Help with OpenVPN leak

I just got the OpenVPN license for my Balance305, to connect to a private server hosted in another router of mine in another country.
I installed it according to the instructions, and the new WAN called openVPN WAN 1 appeared in the Dashboard.
Via Outbound policy, I routed the traffic of one PC enforced through the new openVPN WAN (via MAC).
No other fancy settings. I am pasting the present configuration.

What I can see is that the PC does get the public IP of the remote router, but a dnsleaktest.com test shows several DNS servers in other countries in between. I therefore think it’s leaking!

What should I do to prevent this issue? I know the server is good, because when I connect to it via the OpenVPN Connect client app (Android or PC), it does not leak.

Please help if you can, thanks!

Is your PC getting a DHCP IP from the Balance? What DNS servers is the PC using? Your Balance 305 has a DNS proxy built in; I suspect your PC is sending it DNS requests which it is forwarding to the default WAN DNS forwarders. You could create an enforced outbound policy for source ANY, destination ANY, port UDP 53 and another for TCP 53, and set the OpenVPN as the path.

Hi,

Yes, it is DHCP, with an IP/MAC reservation on the PC:

About your suggestion to enforce port 53 through the OpenVPN WAN, will this affect all the other computers in the LAN? I need only one computer to go through the OpenVPN. The others should not and should not have increased delays or anything like that.

So set the source IP/MAC address on the rule to be that of the PC in question.

It did not work, still leaking. I was already enforcing everything for that MAC through the OpenVPN WAN. Adding two more rules just for port 53 UDP/TCP did not change anything; it’s still leaking.
It seems the Balance is giving the PC the closest DNS servers from two of the local WANs, and not channeling everything through the VPN by assigning the DNS servers seen from the VPN server.

I assume your PC has its DNS servers set to the LAN IP of the Peplink via DHCP, right?

If so I suspect you have DNS proxy enabled in Network > LAN | Network Settings, try disabling that.

Or manually set the PC IP and DNS settings so you are using public DNS servers, the requests for which should then get sent out over OpenVPN…

Yes, I have the proxy enabled:

But if I uncheck it, I cannot go to any website anymore…
About your second suggestion to modify the network settings of the PC, it’s not an option; I don’t have admin rights.

Ideally I need the OpenVPN connection to use DNS inside the tunnel. All the other connections can use whatever is closer/faster.

Something to change in this page?

Thanks for your help!

Not until your devices reboot or refresh their IP from DHCP, because their DNS server entries will still be pointing to the Peplink LAN interface.

With DNS Proxy disabled, devices that get new DHCP IPs will be assigned the preferred public DNS servers (normally those from WAN1), but you can change it.

Once they are using public DNS the PC you want to go via OpenVPN will send its DNS queries that way also.
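The reasoning in the replies above (with the DNS proxy on, the client's resolver is the router itself, so the router's WAN choice, not the client's enforced outbound policy, decides where the query exits; with the proxy off, the client's own port-53 traffic follows its policy) can be turned into a small audit script. This is an added example, not Peplink code and not posted by anyone in the thread; the LAN subnet, router LAN IP, WAN name and leak-test rows are constructed sample values, and the two resolver addresses are the ones named later in the thread.

```python
#!/usr/bin/env python3
"""Audit where a LAN client's DNS queries will exit on a multi-WAN router.

Added example, not Peplink's code. It models the behaviour described in
the thread: with the router's DNS proxy on, the client's resolver is the
router LAN IP and the router forwards the query out of its own preferred
WAN, so the client's enforced outbound policy never sees the query; with
the proxy off, the client queries a public resolver directly and that
port-53 traffic follows the client's policy. Every address, WAN name and
leak-test row here is a constructed sample value.
"""
import ipaddress

LAN_SUBNET = ipaddress.ip_network("192.168.50.0/24")          # constructed
ROUTER_LAN_IP = ipaddress.ip_address("192.168.50.1")          # constructed
ROUTER_DEFAULT_FORWARDERS = "router default WAN forwarders"   # label only


def classify_resolver(resolver, router_lan_ip=ROUTER_LAN_IP, lan_subnet=LAN_SUBNET):
    """Return 'router-proxy', 'lan-host' or 'direct' for one resolver address."""
    addr = ipaddress.ip_address(resolver)
    if addr == router_lan_ip:
        return "router-proxy"          # the router's DNS proxy answers/forwards
    if addr in lan_subnet:
        return "lan-host"              # some other local server on the LAN
    return "direct"                    # public resolver; client sends it over a WAN


def audit_client(client_resolvers, client_policy_wan):
    """For each resolver, report which WAN the query exits on and whether the
    client's own outbound policy (client_policy_wan) governs that exit."""
    rows = []
    for resolver in client_resolvers:
        path = classify_resolver(resolver)
        if path == "router-proxy":
            exit_wan, follows = ROUTER_DEFAULT_FORWARDERS, False
        elif path == "lan-host":
            exit_wan, follows = "policy of that LAN host", False
        else:
            exit_wan, follows = client_policy_wan, True
        rows.append({"resolver": str(resolver), "path": path,
                     "exit": exit_wan, "follows_policy": follows})
    return rows


def find_leaks(leak_test_rows, expected_country):
    """Given rows like a leak test prints (resolver egress IP, country),
    return the ones outside the country the tunnel is supposed to exit in."""
    return [r for r in leak_test_rows if r["country"] != expected_country]


if __name__ == "__main__":
    # Scenario A: DNS proxy enabled, so the client's resolver is the router LAN IP.
    for row in audit_client(["192.168.50.1"], "OpenVPN WAN 1"):
        print("proxy on :", row)
    # Scenario B: proxy disabled, OpenVPN WAN hands out 1.1.1.1 and 8.8.8.8.
    for row in audit_client(["1.1.1.1", "8.8.8.8"], "OpenVPN WAN 1"):
        print("proxy off:", row)
    # Constructed leak-test output for a tunnel that should exit in the US.
    sample = [{"ip": "203.0.113.10", "country": "US"},
              {"ip": "198.51.100.7", "country": "DE"}]
    print("leaking resolvers:", find_leaks(sample, "US"))
```

Run it as-is to see the two scenarios side by side; to audit a real client, pass the resolver list the client actually reports (for example from `ipconfig /all` on Windows) and the WAN its outbound policy names. The `find_leaks` helper only compares the country column a leak test prints against the expected tunnel exit country, which is exactly the check the original poster was doing by eye.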

Wow, this fixed it:

  1. Disable the DNS proxy.
  2. In each WAN, disable automatic DNS and set the recommended one for each provider.
  3. For the OpenVPN WAN, set the US DNS servers 1.1.1.1 and 8.8.8.8.
  4. Reboot.

And voilà, the PC enforced through the VPN WAN does not appear to leak anymore. All the other PCs get the closer/faster DNS.

This fixed the VPN leaks, thank you so much!


Ouch, I sang victory too soon. While the VPN leaks no more, I still see a weird glitch in the LAN: some of the LAN devices, apparently randomly, are getting the US public IP of the tunnel, even though per outbound policy they should not!
The testing situation is now:

  • OpenVPN WAN enabled and set to independent priority

  • No device in the LAN is set to use it per the outbound policies, neither enforced nor in any other way

  • Default outbound policy is also set not to use it:

What I see is that some random LAN devices are getting the public US IP of the tunnel. Others are getting one of the WANs' IPs.
In some cases, whatismyip.com shows the European WAN IP, but dnsleaktest.com shows the American one, even after a reboot, clearing the browser cache and in incognito mode.

It seems that now that the tunnel is not leaking, with the DNS proxy disabled and every WAN set to its own recommended DNS servers, the US public IP of the tunnel is making its way to some random devices in the LAN. How can this even be possible?