Route only specific devices through Wireguard VPN

Glad you solved it :+1:

Yeah, I figured. Sorry about that. When I said private DNS, I always referred to my ISP DNS.

1 Like

I tried to set the IP of the selected speedtest server as well. Not working either.

config policy
	option name 'speedtest use vpn3'
	option dest_addr 'xxx.xxx.xxx.xxx'
	option interface 'wg0'

root@OpenWrt:~# ip route get xxx.xxx.xxx.xxx
xxx.xxx.xxx.xxx via 192.168.10.1 dev eth1 src 192.168.10.41 uid 0
    cache

Not sure why the rule isn't applied at all.

The request comes from the router, so you need to use the OUTPUT chain and not the default PREROUTING chain.

option chain 'output'

It does not create a route; it uses fwmark, so you can view it with: nft list ruleset and ip rule

1 Like
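The point just made is easy to miss when debugging: because pbr marks packets and steers them with an ip rule rather than installing a route, a plain "ip route get" (as in the output above) keeps showing the WAN device even when the policy is active. The script below is an added example, not code from pbr or from anyone in this thread; it extracts the fwmark for a pbr routing table from "ip rule show" and then asks the kernel for the route twice, without and with that mark. The table name pbr_wg0 and all addresses are constructed assumptions; take the real table name from your own "ip rule show" output.

```shell
#!/bin/sh
# Added example (not the pbr package's code and not from the thread): show where
# traffic originated by the router itself would leave, once with a plain lookup
# and once with the fwmark that pbr attaches to matching packets.
#
# pbr does not install a plain route for a policy; it marks packets, and an
# `ip rule` sends marked packets to a separate routing table. A bare
# `ip route get DEST` consults the unmarked main table, so it keeps showing the
# WAN device even when the policy is fine. `ip route get DEST mark MARK` shows
# the path that marked packets actually take.

# Print the "dev" field of one line of `ip route get` output.
route_dev() {
	printf '%s\n' "$1" | awk '{ for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Read `ip rule show` output on stdin and print the fwmark value (without the
# /mask part) of the rule that selects routing table $1; print nothing if no
# such rule exists.
fwmark_for_table() {
	awk -v tbl="$1" '
		$0 ~ ("lookup " tbl "( |$)") {
			for (i = 1; i <= NF; i++)
				if ($i == "fwmark") { sub(/\/.*/, "", $(i + 1)); print $(i + 1); exit }
		}'
}

# Live check, meant to be run on the router:  sh pbr_route_check.sh DEST [TABLE]
# TABLE defaults to pbr_wg0, an assumed name; take the real one from `ip rule show`.
live_check() {
	dest="$1"
	tbl="${2:-pbr_wg0}"
	mark=$(ip rule show | fwmark_for_table "$tbl")
	if [ -z "$mark" ]; then
		echo "no ip rule selects table $tbl; is the pbr policy active?" >&2
		return 1
	fi
	plain=$(route_dev "$(ip route get "$dest" | head -n 1)")
	marked=$(route_dev "$(ip route get "$dest" mark "$mark" | head -n 1)")
	echo "unmarked lookup : $dest -> $plain"
	echo "with fwmark $mark: $dest -> $marked"
	# The marking itself lives in nftables; this is where to look for it:
	#   nft list ruleset | grep -i mark
}

# Offline demonstration on constructed sample output (no router needed).
demo_offline() {
	# Constructed: what `ip rule show` looks like with one pbr table in place.
	rules='0:	from all lookup local
30000:	from all fwmark 0x10000/0xff0000 lookup pbr_wg0
32766:	from all lookup main'
	# Constructed: unmarked and marked `ip route get` answers for the same host.
	plain_line='198.51.100.9 via 192.168.10.1 dev eth1 src 192.168.10.41 uid 0'
	marked_line='198.51.100.9 dev wg0 table pbr_wg0 src 10.8.0.2 uid 0 mark 0x10000'
	mark=$(printf '%s\n' "$rules" | fwmark_for_table pbr_wg0)
	echo "pbr_wg0 is selected by fwmark $mark"
	echo "unmarked lookup  -> $(route_dev "$plain_line")"
	echo "lookup with mark -> $(route_dev "$marked_line")"
}

if [ "$#" -ge 1 ]; then
	live_check "$@"
else
	demo_offline
fi
```

Run with no arguments it only walks through the constructed sample; on the router, "sh pbr_route_check.sh <speedtest-server-ip>" prints eth1 for the unmarked lookup and wg0 for the marked one if the output-chain policy is in place.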

I found DNS the stickiest part of getting my VPN connection set up. Basically I have a couple of devices whose traffic I want to route through the VPN, however, I also want those devices to benefit from local DNS caching, and I want the ability to block certain domains. So I don't want to simply route all of their DNS queries through the VPN.

I have ended up with a second Dnsmasq instance running on another machine, with Dnsmasq on the main router configured to tell the VPN-routed clients (via DHCP) to use that machine's IP for DNS. That other Dnsmasq instance is then configured to use the VPN provider's DNS server as its upstream, and PBR is configured on the main router to send all traffic to that server over the VPN.

This is obviously all a bit clunky. What I really need is the ability to use different upstream DNS servers for different clients, then I could handle this all on the main router with a single Dnsmasq instance, but Dnsmasq doesn't provide that capability.

AdGuard Home does have this feature, but I also need to add IPs for certain hostnames to nftables sets as they are resolved, and AGH can't do that yet.

1 Like
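The layout described in the post above, written out as an added illustration (not the poster's own configuration): the main router hands only the tagged hosts a different DNS server via DHCP, the second dnsmasq instance forwards solely to the VPN provider's resolver and does the caching and blocking, and a pbr policy carries that resolver's traffic over wg0. All addresses and the MAC are constructed placeholders; the "config tag" section and "option tag" in a "config host" are the stock OpenWrt dhcp options for handing DHCP options to selected hosts.

```text
# /etc/config/dhcp on the main router (constructed addresses)
# Only hosts carrying the 'vpnclients' tag receive 192.168.1.50 as DNS server.
config tag 'vpnclients'
	list dhcp_option '6,192.168.1.50'

config host
	option name 'laptop'
	option mac 'AA:BB:CC:DD:EE:FF'
	option ip '192.168.1.20'
	option tag 'vpnclients'

# /etc/config/pbr on the main router
# The second resolver's upstream queries are the only DNS traffic that has to
# cross the VPN; the clients' queries stay on the LAN.
config policy
	option name 'Second dnsmasq to VPN DNS'
	option src_addr '192.168.1.50'
	option dest_addr '10.64.0.1'
	option dest_port '53'
	option interface 'wg0'

# dnsmasq.conf on the second machine (192.168.1.50)
# no-resolv: ignore /etc/resolv.conf and use only the server= lines below,
# so nothing falls back to the ISP resolver.
no-resolv
server=10.64.0.1
cache-size=10000
# Domain blocking for the VPN clients: answer with 0.0.0.0 (sinkhole).
address=/ads.example/0.0.0.0
```

If 10.64.0.1 is only reachable inside the tunnel, the pbr policy is what keeps the second instance working; without it, the queries to that address would simply fail rather than leak, which is the behaviour you want from this piece.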

Seriously, how much are they paying you for each one of these posts?!?

1 Like

Cheers! Everything is running smoothly now. 2 questions left:

1. As explained earlier, I have this kill-switch configured:
root@OpenWrt:~# cat /etc/config/firewall
config rule
	option name 'No WAN/WAN6 for connected devices'
	list proto 'all'
	option src '*'
	option dest 'wan'
	option target 'REJECT'

config rule
	option name 'Router still allowed to access WAN/WAN6'
	list proto 'all'
	option src '*'
	list src_ip '192.168.1.1'
	option dest 'wan'
	option target 'ACCEPT'

This works fine. What I am still missing, though, is a kill-switch for the VPN DNS. I want every bit of traffic that goes through the VPN to be allowed only with the DNS of the VPN interface. At the moment, when I turn off the pbr DNS rule or restart pbr entirely, my ISP DNS is leaked:

config policy
	option name 'All LAN devices use VPN'
	option src_addr '@br-lan'
	option interface 'wg0'

config dns_policy
	option name 'All LAN devices use VPN DNS'
	option src_addr '@br-lan'
	option dest_dns 'wg0'
2. I'm not 100% happy with the domain-based solution regarding the speedtest. It does appear to be working as of now, but it's not the perfect flexible solution I'm looking for. Can I use a pbr rule to force the traffic of my router itself to go through the VPN interface as well? (without it stopping working like earlier :smiley:)

This rule doesn't seem to do anything at all:

config policy
	option name 'Router itself uses VPN'
	option src_addr '192.168.1.1'
	option chain 'output'
	option interface 'wg0'

You can try to make a firewall rule to block port 53 for your LAN clients both to the router (INPUT) and to the internet (FORWARD), but this rule must come after the PBR DNS rule.

You might consider turning things around: route everything via the VPN by default and only make the exceptions you want. But you might end up with more or less the same problems.

The router itself uses the OUTPUT chain, so using this chain will route traffic from the router itself.
Note that the router must still be able to route via the WAN, e.g. traffic for the VPN endpoint and traffic of clients which are using the WAN.

So that needs careful planning, good luck with that.

If you are satisfied with the result so far, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :slight_smile:

1 Like
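The two firewall rules suggested above (block port 53 from the LAN towards the router's INPUT chain and towards the WAN in FORWARD), written out as an added example in the same /etc/config/firewall style as the kill-switch earlier in the thread; this is constructed, not the poster's configuration. It assumes wg0 sits in its own firewall zone rather than in 'wan', otherwise the second rule would also reject the queries pbr redirects to the VPN resolver. Port 853 (DNS over TLS) is included so a client cannot sidestep the block with an encrypted resolver on the WAN; DNS over HTTPS on 443 cannot be caught by a port rule at all.

```text
# /etc/config/firewall, added example (constructed)
# Both rules belong after the PBR DNS policy, as said above.

# INPUT: LAN clients may no longer ask the router's own resolver directly.
# With the PBR DNS policy active their queries are redirected to the VPN
# resolver before reaching INPUT, so this only bites when that policy is gone.
config rule
	option name 'Block LAN DNS to router'
	option src 'lan'
	option proto 'tcp udp'
	option dest_port '53 853'
	option target 'REJECT'

# FORWARD: nor may they reach any resolver via the WAN (hard-coded 8.8.8.8
# style settings on a client, or the ISP resolver). Traffic forwarded into the
# wg0 zone is unaffected because this rule is limited to dest 'wan'.
config rule
	option name 'Block LAN DNS to WAN'
	option src 'lan'
	option dest 'wan'
	option proto 'tcp udp'
	option dest_port '53 853'
	option target 'REJECT'
```

With the PBR DNS policy disabled, clients then fail closed (no name resolution) instead of falling through to the ISP resolver; names a client has cached locally keep working until the cache entries expire, which is the effect described a little further down in this thread.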

This seems to work a little:

config rule
	option src 'lan'
	option dest_port '53'
	option target 'REJECT'

As soon as I disable the DNS pbr rule for the VPN, connected devices can't access websites any more that haven't been visited before. For some reason 'known' websites still work and use the VPN DNS. Not sure why. Router still uses ISP DNS.

Why isn't that working then?

config policy
	option name 'Router itself uses VPN'
	option src_addr '192.168.1.1'
	option chain 'output'
	option interface 'wg0'

Because clients can have a DNS cache.

Because 192.168.1.1 is not the address of the router but the address of br-lan.
The OUTPUT chain does not need an address, as it only applies to traffic coming from the router itself.
Note my earlier warning about doing this.

At the moment I have other things to do, so I cannot assist you right now. Good luck with it for now, but I am sure others will chime in.

I even got a warning to back off:

You’ve posted a lot in this topic! Consider giving others an opportunity to reply here and discuss things with each other as well.

When I do this, I get an error (no specifics):

config policy
	option name 'Router itself uses VPN'
	option chain 'output'
	option interface 'wg0'

lol. I really do appreciate your help a lot. Thanks!