Been using VPN. DNS not working when not connected to VPN

xhslh78e · August 2, 2023, 1:49pm

I'm hoping to get some help here.
Googling some articles suggest changing the button in Windows>network properties or rebooting router/computer, but neither are working.

I use PIA VPN sometimes (Private Internet Access).

The situation that has developed is when I am using the VPN, DNS works fine.
When I am not using the VPN, DNS completely breaks.
Since it affects all network devices, I suppose it is not windows settings, but at the router level.

I'm not super savvy with openwrt so basic answers may help. Can I provide any screenshots from my openwrt admin pages to help?

One article suggested renewing/refreshing DHCP, although I do not know how to do that via the interface.

Thank you all, much gratitude! This is affecting me because a number of services don't allow VPN access so I always have to turn it off, and currently I can not use those services.

egc · August 2, 2023, 2:26pm

Are you using a VPN on the router or via an app on your PC?

If you are using PIA on the router what instructions did you follow?

Have you set PIA's private DNS servers as only DNS servers?

If not please show output of these commands (entered via Putty/SSH):

ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall

xhslh78e · August 2, 2023, 3:14pm

Thanks. Nothing for PIA VPN has been set on openwrt, I turn it on/off with the app. My TV for example, which does not have the app available - can not resolve websites/DNS at all.

Here is output from the above:

root@OpenWrt:~# ubus call system board
{
"kernel": "5.4.179",
"hostname": "OpenWrt",
"system": "Qualcomm Atheros QCA956X ver 1 rev 0",
"model": "TP-Link Archer C59 v2",
"board_name": "tplink,archer-c59-v2",
"release": {
"distribution": "OpenWrt",
"version": "21.02.2",
"revision": "r16495-bf0c965af0",
"target": "ath79/generic",
"description": "OpenWrt 21.02.2 r16495-bf0c965af0"
}
}

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'

config globals 'globals'
option ula_prefix 'fd87:fd68:552a::/48'

config interface 'wan'
option device 'eth1'
option proto 'dhcp'

config interface 'wan6'
option device 'eth1'
option proto 'dhcpv6'

config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0.1'

config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
list dns '192.168.1.193'
list dns 'fd87:fd68:552a:0:c34:fae7:bb5:3f0e'

config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'

config switch_vlan
option device 'switch0'
option vlan '1'
option ports '1 2 3 4 0t'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option localservice '1'
option ednspacket_max '1232'

config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option ra 'server'
option dhcpv6 'server'
list dhcp_option '6,192.168.1.193'
list dns 'fd87:fd68:552a:0:c34:fae7:bb5:3f0e'
list ra_flags 'none'

config dhcp 'wan'
option interface 'wan'
option ignore '1'
list ra_flags 'none'

config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'

config host
option name 'yodahut'
option mac 'C0:B5:D7:71:56:AF'
option ip '192.168.1.163'

config host
option name 'pi'
option ip '192.168.1.193'
option mac 'B8:27:EB:AA:95:7E'

config host
option ip '192.168.1.228'
option mac '88:A4:C2:52:C9:F1'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'

config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'

config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'

config forwarding
option src 'lan'
option dest 'wan'

config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'

config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'

config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled 'false'

config include
option path '/etc/firewall.user'

config redirect
option dest 'lan'
option target 'DNAT'
option name 'incoming_80_nginx'
list proto 'tcp'
option src_dport '80'
option dest_ip '192.168.1.163'
option dest_port '80'
option src 'wan'

config redirect
option dest 'lan'
option target 'DNAT'
option name 'incoming_443_nginx'
list proto 'tcp'
option src_dport '443'
option dest_ip '192.168.1.163'
option dest_port '443'
option src 'wan'

A few other things I thought to mention - this occurs whether I have the app open or closed, and I with or without the 'kill switch' options on the PIA app.

egc · August 2, 2023, 3:58pm

To recap your router has actually nothing to do with your VPN, you use PIA's app on your client (phone/laptop/PC etc).

When using PIA's app you have internet, if not you do not have internet?
So also other clients which do not have PIA's app never have internet as it is now?

If above is true then I suspect that you might have a DNS problem.

It looks like you use a Pi as DNS server (192.168.1.193) on your network is that working?

If you are not sure, you can check if a malfunction Pi is your problem by setting another DNS server:

replace: list dhcp_option '6,192.168.1.193' with: list dhcp_option '6,9.9.9.9'

Under /etc/config/network

add: list dns '9.9.9.9'

Reboot router and reboot your clients!

BTW it seems you are also having a webserver running on your network?