Yes, it's definitely a problem. Your clients must use your router's DNS, otherwise domain-based routing will not work. What you could do is set up the router to use Pi-hole for DNS and your clients to use your router's DNS. That way your clients should still get the functionality of Pi-hole, with domain-based routing working as well.
4 should be /whatismyipaddress.com/wanroute
Skip 1 for now; do it later once you have tested that the rest of the stuff works.
2 is not strictly necessary if you are using DHCP on the router; the router will automatically push itself as the DNS server.
You might need to restart dnsmasq on the router after you set up 4.
I hate to be such a newb, but in trying to get domain-based policy working I tried heaps of stuff, and it didn't work, so I tried a fresh install. So: install the latest LEDE, install openvpn-openssl, set up the PIA VPN using this guide (at this point internet traffic is correctly 100% through the VPN, but I have to set the DNS server in WAN interface > Advanced Settings > Custom DNS to either the PIA DNS address or Pi-hole, which uses the PIA DNS server), then install your requirements, and finally OPR. Nothing else changed or installed (except nano). Now nothing works in OPR, domain-based routing or IP-based routing, which did work before...
What am I missing? I've tried several fresh installs at this point, from changing as little as possible, sticking to defaults and just changing what's required, to variations on changing anything I think might help... just so you know I've tried, but I'm failing.
Update: did another fresh install, sticking only to essential changes, and OPR still doesn't work at all; IP/Port/Domain all do nothing.
For fun I tried your older VPN bypass package... IP and port bypassing now work again! Domain still doesn't work, but IP and port do!
For fun, uninstalled vpnbypass, installed OPR: nothing works.
Edit: Whoa: so I disabled IPv6 on my LEDE LAN interface (my ISP doesn't support IPv6 and I have IPv6 disabled on my PC already), and now domain-based works on vpnbypass!
I need help with domain-based policies. Also IPv4/port policies don't work if I set them to route the remote address (local address works fine). I have dnsmasq-full installed. I suspect it is something on my side, because while building the LEDE image (from the build generator) I removed dnsmasq, installed dnsmasq-full, but also removed IPv6 support (-odhcp6c -dnsmasq_full_dhcpv6 -ip6tables -kmod-ipv6). I also disabled IPv6 and DHCPv6 (uci set dhcp.lan.dhcpv6=disabled; sysctl -w net.ipv6.conf.all.disable_ipv6=1).
Logs (support, DNS-crypt, dnsmasq) :
openvpn-policy-routing 4.1.5-8 running on LEDE 17.01.2. WAN (IPv4): wan/x.x.x.x.
============================================================
Dnsmasq version 2.77 Copyright (c) 2000-2016 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC no-ID loop-detect inotify
============================================================
Routes/IP Rules
default some_DNS_name 0.0.0.0 UG 0 0 0 eth0
32690: from all fwmark 0x20000 lookup 42
32691: from all fwmark 0x10000 lookup 145
table 200:
table 201:
============================================================
IP Tables
OPR_CHAIN all -- anywhere anywhere [goto] mark match 0x0/0xff0000
-N OPR_CHAIN
-A OPR_CHAIN -s x.x.x.x/32 -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A OPR_CHAIN -s x.x.x.x/32 -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A OPR_CHAIN -m set --match-set wanroute dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A OPR_CHAIN -m set --match-set tun0route dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
============================================================
IPv6 Tables
============================================================
Domain-based routing settings
dnsmasq.cfg02411c.ipset: /streamuj.tv/tun0route
============================================================
Current ipsets
create bcp38-ipv4 hash:net family inet hashsize 1024 maxelem 65536
add bcp38-ipv4 10.0.0.0/8
add bcp38-ipv4 192.0.2.0/24
add bcp38-ipv4 169.254.0.0/16
add bcp38-ipv4 198.51.100.0/24
add bcp38-ipv4 240.0.0.0/4
add bcp38-ipv4 192.168.0.0/16
add bcp38-ipv4 203.0.113.0/24
add bcp38-ipv4 127.0.0.0/8
add bcp38-ipv4 172.16.0.0/12
add bcp38-ipv4 0.0.0.0/8
create wanroute hash:ip family inet hashsize 1024 maxelem 65536
create tun0route hash:ip family inet hashsize 1024 maxelem 65536
add tun0route 37.59.30.111
create wanlist list:set size 8
add wanlist wanroute
create tun0list list:set size 8
add tun0list tun0route
============================================================
config dnscrypt-proxy ns1
option address '127.0.0.1'
option port '5353'
option resolver 'd0wn-nl-ns2'
option resolvers_list '/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv'
# ephemeral keys option requires extra CPU cycles and can cause huge system load
# option ephemeral_keys '0'
# more details at https://github.com/jedisct1/dnscrypt-proxy#public-key-client-authentication
# option client_key '/path/to/client_key'
# option syslog '1'
# option syslog_prefix 'dnscrypt-proxy'
# option query_log_file '/path/to/logfile'
# enable cache may speed up dnscrypt-proxy, see https://github.com/jedisct1/dnscrypt-proxy/wiki/Go-faster
# option local_cache '0'
# disable IPv6 may also speed up dnscrypt-proxy, see https://github.com/jedisct1/dnscrypt-proxy/wiki/Go-faster
option block_ipv6 '1'
# Blacklists allow you to block domains, ip, ... see https://github.com/jedisct1/dnscrypt-proxy/wiki/Filtering
# list blacklist 'domains:/path/to/domains-blacklist-file.txt'
# list blacklist 'domains:/path/to/domains-blacklist2-file.txt'
config dnscrypt-proxy ns2
option address '127.0.0.1'
option port '5454'
option resolver 'd0wn-cz-ns1'
option resolvers_list '/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv'
option block_ipv6 '1'
# # option ephemeral_keys '0'
# # option client_key ''
config dnscrypt-proxy ns3
option address '127.0.0.1'
option port '5656'
option resolver 'fvz-anytwo'
option resolvers_list '/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv'
option block_ipv6 '1'
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option rebind_protection '1'
option rebind_localhost '1'
option authoritative '1'
option leasefile '/tmp/dhcp.leases'
option noresolv '1'
option localservice '1'
option domain 'doma'
option local '/srsen/'
option nonwildcard '1'
list server '127.0.0.1#5353'
list server '127.0.0.1#5454'
list server '127.0.0.1#5656'
list interface 'br-lan'
list notinterface 'eth0'
list notinterface 'tun0'
option nohosts '1'
option filterwin2k '1'
list ipset '/streamuj.tv/tun0route'
config dhcp 'lan'
option interface 'lan'
option leasetime '12h'
option start '170'
option limit '29'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
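Domain-based routing in OPR is a chain of four links: dnsmasq's ipset directive fills an ipset with the addresses a domain resolves to, OPR_CHAIN marks packets to those addresses with an fwmark, and an ip rule sends that fwmark to a routing table. The following checker, added here as an illustration and not part of the OPR package or this thread, walks that chain over a constructed excerpt shaped like the support output above and names the first broken link; an empty ipset is exactly the symptom of clients resolving names somewhere other than the router's dnsmasq.

```python
import re

# Constructed excerpt in the shape of the OPR support output posted above
# (not real router output; the values are copied from the thread for illustration).
SUPPORT_DUMP = """\
32690: from all fwmark 0x20000 lookup 42
32691: from all fwmark 0x10000 lookup 145
-A OPR_CHAIN -m set --match-set wanroute dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A OPR_CHAIN -m set --match-set tun0route dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
dnsmasq.cfg02411c.ipset: /streamuj.tv/tun0route
create wanroute hash:ip family inet hashsize 1024 maxelem 65536
create tun0route hash:ip family inet hashsize 1024 maxelem 65536
add tun0route 37.59.30.111
"""

def parse_dump(text):
    """Pull the four links of the chain out of a support dump."""
    rules, marks, sets, domains = {}, {}, {}, {}
    for line in text.splitlines():
        if m := re.match(r"\d+:\s+from all fwmark (0x[0-9a-f]+) lookup (\d+)", line):
            rules[int(m[1], 16)] = int(m[2])        # ip rule: fwmark -> routing table
        elif m := re.search(r"--match-set (\S+) dst .*--set-xmark (0x[0-9a-f]+)/", line):
            marks[m[1]] = int(m[2], 16)             # OPR_CHAIN: ipset -> fwmark
        elif m := re.search(r"ipset:\s*/([^/]+)/(\S+)", line):
            domains[m[1]] = m[2]                    # dnsmasq: domain -> ipset
        elif m := re.match(r"(create|add) (\S+)(?: (\S+))?", line):
            members = sets.setdefault(m[2], [])     # ipset save: set -> members
            if m[1] == "add":
                members.append(m[3])
    return rules, marks, sets, domains

def trace_domain(domain, dump):
    """Return (routing_table, ipset_members) for a domain, or a string naming
    the first broken link in the dnsmasq -> ipset -> fwmark -> ip rule chain."""
    rules, marks, sets, domains = parse_dump(dump)
    setname = domains.get(domain)
    if setname is None:
        return f"no dnsmasq ipset directive for {domain}"
    if setname not in sets:
        return f"ipset {setname} does not exist"
    if not sets[setname]:
        # The classic symptom when clients resolve names somewhere other than the router
        return f"ipset {setname} is empty: nothing resolved {domain} via the router's dnsmasq"
    if setname not in marks:
        return f"no OPR_CHAIN rule marks traffic to {setname}"
    mark = marks[setname]
    if mark not in rules:
        return f"no ip rule sends fwmark {mark:#x} to a routing table"
    return rules[mark], sets[setname]
```

On a router, feed it the real dump (`cat /tmp/opr-support.txt` or the output of the support command, however you capture it) and look at the reported link; on the dump above the domain streamuj.tv resolves to table 42 via tun0route.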
iGz, try the OPR predecessor VPN Bypass, also by stangri.
I think the main difference is that VPN Bypass is IPv4 only, and OPR was made to support v6. If you read up you'll see I had major problems getting OPR to work, whereas VPN Bypass works great for me (just make sure you disable v6 in the interfaces config).
Hi DropbearNinja,
thanks for your suggestion, but if I understand this correctly it wouldn't work for me, because I need the opposite routing: everything goes through WAN, but only some traffic goes through tun0 (VPN).
I have set up OpenVPN with 2 VPNs (UK & NLD) using PIA VPNs with the OpenVPN Client in LEDE. I also set up OPR to use static IPs to route through WAN or the VPNs as needed. Most go through WAN as per normal but I need a few static IPs to go through the VPNs.
I had to set “route_nopull” (Don't pull routes automatically) for both VPNs since I want normal traffic to go through WAN (not VPN) and certain static IPs through one of the VPNs as set in OPR. All is working as it should, except DNS.
When “route_nopull” was not set, it gave me a lot of routing problems and would stop working altogether. When “route_nopull” is set it ignores the routes pushed by the server, including DNS settings.
I set the “Network – DHCP & DNS – DNS forwardings” via LuCI to the PIA DNS servers 209.222.18.222 & 209.222.18.218. I deleted all other DNS server entries for interfaces etc., and in the WAN interface I unchecked “use DNS advertised by peer” so the ISP DNS is not used.
When I check for DNS leaks with https://www.dnsleaktest.com/ it shows the PIA servers, but from the USA, not one of the VPN countries. When I do a “tracert” on a Win10 PC assigned to one of the VPNs it seems that all is going through the VPN, as would be expected.
How do I confirm that the DNS requests are going through the VPN and not through the WAN for those static IPs assigned to a VPN?
How do I set up the DNS/VPN/interface combinations to make sure that a static IP set in OPR for a VPN has its DNS requests go through the VPN and not the WAN?
in my openvpn config file and a similar one for 8.8.8.8 in another VPN config file (different one).
This ensures DNS requests go via the appropriate VPN interface. The way to check which interface is used is simple: ping. You can route ping via a specific interface with
ping -Itun0 8.8.8.8
If you change tun0 to, say, eth0.2 it will route the ping via the eth0.2 interface (which is my WAN port). You'll see different numbers: my ping via tun0 is approximately 28ms, while WAN (eth0.2) is faster, around 20ms. Then just try ping 8.8.8.8 (without specifying the interface) and it should go out via the default route. The response should basically tell you which interface was used: if I see numbers around 20ms it must have been WAN, if around 28ms it was tun0 (VPN).
I concur that some of the OPR problems might be due to the faulty IPv6 support, so in 4.1.5-9 I've tried to implement changes so that IPv6-related code is only executed if the ipv6_enabled option is set to 1 in the config. This is a temporary measure to get OPR working in dual-stack configurations until I work out the IPv6 kinks.
UPDATE: Mullvad folks have provided me with a 6-month account. I've tested out WireGuard and it doesn't seem trivial to support it in OPR. The WireGuard interface doesn't seem to have tun_flags or anything else which would ID it as a WireGuard interface in /sys/devices/virtual/net/$ifname/. If anyone can shed some light on how to ID the WireGuard interface, please let me know. Either way, IPv6 support has to come first before I look into wg again.