Hi
So I found out that when OpenWrt boots, dnscrypt loads up and starts its server latency test, but the VPN client is not fully up and initialized yet. I get the init sequence completed message sometime in the middle of the dnscrypt test. So it looks like all the DNS requests are just going via the ISP and not via the VPN. Or my VPN kill switch is not working at all, which looks weird too. It's a proper install from the wiki, with tun and tun+, LAN forwarded to VPN, and WAN with no forwarding destination. Dnscrypt is fairly default, just no DoH.
So is there a way to force dnscrypt to go only through the VPN? To connect to the VPN provider, instead of putting vpnprov.com we could put only its IP, like 89.56.65.65.
Here is my firewall and the relevant info, I think:
p:~# cat /etc/config/firewall
# Firewall for a LAN-behind-VPN setup. Forwarded LAN traffic can only leave
# through the openvpn zone (the single 'config forwarding' section below), but
# packets the router itself originates are governed by the zones' OUTPUT policy,
# which is ACCEPT everywhere in this file. dnscrypt runs on the router, so its
# upstream probes at boot follow the main routing table: with tun0 not yet up
# that is 'default via 192.168.0.1 dev eth1', i.e. the ISP path. That matches
# the symptom described in the post; the fix belongs in OUTPUT, not FORWARD.
config defaults
option input 'ACCEPT'
# Router-originated traffic is unrestricted in every zone below.
option output 'ACCEPT'
# Inter-zone forwarding is denied unless a 'config forwarding' section allows it.
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
# Intra-zone (lan->lan) forwarding only; lan->wan would need a forwarding
# section, and none exists in this file.
option forward 'ACCEPT'
option network 'lan'
config zone
option name 'wan'
option input 'REJECT'
# Packets the router sends out via eth1 are accepted regardless of tunnel state.
# Extending the kill switch to router-originated traffic (dnscrypt's own
# queries) means REJECT here plus a rule allowing only the VPN endpoint (and
# DHCP/NTP if needed) — TODO confirm the endpoint address/port the OpenVPN
# client uses before changing it, or the tunnel itself will not come up.
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
# NOTE(review): tun0 is also matched by 'tun+' in the openvpn zone further down.
# A device listed in two zones gets both zones' chains (wan masq and output
# included), which blurs the tunnel/ISP separation — confirm this entry is
# intended rather than a leftover.
list device 'tun0'
option network 'wan'
# Stock wan input rules follow (DHCP renew, ping, IGMP, DHCPv6, MLD, ICMPv6).
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# Forwards ESP from wan into lan, then rejects IKE (udp/500) on the same path.
# No IPsec is mentioned in the post — looks like a leftover; confirm it is
# still wanted, since it is an inbound hole from wan into lan.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option name 'ISAKMP old block'
option target 'REJECT'
# Contents of this file are not shown in the post; any custom iptables rules
# in it are outside this review.
config include
option path '/etc/firewall.user'
# Tunnel zone: nothing may enter it or be forwarded into it from outside; lan
# may forward to it (see the forwarding section below) and is masqueraded
# behind the tunnel address.
config zone
list device 'tun+'
option name 'openvpn'
option mtu_fix '1'
option input 'REJECT'
option forward 'REJECT'
option masq '1'
option output 'ACCEPT'
# The only inter-zone forwarding: LAN hosts go out through the tunnel or not
# at all. This is the forwarded-traffic half of the kill switch; it does not
# cover what the router itself sends.
config forwarding
option dest 'openvpn'
option src 'lan'
# No dest_ip, so this DNATs to the router itself: LAN clients' plain DNS is
# forced into dnsmasq whatever resolver they have configured.
config redirect
option name 'Divert-DNS, port 53'
option src 'lan'
option proto 'tcp udp'
option src_dport '53'
option dest_port '53'
option target 'DNAT'
# Only covers lan->wan. Because lan may forward to openvpn, DNS-over-TLS (853)
# from LAN clients still works through the tunnel; add a matching rule with
# dest 'openvpn' if all resolution should go through the router's dnscrypt.
config rule
option name 'Reject-DoT, port 853'
option src 'lan'
option dest 'wan'
list proto 'tcp udp'
option dest_port '853'
option target 'REJECT'
