I have a wan(6) external interface and a ProtonVPN external interface.
All clients of the VLAN called ProtonLAN have their traffic routed via ProtonVPN. This is accomplished with a routing table numbered 100.
All other clients route their traffic via wan(6).
The wan (IPv4) interface is configured to use 10.2.0.1 as its upstream DNS server.
10.2.0.1 is a DNS service provided through ProtonVPN.
I have installed the bind-dig package on OpenWrt.
How do I check that OpenWrt itself is, in fact, using 10.2.0.1 for upstream DNS queries?
My LAN clients are using pi-holes which are configured to use Quad9 DNSSEC at the moment. I suppose if I configure my PC to use OpenWrt for its DNS temporarily, that will test that dnsmasq is using 10.2.0.1 through https://dnsleaktest.com?
If you set this as your only DNS server (and to be sure you do not have a DNS leak you probably want to) then you might end up in a catch-22 situation.
After a reboot you need to get the current time and resolve the tunnel endpoint, but you cannot because DNS is only available after the tunnel is up.
If you do not have this problem or you overcame this hurdle (there are scripts which change the DNS server after the tunnel is up) then note that the DNS server is used by DNSMasq, which sits on the router and will use the default gateway, which probably is the WAN, unless 10.2.0.1 is in the VPN's subnet.
The ProtonVPN IP is 10.2.0.2. 10.2.0.1 is the DNS server Proton advises using when using their tunnel.
I tried changing the DNS server on my workstation to be 192.168.26.1 (the IP address of OpenWrt on this VLAN) and https://dnsleaktest.com still shows my ISPs IP address.
Thanks for the heads up about time-keeping, I will search for that script you mentioned once I get past this step.
What I want to achieve is to make the 2 pi-holes use OpenWrt as their upstream DNS, which in turn uses the Proton tunnel for upstream DNS. That way, the pi-holes deal with ads and malware etc., while OpenWrt does DNS.
If OpenWrt is set to option peerdns '0' and list dns '10.2.0.1', why is https://dnsleaktest.com showing my ISPs IP?
Is it because the rest of the traffic is going through that wan gateway?
I have 5 VLANs each with their own subnet range, 2 gateways (one from ISP, one from Proton) and 2 pi-holes doing DNS not DHCP.
All (V)LAN clients get their DHCP addresses from OpenWrt (some are static leases). I use DHCP Option 6 on each subnet to allocate the pi-holes as DNS servers (except ProtonLAN). The pi-holes are currently configured to use Quad9 DNSSEC.
The VLAN named ProtonLAN has its traffic forced over gateway ProtonVPN using an IP table rule. DHCP Option 6 for this subnet is 10.2.0.1 (so the pi-holes are not used for traffic going out through the tunnel).
All other VLANs use wan as their gateway; this is the ISP gateway. These clients use the pi-holes for DNS.
I couldn't think of an elegant way of making the pi-holes use the ProtonVPN tunnel for upstream DNS, so I decided I would like to configure the pi-holes to use OpenWrt as their upstream DNS and then configure OpenWrt to route all upstream DNS requests to 10.2.0.1 (via the tunnel).
I still want other LAN clients to use the ISP gateway for other traffic at the moment, but I want ALL DNS traffic to go through the ProtonVPN gateway.
Does this make sense?
If there is an elegant way of letting the pi-holes use 10.2.0.1 via the ProtonVPN tunnel, then I would consider that as a solution, but I would rather use OpenWrt as the only DNS route to the outside world.
That is fine, so all VPN clients are using the DNS server of the VPN provider, so why bother with using the VPN DNS server for WAN traffic?
This will result in some websites (your bank, Amazon, Netflix, etc.) balking at this, as you now have a DNS leak (DNS takes another route than regular traffic).
I tried tcpdump -vn -i ProtonVPN port 53, which responds: tcpdump: listening on ProtonVPN, link-type RAW (Raw IP), snapshot length 262144 bytes
However, there is still nothing observed when using nslookup in LuCI?
Main reason being, I have to trust someone and I would prefer to trust only Proton. If there are going to be issues with DNS leaks as you point out, I may have to just send all traffic through the VPN, except nginx and certbot which are in Incus containers and are relying on my static public IP.
I have noticed some occasional slow-downs with ProtonVPN (I am a paid member), so I was hoping to have a backup that still obscures my DNS requests as much as possible.
This is like trying to ad-block the YT app: ProtonVPN is going to use whatever DNS it is set to (other than manually setting each device's DNS).
It might be a setting in the app, since they (ProtonVPN) allude to the ability to choose a DNS other than theirs.
I added a route for 10.2.0.1/32 to go out over ProtonVPN in LuCI and it appears to be working as expected.
tcpdump -vn -i ProtonVPN port 53 now shows activity and responds showing DNS traffic going from 10.2.0.2 (the address of the ProtonVPN interface), to 10.2.0.1, for DNS queries.
You need to create an IPv4 route for 10.2.0.1/32 via the WG tunnel (you need to also ensure in the firewall that your interface is setup to masquerade traffic egressing to ProtonVPN).
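The check this thread ends up doing by hand (tcpdump on the tunnel, then adding the /32 route) can be scripted so it is repeatable after every reboot or config change. The block below is an added example, not code from the thread, from OpenWrt or from Proton: it takes the resolvers dnsmasq actually uses and, for each one, asks which interface the packets would leave through, flagging any that would exit via the WAN instead of the tunnel. On the router the two inputs come from `grep '^nameserver' /tmp/resolv.conf.d/resolv.conf.auto` and `ip route get 10.2.0.1`; here both are replaced by constructed sample strings so the script runs anywhere offline. The interface names (ProtonVPN, wan) and the 10.2.0.x addresses follow the thread; the 203.0.113.x WAN addresses are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): verify that every upstream resolver
# dnsmasq uses would be reached through the VPN tunnel, not the WAN.
#
# Live inputs on OpenWrt (replace the two sample functions at the bottom):
#   grep '^nameserver' /tmp/resolv.conf.d/resolv.conf.auto   # what dnsmasq uses
#   ip route get <resolver>                                    # which dev it exits
# Everything marked CONSTRUCTED below is sample data, not captured output.

TUNNEL_DEV="${TUNNEL_DEV:-ProtonVPN}"   # tunnel interface name, as in the thread

# Extract the egress interface from one line of `ip route get` output.
#   "10.2.0.1 via 203.0.113.1 dev wan src 203.0.113.50 uid 0"  ->  "wan"
route_dev() {
    printf '%s\n' "$1" | sed -n 's/.* dev \([^ ]*\).*/\1/p'
}

# Verdict for one resolver: prints OK or LEAK, returns 0 (ok) or 1 (leak).
#   $1 = resolver address, $2 = the `ip route get $1` line for it
check_resolver() {
    _dev=$(route_dev "$2")
    if [ "$_dev" = "$TUNNEL_DEV" ]; then
        printf 'OK   %s exits via %s\n' "$1" "$_dev"
        return 0
    fi
    printf 'LEAK %s exits via %s (expected %s)\n' "$1" "${_dev:-unknown}" "$TUNNEL_DEV"
    return 1
}

# Check every "nameserver X" line in resolv.conf-style text ($1) using a
# lookup function ($2) that maps an address to its `ip route get` line.
# Return value is the number of resolvers that would leak.
check_all() {
    _leaks=0
    for _ns in $(printf '%s\n' "$1" | awk '$1 == "nameserver" {print $2}'); do
        check_resolver "$_ns" "$("$2" "$_ns")" || _leaks=$((_leaks + 1))
    done
    return $_leaks
}

# --- CONSTRUCTED sample data ------------------------------------------------
# What resolv.conf.auto looks like with peerdns '0' and dns '10.2.0.1' on wan.
RESOLV_AUTO='# Interface wan
nameserver 10.2.0.1'

# Before the /32 route: 10.2.0.1 is on no local subnet, so the kernel hands
# it to the default route, i.e. the WAN, which is what the OP observed.
route_before() { printf '%s\n' "10.2.0.1 via 203.0.113.1 dev wan src 203.0.113.50 uid 0"; }

# After adding the host route for 10.2.0.1 over the tunnel (the fix above).
route_after()  { printf '%s\n' "10.2.0.1 dev ProtonVPN src 10.2.0.2 uid 0"; }

if [ "${1:-}" = "demo" ]; then
    echo "before adding the route:"; check_all "$RESOLV_AUTO" route_before; echo "leaks: $?"
    echo "after adding the route:";  check_all "$RESOLV_AUTO" route_after;  echo "leaks: $?"
fi
```

Run with `sh check-dns-route.sh demo` to see the before/after verdicts. The LuCI route the thread adds corresponds, in uci terms (interface name assumed to be the thread's ProtonVPN), to: uci add network route; uci set network.@route[-1].interface='ProtonVPN'; uci set network.@route[-1].target='10.2.0.1'; uci set network.@route[-1].netmask='255.255.255.255'; uci commit network; /etc/init.d/network reload. After that, `ip route get 10.2.0.1` on the router should name the tunnel interface, and the tcpdump from the thread should show queries leaving from 10.2.0.2.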
Thanks for your help. I hadn't considered that OpenWrt was sending DNS requests via the default gateway and that I needed to force DNS requests to 10.2.0.1 through the tunnel (of course).
I think what threw me was that OpenWrt was still resolving despite the option peerdns '0' and list dns '10.2.0.1' directives. I guess I thought it should simply stop resolving anything, whereas in fact it sent DNS requests via wan instead. Why does it continue to resolve and go against the configuration?
Or put another way, how would I force OpenWrt to only ever resolve DNS via a specific address?