OpenVPN DNS doesn't work on 4.2.1

I just upgraded to 4.2.1. on my MT-3000 and the DNS setting no longer are pulled down from the VPN server. I tested on multiple devices and was only able to fix by downgrading back to 4.2.

Anyone else see this problem?

What’s your VPN service provider? Could you paste the log? Do you use multiple-wan?

I’m using my own server (Asuswrt-Merlin 386.10). Here’s the config minus the certificates:

dev tun
proto udp
remote XXXXX
resolv-retry infinite
ncp-ciphers AES-256-GCM:AES-256-CBC:AES-128-GCM:AES-128-CBC
auth SHA256
keepalive 15 60
remote-cert-tls server

server-ipv6 2001:0db8:ee00:abcd::/64
push tun-ipv6
ifconfig-ipv6 2001:0db8:ee00:abcd::1 2001:0db8:ee00:abcd::2
push “route-ipv6 2001:0db8:ee00:ee00::2/64”
push “route-ipv6 2000::/3”
auth SHA256
tls-version-min 1.2
cipher AES-256-GCM
push “block-outside-dns”
push “dhcp-option DNS”
push “dhcp-option DNS”*

I have some similar issues. I think this might have to do with the Global Proxy and Auto Detect options, and how the Beryl is handling push options.

1 Like

Yes i have this exact issue will go back to the old firmware I guess.

I didn’t reproduce the issue. I tested an MT3000 with keep-setting sysupgrade from version 4.1.3 to 4.2.0 to 4.2.1.

Could you guys describe the configurations you made?
If use the version 4.2.1 setup from scratch, will it work?


My OpenVPN server configuration has these lines:

push "route vpn_gateway 500"
push "dhcp-option DOMAIN Workgroup"
push "dhcp-option DNS"
push "redirect-gateway def1"

In order, these tell the Beryl to route traffic to my server’s local lan through the tunnel; advertise my server’s dns server to the Beryl, and redirect the gateway to the server.

When the Beryl connects using “Auto Detect”, these server messages are logged:

BerylAX/ip.ip.ip.ip:35163 SENT CONTROL [BerylAX]: 'PUSH_REPLY,route vpn_gateway 500,dhcp-option DOMAIN Workgroup,dhcp-option DNS,redirect-gateway def1,sndbuf 512000,rcvbuf 512000,route-gateway,topology subnet,ping 15,ping-restart 60,ifconfig,peer-id 1,cipher AES-256-GCM' (status=1)

BerylAX/ip.ip.ip.ip:35163 PUSH: Received control message: 'PUSH_REQUEST'

 BerylAX/ip.ip.ip.ip:48987 [BerylAX] Inactivity timeout (--ping-restart), restarting

I don’t have access at the moment to the Beryl log, but on its side I get three error messages about “no such program”. No traffic flows over the tunnel, all DNS and internet traffic go outside the tunnel.

If I use the same configurations and connect using “Global Proxy”, I do not get these error messages and traffic is directed over the tunnel. However, if on the Beryl side I include a “pull filter ignore” command, that is ignored.

I conclude that Global Proxy is inserting its own version of the pushed options, and that Auto Detect, instead of following the push options and the pull filter options, is not reading them. I cannot tell at the moment if it is processing the other pushed options, like sndbuf.

Hope that helps.

1 Like

I installed 4.2.1 from scratch and the DNS is working again!

It turns out a bug related to keep-setting sysupgrade:
run this command in the router terminal

cp /rom/etc/openvpn/scripts/ovpnclient-up /etc/openvpn/scripts/ovpnclient-up

and toggle the OpenVPN client for a temporary workaround.
Thank yo all for the feedback and info provided.

any news on a proper fix?

This issue has already been fixed in release 4.2.2 (mt3000) and release 4.2.1 (axt1800/ax1800).