wildcat2083 DD-WRT Novice Joined: 10 Apr 2016 Posts: 24
Posted: Wed Mar 29, 2017 3:48 Post subject: (OLD) DD-WRT (Openvpn client) DNS Leak help
Here is the issue I am facing
I currently have static DNS addresses assigned to DD-WRT:
8.8.8.8
8.8.4.4
and 10.0.0.0 <<< that's just a dummy one
I have both a VPN server and client set up through DD-WRT.
I've got the proper rules, firewall etc. all set up and it all works,
except one thing. Due to having web servers and such running, I was forced to use policy based routing for my local clients and my VPN clients so all the internet traffic would pass properly through the VPN (the client, a paid service) and I could still use things like SSH and whatever without the VPN breaking it. The problem is the DNS that the VPN pushes (again from the paid service, not my server): the router uses the static assigned Google DNS setting supplied in the main page instead. How do I make any IP in the policy based routing use ONLY the DNS provided by the paid VPN service? I've tried iptables and the route command, and nothing aside from manually changing the clients individually works. That can be cumbersome, as every time the VPN reconnects its DNS changes.
Any logs or configuration needed, please tell me; I will copy and paste any additional info:
netstat
route commands etc
Startup Box
Code:
#!/bin/sh
export DEBUG= # uncomment/comment to enable/disable debugging mode

# ---------------------------------------------------------------------------- #
# ddwrt-ovpn-table-10-fix.sh: v2.0.0, 28 February 2017, by eibgrad
# bug report: http://svn.dd-wrt.com/ticket/5690
# install this script in the dd-wrt startup script
# ---------------------------------------------------------------------------- #

SCRIPT_DIR="/tmp"
SCRIPT="$SCRIPT_DIR/ddwrt-ovpn-table-10-fix.sh"

mkdir -p $SCRIPT_DIR

cat << "EOF" > $SCRIPT
#!/bin/sh
(
[ "${DEBUG+x}" ] && set -x

MAX_PASS=0 # max number of passes through routing tables (0=infinite)
SLEEP=60   # time (in secs) between each pass

# ---------------------- DO NOT CHANGE BELOW THIS LINE ----------------------- #

TID="10"
ROUTES="/tmp/tmp.$$.routes"

# initialize this run
pass_count=0

while :; do
    # initialize this pass
    pass_count=$((pass_count + 1))
    table_changed=false

    # wait for creation of OpenVPN client alternate routing table
    while [ ! "$(ip route show table $TID)" ]; do sleep 10; done; sleep 3

    echo "$(ip route show | \
        grep -Ev '^default|^0.0.0.0/1|^128.0.0.0/1')" > $ROUTES

    # add routes to pbr found in main routing table
    while read route; do
        if ! ip route show table $TID | grep -q "$route"; then
            ip route add $route table $TID && table_changed=true
        fi
    done < $ROUTES

    echo "$(ip route show table $TID | grep -Ev '^default')" > $ROUTES

    # remove routes from pbr not found in main routing table
    while read route; do
        if ! ip route show | grep -q "$route"; then
            ip route del $route table $TID && table_changed=true
        fi
    done < $ROUTES

    # force routing system to recognize our changes
    [[ $table_changed == true ]] && ip route flush cache

    # quit if we've reached any execution limits
    [ $MAX_PASS -gt 0 ] && [ $pass_count -ge $MAX_PASS ] && break

    # put it to bed for a while
    [ $SLEEP -gt 0 ] && sleep $SLEEP
done

# cleanup
rm -f $ROUTES

echo "done"
exit 0
) 2>&1 | logger -t $(basename $0)[$$]
EOF

chmod +x $SCRIPT
nohup $SCRIPT > /dev/null 2>&1 &
Firewall Box
Code:
#!/bin/sh

# name: ddwrt-ovpn-pbr-block-wan.sh
# version: 2.0.2, 12-Feb-2016, by eibgrad
# purpose: block access LAN->WAN for IPs in OpenVPN client policy based routing
# script type: firewall
# dd-wrt ref: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=288852

# instructions:
#   1. set VPN_ENABLED_ONLY to your preference
#   2. set FW_STATE to your preference
#   3. install this script in the router's firewall script
#   4. reboot router

VPN_ENABLED_ONLY="1" # (0 = apply rules 24/7, 1 = apply rules only if VPN enabled)

# state checking: "state NEW" vs. no state
#   state NEW (default):
#     * any pre-existing LAN->WAN connections persist until/unless they timeout/close
#     * remote access (WAN->LAN) is allowed (provided port forwarding is enabled)
#     * more efficient (only LAN->WAN packets used to establish NEW connections are inspected)
#   no state:
#     * any pre-existing LAN->WAN connections are stopped/blocked
#     * remote access (WAN->LAN) is denied (even if port forwarding is enabled)
#     * less efficient (every LAN->WAN packet is inspected)
FW_STATE="-m state --state NEW"
#FW_STATE="" # uncomment/comment to disable/enable state checking

WAN_IF="$(ip route | awk '/^default/{print $NF}')"
FW_CHAIN="blocked-ips"

# cleanup from possible prior execution
(
    iptables -D FORWARD -o $WAN_IF $FW_STATE -j $FW_CHAIN
    iptables -F $FW_CHAIN
    iptables -X $FW_CHAIN
) > /dev/null 2>&1

# quit if no IPs in policy based routing
[ -z "$(nvram get openvpncl_route)" ] && exit

# quit if vpn disabled (unless firewall rules still need to be enforced)
[[ "$(nvram get openvpncl_enable)" == "0" && "$VPN_ENABLED_ONLY" != "0" ]] && exit

# create firewall chain for blocked IPs
iptables -N $FW_CHAIN

# read IP addresses from OpenVPN client policy based routing
echo -e "$(nvram get openvpncl_route)" | \
while read ip; do
    ip=${ip//$'\r'}          # remove carriage returns
    [ -z "$ip" ] && continue # skip blank lines

    # block access LAN->WAN for this IP address
    iptables -A $FW_CHAIN -p tcp -s $ip -j REJECT --reject-with tcp-reset
    iptables -A $FW_CHAIN -s $ip -j REJECT --reject-with icmp-host-prohibited
done

# begin blocking: force LAN->WAN traffic thru firewall chain for inspection
iptables -I FORWARD -o $WAN_IF $FW_STATE -j $FW_CHAIN

iptables -I INPUT -p tcp --dport 81 -j ACCEPT
iptables -I INPUT -p udp --dport 81 -j ACCEPT
route -n
Code: root@DD-WRT:~# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 75.111.156.x 0.0.0.0 UG 0 0 0 eth0
10.8.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun2
10.86.1.201 0.0.0.0 255.255.255.255 UH 0 0 0 tun1
75.111.15x.0 0.0.0.0 255.255.252.0 U 0 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 br0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
netstat -r
Code: netstat -r
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
default 75-111-15x-x.lb 0.0.0.0 UG 0 0 0 eth0
10.8.0.0 * 255.255.255.0 U 0 0 0 tun2
10.86.1.201 * 255.255.255.255 UH 0 0 0 tun1
75.111.156.0 * 255.255.252.0 U 0 0 0 eth0
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
169.254.0.0 * 255.255.0.0 U 0 0 0 br0
192.168.1.0 * 255.255.255.0 U 0 0 0 br0
Policy Based Routing
Code: 192.168.1.15/32
192.168.1.100/30
192.168.1.104/29
192.168.1.112/28
192.168.1.128/28
192.168.1.144/30
192.168.1.148/31
10.8.0.0/24
openvpn logs (server and client)
Code: Serverlog:
19691231 18:00:38 W WARNING: file '/tmp/openvpn/ta.key' is group or others accessible
19691231 18:00:38 I OpenVPN 2.4.0 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jan 8 2017
19691231 18:00:38 I library versions: OpenSSL 1.0.2h 3 May 2016 LZO 2.09
19691231 18:00:38 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:14
19691231 18:00:38 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
19691231 18:00:38 Diffie-Hellman initialized with 2048 bit key
19691231 18:00:38 W WARNING: Your certificate is not yet valid!
19691231 18:00:38 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
19691231 18:00:38 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
19691231 18:00:38 I TUN/TAP device tun2 opened
19691231 18:00:38 TUN/TAP TX queue length set to 100
19691231 18:00:38 D do_ifconfig tt->did_ifconfig_ipv6_setup=0
19691231 18:00:38 I /sbin/ifconfig tun2 10.8.0.1 netmask 255.255.255.0 mtu 1500 broadcast 10.8.0.255
19691231 18:00:38 Socket Buffers: R=[180224->180224] S=[180224->180224]
19691231 18:00:38 I UDPv4 link local (bound): [AF_INET][undef]:1194
19691231 18:00:38 I UDPv4 link remote: [AF_UNSPEC]
19691231 18:00:38 MULTI: multi_init called r=256 v=256
19691231 18:00:38 IFCONFIG POOL: base=10.8.0.2 size=252 ipv6=0
19691231 18:00:38 IFCONFIG POOL LIST
19691231 18:00:38 I Initialization Sequence Completed
20170328 22:36:02 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20170328 22:36:02 D MANAGEMENT: CMD 'state'
20170328 22:36:02 MANAGEMENT: Client disconnected
20170328 22:36:02 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20170328 22:36:02 D MANAGEMENT: CMD 'state'
20170328 22:36:02 MANAGEMENT: Client disconnected
20170328 22:36:02 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20170328 22:36:02 D MANAGEMENT: CMD 'state'
20170328 22:36:02 MANAGEMENT: Client disconnected
20170328 22:36:02 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20170328 22:36:02 MANAGEMENT: Client disconnected
20170328 22:36:02 NOTE: --mute triggered...
20170328 22:36:02 1 variation(s) on previous 3 message(s) suppressed by --mute
20170328 22:36:02 D MANAGEMENT: CMD 'status 2'
20170328 22:36:02 MANAGEMENT: Client disconnected
20170328 22:36:02 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20170328 22:36:02 D MANAGEMENT: CMD 'status 2'
20170328 22:36:02 MANAGEMENT: Client disconnected
20170328 22:36:02 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20170328 22:36:02 D MANAGEMENT: CMD 'log 500'
19691231 18:00:00
dh /tmp/openvpn/dh.pem ca /tmp/openvpn/ca.crt cert /tmp/openvpn/cert.pem key /tmp/openvpn/key.pem keepalive 10 120 verb 3 mute 3 syslog writepid /var/run/openvpnd.pid management 127.0.0.1 14 management-log-cache 100 topology subnet script-security 2 port 1194 proto udp4 cipher aes-256-cbc auth sha512 client-connect /tmp/openvpn/clcon.sh client-disconnect /tmp/openvpn/cldiscon.sh client-config-dir /jffs/etc/openvpn/ccd comp-lzo yes tls-server ifconfig-pool-persist /tmp/openvpn/ip-pool 86400 push "redirect-gateway def1" tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA256 fast-io tun-mtu 1500 mtu-disc yes server 10.8.0.0 255.255.255.0 dev tun2 tls-auth /tmp/openvpn/ta.key 0 push "route 192.168.1.0 255.255.255.0" push "dhcp-option DNS 8.8.8.8" push "dhcp-option DNS 8.8.4.4" push "dhcp-option DNS 192.168.1.1"
Clientlog:
19691231 18:00:38 W WARNING: file '/tmp/openvpncl/client.key' is group or others accessible
19691231 18:00:38 W WARNING: file '/tmp/openvpncl/ta.key' is group or others accessible
19691231 18:00:38 W WARNING: file '/tmp/openvpncl/credentials' is group or others accessible
19691231 18:00:38 I OpenVPN 2.4.0 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jan 8 2017
19691231 18:00:38 I library versions: OpenSSL 1.0.2h 3 May 2016 LZO 2.09
19691231 18:00:38 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:16
19691231 18:00:38 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
19691231 18:00:38 W WARNING: Your certificate is not yet valid!
19691231 18:00:38 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
19691231 18:00:38 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
19691231 18:00:38 I TCP/UDP: Preserving recently used remote address: [AF_INET]147.255.39.xxx:1195
19691231 18:00:38 Socket Buffers: R=[180224->180224] S=[180224->180224]
19691231 18:00:38 I UDPv4 link local: (not bound)
19691231 18:00:38 I UDPv4 link remote: [AF_INET]147.255.39.250:1195
19691231 18:00:38 TLS: Initial packet from [AF_INET]147.255.39.xxx:1195 sid=7608d596 a390a426
19691231 18:00:38 W WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
19691231 18:00:38 N VERIFY ERROR: depth=1 error=certificate is not yet valid: C=VG ST=BVI O=ExpressVPN OU=ExpressVPN CN=ExpressVPN CA emailAddress=support@expressvpn.com
19691231 18:00:38 N OpenSSL: error:14090086:lib(20):func(144):reason(134)
19691231 18:00:38 N TLS_ERROR: BIO read tls_read_plaintext error
19691231 18:00:38 NOTE: --mute triggered...
19691231 18:00:38 2 variation(s) on previous 3 message(s) suppressed by --mute
19691231 18:00:38 I SIGUSR1[soft tls-error] received process restarting
19691231 18:00:38 Restart pause 5 second(s)
20170328 22:15:46 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20170328 22:15:46 I TCP/UDP: Preserving recently used remote address: [AF_INET]104.238.32.xxx:1195
20170328 22:15:46 Socket Buffers: R=[180224->180224] S=[180224->180224]
20170328 22:15:46 I UDPv4 link local: (not bound)
20170328 22:15:46 I UDPv4 link remote: [AF_INET]104.238.32.105:1195
20170328 22:15:46 TLS: Initial packet from [AF_INET]104.238.32.xxx:1195 sid=45c1cec4 66bbcd49
20170328 22:15:46 VERIFY OK: depth=1 C=VG ST=BVI O=ExpressVPN OU=ExpressVPN CN=ExpressVPN CA emailAddress=support@expressvpn.com
20170328 22:15:46 VERIFY OK: nsCertType=SERVER
20170328 22:15:46 NOTE: --mute triggered...
20170328 22:15:46 2 variation(s) on previous 3 message(s) suppressed by --mute
20170328 22:15:46 I [Server-927-1a] Peer Connection Initiated with [AF_INET]104.238.32.xxx:1195
20170328 22:15:46 Key [AF_INET]104.238.32.xxx:1195 [0] not initialized (yet) dropping packet.
20170328 22:15:46 Key [AF_INET]104.238.32.xxx:1195 [0] not initialized (yet) dropping packet.
20170328 22:15:46 Key [AF_INET]104.238.32.xxx:1195 [0] not initialized (yet) dropping packet.
20170328 22:15:46 NOTE: --mute triggered...
20170328 22:15:47 1 variation(s) on previous 3 message(s) suppressed by --mute
20170328 22:15:47 SENT CONTROL [Server-927-1a]: 'PUSH_REQUEST' (status=1)
20170328 22:15:47 PUSH: Received control message: 'PUSH_REPLY redirect-gateway def1 dhcp-option DNS 10.86.0.1 route 10.86.0.1 topology net30 ping 10 ping-restart 60 ifconfig 10.86.1.202 10.86.1.201'
20170328 22:15:47 OPTIONS IMPORT: timers and/or timeouts modified
20170328 22:15:47 NOTE: --mute triggered...
20170328 22:15:47 3 variation(s) on previous 3 message(s) suppressed by --mute
20170328 22:15:47 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
20170328 22:15:47 Data Channel Encrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
20170328 22:15:47 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
20170328 22:15:47 NOTE: --mute triggered...
20170328 22:15:47 1 variation(s) on previous 3 message(s) suppressed by --mute
20170328 22:15:47 I TUN/TAP device tun1 opened
20170328 22:15:47 TUN/TAP TX queue length set to 100
20170328 22:15:47 D do_ifconfig tt->did_ifconfig_ipv6_setup=0
20170328 22:15:47 I /sbin/ifconfig tun1 10.86.1.202 pointopoint 10.86.1.201 mtu 1500
20170328 22:15:48 I Initialization Sequence Completed
20170328 22:36:02 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20170328 22:36:02 D MANAGEMENT: CMD 'state'
20170328 22:36:02 MANAGEMENT: Client disconnected
20170328 22:36:02 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20170328 22:36:02 D MANAGEMENT: CMD 'state'
20170328 22:36:02 MANAGEMENT: Client disconnected
20170328 22:36:02 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20170328 22:36:02 D MANAGEMENT: CMD 'state'
20170328 22:36:02 MANAGEMENT: Client disconnected
20170328 22:36:02 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20170328 22:36:02 D MANAGEMENT: CMD 'status 2'
20170328 22:36:02 MANAGEMENT: Client disconnected
20170328 22:36:02 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20170328 22:36:02 D MANAGEMENT: CMD 'log 500'
19691231 18:00:00
ca /tmp/openvpncl/ca.crt cert /tmp/openvpncl/client.crt key /tmp/openvpncl/client.key management 127.0.0.1 16 management-log-cache 100 verb 3 mute 3 syslog writepid /var/run/openvpncl.pid client resolv-retry infinite nobind persist-key persist-tun script-security 2 dev tun1 proto udp4 cipher aes-256-cbc auth sha512 auth-user-pass /tmp/openvpncl/credentials remote usa-losangeles-ca-version-2.expressnetw.com 1195 comp-lzo yes redirect-private def1 route-noexec tun-mtu 1500 fragment 1300 mssfix ns-cert-type server fast-io tls-auth /tmp/openvpncl/ta.key 1
In this case:
dhcp-option DNS 10.86.0.1 route 10.86.0.1
I want the clients in PBR to go through the DNS 10.86.0.1
without having to manually edit the client DNS every time the router changes its VPN DNS address.
Last edited by wildcat2083 on Sat Aug 31, 2019 4:26; edited 1 time in total
wildcat2083 DD-WRT Novice Joined: 10 Apr 2016 Posts: 24
Posted: Thu Mar 30, 2017 5:26 Post subject: DNS More info/Reply
In reply to that, the reason I'm thinking the VPN DNS isn't even being used is because, as an example, the ExpressVPN DNS leak test from their page only shows Google IP addresses; the DNS provided by the VPN push (which doesn't work due to PBR) doesn't even show up in the list at all, unless I manually force the client itself to use that DNS, then I get no leaks. Of course "leak" is a loose term, as it's "leaking" to Google because I told the router to do so, but in this instance the router isn't even using the DNS from the VPN at all. The only instance I've ever gotten it to work is to totally disable use of PBR :/ I'll copy and paste some info from the command you gave me and tell you what the DNS should be.
I could be wrong, but I'm confused on how to read this command's output anyhow.
DNS needed (at least until reboot):
10.70.0.1
The IP address of the client should be 192.168.1.145.
Code: udp 17 1 src=75.111.158.52 dst=8.8.8.8 sport=33106 dport=53 packets=1 bytes=127 src=8.8.8.8 dst=75.111.158.52 sport=53 dport=33106 packets=1 bytes=232 mark=0 use=2
udp 17 1 src=75.111.158.52 dst=8.8.8.8 sport=39572 dport=53 packets=1 bytes=127 src=8.8.8.8 dst=75.111.158.52 sport=53 dport=39572 packets=1 bytes=232 mark=0 use=2
udp 17 1 src=75.111.158.52 dst=8.8.8.8 sport=5609 dport=53 packets=1 bytes=127 src=8.8.8.8 dst=75.111.158.52 sport=53 dport=5609 packets=1 bytes=232 mark=0 use=2
udp 17 1 src=75.111.158.52 dst=8.8.8.8 sport=56762 dport=53 packets=1 bytes=127 src=8.8.8.8 dst=75.111.158.52 sport=53 dport=56762 packets=1 bytes=232 mark=0 use=2
udp 17 1 src=75.111.158.52 dst=8.8.8.8 sport=59635 dport=53 packets=1 bytes=127 src=8.8.8.8 dst=75.111.158.52 sport=53 dport=59635 packets=1 bytes=232 mark=0 use=2
udp 17 1 src=75.111.158.52 dst=8.8.8.8 sport=60787 dport=53 packets=1 bytes=127 src=8.8.8.8 dst=75.111.158.52 sport=53 dport=60787 packets=1 bytes=232 mark=0 use=2
udp 17 1 src=75.111.158.52 dst=8.8.8.8 sport=60967 dport=53 packets=1 bytes=127 src=8.8.8.8 dst=75.111.158.52 sport=53 dport=60967 packets=1 bytes=232 mark=0 use=2
udp 17 1 src=75.111.158.52 dst=8.8.8.8 sport=8118 dport=53 packets=1 bytes=127 src=8.8.8.8 dst=75.111.158.52 sport=53 dport=8118 packets=1 bytes=232 mark=0 use=2
udp 17 0 src=75.111.158.52 dst=10.70.0.1 sport=14167 dport=53 packets=1 bytes=63 [UNREPLIED] src=10.70.0.1 dst=75.111.158.52 sport=53 dport=14167 packets=0 bytes=0 mark=0 use=2
udp 17 0 src=75.111.158.52 dst=10.70.0.1 sport=41504 dport=53 packets=1 bytes=65 [UNREPLIED] src=10.70.0.1 dst=75.111.158.52 sport=53 dport=41504 packets=0 bytes=0 mark=0 use=2
udp 17 0 src=75.111.158.52 dst=10.70.0.1 sport=65214 dport=53 packets=1 bytes=62 [UNREPLIED] src=10.70.0.1 dst=75.111.158.52 sport=53 dport=65214 packets=0 bytes=0 mark=0 use=2
udp 17 0 src=75.111.158.52 dst=8.8.8.8 sport=14167 dport=53 packets=1 bytes=63 src=8.8.8.8 dst=75.111.158.52 sport=53 dport=14167 packets=1 bytes=128 mark=0 use=2
udp 17 0 src=75.111.158.52 dst=8.8.8.8 sport=41504 dport=53 packets=1 bytes=65 src=8.8.8.8 dst=75.111.158.52 sport=53 dport=41504 packets=1 bytes=217 mark=0 use=2
udp 17 0 src=75.111.158.52 dst=8.8.8.8 sport=65214 dport=53 packets=1 bytes=62 src=8.8.8.8 dst=75.111.158.52 sport=53 dport=65214 packets=1 bytes=107 mark=0 use=2
In every instance, the DNS I need shows UNREPLIED; only 8.8.8.8 and 8.8.4.4 seem to work.
logfile from VPN "Client"
Clientlog:
20170329 22:29:56 W WARNING: file '/tmp/openvpncl/client.key' is group or others accessible
20170329 22:29:56 W WARNING: file '/tmp/openvpncl/ta.key' is group or others accessible
20170329 22:29:56 W WARNING: file '/tmp/openvpncl/credentials' is group or others accessible
20170329 22:29:56 I OpenVPN 2.4.0 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jan 8 2017
20170329 22:29:56 I library versions: OpenSSL 1.0.2h 3 May 2016 LZO 2.09
20170329 22:29:56 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:16
20170329 22:29:56 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20170329 22:29:56 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
20170329 22:29:56 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
20170329 22:29:56 I TCP/UDP: Preserving recently used remote address: [AF_INET]104.238.32.99:1195
20170329 22:29:56 Socket Buffers: R=[180224->180224] S=[180224->180224]
20170329 22:29:56 I UDPv4 link local: (not bound)
20170329 22:29:56 I UDPv4 link remote: [AF_INET]104.238.32.99:1195
20170329 22:29:56 TLS: Initial packet from [AF_INET]104.238.32.99:1195 sid=2f76cc7e 4d6f4c15
20170329 22:29:56 W WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
20170329 22:29:56 VERIFY OK: depth=1 C=VG ST=BVI O=ExpressVPN OU=ExpressVPN CN=ExpressVPN CA emailAddress=support@expressvpn.com
20170329 22:29:56 VERIFY OK: nsCertType=SERVER
20170329 22:29:56 VERIFY OK: depth=0 C=VG ST=BVI O=ExpressVPN OU=ExpressVPN CN=Server-926-1a emailAddress=support@expressvpn.com
20170329 22:29:56 NOTE: --mute triggered...
20170329 22:29:56 1 variation(s) on previous 3 message(s) suppressed by --mute
20170329 22:29:56 I [Server-926-1a] Peer Connection Initiated with [AF_INET]104.238.32.99:1195
20170329 22:29:57 SENT CONTROL [Server-926-1a]: 'PUSH_REQUEST' (status=1)
20170329 22:29:58 PUSH: Received control message: 'PUSH_REPLY redirect-gateway def1 dhcp-option DNS 10.70.0.1 route 10.70.0.1 topology net30 ping 10 ping-restart 60 ifconfig 10.70.1.130 10.70.1.129'
20170329 22:29:58 OPTIONS IMPORT: timers and/or timeouts modified
20170329 22:29:58 NOTE: --mute triggered...
20170329 22:29:58 3 variation(s) on previous 3 message(s) suppressed by --mute
20170329 22:29:58 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
20170329 22:29:58 Data Channel Encrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
20170329 22:29:58 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
20170329 22:29:58 NOTE: --mute triggered...
20170329 22:29:58 1 variation(s) on previous 3 message(s) suppressed by --mute
20170329 22:29:58 I TUN/TAP device tun1 opened
20170329 22:29:58 TUN/TAP TX queue length set to 100
20170329 22:29:58 D do_ifconfig tt->did_ifconfig_ipv6_setup=0
20170329 22:29:58 I /sbin/ifconfig tun1 10.70.1.130 pointopoint 10.70.1.129 mtu 1500
20170329 22:29:59 I Initialization Sequence Completed
20170329 23:29:56 TLS: soft reset sec=0 bytes=130832989/-1 pkts=146701/0
20170329 23:29:56 VERIFY OK: depth=1 C=VG ST=BVI O=ExpressVPN OU=ExpressVPN CN=ExpressVPN CA emailAddress=support@expressvpn.com
20170329 23:29:56 VERIFY OK: nsCertType=SERVER
20170329 23:29:56 NOTE: --mute triggered...
20170330 00:05:00 6 variation(s) on previous 3 message(s) suppressed by --mute
20170330 00:05:00 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20170330 00:05:00 D MANAGEMENT: CMD 'state'
20170330 00:05:00 MANAGEMENT: Client disconnected
20170330 00:05:00 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20170330 00:05:00 D MANAGEMENT: CMD 'state'
20170330 00:05:00 MANAGEMENT: Client disconnected
20170330 00:05:00 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20170330 00:05:00 D MANAGEMENT: CMD 'state'
20170330 00:05:00 MANAGEMENT: Client disconnected
20170330 00:05:00 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20170330 00:05:00 D MANAGEMENT: CMD 'status 2'
20170330 00:05:00 MANAGEMENT: Client disconnected
20170330 00:05:00 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20170330 00:05:00 D MANAGEMENT: CMD 'log 500'
20170330 00:05:00 MANAGEMENT: Client disconnected
20170330 00:20:35 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20170330 00:20:35 D MANAGEMENT: CMD 'state'
20170330 00:20:35 MANAGEMENT: Client disconnected
20170330 00:20:35 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20170330 00:20:35 D MANAGEMENT: CMD 'state'
20170330 00:20:35 MANAGEMENT: Client disconnected
20170330 00:20:35 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20170330 00:20:35 D MANAGEMENT: CMD 'state'
20170330 00:20:35 MANAGEMENT: Client disconnected
20170330 00:20:35 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20170330 00:20:35 D MANAGEMENT: CMD 'status 2'
20170330 00:20:35 MANAGEMENT: Client disconnected
20170330 00:20:35 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20170330 00:20:35 D MANAGEMENT: CMD 'log 500'
19691231 18:00:00
ca /tmp/openvpncl/ca.crt cert /tmp/openvpncl/client.crt key /tmp/openvpncl/client.key management 127.0.0.1 16 management-log-cache 100 verb 3 mute 3 syslog writepid /var/run/openvpncl.pid client resolv-retry infinite nobind persist-key persist-tun script-security 2 dev tun1 proto udp4 cipher aes-256-cbc auth sha512 auth-user-pass /tmp/openvpncl/credentials remote usa-losangeles-ca-version-2.expressnetw.com 1195 comp-lzo yes redirect-private def1 route-noexec tun-mtu 1500 fragment 1300 mssfix ns-cert-type server fast-io tls-auth /tmp/openvpncl/ta.key 1
wildcat2083 DD-WRT Novice Joined: 10 Apr 2016 Posts: 24
Posted: Thu Mar 30, 2017 5:31 Post subject:
Ideally I'd like to route ONLY the DNS provided by the VPN to the addresses in the PBR; the rest of the router I don't really care about.
neerav DD-WRT Novice Joined: 08 Jul 2010 Posts: 44
Posted: Fri Jun 16, 2017 19:27 Post subject:
wildcat2083, this is 3 months later, but if you haven't found a solution, I think I have a suggestion, despite the VPN DNS bug.
I recently wrote a script to remove the VPN DNS servers. What if instead you forced the removal of the Static DNS addresses? My script searches the logs to find the VPN DNS addresses and remove them. Instead, yours could save those addresses as a new resolv.dnsmasq file. If those are the only DNS servers in resolv.dnsmasq, you'll force all DNS lookups through them.
_________________
LinkSys E1000 ...... DD-WRT
LinkSys E2000 ...... DD-WRT
Netgear R8000 ...... Finally DD-WRT
TP-Link WR710N ..... Stock (considering DD-WRT)
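One way to do what neerav describes, as an added example that is not code from this thread, from DD-WRT or from eibgrad's scripts: pull the server(s) the VPN pushes out of the OpenVPN client log (the "dhcp-option DNS a.b.c.d" tokens in the PUSH_REPLY line), write them as the only upstream servers in resolv.dnsmasq, and check ip_conntrack for DNS flows that bypass them. It assumes (not stated in the thread) that `logread` returns the client log and that dnsmasq reads /tmp/resolv.dnsmasq on this build; the sample log and conntrack lines are constructed from the values pasted above.

```shell
#!/bin/sh
# Added example, not code from the thread, DD-WRT or eibgrad's scripts.
# Pins dnsmasq to the DNS server(s) pushed by the VPN provider and reports DNS
# flows in ip_conntrack that go anywhere else.
# Assumptions: `logread` prints the OpenVPN client log; dnsmasq reads
# DNSMASQ_RESOLV (override with the environment variable if your build differs).

DNSMASQ_RESOLV="${DNSMASQ_RESOLV:-/tmp/resolv.dnsmasq}"

# pushed_dns: OpenVPN client log text on stdin -> one pushed DNS server per line,
# duplicates removed, order preserved.
pushed_dns() {
    grep -o 'dhcp-option DNS [0-9.]*' | awk '!seen[$3]++ { print $3 }'
}

# write_resolv FILE SERVER...: atomically replace FILE with "nameserver" lines.
# Refuses an empty list: no resolver fails closed, while a stale file that still
# points at the static Google servers would fail open and leak.
write_resolv() {
    file=$1; shift
    [ $# -gt 0 ] || { echo "write_resolv: no servers given, leaving $file alone" >&2; return 1; }
    tmp="$file.tmp.$$"
    : > "$tmp"
    for s in "$@"; do echo "nameserver $s" >> "$tmp"; done
    mv "$tmp" "$file"
}

# dns_leaks ALLOWED...: ip_conntrack lines on stdin. Prints "LEAK <dst>" for every
# DNS flow (dport=53) to a server not in ALLOWED, and "UNREPLIED <dst>" for a flow
# to an allowed server that never got an answer (the resolver is unreachable on the
# path the query took, e.g. sent out the WAN instead of through the tunnel).
# Exit status 1 if anything was printed, 0 if all DNS went to ALLOWED and was answered.
dns_leaks() {
    awk -v allowed=" $* " '
        / dport=53 / {
            dst = ""
            for (i = 1; i <= NF; i++)            # first dst= is the original direction
                if (dst == "" && $i ~ /^dst=/) dst = substr($i, 5)
            if (index(allowed, " " dst " ") == 0) { print "LEAK " dst; n++ }
            else if ($0 ~ /\[UNREPLIED\]/)      { print "UNREPLIED " dst; n++ }
        }
        END { if (n) exit 1 }'
}

# --- constructed sample input, modelled on the log and conntrack pasted in the thread ---
SAMPLE_LOG="20170329 22:29:58 PUSH: Received control message: 'PUSH_REPLY redirect-gateway def1 dhcp-option DNS 10.70.0.1 route 10.70.0.1 topology net30 ping 10 ping-restart 60 ifconfig 10.70.1.130 10.70.1.129'"
SAMPLE_CONNTRACK="udp 17 1 src=75.111.158.52 dst=8.8.8.8 sport=33106 dport=53 packets=1 bytes=127 src=8.8.8.8 dst=75.111.158.52 sport=53 dport=33106 packets=1 bytes=232 mark=0 use=2
udp 17 0 src=75.111.158.52 dst=10.70.0.1 sport=14167 dport=53 packets=1 bytes=63 [UNREPLIED] src=10.70.0.1 dst=75.111.158.52 sport=53 dport=14167 packets=0 bytes=0 mark=0 use=2
tcp 6 431999 ESTABLISHED src=192.168.1.15 dst=104.238.32.99 sport=51234 dport=443 packets=10 bytes=1200 src=104.238.32.99 dst=75.111.158.52 sport=443 dport=51234 packets=8 bytes=5000 [ASSURED] mark=0 use=2"

vpn_dns=$(printf '%s\n' "$SAMPLE_LOG" | pushed_dns)
echo "VPN pushed DNS: $vpn_dns"
printf '%s\n' "$SAMPLE_CONNTRACK" | dns_leaks $vpn_dns || echo "DNS is not confined to the VPN resolver"

# On the router, run with --apply (e.g. from the startup script after the client is
# up) to read the live log and pin dnsmasq to whatever the VPN pushed this time.
if [ "$1" = "--apply" ]; then
    live=$(logread | pushed_dns)
    write_resolv "$DNSMASQ_RESOLV" $live && echo "wrote $DNSMASQ_RESOLV: $live"
fi
```

Because the pushed address changes on every reconnect, the apply step has to run again after each reconnect; the UNREPLIED check is the quick way to tell whether the router is reaching the VPN resolver through the tunnel or sending those queries out the WAN.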
egc DD-WRT Guru Joined: 18 Mar 2014 Posts: 12882 Location: Netherlands
Posted: Sun Jun 18, 2017 8:02 Post subject:
The DNS bug is resolved, at least in the latest Kong builds. So probably also in the latest BS builds, but I have not tested that.
_________________
Routers: Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read): https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
wildcat2083 DD-WRT Novice Joined: 10 Apr 2016 Posts: 24
Posted: Sat Aug 31, 2019 3:55 Post subject:
neerav wrote: wildcat2083, this is 3 months later, but if you haven't found a solution, I think I have a suggestion, despite the VPN DNS bug.
I recently wrote a script to remove the VPN DNS servers. What if instead you forced the removal of the Static DNS addresses? My script searches the logs to find the VPN DNS addresses and remove them. Instead, yours could save those addresses as a new resolv.dnsmasq file. If those are the only DNS servers in resolv.dnsmasq, you'll force all DNS lookups through them.
I know this is old, but I reopened the same issue since I still can't find a suitable solution; the script might work.
egc DD-WRT Guru Joined: 18 Mar 2014 Posts: 12882 Location: Netherlands