Mullvad Multihop on a Beryl AX and failing DNS leak test

I finally got around to configuring Mullvad with multihop with the Beryl AX. I'm using the latest firmware 4.8.1. So far, the results don't look good after using dnscheck.tools.

On my Mullvad account, I selected an exit destination. I enabled multihop, selected Switzerland as an entry server, selected IPv4 as the server selection protocol, both IPv4 and IPv6 as the tunnel traffic, and the custom port is 51820.

I uploaded this profile to the Beryl AX and enabled it. The connection does work and has Internet access. However, I knew something was horribly wrong when I couldn't even access Mullvad's own website with their VPN on the router. I can't even run Mullvad's connection test as that's blocked no matter which browser I try to use on my phone.

I have Adguard Home running and it's using Quad9 as the upstream DNS server.

Here are the results from dnscheck.tools:

Your IP addresses are:
Tech Futures Interactive

    104.193.135.206 ns: ns1.cloudsingularity.io

Nonpublic Reserved IP Space

    192.168.8.103

Your DNS resolvers are:
mnt-ca-techfutures-1

    193.188.15.195 ns: rdns.cloudsingularity.net

WoodyNet

    2620:171:b5::176 ptr: res100.yvr2.rrdns.pch.net

Oh no! Your DNS responses are not authenticated with DNSSEC:
                   ECDSA P-256   ECDSA P-384   Ed25519
Valid signature    PASS          PASS          PASS
Invalid signature  PASS          PASS          FAIL
Expired signature  PASS          PASS          PASS
Missing signature  FAIL          FAIL          FAIL

I don't know what this "Nonpublic Reserved IP Space" is. I can't tell if it's using Quad9 as the DNS resolver. Why is DNSSEC failing? What is with the signature fails?

So many issues and I don't know how to resolve them. Obviously, I can't continue using this profile as I don't believe it's secure.

I just looked up that IP on IP Address Lookup | Geolocation; how's the weather out there in Vancouver? Check Mullvad.net; the banner at the very top of the page is relevant to your interests.

Remove variables: I'd temporarily disconnect AGH and Quad9 from the situation. Then I'd test a Mullvad profile without it using multihop. 'Process of elimination,' remember?

So at least the IP is working and showing that I'm in Vancouver? At least that's one thing right.

When using Mullvad VPN, all unencrypted DNS requests are redirected to Mullvad's own DNS servers.

This means that if you configure Quad9 UDP 53 addresses as the upstream DNS in AdGuard Home, you will not see Quad9 listed in the results from dnscheck.tools.
Instead, you will see Mullvad’s DNS server addresses.

To avoid this and ensure that Quad9 is being used, we recommend configuring an encrypted DNS server (such as DoH/DoT/DoQ) in AdGuard Home.


I don't understand. I basically did everything that you told me before with AGH's upstream DNS server. What's different now? Can you post detailed instructions and specifics and I'll retest it?

Help?

The difference is that Mullvad VPN redirects unencrypted DNS requests.

Could you tell us whether the servers configured in the Upstream DNS servers field in AdGuard Home are encrypted or unencrypted?
If it is unencrypted, please try encrypted DNS servers such as DoH/DoT/DoQ/DoH3.

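To make the point in the two staff replies above concrete, here is an added Python example (not from this thread, GL.iNet or AdGuard Home) that sorts an AdGuard Home upstream list into the plain port-53 entries that Mullvad's redirection will answer itself and the DoH/DoT/DoQ/DoH3 entries that reach the intended resolver. The sample upstream list, the helper names and the assumption that any `udp://`, `tcp://` or bare-address upstream is plain port-53 traffic are my own constructions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of an AdGuard Home "Upstream DNS servers" box (not from the thread).
SAMPLE_UPSTREAMS = """
# plain port-53 resolvers: Mullvad answers these itself
9.9.9.9
[2620:fe::fe]:53
tcp://149.112.112.112
# encrypted transports reach Quad9 through the tunnel
https://dns.quad9.net/dns-query
tls://dns.quad9.net
quic://dns.quad9.net
h3://dns.quad9.net/dns-query
""".strip()

ENCRYPTED_SCHEMES = {"https", "tls", "quic", "h3"}   # DoH, DoT, DoQ, DoH3
PLAINTEXT_SCHEMES = {"udp", "tcp"}                   # classic Do53 either way
DOMAIN_PREFIX = re.compile(r"^\[/[^\]]*/\]")         # AGH "[/domain/]upstream" syntax

def classify_upstream(entry: str) -> str:
    """Return 'plaintext', 'encrypted' or 'unknown' for one AGH upstream line."""
    target = DOMAIN_PREFIX.sub("", entry.strip())
    if "://" not in target:
        return "plaintext"  # bare IP/host (with optional port) means Do53
    scheme = urlsplit(target).scheme.lower()
    if scheme in ENCRYPTED_SCHEMES:
        return "encrypted"
    if scheme in PLAINTEXT_SCHEMES:
        return "plaintext"
    return "unknown"  # e.g. sdns:// stamps: decode the stamp before trusting it

def audit_upstreams(text: str) -> dict:
    """Map each non-comment upstream line to its classification, in order."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        result[line] = classify_upstream(line)
    return result

def redirected_by_mullvad(text: str) -> list:
    """Upstreams whose queries Mullvad would intercept: the plain port-53 ones."""
    return [u for u, c in audit_upstreams(text).items() if c == "plaintext"]

if __name__ == "__main__":
    for upstream, kind in audit_upstreams(SAMPLE_UPSTREAMS).items():
        print(f"{kind:9s}  {upstream}")
```

If the list returned by `redirected_by_mullvad` is non-empty, dnscheck.tools will show Mullvad's resolvers for those queries rather than Quad9, which matches what the thread describes.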
Yeah, as I said before, I'm using DoH Quad9.

We conducted testing using the following configuration and were unable to reproduce the issue on Beryl AX with firmware version 4.8.1.

Router settings:

AdGuard Home settings:
Only Quad9 DoH as Upstream DNS servers, no Fallback DNS servers


Test Results:

Yeah, that’s Quad9 all right; i3d.net is a member of their ‘multi-cast’ DNS network.
