use a good DoH like Quad9 to further harden the privacy and security of this connection. I want to use AdGuard Home for this connection as I want to filter ads and malware with blocklists and whatnot.
For the final connection (not sure what to call this), it won't have a VPN on. This is for use with any site that has issues with VPNs. This connection will be rarely used and only if I can't do what I need to do with the above. However, I still want to use a secure DoH to protect my queries. I won't need AGH for this.
So with a rough outline of what I ultimately want to deploy, and I am open to feedback to further optimize this, is this possible to do this with firmware 4.8? If not, I'm even open to buying multiple routers to cover each of the use cases I've described above, but buying three routers will be expensive!
Thank you for your time.
Maybe I'll create another topic about this as I still don't know too much about DoH and the best service to use.
I've been advised to use "https://dns.quad9.net/dns-query" as that's one of the best DoH services to use. I can't seem to find any specifics about this like what is actually blocked like ads, trackers, malware, and how it is better than other DoH providers.
In the Beryl AX's DNS page, if I select Encrypted DNS -> DoH -> quad9-doh-ip4-port443-filter-pri, is this the same as https://dns.quad9.net/dns-query? Isn't it kind of weird that when I select DoH, I can't just paste "https://dns.quad9.net/dns-query" into some field and then let the router figure it out? Why should I have to select a bunch of options that don't really match what's posted on the internet? GL.iNet's formatting is a bit confusing.
We already covered this. The GL GUI/latest firmware has PBR including the ability to not use a VPN.
Traditionally in network engineering the app's originating traffic/individual packets would have to be marked/'tagged' beforehand for proper routing/PBR upstream on the Beryl AX/Flint v2. Apps these days primarily use HTTP/S (:443) so there's no way to do it LAN-side that way. It's all mixed in one stream.
What you'd have to do is determine all the domains/endpoints the app in question hits. For example there are entire lists just for Netflix. You'd have to search for them but they're out there. IDK how up to date they may be but that's where AGH can help determine those domains, which you'd have to record as an additional list, manually.
Services like DeCloudUs or ControlD should already know Netflix's IP ranges within their blacklists. IDK if they'd share that blacklist so you could whitelist them. That list would have to be loaded into a PBR profile. Then assign said PBR profile to a VPN of choice. Just be aware all client devices that access Netflix within your LAN will use the same VPN.
You.
Need.
To.
Draw.
A.
Network.
Diagram.
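The domain-discovery step described above (letting AGH record which names a streaming app actually resolves, then turning that into a list for a PBR profile) can be scripted against AGH's query log. The script below is an added example written for this thread, not code from GL.iNet or AdGuard Home. It assumes the query log is JSON Lines with the field names `T` (timestamp), `QH` (queried host) and `IP` (client address), which is my reading of AGH's `querylog.json`; the sample lines and addresses are constructed, and the apex-collapsing helper is a deliberately naive two-label rule.

```python
import json

# Constructed sample of AdGuard Home query-log lines (JSON Lines). Field names
# T / QH / QT / IP / Upstream are my assumption about AGH's querylog.json format;
# the hosts, client IPs and timestamps are made up for this example.
SAMPLE_QUERYLOG = """\
{"T":"2024-01-01T20:00:01Z","QH":"www.example-stream.com","QT":"A","IP":"192.168.8.201","Upstream":"https://dns.quad9.net/dns-query"}
{"T":"2024-01-01T20:00:01Z","QH":"api.example-stream.com","QT":"AAAA","IP":"192.168.8.201","Upstream":"https://dns.quad9.net/dns-query"}
{"T":"2024-01-01T20:00:02Z","QH":"cdn1.example-cdn.net","QT":"A","IP":"192.168.8.201","Upstream":"https://dns.quad9.net/dns-query"}
{"T":"2024-01-01T20:00:03Z","QH":"www.example-stream.com","QT":"A","IP":"192.168.8.201","Upstream":"https://dns.quad9.net/dns-query"}
{"T":"2024-01-01T20:00:04Z","QH":"updates.example-laptop.org","QT":"A","IP":"192.168.8.50","Upstream":"https://dns.quad9.net/dns-query"}
this line is deliberately not JSON, to show that garbled lines are skipped
"""


def iter_entries(text):
    """Yield one dict per well-formed JSON line; skip blank or truncated lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue  # a partially written or corrupted log line, ignore it


def domains_for_client(text, client_ip, start=None, end=None):
    """Sorted unique query names sent by client_ip, optionally limited to an
    ISO-8601 window [start, end] (string comparison works because all
    timestamps share the same format). Open the app on the TV, note the
    time, and run this over that window to capture what it resolves."""
    seen = set()
    for entry in iter_entries(text):
        if entry.get("IP") != client_ip:
            continue
        stamp = entry.get("T", "")
        if start and stamp < start:
            continue
        if end and stamp > end:
            continue
        host = entry.get("QH", "").rstrip(".").lower()
        if host:
            seen.add(host)
    return sorted(seen)


def collapse_to_apex(domains, labels=2):
    """Collapse hostnames to their last `labels` labels so a PBR domain rule
    matches the whole zone instead of one CDN host. Naive on purpose: for
    ccTLDs such as co.uk you would want labels=3 or a public-suffix list."""
    return sorted({".".join(d.split(".")[-labels:]) for d in domains})


def as_domain_list(domains):
    """One domain per line, ready to paste into a domain-based policy."""
    return "\n".join(domains) + "\n"


if __name__ == "__main__":
    tv = domains_for_client(SAMPLE_QUERYLOG, "192.168.8.201")
    print("hosts the TV resolved:", tv)
    print(as_domain_list(collapse_to_apex(tv)))
```

Run it against a real log by reading the file instead of `SAMPLE_QUERYLOG`; the point of the time window is to isolate one app's traffic from everything else the TV does in the background.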
GL firmware uses dnscrypt-proxy2 to process DOH according to its conf (specific settings in the configuration files). quad9-doh-ip4-port443-filter-pri is "Quad9, DOH, using IPv4, on :443, with malware filters, using the primary DNS server". It is equivalent to the commonly & most used Quad9 DOH settings string of https://dns.quad9.net/dns-query. Android devices need that format, for example.
EDIT: Note dnscrypt-proxy2 is not related to AdGuard Home. It is a separate program just for DOH to an upstream provider like Quad9, Cloudflare, etc.
I do want to say sorry if I caused you any frustration. You've been a very big help. I will draw the diagram for you as soon as possible. I promise. In the meantime, can we do the best we can while I have only a phone?
Yes, we talked about PBR, but unless my memory is mistaken, we didn't go into the exact specifics. I suppose if I buy three routers and connect to the ISP-supplied modem in repeater mode, I can call this a day with about an hour of work to install and set them up.
I don't understand the last sentence. Both my Apple TV and Samsung Tizen TV have Netflix installed. Are you saying that they can both only use the same New York server?
You don't need to buy more hardware. You need to make a backup of your existing Beryl AX. Then flash v4.8.0 to get the PBR feature. Then start putting into practice what we've been discussing. I'd start with DOH before PBR.
(FYI: There's a post history that you can use to pull up our past threads.)
I'm sorry, but I find the forum UI to be confusing.
As I have indicated before, I have already flashed my Beryl AX to firmware 4.8.
At the time of this post, I have disabled AGH so that my TV is working. I have already enabled DoH in the UI and selected the Quad9 string that you specified.
Thank you.
The quickest way to find your activity is to click your screen name, then your name again in that popup. 'Activity' should be there somewhere. I'm not sure if it's the same layout using this forum on a phone.
I must have missed that. Cool. So set up a test VPN profile for PBR & then whitelist just https://ipleak.net to use it. That should show the VPN IP while everything else goes through the WAN (aka a 'split tunnel'). Then you're all set to set up Netflix, YouTube, etc. using the same steps.
You'll need an as up to date list of Netflix domains as possible to use within the policies of PBR for a 'Netflix' VPN tunnel. I don't use Netflix. Happy hunting!
I'm playing with it as I type this, but will AGH cooperate and let me do what I want to do with the three use cases that I outlined earlier?
I don't see why not but don't compound variables. Pull a backup in LuCI when your PBR is set up/tested beforehand. I could be wrong. I'd be very interested to read your results.
I'll post my initial results later in the day for you. The GL.iNet GUI seems more intuitive than I thought. I should have the second VPN enabled and set this up before I leave the house soon.
However, I still can't help but ask how to get ControlD involved in this process. The VPN is a brute-force way to get this to work. It seems like omitting ControlD is the best way to keep this set up simple and I have a good feeling it'll work and be stable. Ideally, I do want to use the Samsung Tizen TV with the Beryl AX and VPN. ControlD will then allow me to set which server to use with Netflix, YouTube, YouTube TV, etc. It's hard to do that with a VPN, at least based on my primitive understanding of how this whole process works. I do hope to read your response while I'm out and hopefully incorporate your knowledge to fine-tune things when I return home later.
Thank you again.
Use Quad9 until you get PBR set up. That DOH is supported out of the box by the GL firmware. Then switch out the DOH to ControlD if you like after pulling a backup.
Always have a 'known good' backup to fall... back on.
This is why I'm confused. The VPN, DNS, and AGH are all different pages in the GUI. Let's say I do have AGH disabled, which then lets me use the DNS page; I can only use one DoH string. In the PBR page, I don't see any way, for example (and not saying this is how I want to do it), to set Quad9 to use with VPN 1 and ControlD with VPN 2.
You cannot assign DOH to a VPN profile. DNS/DOT/DOH is device/system-wide unless you use IPv4 DNS:53 within the individual WG confs.
Use quad9-doh-ip4-port443-filter-pri with GL DNS -> DOH. Use ControlD for AGH's DOH upstream. Toggle between them as desired.
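To make the "per-tunnel DNS only via a DNS line in the WG conf" point concrete: a WireGuard client config can carry a `DNS =` entry in its `[Interface]` section, and that is the one per-tunnel resolver setting you get, plain port-53 resolvers only (the queries are protected by the tunnel up to the VPN exit, not by DoH). The script below is an added example written for this thread, not GL.iNet's or WireGuard's code; it parses a constructed WG conf (the keys are placeholders, not real key material), reports whether the tunnel has its own resolver, and rewrites the conf with one. The Quad9 addresses 9.9.9.9 and 149.112.112.112 are Quad9's published plain-DNS resolvers; everything else is assumed for the example.

```python
import re

# Constructed WireGuard client conf. Keys and endpoint are placeholders;
# there is no DNS line, so the tunnel would inherit the router's
# system-wide DNS/DoH setting.
SAMPLE_WG_CONF = """\
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.66.0.2/32
# no DNS line here: the router's system-wide resolver applies

[Peer]
PublicKey = <server-public-key-placeholder>
AllowedIPs = 0.0.0.0/0
Endpoint = vpn.example.net:51820
"""

SECTION_RE = re.compile(r"\[(\w+)\]")


def parse_wg_conf(text):
    """Parse the INI-style conf into [(section, [(key, value), ...])],
    keeping order and dropping '#' comments."""
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = SECTION_RE.fullmatch(line)
        if match:
            current = (match.group(1), [])
            sections.append(current)
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        current[1].append((key, value))
    return sections


def tunnel_dns(text):
    """Resolvers on the [Interface] DNS line, or [] when the tunnel has none
    and therefore uses whatever the router resolves with system-wide."""
    for name, kvs in parse_wg_conf(text):
        if name == "Interface":
            for key, value in kvs:
                if key.lower() == "dns":
                    return [s.strip() for s in value.split(",") if s.strip()]
    return []


def with_tunnel_dns(text, servers):
    """Return the conf with [Interface] DNS set to `servers`, replacing any
    existing DNS line. Only plain IPv4/IPv6 resolvers make sense here; a
    DoH URL is not valid on this line."""
    out, in_iface, seen_iface = [], False, False
    for raw in text.splitlines():
        stripped = raw.strip()
        if SECTION_RE.fullmatch(stripped):
            in_iface = stripped == "[Interface]"
            out.append(raw)
            if in_iface:
                seen_iface = True
                out.append("DNS = " + ", ".join(servers))
            continue
        if in_iface and re.match(r"(?i)dns\s*=", stripped):
            continue  # drop the tunnel's previous DNS line
        out.append(raw)
    if not seen_iface:
        raise ValueError("conf has no [Interface] section")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("before:", tunnel_dns(SAMPLE_WG_CONF) or "system-wide resolver")
    patched = with_tunnel_dns(SAMPLE_WG_CONF, ["9.9.9.9", "149.112.112.112"])
    print("after: ", tunnel_dns(patched))
```

A second tunnel would get its own `DNS =` line with a different resolver, which is the only way to pin a resolver per VPN profile as described above; encrypted DNS (DoT/DoH) still has to be configured once, system-wide, in the GL DNS page or in AGH.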
That's pretty disappointing news. Maybe buying and deploying multiple routers is the way to go?
With a vanilla/pure OpenWRT, is there a way to use PBR to configure multiple VPNs and DoH?
Just want to inform you that I got the PBR to work with the GL.iNet GUI. Way easier than I had anticipated, but I'm not sure if it really solves the broader problem. With two VPNs on, I can get the Samsung TV to connect to a different VPN to solve the previous problem. It's a brute force way of doing things. I miss the granular control that ControlD gives me. If I don't use AGH, how do I try to get ControlD to play nicely with the VPN? I'm not sure if we ever truly addressed this issue.
With AGH on, is @will.qiu's solution the only possible option?