2 more assists for my router

I almost have the router set up the way I want it. Thanks for the help in getting my 2 subnets configured, mostly. There are 2 niggling details for me:

1. I use AGH for my DNS, on my router. However, its traffic is being sent through the insecure WAN interfaces; I would rather it went through the NordVPN tun interface (which I call vpnwan). Any suggestions on how to route that over correctly? Is it a PBR rule maybe?

2. My two subnets, 10.18.75.0/24 and 10.2.18.0/24, need to be able to talk to each other. How would I go about accomplishing this?


If you're only sending DNS over VPN, why not use https-dns-proxy?

I am not only sending DNS over VPN. I have 1 subnet that is a DMZ, no VPN, and the other subnet which is over VPN. And AGH, which is on the router, wants to communicate through the non-VPN WAN interfaces. I need it to go through the VPN, so that the DNS that is detected by things like ipleak.net is correct. When outside the VPN, it is not correct (using the VPN's DNS servers for upstream).

If I use DoH, it won't work correctly. In fact, I'm hijacking all DNS queries sent from my subnets to go through AGH, and have disabled DoH and DoT from functioning in my home network at all, on purpose, as I have teenagers that I am controlling some of the internet access for, through rules in AGH, for them and friends.

For #2, I am wondering: do I need this or not? Because if I can have the ability to see WAN and have the router accept connections from it, then forward ports/connections to clients behind the VPN, then I could have all my clients in the VPN network, and still have the ability to access my services remotely from the web, and I won't have anything actually on the DMZ subnet.

Or am i wrong on this?

N/M, I figured this one out.

#1 still needs to be figured out though.

What I want is a way to make DNS requests on port 53, originating from the router and being sent to WAN, be redirected so they are sent through the VPN (vpnwan).

I know this has to be possible.

PBR / MWAN3 using Destination Port 53 as the trigger?


Use PBR to route the DNS server via the VPN:


Setting the PBR rule didn't seem to do anything.

When I use my router directly as the DNS server, the client reports the wrong DNS server used on ipleak.net.

When I manually set the client to the DNS servers for the VPN (rather than rely on AGH to do it), everything works correctly.

My guess is that AGH is not routed through the VPN, while manual configuration is; even with AGH using the VPN DNS upstream, it is reporting the wrong thing. This seems to trigger stuff like Amazon Prime Video to not work, which I am trying to avoid.

Here's the PBR rule I used:

config policy
	option name 'route dns to nordvpntun'
	option interface 'nordvpntun'
	option dest_port '53'

Huh. That ought to work. Not sure why it doesn't.

I've got WireGuard running on one of my OpenWRT instances; I'll test it later this week when I'm back at the device in question. In the meantime, if you do get it working, it'd be useful to document your solution.


Still stumped on this.

If I switched the order - and had AGH use dnsmasq as its upstream, and then had that go upstream to the VPN's providers - is there a way to force dnsmasq to use the VPN connection to contact those upstream DNS providers?

I'd be able to use dnsmasq still for local resolution in this configuration, right?

Also, wouldn't the PBR rule I showed redirect remote traffic requests received by the router to the VPN, rather than requests from the router itself being sent to the VPN?

I want requests made by the router (with AGH) to be redirected into the VPN. This seems possible, I just don't know how to do so.

What about a custom nft entry, maybe with prerouting, to change all requests being sent from the router to WAN port 53 so that they go out my tun0 device instead?

Just not familiar enough with this to hand-code it myself.
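An added example for the question in the last post, not posted by anyone in this thread: the "custom nft entry" the poster is after is a fwmark set on router-originated port-53 packets plus an ip rule that sends marked packets to a routing table whose only route is the tunnel. That is exactly the mechanism pbr itself uses; the one thing the PBR policy shown above lacks is that it only applies to forwarded traffic (the pbr README, as I recall it, has an `option chain 'output'` for router-originated traffic, worth checking before hand-rolling this). The script below does it by hand as an OpenWrt hotplug script. Everything named in it is an assumption, not something from the thread: the logical interface `nordvpntun`, its device `tun0`, fwmark `0x35`, routing table `53`, and a fw4-based firewall (OpenWrt 22.03 or later).

```shell
#!/bin/sh
# /etc/hotplug.d/iface/90-dns-via-vpn
# Added example for this thread, not a poster's config. Steers DNS that the
# router itself originates (AGH's upstream queries, dport 53) out through the
# VPN tunnel instead of the plain WAN. Assumptions, none from the thread: the
# OpenWrt logical interface is 'nordvpntun', its kernel device is 'tun0',
# fwmark 0x35 and routing table 53 are otherwise unused, and the firewall is
# fw4 (OpenWrt 22.03 or later).

VPN_IF="nordvpntun"   # logical interface name, as used by OpenWrt and pbr
VPN_DEV="tun0"        # device netifd reports for that interface
MARK="0x35"           # 53 decimal; any unused mark works
TABLE="53"            # dedicated routing table for marked packets
NFT_FILE="/etc/nftables.d/90-dns-via-vpn.nft"

# fw4 loads every /etc/nftables.d/*.nft inside 'table inet fw4', so this chain
# becomes part of the firewall ruleset. It hooks OUTPUT because PREROUTING
# never sees packets the router generates, and it is 'type route' so the
# kernel redoes the routing lookup once the mark is set.
nft_include() {
    cat <<EOF
chain dns_via_vpn {
    type route hook output priority mangle; policy accept;
    # do not divert lookups aimed at LAN resolvers (e.g. dnsmasq on a LAN IP)
    ip daddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } return
    # IPv4 only: table ${TABLE} carries no IPv6 route, so v6 would fall through to WAN
    meta nfproto ipv4 meta l4proto { tcp, udp } th dport 53 meta mark set ${MARK} counter
}
EOF
}

install_nft_include() {
    nft_include > "$NFT_FILE" && fw4 reload
}

# Marked packets are looked up in table 53, whose only live route is the
# tunnel. The 'unreachable' fallback makes DNS fail closed: when tun0 goes
# down the kernel drops its device route and nothing leaks out the WAN.
policy_route_up() {
    ip route replace default dev "$VPN_DEV" table "$TABLE"
    ip route replace unreachable default metric 1000 table "$TABLE"
    ip rule del fwmark "$MARK" lookup "$TABLE" 2>/dev/null
    ip rule add fwmark "$MARK" lookup "$TABLE" priority 1000
}

# netifd runs this file with ACTION and INTERFACE set on every interface
# event. Run it once by hand as 'sh /etc/hotplug.d/iface/90-dns-via-vpn install'
# to write the nft include; after that the ifup hook keeps the route current.
case "${1:-$ACTION}" in
    install) install_nft_include ;;
    ifup)    [ "$INTERFACE" = "$VPN_IF" ] && policy_route_up ;;
esac
```

Two checks and two caveats. `ip route get 1.1.1.1 mark 0x35` should answer with `dev tun0`, and the counter on `nft list chain inet fw4 dns_via_vpn` should climb while AGH resolves something. The zone holding `nordvpntun` must have masquerading on: the router picks its source address at the first routing lookup (the WAN address), and only the postrouting masquerade on tun0 rewrites it so the VPN side can reply. And AGH's upstreams need to stay the VPN provider's public resolvers; a LAN or loopback upstream is skipped by the RFC1918 exception on purpose. The same rule covers the dnsmasq-in-the-middle layout asked about above, since dnsmasq's upstream queries also originate on the router.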