Tunnel VPN and DNS

[Armshouse]

Hi folks, so here's my issue...

I recently setup Nord VPN using the Tunnel VPN app... (not OpenVPN - thanks sky-knight) and that's up and running fine. I use tags to shunt the devices I care about over the VPN and that all works as expected.

Untangle is my DNS server for all devices. I was using Quad9 as external DNS, but changed those to the DNS servers specified by Nord. Everything seems to be OK until I try and stream something in the browser from BBC iPlayer - it comes up with a "you're not in the UK" kinda message and that's that.

So I got in touch with Nord support and they had me use their local client, connect to a VPN server in the UK and that works on iPlayer fine. Tunnel VPN is already using a UK server, so I was baffled as to what was different about using their client. The next day, they had me go to dnsleaktest.com and do the test there. Some German server address came up and based on that, they said go check your DNS settings.

So... What I've found is that if I manually put the Nord DNS server addresses into my laptop, a different (UK) server shows up in the leak test and iPlayer doesn't have an issue and works fine. When I have Untangle as my client's DNS, it doesn't work - even though I use the same DNS server addresses on my external interface.

What have I misconfigured here? I'm guessing that if the laptop traffic goes over the VPN with DNS server address in hand that it's not the same as Untangle doing resolution (not over the VPN) even with the same server?

Any thoughts?

[Armshouse]

OK, so I managed to get around this by adding a port forward rule which looks for clients tagged to go over the VPN and rewrites their UDP 53 queries to the IP of the VPN providers DNS servers.

I'm really not sure why that makes a difference. I had already set Untangle to use the same servers for resolution. Anyway - I decided against that, as I read somewhere here that if the VPN wasn't up, then DNS would fail for everyone... Obviously not good.

The only downside is that as opposed to having the redundancy of two DNS server addresses configured, I've had to pick just one and forward tagged requests to that and hope it's always up.

[sky-knight]

DNS is always annoying in these cases.

Untangle treats the VPN interface provided by TunnelVPN as a WAN interface. Any DNS IP address on any WAN interface is used by DNSMasq on Untangle. So when you add more, you get more possibilities to resolve. But, there is no way to ensure resolution happens over a specific address.

The selective port forward is a bit hackish, but it's the only way to ensure the DNS queries on tagged clients are forced over the tunnel. The stupid part is even this doesn't work, now that browsers are starting to do DoH themselves...

If you want redundant DNS with control you need a dedicated DNS service that can handle the transition. Untangle will almost certainly never be this device because it needs to service all devices all the time. Which given all the conditions involved, that's a really sticky mess.

[Armshouse]

Thanks for the clarification Rob.

DNS is always annoying in these cases.
Untangle treats the VPN interface provided by TunnelVPN as a WAN interface. Any DNS IP address on any WAN interface is used by DNSMasq on Untangle. So when you add more, you get more possibilities to resolve. But, there is no way to ensure resolution happens over a specific address.

This is why I was puzzled... My initial thought was to change the DNS IPs on the WAN to match those of the VPN. This still didn't solve the issue. It wasn't till I explicitly set a host with the DNS IP of the VPN, or the eggy port-forward that it works. If I disable that port forward and let DNS queries land on Untangle, I have the leak again.