I installed an OpenWrt router from scratch (OpenWrt 24.10.0 r28427) on a Banana Pi R4 with zero knowledge except for Linux. Thanks to LuCI. So I read a lot on this forum, on openwrt.org/docs/ and other tutorials… It's been a long road.
But I now have:
Different interfaces for different computers groups (private, privatevpn, guest, etc.) with different firewall zones
a LAN interface
an interface (DMZ) for a server with IP 192.168.10.1
PBR with WAN by default and WGAN as the other gateway, and a VPN policy per IP range / interface
different interfaces for wireless networks on different bands, with VPN or not
static leases, custom device bridges, traffic rules, port forwarding, etc.
So the server and some computers use the VPN via their own interface, the dedicated interface (WGAN) and a PBR policy, while some computers use the WAN (no VPN).
So that queries from computers in the LAN to the server don't go through an external DNS server but are handled locally, I've added the following in dnsmasq (Network > DHCP and DNS > General): Addresses = /mydomain.com/192.168.10.1
To avoid DNS leaks for computers using the VPN, I've added a DNS Policy in PBR with the VPN interface WGAN as the remote DNS for only computers using the VPN.
As a result, computers using the VPN, and therefore the VPN DNS, don't use the dnsmasq rule Addresses = /mydomain.com/192.168.10.1 and so I have some errors like HTTP 400 or certificate errors.
How can I avoid this behavior? Is there another way to have both the VPN DNS and the local server DNS rule?
(After that I should use DoT or DoH for the WAN DNS.)
I tried to find my answer everywhere, so thanks for your help.
Use a second dnsmasq instance listening on another port, then redirect port 53 from the local LAN clients using your VPN to the port the second dnsmasq instance is listening on; set the VPN DNS server as its upstream resolver and also add address=/mydomain.com/192.168.10.1
Thank you very much for your answer.
I understand there's no simple way to do it. So I have to understand how to run (if I understand correctly) a second dnsmasq instance as an upstream resolver for LAN clients using the VPN: it looks complicated.
I still find it hard to understand why my clients behave the way they do.
If one of my clients connects to the VPN's DNS, then the VPN resolves the request by returning my public IP address, which points to the OpenWrt router, which redirects to my server thanks to the port-forwarding rules, right? When does this scheme fail? Could remote port forwarding of the VPN help with that?
Another example: if I connect my main laptop to the VPN (AirVPN) through their WireGuard client (named Eddie, which uses their DNS) there is no problem at all. If I connect my laptop to my wifi-VPN-interface I get the following error when I try to reach my server through its domain name: "Forbidden Rejected request from RFC1918 IP to public server address". However, in both cases I use the DNS of my VPN.
Because of the PBR DNS policy the clients involved directly use the VPN DNS server and not dnsmasq.
You are trying to reach your server from the LAN using its public WAN address.
I think if you enable Reflection on the port forwarding rule it should solve this (Advanced tab > Enable NAT loopback).
You are trying to reach your server from the LAN using its public WAN address.
Yes, but I don't understand the difference from the situation with my WireGuard client Eddie: for me it's the same situation. In both situations my laptop uses the DNS of the VPN, so I should get the same answer from it...
Maybe I don't understand something fundamental in DNS or TCP/IP, or I don't know.
Nevertheless, I tried your trick with the reflection and "Enable NAT loopback", and this one was already enabled. So I tried different combinations of "Use internal IP address" or "Use external IP address" with different reflection zones (LAN, server, WGAN), and the combination of "LAN" and "Use internal IP address" solved the problem.
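For anyone landing on this thread later, here is the whole setup written out as UCI config: the second dnsmasq instance and port-53 redirect from the first reply, plus the port forward with the reflection settings that ended up working. This is an added example, not config posted by anyone in the thread; the instance name, the listening port 5353, the VPN resolver address, the zone names `privatevpn` and `dmz`, and the forwarded port 443 are all assumptions to replace with your own values.

```uci
# /etc/config/dhcp  (added example, assumed values marked)
# Second dnsmasq instance for the VPN clients. It answers mydomain.com
# locally and forwards everything else to the VPN resolver only.
config dnsmasq 'vpn'
	option port '5353'                          # assumed: leave :53 to the default instance
	option noresolv '1'                         # ignore the WAN resolvers entirely
	list server '10.0.0.1'                      # placeholder: the VPN provider's DNS server
	list address '/mydomain.com/192.168.10.1'   # same local answer as the main instance
	list interface 'privatevpn'                 # assumed name of the VPN client interface
	option localservice '1'                     # only serve directly attached subnets

# /etc/config/firewall  (added example, assumed values marked)
# Catch the VPN clients' plain DNS on port 53 and hand it to the instance above.
# Without this the clients keep talking to the VPN resolver directly, which
# has never heard of mydomain.com and returns the public address.
config redirect 'vpn_dns_intercept'
	option name 'Intercept VPN client DNS'
	option src 'privatevpn'                     # assumed zone of the VPN clients
	option src_dport '53'
	option dest_port '5353'                     # no dest_ip: DNAT to the router itself
	option proto 'tcp udp'
	option target 'DNAT'

# The existing port forward to the DMZ server, with the reflection settings
# that made the public name work from the LAN ("Enable NAT loopback",
# "Use internal IP address", reflection zone LAN).
config redirect 'dmz_https'
	option name 'Forward HTTPS to DMZ server'
	option src 'wan'
	option src_dport '443'                      # assumed: the service port of the server
	option dest 'dmz'                           # assumed zone name of the server interface
	option dest_ip '192.168.10.1'
	option dest_port '443'
	option proto 'tcp'
	option target 'DNAT'
	option reflection '1'                       # "Enable NAT loopback"
	option reflection_src 'internal'            # "Use internal IP address"
	list reflection_zone 'lan'                  # the combination reported as working
```

Clients on the VPN zone get the local answer from the second instance, and LAN clients that still resolve to the public address are reflected back to 192.168.10.1 instead of hitting the "RFC1918 IP to public server address" rejection.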