OpenVPN and DNS leak/config

Hi there,

I've been playing with OpenWRT for a few days. I successfully installed and configured an OpenVPN client on my router.
I had some DNS leaks though... I found a solution, but I'm not sure it is the best one, plus it is not working as I expected.

I tried to add a DHCP option 6 in the LAN interface with OpenDNS IPs. It did not change anything, the DNS servers were still those of my ISP.

Then I edited /etc/config/dhcp to add noresolv '1' and list server a.a.a.a / list server b.b.b.b (OpenDNS IPs).
From there, my DNS showed as my VPN provider's. That's a lot better than my ISP's, but quite surprising since I specified OpenDNS's.
Plus it works for IPv4 but not for IPv6.

Note that I want ALL my traffic to go through my VPN.

What have I done wrong or missed? Why isn't DHCP option 6 working? How do I get it to work on IPv6?

Thanks in advance.

Methods to prevent DNS leaks:

Your VPN client should redirect both IPv4 and IPv6 gateways.
Otherwise you need to use either Dnsmasq-based methods or DNS hijacking to intercept DNSv6 queries.
Also you probably should disable ISP IPv6 prefix delegation.

odhcpd serving DHCPv6 uses a different syntax for DHCP option 6.
You likely can't add it via LuCI; see the link above for how to do it via CLI.
Don't forget that you need to reconnect your clients to apply the new settings.

The resolver-based method requires removing the noresolv and server options, which is the default.
The forwarder-based method requires noresolv=1 and some server.


Thanks a lot for your answer.
I tried the DHCP-option way, via CLI, still with OpenDNS IPs. It's even stranger now: DNS servers are now a mix of my DNS provider's and my ISP's... Still no trace of OpenDNS anywhere, even though that's the one I specified.

By the way, how is the router getting the VPN provider's DNS? It's not the same IP as the VPN server and I did not specify it anywhere. Even that puzzles me. It would actually be alright to use them instead of OpenDNS's. But they only appear when I specify... OpenDNS IPs ^^.

If I simply use the resolver method and specify OpenDNS's in the resolvfile (IPv4 & 6): all DNS servers are OpenDNS's, but the traffic isn't going through the VPN, right?
Plus, that way, I still don't get any IPv6 address. I still need to figure out how to redirect the IPv6 gateway.

Might need some time to get it all figured out ;). It feels like I'm breaking things more than fixing them right now ^^.

DNS leak tests show only recursive resolvers.
If your DNS provider is not recursive, then it forwards the queries to some other DNS servers, which will be displayed in the test result.

Either manually or with scripting.

It should go through when you establish the VPN connection with gateway redirect.

It depends on your VPN provider.
If there's no IPv6 address, there's nothing to do.
And if you have an IPv6 address, but no IPv6 prefix, then the only way is NAT6.

redirect-gateway def1 ipv6

I'm not sure I get what you mean. The first DNS reached in the tests is my VPN provider's. But there is a handful of other DNS servers which are all my ISP's (they're not random DNS servers), meaning there is still a leak somewhere.
I would understand if there were only my ISP's: classical leak.
I would eventually understand if there were only my VPN provider's (even though I never specified it manually, nor have I been using any script to retrieve it). That's actually what is happening when I use the forwarding method (except that I specified OpenDNS's IPs in dnsmasq and not my VPN provider's IP, so I was surprised to see the latter appear).
I don't get how DNS leak tests can get both as a result...

Alright, I feel quite stupid about that one... LuCI doesn't offer to select multiple values, I definitely need to use more CLI and less UI.
So I tried it, and it seems to initiate quite well. But you might have a point, my VPN provider might not support IPv6.

Never mind. I tried to disable IPv6 by simply stopping wan6: it does stop the IPv6 WAN interface, but for whatever reason, it also stops the correct IPv4 assignment...
I had to reactivate it.

Back to the resolver method vs. forwarding. Forwarding works, not as planned as I said above, but it works. Resolving just doesn't. Even if resolv.conf.auto is correctly generated (#interface lan + OpenDNS IPs), the DNS servers are not inherited by wan/wan6, which keep using my ISP's. I targeted the lan interface to avoid having to set up every interface.

I will keep trying to change and test settings tomorrow 'til I figure it out.

I think it's about time to move from theorizing to practice and, in particular, to correctly diagnose the issue:

uci show network; uci show firewall; uci show dhcp
ip -4 addr show; ip -4 route show; ip -4 rule show; iptables-save
ip -6 addr show; ip -6 route show; ip -6 rule show; ip6tables-save
ls -l  /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*

Alright.

192.168.31.1 is my router's local IP.
192.168.1.1 is my ISP box's IP.

My ISP box is working as a router for several home devices. It offers an unencrypted WiFi network which I want to keep as it is.
My Mi Router is connected to the ISP box by Ethernet. It is serving a different WiFi network which I want to be fully wrapped into the VPN tunnel (all traffic: HTTP, DNS, torrenting...).

Below are the last settings used. With those, when connected to the Mi Router's WiFi network, my IP is the VPN's, but the DNS servers are my ISP's.
Some of the following settings might not make sense, since I've been editing and trying every combination all day long :).

uci show network
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fdce:cb14:7f60::/48'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0.1'
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.ipaddr='192.168.31.1'
network.lan.peerdns='0'
network.lan.dns='208.67.222.222 208.67.220.220'
network.lan_dev=device
network.lan_dev.name='eth0.1'
network.lan_dev.macaddr='50:xx:xx:xx:xx:xx'
network.wan=interface
network.wan.ifname='eth0.2'
network.wan.proto='dhcp'
network.wan6=interface
network.wan6.ifname='eth0.2'
network.wan6.proto='dhcpv6'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='2 3 6t'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='1 6t'
network.TIGER_VPN=interface
network.TIGER_VPN.proto='none'
network.TIGER_VPN.ifname='tun0'
network.TIGER_VPN.auto='1'
uci show firewall

firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].network='wan wan6'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@zone[2]=zone
firewall.@zone[2].name='tiger_fw'
firewall.@zone[2].forward='REJECT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].network='TIGER_VPN'
firewall.@zone[2].input='REJECT'
firewall.@zone[2].masq='1'
firewall.@zone[2].mtu_fix='1'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].dest='tiger_fw'
firewall.@forwarding[1].src='lan'

uci show dhcp
dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded='1'
dhcp.@dnsmasq[0].boguspriv='1'
dhcp.@dnsmasq[0].filterwin2k='0'
dhcp.@dnsmasq[0].localise_queries='1'
dhcp.@dnsmasq[0].rebind_protection='1'
dhcp.@dnsmasq[0].rebind_localhost='1'
dhcp.@dnsmasq[0].local='/lan/'
dhcp.@dnsmasq[0].domain='lan'
dhcp.@dnsmasq[0].expandhosts='1'
dhcp.@dnsmasq[0].nonegcache='0'
dhcp.@dnsmasq[0].authoritative='1'
dhcp.@dnsmasq[0].readethers='1'
dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases'
dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.auto'
dhcp.@dnsmasq[0].nonwildcard='1'
dhcp.@dnsmasq[0].localservice='1'
dhcp.lan=dhcp
dhcp.lan.interface='lan'
dhcp.lan.start='100'
dhcp.lan.limit='150'
dhcp.lan.leasetime='12h'
dhcp.lan.dhcpv6='server'
dhcp.lan.ra='server'
dhcp.lan.ra_management='1'
dhcp.wan=dhcp
dhcp.wan.interface='wan'
dhcp.wan.ignore='1'
dhcp.odhcpd=odhcpd
dhcp.odhcpd.maindhcp='0'
dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd'
dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update'
dhcp.odhcpd.loglevel='4'

IPv4:

ip -4 addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
7: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.84/24 brd 192.168.1.255 scope global eth0.2
       valid_lft forever preferred_lft forever
24: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.31.1/24 brd 192.168.31.255 scope global br-lan
       valid_lft forever preferred_lft forever
29: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 100
    inet 100.97.0.107/16 brd 100.97.255.255 scope global tun0
       valid_lft forever preferred_lft forever

ip -4 route show
0.0.0.0/1 via 100.97.0.1 dev tun0
default via 192.168.1.1 dev eth0.2  src 192.168.1.84
100.97.0.0/16 dev tun0 scope link  src 100.97.0.107
128.0.0.0/1 via 100.97.0.1 dev tun0
188.172.219.42 via 192.168.1.1 dev eth0.2
192.168.1.0/24 dev eth0.2 scope link  src 192.168.1.84
192.168.31.0/24 dev br-lan scope link  src 192.168.31.1

ip -4 rule show
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
iptables-save
# Generated by iptables-save v1.6.2 on Tue Apr 16 13:01:22 2019
*nat
:PREROUTING ACCEPT [229474:57852471]
:INPUT ACCEPT [461:27301]
:OUTPUT ACCEPT [873:62443]
:POSTROUTING ACCEPT [3:726]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_tiger_fw_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_tiger_fw_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_tiger_fw_postrouting - [0:0]
:zone_tiger_fw_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_tiger_fw_prerouting
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_tiger_fw_postrouting
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_tiger_fw_postrouting -m comment --comment "!fw3: Custom tiger_fw postrouting rule chain" -j postrouting_tiger_fw_rule
-A zone_tiger_fw_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_tiger_fw_prerouting -m comment --comment "!fw3: Custom tiger_fw prerouting rule chain" -j prerouting_tiger_fw_rule
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Tue Apr 16 13:01:22 2019
# Generated by iptables-save v1.6.2 on Tue Apr 16 13:01:22 2019
*mangle
:PREROUTING ACCEPT [461942:284281358]
:INPUT ACCEPT [227928:136513307]
:FORWARD ACCEPT [140718:114718630]
:OUTPUT ACCEPT [67314:12241558]
:POSTROUTING ACCEPT [207908:126955228]
-A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o tun0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone tiger_fw MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Tue Apr 16 13:01:22 2019
# Generated by iptables-save v1.6.2 on Tue Apr 16 13:01:22 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_tiger_fw_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_tiger_fw_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_tiger_fw_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_tiger_fw_dest_ACCEPT - [0:0]
:zone_tiger_fw_dest_REJECT - [0:0]
:zone_tiger_fw_forward - [0:0]
:zone_tiger_fw_input - [0:0]
:zone_tiger_fw_output - [0:0]
:zone_tiger_fw_src_REJECT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i tun0 -m comment --comment "!fw3" -j zone_tiger_fw_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_tiger_fw_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_tiger_fw_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to tiger_fw forwarding policy" -j zone_tiger_fw_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_tiger_fw_dest_ACCEPT -o tun0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_tiger_fw_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
-A zone_tiger_fw_dest_REJECT -o tun0 -m comment --comment "!fw3" -j reject
-A zone_tiger_fw_forward -m comment --comment "!fw3: Custom tiger_fw forwarding rule chain" -j forwarding_tiger_fw_rule
-A zone_tiger_fw_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_tiger_fw_forward -m comment --comment "!fw3" -j zone_tiger_fw_dest_REJECT
-A zone_tiger_fw_input -m comment --comment "!fw3: Custom tiger_fw input rule chain" -j input_tiger_fw_rule
-A zone_tiger_fw_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_tiger_fw_input -m comment --comment "!fw3" -j zone_tiger_fw_src_REJECT
-A zone_tiger_fw_output -m comment --comment "!fw3: Custom tiger_fw output rule chain" -j output_tiger_fw_rule
-A zone_tiger_fw_output -m comment --comment "!fw3" -j zone_tiger_fw_dest_ACCEPT
-A zone_tiger_fw_src_REJECT -i tun0 -m comment --comment "!fw3" -j reject
-A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Tue Apr 16 13:01:22 2019

IPv6:

ip -6 addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UNKNOWN qlen 1000
    inet6 fe80::5264:2bff:fead:9343/64 scope link
       valid_lft forever preferred_lft forever
7: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2a02:8428:80aa:2c01:5264:2bff:fead:9343/64 scope global dynamic
       valid_lft 604667sec preferred_lft 604667sec
    inet6 fe80::5264:2bff:fead:9343/64 scope link
       valid_lft forever preferred_lft forever
24: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fdce:cb14:7f60::1/60 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::5264:2bff:fead:9344/64 scope link
       valid_lft forever preferred_lft forever
26: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::5264:2bff:fead:9345/64 scope link
       valid_lft forever preferred_lft forever
27: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::5264:2bff:fead:9346/64 scope link
       valid_lft forever preferred_lft forever
29: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 state UNKNOWN qlen 100
    inet6 fe80::54b8:bea2:a993:6af2/64 scope link
       valid_lft forever preferred_lft forever
ip -6 route show
default from 2a02:8428:80aa:2c01::/64 via fe80::e65d:51ff:fee6:5b38 dev eth0.2  metric 384
2a02:8428:80aa:2c01::/64 dev eth0.2  metric 256
fdce:cb14:7f60::/64 dev br-lan  metric 1024
unreachable fdce:cb14:7f60::/48 dev lo  metric 2147483647  error -148
fe80::/64 dev eth0  metric 256
fe80::/64 dev eth0.2  metric 256
fe80::/64 dev br-lan  metric 256
fe80::/64 dev wlan1  metric 256
fe80::/64 dev wlan0  metric 256
fe80::/64 dev tun0  metric 256
anycast 2a02:8428:80aa:2c01:: dev eth0.2  metric 0
anycast fdce:cb14:7f60:: dev br-lan  metric 0
anycast fe80:: dev eth0  metric 0
anycast fe80:: dev eth0.2  metric 0
anycast fe80:: dev br-lan  metric 0
anycast fe80:: dev wlan1  metric 0
anycast fe80:: dev wlan0  metric 0
anycast fe80:: dev tun0  metric 0
ff00::/8 dev eth0  metric 256
ff00::/8 dev eth0.2  metric 256
ff00::/8 dev br-lan  metric 256
ff00::/8 dev wlan1  metric 256
ff00::/8 dev wlan0  metric 256
ff00::/8 dev tun0  metric 256

ip -6 rule show
0:      from all lookup local
32766:  from all lookup main
4200000001:     from all iif lo lookup unspec 12
4200000007:     from all iif eth0.2 lookup unspec 12
4200000007:     from all iif eth0.2 lookup unspec 12
4200000024:     from all iif br-lan lookup unspec 12
4200000029:     from all iif tun0 lookup unspec 12

ip6tables-save
# Generated by ip6tables-save v1.6.2 on Tue Apr 16 13:06:05 2019
*mangle
:PREROUTING ACCEPT [217946:96862786]
:INPUT ACCEPT [1813:174717]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1846:229896]
:POSTROUTING ACCEPT [1846:229896]
-A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o tun0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone tiger_fw MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Tue Apr 16 13:06:05 2019
# Generated by ip6tables-save v1.6.2 on Tue Apr 16 13:06:05 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_tiger_fw_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_tiger_fw_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_tiger_fw_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_tiger_fw_dest_ACCEPT - [0:0]
:zone_tiger_fw_dest_REJECT - [0:0]
:zone_tiger_fw_forward - [0:0]
:zone_tiger_fw_input - [0:0]
:zone_tiger_fw_output - [0:0]
:zone_tiger_fw_src_REJECT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i tun0 -m comment --comment "!fw3" -j zone_tiger_fw_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_tiger_fw_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_tiger_fw_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp6-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to tiger_fw forwarding policy" -j zone_tiger_fw_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_tiger_fw_dest_ACCEPT -o tun0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_tiger_fw_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
-A zone_tiger_fw_dest_REJECT -o tun0 -m comment --comment "!fw3" -j reject
-A zone_tiger_fw_forward -m comment --comment "!fw3: Custom tiger_fw forwarding rule chain" -j forwarding_tiger_fw_rule
-A zone_tiger_fw_forward -m comment --comment "!fw3" -j zone_tiger_fw_dest_REJECT
-A zone_tiger_fw_input -m comment --comment "!fw3: Custom tiger_fw input rule chain" -j input_tiger_fw_rule
-A zone_tiger_fw_input -m comment --comment "!fw3" -j zone_tiger_fw_src_REJECT
-A zone_tiger_fw_output -m comment --comment "!fw3: Custom tiger_fw output rule chain" -j output_tiger_fw_rule
-A zone_tiger_fw_output -m comment --comment "!fw3" -j zone_tiger_fw_dest_ACCEPT
-A zone_tiger_fw_src_REJECT -i tun0 -m comment --comment "!fw3" -j reject
-A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -s fc00::/6 -d fc00::/6 -p udp -m udp --dport 546 -m comment --comment "!fw3: Allow-DHCPv6" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Tue Apr 16 13:06:05 2019

Resolver config:

ls -l /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*
lrwxrwxrwx    1 root     root            16 Jan 30 12:21 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            32 Apr 15 20:10 /tmp/resolv.conf
-rw-r--r--    1 root     root           158 Apr 15 20:43 /tmp/resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf.auto <==
# Interface lan
nameserver 208.67.222.222
nameserver 208.67.220.220
# Interface wan
nameserver 192.168.1.1
# Interface wan6
nameserver 2a02:8428:80aa:2c01::1

NB: resolv.conf.auto is overridden at each DHCP use. My local ISP box's IP is automatically added.


As it is now, all the hosts in the LAN of the OpenWrt router will use OpenWrt to resolve, which in turn uses OpenDNS and the router of your ISP.

As mentioned here, add the desired NS from your VPN provider to be advertised to the hosts.

uci add_list dhcp.lan.dhcp_option="6,8.8.8.8,8.8.4.4"
uci add_list dhcp.lan.dns="2001:4860:4860::8888"
uci add_list dhcp.lan.dns="2001:4860:4860::8844"
uci commit dhcp
service dnsmasq restart
service odhcpd restart

To use the resolver-based method, you need to disable ISP-DNS:
https://openwrt.org/docs/guide-user/base-system/dhcp_configuration#upstream_dns_provider

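The two answers above come down to one question: which interfaces are still feeding resolvers into dnsmasq. As an added check that is not from the thread, the POSIX shell below parses the /tmp/resolv.conf.auto format shown earlier, reports the nameservers that arrived via wan/wan6 (the ISP resolvers behind the leak) and emits the peerdns commands from the linked guide for exactly those interfaces. The sample input is constructed after the posted output; the function names are mine.

```sh
#!/bin/sh
# Added example (not from the thread): spot WAN-learned resolvers in
# /tmp/resolv.conf.auto and print the matching peerdns fix.

# Constructed sample, modelled on the resolv.conf.auto posted above.
SAMPLE_RESOLV_AUTO='# Interface lan
nameserver 208.67.222.222
nameserver 208.67.220.220
# Interface wan
nameserver 192.168.1.1
# Interface wan6
nameserver 2a02:8428:80aa:2c01::1'

# leaked_nameservers: read resolv.conf.auto on stdin, print
# "<iface> <nameserver>" for every entry learned on a wan* interface.
# Without noresolv=1 dnsmasq may forward to any of them, so each line
# is a resolver that bypasses the VPN.
leaked_nameservers() {
    awk '
        /^# Interface / { iface = $3; next }
        /^nameserver /  { if (iface ~ /^wan/) print iface, $2 }
    '
}

# wan_ifaces_with_dns: de-duplicated, space-separated list of those
# wan* interfaces; an empty result means no ISP resolver reaches dnsmasq.
wan_ifaces_with_dns() {
    leaked_nameservers | awk '
        !seen[$1]++ { printf "%s%s", (n++ ? " " : ""), $1 }
        END { print "" }
    '
}

# peerdns_off_cmds <iface>...: print (not run) the uci commands that stop
# the given interfaces from contributing DHCP/RA-learned DNS, which is the
# change that fixed it in the thread. Review the output before pasting it.
peerdns_off_cmds() {
    for i in "$@"; do
        printf 'uci set network.%s.peerdns="0"\n' "$i"
    done
    printf 'uci commit network\n'
    printf 'service network restart\n'
}

# Stand-alone run on the constructed sample; on a router replace the
# sample with: wan_ifaces_with_dns < /tmp/resolv.conf.auto
ifaces=$(printf '%s\n' "$SAMPLE_RESOLV_AUTO" | wan_ifaces_with_dns)
[ -n "$ifaces" ] && peerdns_off_cmds $ifaces
```

With peerdns off, the interface pushes no DNS at all, so the OpenDNS (or VPN) servers still have to be supplied elsewhere, as in the dhcp.lan options shown in the answer above.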

That did the trick.
I had tried with lan.dhcp_option and lan.dns before and it wasn't enough. I put them back, with peerdns disabled, and it was alright.

Still a small odd thing: in DNS tests, the only DNS server that appears now is my VPN provider's. It's perfectly okay, but I still didn't put it anywhere. It has a different nameserver/IP from the VPN server, so I still don't know where and how the system gets it.
If I disable the VPN interface, my real IP appears and the DNS servers are OpenDNS's ones, as set in dhcp.
It seems like my VPN provider somehow forces the use of its own DNS. It's alright with me, but I'd like to know how.

Thanks a lot for your help! I've got it working thanks to you guys.


Probably your VPN-provider uses DNS-hijacking to intercept the DNS-queries.
If you ever feel concerned about it, utilize DNS-encryption.


I will look into it later, for intellectual curiosity.
But I'm alright with that right now.
Thanks for the clarification!

