I have the following simple experimental setup:
- A DSL router with an interface connected to a private LAN (192.168.2.0/24)
- A Raspberry Pi acting as a VPN router in the same range (192.168.2.14)
- One physical interface on the pi (eth0)
- Two virtual devices (br-lan and tun0)
I have set the addresses of the VPN provider's DNS under "DNS-forwardings"
and also put them in /etc/resolv.conf.
Yet dnsleaktest shows the VPN DNS as well as all of my ISP's DNS servers.
Do I have to restrict forwarding of DNS requests to the tunnel interface only?
How do your client devices use the Pi's VPN connection? If they are connected to your DSL router, they won't use the VPN by default unless you have done something to enable this. Have you verified that your devices are indeed running through the tunnel (you can compare the apparent IP address by googling "what's my IP" vs the WAN of your DSL router, assuming you do have a standard public IP on the WAN).
What OS is your Pi running -- I assume it is OpenWrt?
What about the DSL modem?
I assume you've done this in your OpenWrt Pi setup?
Clients, dsl-modem/router and pi are using the same switch (actually multiple switches).
The idea is that the clients can decide to either route through the DSL-Router
or the Pi by specifying the corresponding gateway IP.
The clients are indeed using the VPN tunnel as well as the correct DNS.
It's just that dnsleaktest shows the ISP's DNS in addtion to the VPN's DNS. I'm assuming that dnsmasq
is forwarding requests to both the router/modem as well as the VPN's DNS.
The OS on the Pi is OpenWrt, the OS on the router/modem is an unknown
OS provided by the ISP.
yes, I've entered the IPs of the VPN-DNS in Luci in the box labeled "DNS-Forwardings"
and in addition added them manually to /etc/resolv.conf and removed all previous entries
(which were just loopback IPs for ipv4 and ipv6)..
I'm using Luci (and ssh) on openwrt-21.02 branch (git-21.340.48972-61cc3b1)(https://github.com/openwrt/luci) / OpenWrt 21.02.1 r16325-88151b8303
What do the client devices have as their DNS info? If they have the dsl modem/router as one of their DNS servers, it would be the clients themselves that are causing the problem, not OpenWrt/VPN.
On the client side I've tried assigning the IP of the Pi as DNS (in which case it should forward DNS lookups to the VPN), as well as assigning the IPs of the VPN's DNS directly as primary and secondary DNS.
In both cases the extended test at dnsleaktest.com shows the correct DNS as the first result but in addition to that it also shows the addresses of my ISP's DNS.
Now I could simply add a firewall rule on the Pi to block my ISP's DNS, but I'd like to understand why it does that. I'm still suspecting that dnsmasq is somehow misconfigured on the pi and
forwards requests to both VPN and DSL-modem.
uci show dhcp; head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
==> /etc/resolv.bac <==
==> /etc/resolv.conf <==
==> /tmp/resolv.conf <==
==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error
==> /tmp/resolv.conf.d/resolv.conf.auto <==
# Interface lan
interfaces "lan" and "wan" don't exist, only "eth0", the bridge interface "br-lan" and the tunnel interface "tun0" do. 192.168.2.1 would be the address of the dsl modem/router. The two public IPs are the DNS of the VPN provider (surfshark).