Forcing DNSCrypt to go through the VPN client – not possible before the VPN is up?

Hi
So I found out that when OpenWrt boots, DNSCrypt loads and starts its server latency test, but the VPN client is not fully up and initialised yet. I get the init-sequence-complete message sometime in the middle of the DNSCrypt test. So it looks like all the DNS requests are just going out via the ISP and not via the VPN. Or my VPN kill switch is not working at all, which looks weird too. It's a proper install following the wiki, with tun and tun+, LAN forwarded to the VPN, and WAN with no forwarding to any destination. DNSCrypt is fairly default, just no DoH.

So is there a way to force dnscrypt to go only over the VPN? To connect to the VPN provider, instead of using a hostname like vpnprov.com, can we only use its IP, e.g. 89.56.65.65?

Here is my firewall config and what I think is the relevant info:

p:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list device 'tun0'
        option network 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option name 'ISAKMP old block'
        option target 'REJECT'

config include
        option path '/etc/firewall.user'

config zone
        list device 'tun+'
        option name 'openvpn'
        option mtu_fix '1'
        option input 'REJECT'
        option forward 'REJECT'
        option masq '1'
        option output 'ACCEPT'

config forwarding
        option dest 'openvpn'
        option src 'lan'

config redirect
        option name 'Divert-DNS, port 53'
        option src 'lan'
        option proto 'tcp udp'
        option src_dport '53'
        option dest_port '53'
        option target 'DNAT'

config rule
        option name 'Reject-DoT, port 853'
        option src 'lan'
        option dest 'wan'
        list proto 'tcp udp'
        option dest_port '853'
        option target 'REJECT'

config redirect
        option name 'Divert-DNS, port 5353'
        option src 'lan'
        option proto 'tcp udp'
        option src_dport '5353'
        option dest_port '53'
        option target 'DNAT'

-=-=-==-=-

~# ip route show table all
0.0.0.0/1 via vpn.ip.x.x dev tun0
default via 192.168.0.1 dev eth1  src 192.168.0.72
vpn.ip.x.x/27 dev tun0 scope link  src vpn.ip.x.x
128.0.0.0/1 via vpn.ip.x.x dev tun0
17x.7x.1xx.x0x via 192.168.0.1 dev eth1
192.168.0.0/24 dev eth1 scope link  src 192.168.0.72
192.168.40.0/24 dev br-lan scope link  src 192.168.40.1
broadcast vpn.ip.x.x dev tun0 table local scope link  src vpn.ip.x.x
local vpn.ip.x.x dev tun0 table local scope host  src vpn.ip.x.x
broadcast vpn.ip.x.x dev tun0 table local scope link  src vpn.ip.x.x
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
broadcast 192.168.0.0 dev eth1 table local scope link  src 192.168.0.72
local 192.168.0.72 dev eth1 table local scope host  src 192.168.0.72
broadcast 192.168.0.255 dev eth1 table local scope link  src 192.168.0.72
broadcast 192.168.40.0 dev br-lan table local scope link  src 192.168.40.1
local 192.168.40.1 dev br-lan table local scope host  src 192.168.40.1
broadcast 192.168.40.255 dev br-lan table local scope link  src 192.168.40.1
fd85:eee2:1e51::/64 dev br-lan  metric 1024
unreachable fd85:eee2:1e51::/48 dev lo  metric 2147483647  error -113
fe80::/64 dev br-lan  metric 256
fe80::/64 dev eth1  metric 256
fe80::/64 dev tun0  metric 256
local ::1 dev lo table local  metric 0
anycast fd85:eee2:1e51:: dev br-lan table local  metric 0
local fd85:eee2:1e51::1 dev br-lan table local  metric 0
anycast fe80:: dev eth1 table local  metric 0
anycast fe80:: dev br-lan table local  metric 0
anycast fe80:: dev tun0 table local  metric 0
local fe80::20c:29ff:fe64:cc78 dev br-lan table local  metric 0
local fe80::20c:29ff:fe64:cc82 dev eth1 table local  metric 0
local fe80::a75a:20af:c96:8dc2 dev tun0 table local  metric 0
ff00::/8 dev br-lan table local  metric 256
ff00::/8 dev eth1 table local  metric 256
ff00::/8 dev tun0 table local  metric 256

-=-=-=-=-=-

p:~# ip rule show
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

root@OWrtHop:~# sysctl net 2> /dev/null | grep -e forward
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.br-lan.forwarding = 1
net.ipv4.conf.br-lan.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.eth1.forwarding = 1
net.ipv4.conf.eth1.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.tun0.forwarding = 1
net.ipv4.conf.tun0.mc_forwarding = 0
net.ipv4.ip_forward = 1
net.ipv4.ip_forward_use_pmtu = 0
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.all.mc_forwarding = 0
net.ipv6.conf.br-lan.forwarding = 1
net.ipv6.conf.br-lan.mc_forwarding = 0
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.default.mc_forwarding = 0
net.ipv6.conf.eth0.forwarding = 1
net.ipv6.conf.eth0.mc_forwarding = 0
net.ipv6.conf.eth1.forwarding = 1
net.ipv6.conf.eth1.mc_forwarding = 0
net.ipv6.conf.lo.forwarding = 1
net.ipv6.conf.lo.mc_forwarding = 0
net.ipv6.conf.tun0.forwarding = 1
net.ipv6.conf.tun0.mc_forwarding = 0

-=-=-=-=-=-

# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '0'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        list server '127.0.0.53#53'
        option noresolv '1'
        option localuse '1'
        option cachesize '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

-=-=-=-=-

# logread -e dnsmasq
Tue Apr 13 22:57:36 2021 daemon.info dnsmasq-dhcp[2423]: DHCPREQUEST(br-lan) 192.168.40.198 00:0c:29:a5:ea:5a
Tue Apr 13 22:57:36 2021 daemon.info dnsmasq-dhcp[2423]: DHCPACK(br-lan) 192.168.40.198 00:0c:29:a5:ea:5a w10Lt

-=-=-=-=-=-

p:~# netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         .VPn. Ip. xx    128.0.0.0       UG        0 0          0 tun0
0.0.0.0         192.168.0.1     0.0.0.0         UG        0 0          0 eth1
.VPn. Ip. xx    0.0.0.0         255.255.255.224 U         0 0          0 tun0
128.0.0.0       .VPn. Ip. xx    128.0.0.0       UG        0 0          0 tun0
.vpn .ip xxx    192.168.0.1     255.255.255.255 UGH       0 0          0 eth1
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1
192.168.40.0    0.0.0.0         255.255.255.0   U         0 0          0 br-lan

Thanks for any hints.

Traffic from your router including DNSCrypt is outgoing.
The kill-switch applies only to transit traffic from your LAN.
It's possible to restart DNSCrypt upon connecting a VPN.

Currently dnscrypt-proxy is at start level 18 and OpenVPN is at 90. Could I put the VPN at 60 (before ucitrack, which is at 80) and then dnscrypt at 92? Would that be enough?

Or just put something like the following into System / Startup / Local Startup:
/etc/init.d/dnscrypt-proxy restart OpenVpn
?
I do have a second kill switch as:
/etc/hotplug.d/iface/99-prevent-leak

#!/bin/sh
# Secondary VPN kill switch, run on hotplug "iface" events.
#
# On ifup: if the tun0 device exists and the blanket REJECT is still sitting
# in the forwarding_rule chain, lift it so LAN traffic can be forwarded again.
# On ifdown: if tun0 is gone and no blanket REJECT is present, insert one so
# LAN transit traffic cannot fall back to the plain WAN path.
#
# This only governs *forwarded* traffic (LAN clients). Traffic that originates
# on the router itself — dnscrypt-proxy's own upstream queries included — does
# not traverse the forwarding_rule chain and is not covered here.
#
# NOTE(review): `ip a s tun0 up` appears to exit non-zero only when the device
# does not exist; the "up" keyword filters the listing rather than changing
# the exit status, so treat this as an existence check, not a link-state
# check — confirm on the target busybox/iproute2 build.
# NOTE(review): iface events are raised for interfaces netifd manages; if no
# event is ever seen for tun0, this script may never run for the VPN device.

tun0_exists() {
    ip a s tun0 up
}

reject_rule_present() {
    iptables -C forwarding_rule -j REJECT
}

case "$ACTION" in
    ifup)
        if tun0_exists && reject_rule_present; then
            iptables -D forwarding_rule -j REJECT
        fi
        ;;
    ifdown)
        if ! tun0_exists && ! reject_rule_present; then
            iptables -I forwarding_rule -j REJECT
        fi
        ;;
esac

-=-=-=--
So should I create a second script, e.g. 93-dnscrypt-reboot, containing:

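#!/bin/sh
# Restart dnscrypt-proxy on an ifup event while the tun0 device exists and the
# blanket REJECT from the 99-prevent-leak kill switch is still in place (this
# script sorts before 99-*, so it runs just before that rule is lifted).
# The intent is to re-establish dnscrypt-proxy's resolver probes and upstream
# queries once the tunnel exists, instead of over the ISP path used at boot.
#
# NOTE(review): as in 99-prevent-leak, `ip a s tun0 up` is an existence check
# rather than a link-state check, and an iface event must actually fire for
# this to run at all — verify with the hotplug troubleshooting steps.
if [ "$ACTION" = ifup ] && ip a s tun0 up && iptables -C forwarding_rule -j REJECT; then
        /etc/init.d/dnscrypt-proxy restart
fi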

thanks again

You should be careful while customizing startup priorities.
It can result in race conditions since both services depend on RNG and NTP.
Utilizing hotplug or VPN-specific scripts is likely the preferred approach.

I tried matching on DEVICE for tun0, but it doesn't trigger.

vi /etc/hotplug.d/iface/98-restart-dnscrypt-proxy

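#!/bin/sh
# Restart dnscrypt-proxy once the VPN tunnel interface comes up, so that its
# resolver latency probes and upstream queries are re-established after the
# tunnel exists rather than over the ISP path they used at boot (dnscrypt-proxy
# starts earlier than OpenVPN in the init order).
#
# Hotplug "iface" events expose ACTION, INTERFACE (logical name from
# /etc/config/network) and DEVICE (kernel device name). Match on either, so the
# script fires whether tun0 is referenced by device or by interface name.
# `=` is used instead of `==`, which is undefined for [ ] under #!/bin/sh.
#
# NOTE(review): iface events are raised by netifd for interfaces it manages;
# if tun0 is created by OpenVPN alone and not declared in /etc/config/network,
# no event may arrive here at all — confirm with the hotplug troubleshooting
# steps (or OpenVPN's own up/down hook) before relying on this.
TUN_DEV="tun0"

if [ "${ACTION}" = "ifup" ] && { [ "${DEVICE}" = "${TUN_DEV}" ] || [ "${INTERFACE}" = "${TUN_DEV}" ]; }; then
    # Log so the trigger is visible in logread while troubleshooting.
    logger -t restart-dnscrypt-proxy "${TUN_DEV} is up, restarting dnscrypt-proxy"
    /etc/init.d/dnscrypt-proxy restart
fi
# -- end of script --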

If I put INTERFACE instead of DEVICE, it doesn't pick it up either. I tried to play around following the instructions, but I guess I got it wrong.

+case "$ACTION" in
+	up|down)
+		if get_option command "$ACTION"; then
+			exec /bin/sh -c "$command $ACTION $INSTANCE $*"
+		fi
+	;;
+esac

It looks like rc.local might be the best bet... But I would also like to know why the iface script doesn't want to fire.

thanks again

If you want to troubleshoot hotplug, follow the respective section:
https://openwrt.org/docs/guide-user/base-system/hotplug#usagetroubleshooting