Using the VPN DNS - Split Tunneling with PBR and an OpenVPN Client

sTeve51 · December 24, 2024, 6:54pm

I have 2 VPNs instances running, they work as expected. I use PBR to manage the VPN policy which also works normal, the goal I want to achieve is to use the VPN DNS when I make a policy to send traffic to a VPN interface, with the policy based on domain names specifically. I am using AdGuard home, I installed it following the official OpenWrt documentation.

Trying a DNS leak test, I made a policy to send the https://browserleaks.com/dns traffic through my "vpndom" instance, it shows the VPN IP, but it is using the DNS from AdGuard Home, it should show the DNS from the VPN thus it would be the DNS of the country I am connected to.

I don't want to use my AdGuard DNS for the traffic sent though the VPN, not only with policies based on domain name. I tried to use the DNS policies options we have on PBR, but I had no success on that.

I am trying this on a GL.iNet MT3000 and with the original firmware it works the way I explained, showing the VPN IP and the VPN DNS when I set a policy based on domain name.
Thanks in advance.

egc · December 25, 2024, 7:17am

The PBR DNS policies do not work as intended if there is another DNS hijacking (force DNS redirection) active.
If you are using the Adguard package on the router then that could use DNS hijacking, if so disable DNS hijacking.

Furthermore if you have implemented IPv6 you also have to take care of a DNS policy which also redirects IPv6, so use MAC address or interface and redirect to your VPN interface which has IPv4 and IPv6 DNS addresses or make two rules one with an IPv4 DNS address and one with an IPv6 DNS address, also described in my notes see link below

For some background reading:

sTeve51 · December 28, 2024, 3:16am

yes, I have AdGuard listening on 192.168.1.1:53 and for some other interfaces like guest I have the AdGuard DNS as a DHCP option because it is not using the DNS on the tunnel so it just does not work