OpenWrt 19.07.4 r11208-ce6496d796 LuCI openwrt-19.07 branch (git-20.311.85693-0e6a8c2) vpn-policy-routing 0.2.1-13 Adblock Version 4.0.7 (Force Local DNS is off)
Goal: Alternative DNS when using another interface with policy-based routing.
I'm using ExpressVPN on my router, using OpenVPN. VPN is the default for all users.
In the policy-based routing settings, I can change VPN to WAN for specific user(s). The only thing is that the DNS from the VPN provider is used, even if I use WAN.
When I kill the VPN connection, everything goes through WAN and the DNS from WAN is used. So without PBR it's working.
I now use a workaround by adding this to dnsmasq.conf (example):
dhcp-host=A0:A4:C5:09:AD:03,set:watchDNS,10.0.1.16,laptop,1440m
# tag watch dns
dhcp-option=tag:watchDNS,option:dns-server,84.200.69.80,84.200.70.40
The problem with this is that when I set the client back to use the VPN, the device is still using the DNS from dnsmasq.conf. This gives the client a DNS leak.
Is there a way to change the DNS along with the change of interface in policy-based routing from VPN to WAN and back? Maybe in the vpn-policy-routing file?
Dnsmasq is a local service and requests will always go out of the default gateway. There are 2 solutions to overcome this. The simplest is 2 Dnsmasq instances. The VPN instance uses server=8.8.8.8@tun0
The optional string after the @ character tells dnsmasq how to set the source of the queries to this nameserver. It can either be an ip-address, an interface name or both. The ip-address should belong to the machine on which dnsmasq is running, otherwise this server line will be logged and then ignored. If an interface name is given, then queries to the server will be forced via that interface.
The second method uses a single Dnsmasq instance but requires conntrack, which needs dnsmasq-full. The link below explains it.
A special case of --conf-file which differs in two respects. Firstly, only --server and --rev-server are allowed in the configuration file included. Secondly, the file is re-read and the configuration therein is updated when dnsmasq receives SIGHUP.
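The two-instance layout suggested above, as an added example that is not from the thread: one dnsmasq configuration per network segment, each forcing its upstream queries out of a specific interface with the `@interface` suffix so that the resolver follows the route. The bridge names br-lan/br-lan2, the subnets 10.0.1.0/24 and 10.0.2.0/24 and the WAN device eth0.2 are assumptions; the resolver addresses are the ones already used in this thread.

```conf
# /etc/dnsmasq.vpn.conf -- instance for the VPN-routed segment
# (constructed example; br-lan and 10.0.1.0/24 are assumptions)
bind-interfaces
interface=br-lan
# leave 127.0.0.1:53 to the WAN instance so the two do not collide
except-interface=lo
# do not read /etc/resolv.conf, which may hold WAN resolvers
no-resolv
# force upstream queries out of the tunnel, as in the reply above
server=8.8.8.8@tun0
dhcp-range=10.0.1.100,10.0.1.200,12h
dhcp-option=option:router,10.0.1.1
dhcp-option=option:dns-server,10.0.1.1
dhcp-leasefile=/tmp/dhcp.vpn.leases
pid-file=/var/run/dnsmasq.vpn.pid

# /etc/dnsmasq.wan.conf -- instance for the WAN-routed segment
# (constructed example; br-lan2, 10.0.2.0/24 and eth0.2 are assumptions)
bind-interfaces
interface=br-lan2
no-resolv
# force queries out of the physical WAN device, not the default route via tun0
server=84.200.69.80@eth0.2
server=84.200.70.40@eth0.2
dhcp-range=10.0.2.100,10.0.2.200,12h
dhcp-option=option:router,10.0.2.1
dhcp-option=option:dns-server,10.0.2.1
dhcp-leasefile=/tmp/dhcp.wan.leases
pid-file=/var/run/dnsmasq.wan.pid
```

Each instance hands out its own address as the DNS server, so a client's resolver changes with the segment it sits on rather than with a per-MAC tag that can go stale. On OpenWrt the same two configurations are normally written as two `config dnsmasq` sections in /etc/config/dhcp, which is how the init script starts separate instances.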
So if I'm correct, I need to set up a second dnsmasq instance, so I have an instance for WAN and an instance for VPN. (Do they need different IP ranges to make this work?)
Yes, you would. If you want a single network segment then you need option 2 using conntrack. This also provides the kill switch for the VPN if you configure the firewall properly.
If you are using a single network segment you will need to start marking packets and provide a blackhole rule for your VPN to stop data leaks.
If I'm using two instances, can I use for example 10.0.1.x and 10.0.2.x and make them communicate in the LAN?
I'm asking because in the LAN a user needs to get to the internal NAS, no matter whether they are on VPN or WAN for internet access.