# Also sends port 5353 (the mDNS port) into the local resolver on port 53 —
# confirm this is intended, as it will also catch multicast DNS from LAN hosts.
config redirect
option name 'Divert-DNS, port 5353'
option src 'lan'
option proto 'tcp udp'
option src_dport '5353'
option dest_port '53'
option target 'DNAT'
-=-=-==-=-
~# ip route show table all
0.0.0.0/1 via vpn.ip.x.x dev tun0
default via 192.168.0.1 dev eth1 src 192.168.0.72
vpn.ip.x.x/27 dev tun0 scope link src vpn.ip.x.x
128.0.0.0/1 via vpn.ip.x.x dev tun0
17x.7x.1xx.x0x via 192.168.0.1 dev eth1
192.168.0.0/24 dev eth1 scope link src 192.168.0.72
192.168.40.0/24 dev br-lan scope link src 192.168.40.1
broadcast vpn.ip.x.x dev tun0 table local scope link src vpn.ip.x.x
local vpn.ip.x.x dev tun0 table local scope host src vpn.ip.x.x
broadcast vpn.ip.x.x dev tun0 table local scope link src vpn.ip.x.x
broadcast 127.0.0.0 dev lo table local scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host src 127.0.0.1
local 127.0.0.1 dev lo table local scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link src 127.0.0.1
broadcast 192.168.0.0 dev eth1 table local scope link src 192.168.0.72
local 192.168.0.72 dev eth1 table local scope host src 192.168.0.72
broadcast 192.168.0.255 dev eth1 table local scope link src 192.168.0.72
broadcast 192.168.40.0 dev br-lan table local scope link src 192.168.40.1
local 192.168.40.1 dev br-lan table local scope host src 192.168.40.1
broadcast 192.168.40.255 dev br-lan table local scope link src 192.168.40.1
fd85:eee2:1e51::/64 dev br-lan metric 1024
unreachable fd85:eee2:1e51::/48 dev lo metric 2147483647 error -113
fe80::/64 dev br-lan metric 256
fe80::/64 dev eth1 metric 256
fe80::/64 dev tun0 metric 256
local ::1 dev lo table local metric 0
anycast fd85:eee2:1e51:: dev br-lan table local metric 0
local fd85:eee2:1e51::1 dev br-lan table local metric 0
anycast fe80:: dev eth1 table local metric 0
anycast fe80:: dev br-lan table local metric 0
anycast fe80:: dev tun0 table local metric 0
local fe80::20c:29ff:fe64:cc78 dev br-lan table local metric 0
local fe80::20c:29ff:fe64:cc82 dev eth1 table local metric 0
local fe80::a75a:20af:c96:8dc2 dev tun0 table local metric 0
ff00::/8 dev br-lan table local metric 256
ff00::/8 dev eth1 table local metric 256
ff00::/8 dev tun0 table local metric 256
-=-=-=-=-=-
p:~# ip rule show
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
root@OWrtHop:~# sysctl net 2> /dev/null | grep -e forward
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.br-lan.forwarding = 1
net.ipv4.conf.br-lan.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.eth1.forwarding = 1
net.ipv4.conf.eth1.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.tun0.forwarding = 1
net.ipv4.conf.tun0.mc_forwarding = 0
net.ipv4.ip_forward = 1
net.ipv4.ip_forward_use_pmtu = 0
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.all.mc_forwarding = 0
net.ipv6.conf.br-lan.forwarding = 1
net.ipv6.conf.br-lan.mc_forwarding = 0
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.default.mc_forwarding = 0
net.ipv6.conf.eth0.forwarding = 1
net.ipv6.conf.eth0.mc_forwarding = 0
net.ipv6.conf.eth1.forwarding = 1
net.ipv6.conf.eth1.mc_forwarding = 0
net.ipv6.conf.lo.forwarding = 1
net.ipv6.conf.lo.mc_forwarding = 0
net.ipv6.conf.tun0.forwarding = 1
net.ipv6.conf.tun0.mc_forwarding = 0
-=-=-=-=-=-
# cat /etc/config/dhcp
# dnsmasq acts only as a local stub: every query is forwarded to the listener
# on 127.0.0.53 (presumably dnscrypt — confirm), so dnsmasq itself never talks
# to the ISP. The boot-time leak described in the post happens on dnscrypt's
# own upstream path, not here.
config dnsmasq
option domainneeded '1'
# Reverse lookups for private ranges are forwarded upstream instead of being
# answered locally (the stock OpenWrt config enables this) — harmless through
# an encrypted resolver, but confirm it is intended.
option boguspriv '0'
option filterwin2k '0'
option localise_queries '1'
# Drops upstream answers that point into private address space (DNS rebinding).
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
# Not consulted while noresolv is set below.
option resolvfile '/tmp/resolv.conf.auto'
option nonwildcard '1'
# Answer only queries arriving from directly attached subnets.
option localservice '1'
# Sole upstream: the local dnscrypt listener, so no ISP nameserver is ever used
# by dnsmasq.
list server '127.0.0.53#53'
# Ignore the nameservers learnt on wan; only the 'server' entry above applies.
option noresolv '1'
# The router's own lookups also go through dnsmasq, and hence via 127.0.0.53.
option localuse '1'
# Caching disabled in dnsmasq; presumably left to the upstream resolver.
option cachesize '0'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
# No DHCP served towards wan.
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
-=-=-=-=-
# logread -e dnsmasq
Tue Apr 13 22:57:36 2021 daemon.info dnsmasq-dhcp[2423]: DHCPREQUEST(br-lan) 192.168.40.198 00:0c:29:a5:ea:5a
Tue Apr 13 22:57:36 2021 daemon.info dnsmasq-dhcp[2423]: DHCPACK(br-lan) 192.168.40.198 00:0c:29:a5:ea:5a w10Lt
-=-=-=-=-=-
p:~# netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 .VPn. Ip. xx 128.0.0.0 UG 0 0 0 tun0
0.0.0.0 192.168.0.1 0.0.0.0 UG 0 0 0 eth1
.VPn. Ip. xx 0.0.0.0 255.255.255.224 U 0 0 0 tun0
128.0.0.0 .VPn. Ip. xx 128.0.0.0 UG 0 0 0 tun0
.vpn .ip xxx 192.168.0.1 255.255.255.255 UGH 0 0 0 eth1
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.40.0 0.0.0.0 255.255.255.0 U 0 0 0 br-lan
Thanks for the hints.