I currently have HTTPS DNS proxy set up with DNS hijacking turned on. I have always had a NordVPN OpenVPN client set up in order to bypass geographical content blocks. I noticed recently that traffic forced through NordVPN is no longer forced to use the NordVPN DNS servers, which is causing problems for geo-restricted content as my HTTPS DNS proxy DNS providers are being used even on the VPN network. How can this be resolved?
I'd try to force the DNS for the traffic forced through NordVPN, the same way you're forcing traffic through NordVPN (while potentially disabling the DNS hijacking in https-dns-proxy).
The most recent pbr builds in upstream support the "dns policies" to help with that.
Just had time to find out exactly what is causing the problems. Disabled https-dns-proxy to see if it was actually causing the problem and it wasn't. I have actually verified that the DNS leak is occurring when WAN is set as the default gateway by adding pull-filter ignore "redirect-gateway" to the VPN client config. The curious thing is that this behaviour is not how it used to behave and I'm not sure why it has changed. With OpenVPN set as the default gateway there are no DNS leaks.
That is the "normal" behaviour as DNSMasq or DNS http proxy will take the default route.
Granted OpenWRT does not deal with the pushed DNS servers of the OpenVPN provider in contrast to most other firmwares I have used. See my notes about DNS leak: https://github.com/egc112/OpenWRT-egc-add-on/tree/main/stop-dns-leak#dns-leak
But there are multiple ways to deal with this yourself.
The PBR package has its DNS policies.
But you can also use DNSMasq option 6, or even use a script which grabs the DNS server pushed by the provider, routes it via the VPN and makes sure that that DNS server is the only one used by DNSMasq (so it will not work with HTTPS DNS proxy, but as it is encrypted via the VPN it does not need to use it to be safe), see: https://github.com/egc112/OpenWRT-egc-add-on/tree/main/stop-dns-leak/use-openvpn-dns
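As an added illustration of the script approach described in this reply (this is not the egc112 script linked above, and the hook name, the uci section and the sample pushed options are assumptions): an OpenVPN up/down hook for OpenWrt that reads the DNS servers pushed by the provider, routes them through the tunnel and makes dnsmasq use only those servers, validating the pushed values before they reach uci or ip.

```shell
#!/bin/sh
# Added example, not the egc112 script: OpenVPN up/down hook for OpenWrt.
# Assumes OpenVPN runs it via "up"/"down" with "script-security 2", sets
# $dev (tunnel interface) and $script_type, and dnsmasq is dhcp.@dnsmasq[0].

# Collect resolvers from OpenVPN's foreign_option_N variables, e.g.
# foreign_option_1="dhcp-option DNS 10.8.0.1". Prints one address per line.
# Values come from the remote side, so anything that is not digits and dots
# is dropped rather than passed on to uci / ip.
parse_pushed_dns() {
    i=1
    while :; do
        eval "opt=\${foreign_option_$i:-}"
        [ -n "$opt" ] || break
        i=$((i + 1))
        case "$opt" in
            "dhcp-option DNS "*) ip="${opt#dhcp-option DNS }" ;;
            *) continue ;;
        esac
        case "$ip" in
            ""|*[!0-9.]*) continue ;;   # reject empty or non-IPv4-looking values
            *) echo "$ip" ;;
        esac
    done
}

# Up: route each pushed resolver via the tunnel and pin dnsmasq to them only
# (noresolv makes dnsmasq ignore the WAN resolvers in /etc/resolv.conf).
apply_vpn_dns() {
    tun="$1"; shift
    [ $# -gt 0 ] || { logger -t vpn-dns "no DNS pushed, dnsmasq unchanged"; return 1; }
    uci -q delete dhcp.@dnsmasq[0].server
    uci set dhcp.@dnsmasq[0].noresolv='1'
    for ns in "$@"; do
        ip route replace "$ns/32" dev "$tun"      # queries cannot leak to WAN
        uci add_list dhcp.@dnsmasq[0].server="$ns"
    done
    uci commit dhcp && /etc/init.d/dnsmasq restart
}

# Down: hand resolution back to the WAN resolvers.
restore_wan_dns() {
    uci -q delete dhcp.@dnsmasq[0].server
    uci -q delete dhcp.@dnsmasq[0].noresolv
    uci commit dhcp && /etc/init.d/dnsmasq restart
}

case "${script_type:-}" in
    up)   apply_vpn_dns "$dev" $(parse_pushed_dns) ;;
    down) restore_wan_dns ;;
esac
```

As the reply notes, pinning dnsmasq this way bypasses https-dns-proxy; the upstream queries are still protected because they travel inside the tunnel.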
Thanks, will have a look and try to implement one of the above. Will report back when I've tried it.
Just tried the script. Worked brilliantly. Many thanks. For now I've disabled HTTPS DNS proxy as it didn't seem to work with that but it did work perfectly with it disabled. If I could get both working together that would be perfect!
Sorry, don't have time to peruse the entire thread, but maybe you can keep your current config working with https-dns-proxy if you disable DNS hijack in https-dns-proxy.
I think I could using pbr 1.1.8 but will wait until the next stable version of OpenWrt when it is in the official repo.