Routing DNS through VPN

Dumb question time - I have set:

And I also use my own VPN PBR (netifd, right?) with the following IP rules:

Resulting in:

root@OpenWrt:~# ip rule
0:      from all lookup local
10000:  from 192.168.1.1 lookup br-lan
10000:  from 10.241.219.131 lookup wan
10000:  from 10.5.0.2 lookup vpn
14000:  from all to 192.168.8.1 iif br-lan lookup wan
14000:  from 192.168.1.10 iif br-lan lookup wan
14000:  from 192.168.1.9 iif br-lan lookup wan
14000:  from 192.168.1.8 iif br-lan lookup wan
14000:  from all iif wan lookup veth-lan
14000:  from all iif vpn lookup veth-lan
15000:  from all iif br-lan lookup vpn
20000:  from all to 192.168.1.1/24 lookup br-lan
20000:  from all to 10.241.219.131/8 lookup wan
20000:  from all to 10.5.0.2 lookup vpn
32766:  from all lookup main
32767:  from all lookup default
40000:  from all iif br-lan lookup wan
90007:  from all iif lo lookup wan
90014:  from all iif lo lookup br-lan
90016:  from all iif lo lookup veth-lan
90022:  from all iif lo lookup vpn

But DNS queries from my router are going straight to WAN.

What should I set to ensure DNS queries go through VPN?

I guess:

15000: from all iif br-lan lookup vpn

Is not covering traffic from 192.168.1.1?

@vgaetera any ideas?

If the source is the router itself, then you must use iif lo


Hey, thanks it worked - now I have:

root@OpenWrt:~# ip rule
0:      from all lookup local
10000:  from 192.168.1.1 lookup br-lan
10000:  from 10.241.219.131 lookup wan
10000:  from 10.5.0.2 lookup vpn
14000:  from all iif wan lookup veth-lan
14000:  from all iif vpn lookup veth-lan
14000:  from 192.168.1.8 iif br-lan lookup wan
14000:  from 192.168.1.9 iif br-lan lookup wan
14000:  from 192.168.1.10 iif br-lan lookup wan
14000:  from all to 192.168.8.1 iif br-lan lookup wan
15000:  from all iif br-lan lookup vpn
15000:  from all iif lo lookup vpn
20000:  from all to 192.168.1.1/24 lookup br-lan
20000:  from all to 10.241.219.131/8 lookup wan
20000:  from all to 10.5.0.2 lookup vpn
32766:  from all lookup main
32767:  from all lookup default
40000:  from all iif br-lan lookup wan
90007:  from all iif lo lookup wan
90014:  from all iif lo lookup br-lan
90016:  from all iif lo lookup veth-lan
90040:  from all iif lo lookup vpn

So compared to what I had, I now have an extra 15000 priority rule:

15000:  from all iif lo lookup vpn

Does this seem right? Certainly tcpdump now shows DNS requests from the router going through VPN.

By the way, maybe you can help me with another routing question since you seem like an expert?

As reflected in the IP rules above, I route download traffic from both WAN and VPN to go through 'veth-lan', which is one end of a veth pair, the other end of the pair being 'veth-br', the latter being a part of 'br-lan'.

This trick allows me to apply SQM on veth-lan to handle the combined VPN and non-VPN flows through my LTE connection. But unfortunately it does not catch download traffic destined for the router itself.

Is it possible to have traffic destined for the router itself, i.e. traffic with destination 192.168.1.1 go via veth-lan?

The reason being that I really want all download traffic to go via veth-lan, whereas now it is everything except download to the router, which instead bypasses veth-lan.

Any thoughts?

Traffic destined to the router will certainly not hit the br-lan interface, but the wan interface. I guess you'll have to apply SQM on the wan interface as well.

Is there a way you can think of to have traffic destined to the router go from WAN through to veth-lan (in the same way that traffic for br-lan goes from either WAN or VPN through to veth-lan)? You see, I am trying to have just one CAKE instance for upload and one instance for download so that I get flow fairness across all the flows that are passed over the LTE connection.

I really don't think that's possible. You don't want traffic destined for the router to be sent by the veth. My advice would be to just ignore traffic destined to the router, because it should be a tiny fraction of the total traffic.


Intriguingly I found that:

Initially worked, but eventually resulted in loss of internet connectivity. That seemed a nice sort of 'catch all' to catch any outgoing traffic originating from router and ensure it goes through VPN.

So I have instead opted for:

14000:  from all to 185.228.168.168 lookup vpn
14000:  from all to 185.228.169.168 lookup vpn

Does that look OK for redirecting outgoing DNS queries from the router to VPN rather than WAN?

I'm not sure what the correct way to do any of this is. Will my router still use DNS caching?

You need to add a rule so that traffic from "iif lo" to the VPN server uses wan, with higher priority.


Does setting up the VPN tunnel require a DNS query? If yes, and you lose the VPN, it won't be able to start up again. Make sure you use IP addresses for the VPN endpoint and then it might work better.

You might also want a hotplug rule to change the routing if the VPN goes down.

Would you be able to put that another way? I can't compute.

Traffic trying to reach the VPN server obviously can't go inside the VPN tunnel (it is the tunnel); it needs to be sent out the actual wan. So you need an earlier rule that selects wan for traffic going to the VPN provider.


Right - thanks both!

How do I know whether DNS caching is being used? I have different DNS for televisions (to get round CleanBrowsing's filters for YouTube).

DNS traffic will use the same rules that you have. However if the nameservers belong to your ISP, then you must use the wan uplink to reach them, as they won't allow IPs outside their address space to use recursion.
Regarding caching, it usually is being used for as long as the TTL of the record is configured.

Thanks. So I have this set up in firewalls:

Will caching apply in respect of the 8.8.8.8 hijacks and also the router hijacks to the custom DNS I have set?

I am not sure what you have done there, so my answer might be wrong.
In the first redirect you are forcing dns queries pointed to the router to go to GoogleDNS? Why not advertise GoogleDNS directly to that host?
In the second redirect you hijack everything to dnsmasq, so dnsmasq will be caching the answers.

Wouldn't that then get hijacked by the router?

The context is I want to block immoral material using CleanBrowsing but allow televisions to access YouTube material without restriction.

Ah great - this is most important since the televisions are only the exception. So I'm more bothered about caching everything else.

You can add a rule to circumvent the hijack for this mac address.


I use WireGuard with source IP: 10.5.0.2. Rather than setting traffic to VPN server IP to use WAN can I instead have traffic from iif lo with source 10.5.0.2 use WAN? I tried to set this, but this gave rule:

14000: from 10.5.0.2 iif lo lookup wan

Does that seem right?

So in sum I have:

14000:  from 10.5.0.2 iif lo lookup wan
15000:  from all iif br-lan lookup vpn
15000:  from all iif lo lookup vpn

No, that is wrong.
Although I need to say that it would be easier to set up the policy routing with the pbr package.
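The three routing points made in this thread (router-generated traffic only matches `iif lo`; traffic to the VPN endpoint needs an earlier rule that selects wan; matching on `from 10.5.0.2` does not do that) can be checked without a router. The following is an added example, not code from the thread or from the pbr package: a small simulator of `ip rule` selection, fed with the poster's original rule list. The route-table contents and the VPN endpoint address 203.0.113.10 are constructed for the demo; a `main` result stands for "straight to WAN", since in the poster's setup the default route in `main` points at wan. The simulator treats a locally generated packet the way the kernel sees it at rule-evaluation time: ingress interface `lo` and, unless the application bound an address, no source address yet, which is why `from 10.5.0.2 iif lo lookup wan` never matches the outer WireGuard packet.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Rule:
    priority: int
    lookup: str
    src: Optional[str] = None  # None == "from all"
    dst: Optional[str] = None  # None == any destination
    iif: Optional[str] = None  # None == any ingress interface


def parse_ip_rule(text: str) -> List[Rule]:
    """Parse lines as printed by `ip rule`, e.g. '14000:  from all iif lo lookup vpn'."""
    rules = []
    for line in text.strip().splitlines():
        prio, _, rest = line.partition(":")
        toks = rest.split()
        kv = {toks[i]: toks[i + 1] for i in range(0, len(toks) - 1, 2)}
        rules.append(Rule(priority=int(prio), lookup=kv["lookup"],
                          src=None if kv.get("from", "all") == "all" else kv["from"],
                          dst=kv.get("to"), iif=kv.get("iif")))
    return sorted(rules, key=lambda r: r.priority)  # stable sort: ties keep listing order


def _matches(prefix: Optional[str], addr: Optional[str]) -> bool:
    if prefix is None:
        return True
    if addr is None:
        return False  # an unspecified source never satisfies a `from X` selector
    # strict=False accepts host-bit prefixes such as 192.168.1.1/24, as ip rule prints them
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix, strict=False)


def select_table(rules: List[Rule], tables: Dict[str, List[str]],
                 dst: str, iif: str, src: Optional[str] = None) -> Optional[str]:
    """Rules are tried by ascending priority; a matching rule whose table has no
    route for dst is skipped, exactly as the kernel continues to the next rule."""
    for r in rules:
        if r.iif is not None and r.iif != iif:
            continue
        if not _matches(r.src, src) or not _matches(r.dst, dst):
            continue
        if any(_matches(p, dst) for p in tables.get(r.lookup, [])):
            return r.lookup
    return None


# Constructed route tables mirroring the thread's interfaces (not dumped from a real box).
TABLES = {
    "local":    ["127.0.0.0/8", "192.168.1.1/32", "10.241.219.131/32", "10.5.0.2/32"],
    "br-lan":   ["192.168.1.0/24"],
    "veth-lan": ["192.168.1.0/24"],
    "wan":      ["10.0.0.0/8", "0.0.0.0/0"],
    "vpn":      ["10.5.0.0/24", "0.0.0.0/0"],
    "main":     ["192.168.1.0/24", "10.0.0.0/8", "10.5.0.0/24", "0.0.0.0/0"],
    "default":  [],
}
DNS = "185.228.168.168"        # CleanBrowsing resolver named in the thread
VPN_ENDPOINT = "203.0.113.10"  # hypothetical WireGuard peer; not from the thread

ORIGINAL = """\
0:      from all lookup local
10000:  from 192.168.1.1 lookup br-lan
10000:  from 10.241.219.131 lookup wan
10000:  from 10.5.0.2 lookup vpn
14000:  from all iif wan lookup veth-lan
14000:  from all iif vpn lookup veth-lan
15000:  from all iif br-lan lookup vpn
20000:  from all to 192.168.1.1/24 lookup br-lan
20000:  from all to 10.241.219.131/8 lookup wan
20000:  from all to 10.5.0.2 lookup vpn
32766:  from all lookup main
32767:  from all lookup default
"""
IIF_LO_VPN = "15000:  from all iif lo lookup vpn\n"
SRC_WG_VIA_WAN = "14000:  from 10.5.0.2 iif lo lookup wan\n"
ENDPOINT_VIA_WAN = f"14000:  from all to {VPN_ENDPOINT} iif lo lookup wan\n"


def router_packet(extra_rules: str, dst: str) -> Optional[str]:
    """Table chosen for a router-generated packet under ORIGINAL plus extra rule lines."""
    return select_table(parse_ip_rule(ORIGINAL + extra_rules), TABLES, dst=dst, iif="lo")


if __name__ == "__main__":
    print(router_packet("", DNS))                                      # main: DNS leaves via WAN
    print(router_packet(IIF_LO_VPN, DNS))                              # vpn
    print(router_packet(IIF_LO_VPN, VPN_ENDPOINT))                     # vpn: endpoint routed into its own tunnel
    print(router_packet(IIF_LO_VPN + SRC_WG_VIA_WAN, VPN_ENDPOINT))    # vpn: outer packet is not from 10.5.0.2
    print(router_packet(IIF_LO_VPN + ENDPOINT_VIA_WAN, VPN_ENDPOINT))  # wan
```

The last two results are the point of the closing replies: adding `from 10.5.0.2 iif lo lookup wan` leaves the endpoint traffic in the `vpn` table, while a `to <endpoint> iif lo lookup wan` rule at a lower priority number than the `iif lo lookup vpn` catch-all sends it out wan. Swapping the constructed endpoint for the real peer address and pasting a live `ip rule` listing into `ORIGINAL` lets the same check be run against an actual configuration before committing it.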

Please can you elaborate?