I am trying to set up OpenVPN split tunneling (with one WiFi network connected to the VPN and all the other interfaces going via the normal WAN) and (after many, many hours wasted on a stupid bug that breaks a firewall zone if the interface in it has an all-caps name!) I have finally got it mostly working.
But it has a problem of leaking the DNS requests out the standard WAN interface and to whatever DNS server the WAN interface has been set to.
I have set up OpenVPN with the route-nopull option and I am using a policy-based routing rule to direct all traffic from the subnet I set up for that WiFi network to the VPN's tun0 interface.
I can see the DNS server the OpenVPN connection is trying to push, but I am not sure how to make dnsmasq use that server for all requests from that WiFi network's subnet and only send them out via tun0, while at the same time not doing it for the other subnet (and thus keeping a normal setup of sending those requests out the normal WAN interface).
- Is your wifi logically separated? (i.e. explain the router subnet structure)
- Will you require fallback to WAN (dns/traffic) for the tunneled hosts?
##################################### Add to /etc/openvpn/"vpn".conf
script-security 2
up "/etc/openvpn/tunup.sh"
down "/etc/openvpn/tundown.sh"
Then add /tmp/resolv.dnsmasq2 to the conf for the second dnsmasq instance (the one listening on the WiFi subnet) under resolv files etc.
The second instance is way simpler. Use a down script to switch back to resolv.wan if you want no killswitch. It will also depend on how many resources you have.
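The up/down hooks from the post above, as an added example that is not the poster's own script: it collects the DNS servers OpenVPN pushes (the foreign_option_N environment variables) into /tmp/resolv.dnsmasq2 for the WiFi-only dnsmasq instance, and removes that file when the tunnel drops so the instance has no WAN fallback. The script path, using one script for both hooks (dispatching on OpenVPN's script_type variable) and the dnsmasq restart call are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed path: /etc/openvpn/tunup.sh,
# copied or symlinked as tundown.sh so the same file serves both hooks.
# OpenVPN exports every pushed option as foreign_option_N="dhcp-option DNS a.b.c.d"
# and sets script_type to "up" or "down" before running the hook.

# Assumed resolv file that the second (WiFi-only) dnsmasq instance reads.
RESOLV_VPN="${RESOLV_VPN:-/tmp/resolv.dnsmasq2}"

# Print one "nameserver X" line per DNS server pushed through the tunnel,
# walking foreign_option_1, foreign_option_2, ... until the first unset one.
pushed_dns_nameservers() {
    i=1
    while true; do
        eval "opt=\${foreign_option_$i:-}"
        [ -n "$opt" ] || break
        case "$opt" in
            "dhcp-option DNS "*) echo "nameserver ${opt#dhcp-option DNS }" ;;
        esac
        i=$((i + 1))
    done
}

# Write the pushed resolvers to $1. Returns 1 and writes nothing when the
# server pushed no DNS, so the WiFi instance never silently falls back to
# whatever the WAN uses (the leak described in the thread). A failing "up"
# script makes OpenVPN abort the connection, which is the safe outcome here.
write_vpn_resolv() {
    servers=$(pushed_dns_nameservers)
    [ -n "$servers" ] || return 1
    printf '%s\n' "$servers" > "$1"
}

# On tunnel down, drop the file: with no upstream the WiFi instance fails to
# resolve instead of leaking queries out the WAN (the "killswitch" behaviour).
clear_vpn_resolv() {
    rm -f "$1"
}

# dnsmasq polls its resolv files, but a restart applies the change immediately.
case "${script_type:-}" in
    up)   write_vpn_resolv "$RESOLV_VPN" && /etc/init.d/dnsmasq restart ;;
    down) clear_vpn_resolv "$RESOLV_VPN" && /etc/init.d/dnsmasq restart ;;
esac
```

Point the second dnsmasq instance at this file (resolvfile option in /etc/config/dhcp) and bind it only to the VPN WiFi interface so the main instance keeps using the WAN resolvers.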
I don't know if it's possible. But you could configure the dhcp server with the dns servers from the VPN provider. It is done as custom dhcp options. You can also block access to port 53 on the router itself from the WiFi network to stop the clients from using its dnsmasq.
The WiFi SSID I want to use for the VPN is a second SSID off the 5 GHz radio (physical interface wl0.1). That is put in a separate interface using a static address that I set in a different subnet from the normal LAN interface, with DHCP running, which is then put into a firewall zone that is connected with another zone I set up with tun0 in it.
I will not be needing fallback, I want this network to be completely VPN only.
If you're trying to separate your upstream DNS providers, you'd then likely need two instances of adblock as well (I'm assuming it works as a DNS proxy between the local server and the upstream servers).
adblock doesn't really work like a proxy, instead it merely injects local DNS overrides (based on the fetched block lists) into dnsmasq's configuration answering with NXDOMAIN (server=/example.com/).
Out of those options I think multiple instances of dnsmasq would be what I will try for, the problem is that the linked wiki page is a bit sparse in how to configure it.
I am mainly not sure if the given example of
config 'dnsmasq' 'hotspot'
is meant to replace the
config dnsmasq
at the top of /etc/config/dhcp or if it is in addition to it (and if so, do I need 2 of them or just the normal one plus the extra instance)?
But no DNS access for the VPN or the normal network, both being sent to 10.255.255.2 (which is not what I want) but never getting a response (indicating it is trying to reach it over the WAN).