uG
Apr 23, 2003

by Ralp
Are there any gigabit LAN, dual/multi wan, AND dual band routers coming to the market?


uG
Apr 23, 2003

by Ralp
I have the following network setup: cable modem > Router > OpenVPN (dd-wrt) Router

My problem is that clients connected to the OpenVPN router are leaking my ISP DNS. However, if I remove the first Router so it's just 'cable modem > Open VPN Router', then there are no DNS leaks.

What the hell is going on?

uG
Apr 23, 2003

by Ralp

evol262 posted:

You're going to have to actually post OpenVPN configs or more details to figure this out.

It seems like the OpenVPN router is using the DNS settings of the first router as well as what it's set to use, because if it's 'just' the OpenVPN router and the modem it correctly only uses the OpenVPN's DNS (which are set as static DNS servers 1-3 in dd-wrt). I almost figured it has more to do with using 2 routers than anything OpenVPN?

My firewall script:
code:
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
iptables -I FORWARD -i br0 -o vlan2 -j DROP
iptables -I INPUT -i tun0 -j REJECT
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
OpenVPN config:
code:
client
dev tun
proto udp
remote 198.203.28.42 443
resolv-retry infinite
nobind
ns-cert-type server
cipher AES-256-CBC
comp-lzo
verb 3
explicit-exit-notify 5
<ca>

uG
Apr 23, 2003

by Ralp

evol262 posted:

This appears to have nothing to do with OpenVPN. You're probably not pushing options from the OpenVPN server (and those are the relevant configs). Assigning static DNS resolution to servers which may or may not be reachable without being connected to the VPN is the :wrong: way to do it. If you want it to use those DNS servers, push them from the OpenVPN server and let the client figure out what to do when it's not connected.

Answer this:

Is the OpenVPN router assigned an address from the other router via DHCP?
What does resolv.conf look like with and without the other router in the middle?

For what it's worth, the OpenVPN router's firewall rules will (should) not allow any traffic if it drops the OpenVPN connection. The router is also an OpenVPN client, not the server.

1. Yes, the OpenVPN router is assigned an address from the first router via DHCP. Their IPs are 192.168.0.1 (regular) and 192.168.1.1 (openvpn)

2. My /etc/resolv.conf is the same for both setups:
code:
search hsd1.fl.comcast.net
nameserver 192.168.1.1
Also, the VPN server appears to push the DNS I'm using (10.4.0.1), but their instructions state to set it manually in dd-wrt https://airvpn.org/ddwrt/
code:
20130822 13:04:32 PUSH: Received control message: 'PUSH_REPLY redirect-gateway def1 dhcp-option DNS 10.4.0.1 comp-lzo no route 10.4.0.1 topology net30 ping 10 ping-restart 60 ifconfig 10.4.34.194 10.4.34.193' 

uG fucked around with this message at 18:25 on Aug 22, 2013

uG
Apr 23, 2003

by Ralp

evol262 posted:

Your iptables rules do absolutely nothing to stop non-VPN traffic.

Take a step back. How do you figure it's "leaking" local DNS?

This is part of your problem. You're running a caching nameserver on the OpenVPN router. They're pushing DNS, but it's not appearing in resolv.conf (it should). Can you "dig @10.4.0.1 google.com" from the OpenVPN router? How about your clients? Disable DNSMasq for DNS.
I am using https://www.dnsleaktest.com/ to show DNS leaks. I get 1 result (non-ISP) with just the OpenVPN router, and 4-5 results when the other router is before it.

I disabled DNSMasq for DNS with the same results (although airvpn tutorial says to have it enabled https://airvpn.org/ddwrt/ ).

Clients can dig that properly. I will install dig and try it on the OpenVPN router later today. Thanks for the suggestions thus far.
Client dig:
code:
; <<>> DiG 9.3.2 <<>> @10.4.0.1 google.com
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1933
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             300     IN      A       74.125.140.102
google.com.             300     IN      A       74.125.140.113
google.com.             300     IN      A       74.125.140.138
google.com.             300     IN      A       74.125.140.139
google.com.             300     IN      A       74.125.140.100
google.com.             300     IN      A       74.125.140.101

;; AUTHORITY SECTION:
google.com.             101682  IN      NS      ns1.google.com.
google.com.             101682  IN      NS      ns2.google.com.
google.com.             101682  IN      NS      ns3.google.com.
google.com.             101682  IN      NS      ns4.google.com.

;; ADDITIONAL SECTION:
ns1.google.com.         101681  IN      A       216.239.32.10
ns2.google.com.         101681  IN      A       216.239.34.10
ns3.google.com.         101681  IN      A       216.239.36.10
ns4.google.com.         101681  IN      A       216.239.38.10

;; Query time: 79 msec
;; SERVER: 10.4.0.1#53(10.4.0.1)
;; WHEN: Thu Aug 22 14:07:28 2013
;; MSG SIZE  rcvd: 260
ipconfig /all from the client shows it's still getting 192.168.0.1 as a DNS server (which is the non-VPN router).
code:
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       10.4.0.1
                                       192.168.0.1

uG fucked around with this message at 19:33 on Aug 22, 2013

uG
Apr 23, 2003

by Ralp

evol262 posted:

99% odds your router is using 192.168.0.1 as the primary resolver.

The AirVPN tutorial is irrelevant for these problems.

Edit:

To clarify:

Your clients are using 192.168.1.1 first. Its DNS resolution is bad. The OpenVPN router is the problem. You need to know what it's resolving upstream. Where is it getting DNS resolution from. Turning off DNSmasq on the OpenVPN router should fail out 192.168.1.1 and have the clients resolve to 10.4.0.1 first. DNS falls through to the next server in order. Is 192.168.1.1 still resolving DNS records with DNSmasq off? If not, are you still leaking DNS entries?
I still leak entries with DNSmasq off. Even when it's on it's resolving using 10.4.0.1 (tracert google.com always uses 10.4.0.1), so the dnsleaktest is doing something tricky to ignore order or force you to try the entire list. It would appear I have to get 192.168.0.1 to not show up for DNS at all with ipconfig /all.
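As an added illustration (not code from the thread or from dd-wrt/AirVPN), this script parses the PUSH_REPLY log line and the ipconfig /all output quoted above and lists the resolvers a client can fall through to that were neither pushed through the tunnel nor are the VPN router itself. The sample inputs are constructed after the posts, and the VPN router address 192.168.1.1 is taken from the thread.

```python
import re

# Constructed sample inputs modelled on the posts above (not captured from the poster's machine).
PUSH_LOG = ("20130822 13:04:32 PUSH: Received control message: 'PUSH_REPLY redirect-gateway def1 "
            "dhcp-option DNS 10.4.0.1 comp-lzo no route 10.4.0.1 topology net30 ping 10 "
            "ping-restart 60 ifconfig 10.4.34.194 10.4.34.193'")
IPCONFIG = """\
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       10.4.0.1
                                       192.168.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""
VPN_ROUTER = "192.168.1.1"   # the dd-wrt OpenVPN router from the thread

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"

def pushed_dns(log):
    """Resolvers the OpenVPN server pushed with 'dhcp-option DNS'."""
    return re.findall(r"dhcp-option DNS " + IPV4, log)

def pushed_routes(log):
    """Hosts/networks the server pushed a 'route' for (these are sent over tun0)."""
    return re.findall(r"(?<![\w-])route " + IPV4, log)

def client_dns(ipconfig):
    """Parse 'DNS Servers' and its indented continuation lines from ipconfig /all."""
    servers, collecting = [], False
    for line in ipconfig.splitlines():
        m = re.match(r"\s*DNS Servers[ .]*:\s*(\S+)", line)
        if m:
            servers.append(m.group(1))
            collecting = True
        elif collecting and re.match(r"\s{20,}\S+$", line):
            servers.append(line.strip())
        else:
            collecting = False
    return servers

def leak_candidates(servers, log, vpn_router):
    """Resolvers in the client's list that were neither pushed through the tunnel
    nor are the VPN router itself; a resolver that tries every server reaches them."""
    tunnel = {d for d in pushed_dns(log)
              if "redirect-gateway" in log or d in pushed_routes(log)}
    return [s for s in servers if s not in tunnel and s != vpn_router]

if __name__ == "__main__":
    for s in leak_candidates(client_dns(IPCONFIG), PUSH_LOG, VPN_ROUTER):
        print("possible DNS leak via", s)
```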

uG
Apr 23, 2003

by Ralp

wolrah posted:

Didn't realize the next level up was so close, yeah I see no reason to bother with the GS108E when the T is only a few bucks more.


DD-WRT is for routers, I'm asking about switches. I know some routers contain basic managed switches, but anything larger than five ports is rare. A Tomato-powered Netgear is actually one of my roommates' desktop switch right now so he probably won't bother to get anything new.

http://www.amazon.com/gp/aw/d/B00BTKPRYO/ref=mp_s_a_1_10?qid=1390081746&sr=8-10&pi=AC_SX110_SY165_QL70

Mikrotik rb260gs is a nice managed switch for the money

uG
Apr 23, 2003

by Ralp
I've got an EdgeRouter Lite that I recently upgraded and used the latest wizard to set up. I tried redoing this entire thing manually using the same tutorial I used to get this working before, but with the same DNS problems.

eth1 is WAN, eth0 goes to tun0, and eth2 is for non-tunneled internet access. My problem is that eth2 DNS will fail unless I manually set the DNS on whatever hardware (in this case a ps3) to the router IP. The router has DHCP set up for each interface's subnet and DNS forwarding on the interfaces. DNS on the tunneled connection, eth0, works fine but DNS1 and DNS2 on DHCP are set to external DNS servers. eth2 has DNS1 set to the router IP address, so I don't know what gives.

uG
Apr 23, 2003

by Ralp
I need a router that can maintain a 50Mb/s openvpn tunnel. I have an ERL3 but it maxes at 15Mb/s while maxing a single core (openvpn is single threaded). Do I have any options besides building a pfsense box?

uG
Apr 23, 2003

by Ralp
I know IPSec will be faster but I need to use openvpn, so I don't think the edge routers are going to cut it.


uG
Apr 23, 2003

by Ralp
The hardware acceleration only works for IPSec apparently, but it does use AES. I could load balance between 2 openvpn tunnels to use the other CPU core but that still won't get me to 50Mb/s
