Using custom DNS whilst VPN Policy Based on the Target Domain or IP is configured

Hi folks,

I'm on the Flint 2 here.

Is it possible to use custom DNS whilst VPN Policy Based on the Target Domain or IP is configured?

Ideally I want my DNS for non-VPN-policy traffic to come from Cloudflare and the DNS for VPN-policy traffic to go over the VPN provider.

However, when I set DNS to manual mode and specify Cloudflare, all my DNS queries end up getting routed abroad, so if I do a DNS leak test online I get back results for Cloudflare in the country my VPN is connected to.

I found a similar topic, VPN Policy Based On The Target Domain Or IP Not Working - #20 by Radiocrazy, but the user was using AdGuard and seems to have resolved it. I don't use AdGuard currently.

Edit: just occurred to me that I can set the DNS in the DHCP, any concerns with this?

Edit 2: had some weirdness where all traffic started to go out via VPN; inbound connections were affected by this too. Rebooted and toggled the VPN client off and it seems to have solved it for now. But I can't ping my WAN from an external source and get a response unless I turn the WireGuard client.

Edit 3: lol, seems DDNS updated to use the VPN address

You need to use the router as your primary DNS server. All clients have to use it or VPN policy won't work.

The DNS upstream of the router itself doesn't matter then.

I just factory reset the router; that dynamic DNS thing I mentioned above wasn't the issue. The router doesn't seem to allow inbound ICMP when the VPN client is enabled, but I'm sure it was working fine when I first got the Flint 2 and had tested the WireGuard client.

Anyway, let's look at this behaviour now. I've configured it as specified with PBR, but for some reason all traffic was going out of the VPN. I then adjusted the domain in the PBR and that seems to have fixed things; I'm no longer seeing the VPN take all of the traffic.

But I have seen this behaviour on and off when testing the WireGuard client VPN.

Any suggestions? Also would like to know if there is anything I can do to fix the inbound ICMP issue.

I dug around LuCI and specified the upstream DNS, and then replicated the problem I initially described.

I then turned off the VPN and voila, I'm back in the UK.

Edit: just reset the router again (flashed 4.5.8 firmware and chose to erase settings), didn't touch anything with DNS and just set up the VPN again, but it's using VPN DNS for everything.

Think I found a bug.

Simply configure a domain for VPN PBR and then go to that domain, and everything is routed via VPN.


cat /etc/config/vpnpolicy

config policy 'global'
        option kill_switch '0'
        option service_policy '1'
        option wan_access '1'
        option vpn_server_policy '0'

config service 'route_policy'
        option proxy_mode '3'

config policy 'vlan'
        option private '1'
        option guest '1'

config policy 'domain'
        option default_policy '0'
        option domain 'whatismyipaddress.com'

cat /etc/config/wan-access/

config main
    option whitelist 0

#config whitelist
#   option name 'test1'
#   option ipaddr '192.168.1.2'

#config whitelist
#   option name 'test2'
#   option ipaddr '192.168.12.0/24'

cat /etc/config/wireguard

config proxy 'global'
        option global_proxy '1'

config providers 'AzireVPN'
        option auth_type '1'
        option procedure '0'
        option group_id '8248'

config providers 'Mullvad'
        option auth_type '2'
        option procedure '1'
        option group_id '1215'

config providers 'FromApp'
        option auth_type '1'
        option procedure '0'
        option group_id '4181'

config groups 'group_8248'
        option group_name 'AzireVPN'
        option group_type '1'
        option auth_type '1'
        option procedure '0'

config groups 'group_1215'
        option group_name 'Mullvad'
        option group_type '1'
        option auth_type '2'
        option procedure '1'

config groups 'group_4181'
        option group_name 'FromApp'
        option group_type '3'
        option auth_type '1'
        option procedure '0'

config groups 'group_6467'
        option group_name 'New Provider'
        option group_type '2'
        option auth_type '0'

config peers 'peer_2001'
        option group_id '6467'
        option name 'ProtonVPN Estonia #9'
        option address_v4 '10.2.0.2/32'
        option address_v6 ''
        option end_point '95.153.31.114:51820'
        option private_key 'REDACTED'
        option public_key 'REDACTED'
        option presharedkey_enable '0'
        option allowed_ips '0.0.0.0/0'
        option dns '10.2.0.1'
        option persistent_keepalive '25'
        option local_access '0'
        option masq '1'

route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         lns6.thw.as5156 0.0.0.0         UG    10     0        0 pppoe-wan
188.240.160.85  *               255.255.255.255 UH    0      0        0 pppoe-wan
192.168.1.0     *               255.255.255.0   U     0      0        0 br-lan

I will test asap. Thanks

On 4.5.8:

  1. Configure router language then password, connect to the internet via PPPoE
  2. Configure timezone
  3. Enable Allow Access WAN in Global options
  4. Configure the VPN PBR domain list to use VPN for domains (I used f1tv.formuia1.com and whatismyipaddress.com)
  5. Add WireGuard client
  6. Enable WireGuard client
  7. No traffic for PBR domains goes through VPN, but DNS leak test shows VPN DNS servers
  8. A minute or so later the traffic starts to go through VPN for the domains in PBR, but DNS leak test still shows queries coming back from VPN DNS

Perform the exact same configuration on beta 4.6.0 and the VPN works correctly from the get-go as defined by the PBR rules; DNS leak tests show the ISP's DNS, which is correct.

Edit: I see the spelling mistake above for that domain, so I should retest on 4.5.8. I copied that from the 4.6.0 config, which was working fine until I changed the LAN subnet to 192.168.1.0/24, at which point everything started going through the VPN, presumably because of a spelling mistake?

Anyway, retesting on 4.5.8, and I'll copy and paste the domains to ensure no error.

Edit 2: Retested on 4.5.8 with the correct spelling. VPN PBR routing is working and the correct domains are going through VPN; however, I'm getting the shenanigans with the DNS leak again.
Retesting on 4.6.0, I took the same steps but didn't change the LAN, and everything works fine.
Let me change the LAN to 192.168.1.0/24 and see if that causes any issues.

Edit 3: changed the LAN to 192.168.1.0/24 and all works fine; VPN PBR routing works, and DNS leak tests show ISP DNS.
So it appears that the 4.5.8 firmware has a bug with PBR routing.

I am on 4.6.0 and did a lot of tests. Everything is correct.

The only problem is that you need to flush the dns cache.
Need to do this on both Windows and reopen the browser.
Maybe wait a while and reopen the browser.

The IP and DNS always seem to be cached for a while, no matter what I do.

I've just flushed DNS cache because the PBR routing stopped working after I configured WiFi SSIDs.

Now everything is going over the VPN again.

Going to test configuring the WiFi SSIDs before the VPN next.

Please confirm that DNS cache is the only problem, also on 4.5.8 so that I do not need to go back and test.

VPN flushing didn't help me with my problem, also tried another browser to no avail.

Setting up the SSIDs prior to the VPN seems to have helped on 4.6.0.

I've got a stable setup for now so I'll have to wait for another free morning to test 4.5.8 again.

My experience is that the three steps help. Only one or two may not help. But waiting longer definitely helps.

flushdns
relaunch browser
wait 2 or 3 minutes

Thanks. I haven't changed anything since I sent that message; I went to the bathroom and came back, but everything is going over the VPN again.

I've done a traceroute to 104.21.92.106 which is A host for ifconfig.io and it's going over the VPN. Same on my phone, I guess DNS can't be the problem here because I'm using the IP now. 2nd hop is the VPN DNS server.

tracert  104.21.92.106

Tracing route to 104.21.92.106 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  console.gl-inet.com [192.168.8.1]
  2    44 ms    45 ms    44 ms  10.2.0.1
  3    44 ms    44 ms    44 ms  m95-153-31-113.cust.tele2.ee [95.153.31.113]
  4    45 ms    44 ms    45 ms  static-212-107-37-113.cust.tele2.ee [212.107.37.113]
  5    79 ms    79 ms    79 ms  fra36-core-1.bundle-ether8.tele2.net [130.244.39.206]
  6     *        *        *     Request timed out.
  7    78 ms    78 ms    78 ms  162.158.108.2
  8    79 ms    79 ms    79 ms  104.21.92.106
cat vpnpolicy

config policy 'global'
        option kill_switch '0'
        option service_policy '1'
        option vpn_server_policy '1'
        option wan_access '1'

config service 'route_policy'
        option proxy_mode '3'

config policy 'vlan'
        option private '1'
        option guest '1'

config policy 'domain'
        option default_policy '0'
        option manual '1'
        option domain 'f1tv.formula1.com
whatismyipaddress.com'
cat wan-access
config main
    option whitelist 0

#config whitelist
#   option name 'test1'
#   option ipaddr '192.168.1.2'

#config whitelist
#   option name 'test2'
#   option ipaddr '192.168.12.0/24'
cat wireguard

config proxy 'global'
        option global_proxy '1'

config providers 'AzireVPN'
        option auth_type '1'
        option procedure '0'
        option group_id '9728'

config providers 'Mullvad'
        option auth_type '2'
        option procedure '1'
        option group_id '2694'

config providers 'FromApp'
        option auth_type '1'
        option procedure '0'
        option group_id '5661'

config groups 'group_9728'
        option group_name 'AzireVPN'
        option group_type '1'
        option auth_type '1'
        option procedure '0'

config groups 'group_2694'
        option group_name 'Mullvad'
        option group_type '1'
        option auth_type '2'
        option procedure '1'

config groups 'group_5661'
        option group_name 'FromApp'
        option group_type '3'
        option auth_type '1'
        option procedure '0'

config groups 'group_6165'
        option group_name 'New Provider'
        option group_type '2'
        option auth_type '0'

config peers 'peer_2001'
        option group_id '6165'
        option name 'ProtonVPN Estonia #9'
        option address_v4 '10.2.0.2/32'
        option address_v6 ''
        option end_point '95.153.31.114:51820'
        option private_key 'REDACTED'
        option public_key 'REDACTED'
        option presharedkey_enable '0'
        option allowed_ips '0.0.0.0/0'
        option dns '10.2.0.1'
        option persistent_keepalive '25'
        option local_access '0'
        option masq '1'

Perhaps something is afoul with /etc/wireguard/scripts/wgclient-route-update.sh ?

ip route list
default via 188.240.160.83 dev pppoe-wan proto static metric 10
188.240.160.83 dev pppoe-wan proto kernel scope link src WAN_IP
192.168.8.0/24 dev br-lan proto kernel scope link src 192.168.8.1

I can't view the default route tables

ip route show table default
Dump terminated

I did an ip route flush cache too, but that didn't help.

Edit: looks like there is no default route table; there is another one named prelocal instead.

ip route show table prelocal
Dump terminated
ip route show table local
local 10.2.0.2 dev wgclient proto kernel scope host src 10.2.0.2
local WAN_IP dev pppoe-wan proto kernel scope host src WAN_IP
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
broadcast 192.168.8.0 dev br-lan proto kernel scope link src 192.168.8.1
local 192.168.8.1 dev br-lan proto kernel scope host src 192.168.8.1
broadcast 192.168.8.255 dev br-lan proto kernel scope link src 192.168.8.1
ip route show table main
default via 188.240.160.83 dev pppoe-wan proto static metric 10
188.240.160.83 dev pppoe-wan proto kernel scope link src WAN_IP
192.168.8.0/24 dev br-lan proto kernel scope link src 192.168.8.1

Edit: my theory is that something is resetting the routing table during normal operation, which is why the VPN initially works.

Edit: since adding/removing domains and toggling the VPN client off, everything seems to work for now.

Having had the VPN off for a bit I can report another bug on 4.6.0

When the VPN client is off, the domains defined in PBR cannot be routed, and DNS queries for them cannot even be performed.

nslookup whatismyipaddress.com
;; connection timed out; no servers could be reached
nslookup f1tv.formula1.com
;; connection timed out; no servers could be reached

I expect these domains to be routed over the main WAN when the VPN client is off.

Traceroute won't work because the DNS request will tell the router to modify the routing table.
Since your traceroute isn't by DNS, it won't show the correct way.
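Because a traceroute by IP skips the DNS lookup that triggers the policy route, a check that goes through the router's own resolver first is more telling. This is an added diagnostic script, not part of the thread or of GL.iNet's firmware: it resolves each domain via the router's resolver, then asks the kernel which interface the returned address would leave by. It assumes busybox nslookup output and that the VPN interface is named wgclient, as in the route tables posted earlier (override with VPN_IF=...).

```shell
#!/bin/sh
# Added diagnostic (not from the thread): for each domain given on the command
# line, resolve it through the router's own resolver and then ask the kernel
# which interface the returned address would leave by. Run it on the router.
# Assumption: the VPN interface is named wgclient (override with VPN_IF=...).

VPN_IF="${VPN_IF:-wgclient}"
RESOLVER="${RESOLVER:-127.0.0.1}"   # the router's own dnsmasq

# Pull the first A record out of busybox nslookup output: the first "Address"
# line that follows the "Name:" line (the earlier Address line is the server).
first_a_record() {
    printf '%s\n' "$1" | awk '/^Name:/ { seen = 1 }
                              seen && /^Address/ { print $NF; exit }'
}

# Pull "dev <iface>" out of one line of `ip route get` output.
route_dev() {
    printf '%s\n' "$1" | sed -n 's/.* dev \([^ ]*\).*/\1/p'
}

# Classify an `ip route get` line as VPN, WAN or NONE (no route at all).
classify_route() {
    dev=$(route_dev "$1")
    if [ -z "$dev" ]; then
        echo NONE
    elif [ "$dev" = "$VPN_IF" ]; then
        echo VPN
    else
        echo WAN
    fi
}

# Resolve one domain via the router and report where its address is routed.
check_domain() {
    answer=$(nslookup "$1" "$RESOLVER" 2>/dev/null)
    ip=$(first_a_record "$answer")
    if [ -z "$ip" ]; then
        echo "$1 UNRESOLVED"
        return 0
    fi
    echo "$1 $ip $(classify_route "$(ip route get "$ip" 2>/dev/null)")"
}

# Usage on the router: sh pbr-check.sh f1tv.formula1.com whatismyipaddress.com
for domain in "$@"; do
    check_domain "$domain"
done
```

Running it twice a few seconds apart shows whether the route for a PBR domain only appears after the first lookup, which matches the delay reported earlier in the thread.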

So the default routing rule is to send all IP traffic over the VPN?
Because not all connections use hostnames.

Shouldn't only domains be routed with VPN PBR?

Depends which mode is active:

  • Exclude domains

or

  • Include Domains

I am using include domains in my setup.

I've got AdGuard enabled now; will test VPN PBR over the next few days.

This is a problem in 4.6.0 and was fixed yesterday.