DNS leaks via OpenVPN client config on ASUS Router

emizzle
Posts: 1
Joined: Sun Jun 26, 2022 4:51 pm

DNS leaks via OpenVPN client config on ASUS Router

Post by emizzle » Sun Jun 26, 2022 5:09 pm

Using the OpenVPN client of the latest Asus RT-AX88U firmware (NOT Merlin, OpenVPN v2.4.11, OpenSSL 1.1.1n), and testing for DNS leaks on https://ipleak.net, it seems there are leaks (shows WoodyNet IPs).

When I use the Tunnelblick OpenVPN client (OpenVPN v2.5.4, OpenSSL 1.1.1l), and repeat the same test on https://ipleak.net, I do not see any leaks.

I could be completely wrong, but it seems like DNS traffic is not getting tunnelled through the VPN when using only the router client. I'd ideally like to have any clients connecting to the router to have their DNS traffic tunnelled and use the TrackerSmacker. Does anyone know how to do this?

I then tried configuring WAN > DNS to 10.31.33.7, 10.31.33.8, and got the same result.

Configuring my local machine's DNS to 10.31.33.7 didn't work, so I can't imagine assigning that in LAN - DHCP Server > DNS would help.

EDIT: Configured my local machine's DNS to 37.120.234.251 (taken from https://cryptostorm.is/dns.txt) and it prevents leaks, but does this enable TrackerSmacker?

EDIT 2: I then set that server in LAN - DHCP Server > DNS, and it assigns my local machine's DNS to 37.120.234.251, 192.168.50.1 (IP of my router). That eliminated some leaks but definitely not all. Maybe overriding the second DNS server is an option in Merlin? Happy to install that if it will help here.

parityboy
Site Admin
Posts: 1275
Joined: Wed Feb 05, 2014 3:47 am

Re: DNS leaks via OpenVPN client config on ASUS Router

Post by parityboy » Fri Aug 26, 2022 7:02 am

@OP

I use pfSense on custom hardware as opposed to an ASUS router, but I imagine the principles are the same. I configure my WAN DNS to 10.31.33.8, but I also tell it which gateway to use, i.e. the gateway for the VPN, since the 10.x.x.x addresses are only available via the VPN link. If I remember rightly, TrackerSmacker is only available on 10.31.33.7 - I'm not sure that it is available on the DNS instances sitting on public IPs.

Once the VPN is up, you should be able to ping 10.31.33.7 and 10.31.33.8 from your laptop/PC. If you can't, those pings are NOT going over the VPN link. You can check that you are protected by Cryptostorm by going here.
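The reachability test parityboy describes can be scripted. The following is an added example, not code from either poster or from cryptostorm: it checks, on a Linux host or router with iproute2 (`ip route get`), whether the internal resolvers 10.31.33.7 and 10.31.33.8 from the thread are routed through a tunnel interface rather than the WAN, and whether the OS resolver configuration still lists a nameserver that is not one of the cryptostorm addresses mentioned in the thread (the two 10.31.33.x resolvers and 37.120.234.251 from the OP's dns.txt lookup). The `tun*`/`tap*`/`wg*` interface-name convention, the sample `ip route get` lines and the sample `resolv.conf` contents are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): verify that cryptostorm's internal resolvers
# are reached via the VPN tunnel and that no other resolver is configured.
# Assumes Linux/iproute2 (`ip route get`) and a tun/tap/wg-style VPN interface.

# Resolver addresses quoted in the thread (10.31.33.x only reachable inside the VPN,
# 37.120.234.251 taken by the OP from https://cryptostorm.is/dns.txt).
CS_DNS_INTERNAL="10.31.33.7 10.31.33.8"
CS_DNS_PUBLIC="37.120.234.251"

# route_dev ROUTE_LINE -> prints the "dev" field of one `ip route get` output line
route_dev() {
    printf '%s\n' "$1" | sed -n 's/.* dev \([^ ]*\).*/\1/p'
}

# via_tunnel ROUTE_LINE -> exit 0 if the route leaves through a VPN-style interface
via_tunnel() {
    case "$(route_dev "$1")" in
        tun*|tap*|wg*) return 0 ;;
        *) return 1 ;;
    esac
}

# resolv_nameservers RESOLV_CONF_TEXT -> prints configured nameserver IPs, one per line
resolv_nameservers() {
    printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2 }'
}

# leaks_possible RESOLV_CONF_TEXT -> exit 0 if any configured resolver is not a
# cryptostorm address (e.g. the router's own LAN IP, which forwards to WAN DNS)
leaks_possible() {
    for ns in $(resolv_nameservers "$1"); do
        case " $CS_DNS_INTERNAL $CS_DNS_PUBLIC " in
            *" $ns "*) ;;
            *) return 0 ;;
        esac
    done
    return 1
}

# Live check against the running system; returns 2 when iproute2 is unavailable.
check_live() {
    command -v ip >/dev/null 2>&1 || { echo "ip(8) not found; skipping live check"; return 2; }
    for host in $CS_DNS_INTERNAL; do
        line=$(ip route get "$host" 2>/dev/null | head -n 1)
        if via_tunnel "$line"; then
            echo "OK   $host routed via $(route_dev "$line")"
        else
            echo "LEAK $host routed via '$(route_dev "$line")' - not inside the VPN"
        fi
    done
    if [ -r /etc/resolv.conf ] && leaks_possible "$(cat /etc/resolv.conf)"; then
        echo "WARN /etc/resolv.conf lists a resolver that is not a cryptostorm one"
    fi
}

# Constructed sample data (not captured from a real system), used for the offline demo.
SAMPLE_ROUTE_TUN="10.31.33.7 dev tun0 src 10.66.0.12 uid 1000"
SAMPLE_ROUTE_WAN="10.31.33.7 via 192.168.50.1 dev eth0 src 192.168.50.20 uid 1000"
SAMPLE_RESOLV_LEAKY="nameserver 37.120.234.251
nameserver 192.168.50.1"
SAMPLE_RESOLV_OK="nameserver 10.31.33.7
nameserver 10.31.33.8"

if [ "${1:-}" = "--live" ]; then
    check_live
else
    # Offline demonstration mirroring the OP's EDIT 2: the router IP as second
    # resolver lets queries bypass the tunnel even when the first resolver is fine.
    via_tunnel "$SAMPLE_ROUTE_TUN" && echo "sample tun route: inside VPN"
    via_tunnel "$SAMPLE_ROUTE_WAN" || echo "sample WAN route: NOT inside VPN"
    leaks_possible "$SAMPLE_RESOLV_LEAKY" && echo "sample resolv.conf (router as 2nd DNS): leak possible"
    leaks_possible "$SAMPLE_RESOLV_OK" || echo "sample resolv.conf (10.31.33.x only): no leak"
fi
```

Run it without arguments for the offline demonstration, or as `sh dnscheck.sh --live` on the LAN client (or on the router over SSH) after the VPN is up. A `LEAK` line for 10.31.33.7 means exactly what parityboy describes: the 10.x address is being sent to the WAN gateway instead of the tunnel, so neither the ping nor DNS queries to it are protected.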
