DNS leak via OpenVPN and policy based routing

My ISP blocks medium.com via DNS (I think so). On my phone, I just connect to OpenVPN and access medium normally, therefore I want to fix the DNS leak on the router and skip the VPN step on my phone and laptop.

  1. If it is just a DNS block, just use public DNS servers for LAN clients.
  2. If not, start by adding the IP of medium.com into PBR.

Yes, I want to set up the OpenVPN client on the router with OpenWrt, and I can skip the VPN step on my phone and laptop. After using PBR, I checked on https://whoer.net/ and got the VPN IP, but I still have access to medium.com. I think that it may be blocked by DNS.
After checking, I see a DNS leak.

'DNS leak' is not critical in your case.

If you have access to medium.com, what do you want?


Okay, we forgot the DNS leak.

I tried to use public DNS and I still cannot access medium.com.
Here is my traceroute. Can you guess the root of my problem?
P/S: Sorry for my bad, I'm a newbie with OpenWrt.


Sorry, it looks like it has been resolved as IPv6 'localhost'.

Run the following:

ping medium.com
ping google.com

Here is the ping log.


OK, it is resolved as IPv6 'localhost'. Give the output of:
cat /tmp/resolv.conf.d/resolv.conf.auto

Here is the content of /tmp/resolv.conf.d/resolv.conf.auto:

# Interface wan
nameserver 192.168.0.1
search lan
# Interface wan6
nameserver fd85:26ed:1eab::1


It looks like your ISP DNS, not a public one, is specified in /etc/config/network.

192.168.0.1 is a gateway to my other router. It is used to connect to the ISP via PPPoE. I don't have any idea about that IPv6 address.

All network configs are default values. Have you guessed the root of my problem?
I tried to set DNS to 8.8.8.8 and 1.1.1.1; it is still not working.

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd35:d028:6e7f::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config interface 'openvpn'
	option proto 'none'
	option device 'tun0'

Please comment out the lines of the 'wan6' section, and try to add public DNS, as you have already done before.

I commented out wan6, and it is still not working :frowning:


Please restart the router. Check, as before: cat /tmp/resolv.conf.d/resolv.conf.auto

Also add the ipv6 line to the 'wan' section:

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option ipv6 '0'

It still pings localhost-v6 :frowning:

OK, add option 'ipv6' to the 'wan' section, as I have written above. Please also set a password with the passwd command.

It is possible that the ISP does DNS hijacking, so that in the end you have to use a DNS server via the tunnel (or use encrypted DNS).
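An added check (not from this thread) that captures the diagnostic the posts above rely on: compare what the ISP-side resolver and a public resolver return for the same name, and flag answers in loopback or private ranges (the thread's medium.com -> ::1) as hijacked. The resolver addresses and answers in the sample data are constructed; the real answers would come from running nslookup against each server on the router.

```python
import ipaddress

# Address ranges that can never be the real public host behind a name. An
# answer inside one of them (the thread's case: medium.com resolving to ::1)
# is a signature of DNS-based blocking or hijacking by that resolver.
BOGUS_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",     # unspecified/loopback/link-local v4
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "::/128", "::1/128", "fe80::/10", "fc00::/7",     # unspecified/loopback/link-local/ULA v6
)]

# Constructed sample data modelled on the thread, not real DNS records: the
# ISP-side resolver (192.168.0.1 in the thread) returns ::1 for medium.com,
# while a public resolver returns routable addresses (documentation ranges here).
SAMPLE_ANSWERS = {
    "medium.com": {"192.168.0.1": ["::1"],
                   "8.8.8.8": ["192.0.2.10", "2001:db8::10"]},
    "google.com": {"192.168.0.1": ["192.0.2.20"],
                   "8.8.8.8": ["192.0.2.20"]},
}


def is_bogus_answer(addr: str) -> bool:
    """True if the resolver's answer lies in a range no public host can use."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BOGUS_NETS)  # mismatched IP versions just give False


def classify_resolvers(answers_by_resolver: dict) -> dict:
    """Map each resolver to 'bogus' (at least one poisoned answer) or 'ok'."""
    return {resolver: ("bogus" if any(is_bogus_answer(a) for a in addrs) else "ok")
            for resolver, addrs in answers_by_resolver.items()}


def hijack_suspected(answers_by_resolver: dict) -> bool:
    """The thread's pattern: one resolver answers with a bogus address while
    another returns a plausible one, so the name exists and the difference
    is the resolver, not the site."""
    return set(classify_resolvers(answers_by_resolver).values()) == {"bogus", "ok"}


def usable_addresses(answers_by_resolver: dict) -> list:
    """Plausible answers, e.g. the ones worth routing through the tunnel in PBR."""
    return sorted({a for addrs in answers_by_resolver.values()
                   for a in addrs if not is_bogus_answer(a)})


if __name__ == "__main__":
    for name, answers in SAMPLE_ANSWERS.items():
        print(name, classify_resolvers(answers),
              "hijack suspected:", hijack_suspected(answers))
```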

It still pings localhost :frowning:

OK, have you restarted the router?

Yes, of course, and I still got the error :frowning:

P/S: My main account exceeded the max replies for today :frowning: