  1. #1 Master Untangler | Join Date: Apr 2020 | Location: United Kingdom | Posts: 101

    Tunnel VPN and DNS

    Hi folks, so here's my issue...

    I recently set up Nord VPN using the Tunnel VPN app... (not OpenVPN - thanks sky-knight) and that's up and running fine. I use tags to shunt the devices I care about over the VPN and that all works as expected.

    Untangle is my DNS server for all devices. I was using Quad9 as external DNS, but changed those to the DNS servers specified by Nord. Everything seems to be OK until I try and stream something in the browser from BBC iPlayer - it comes up with a "you're not in the UK" kinda message and that's that.

    So I got in touch with Nord support and they had me use their local client, connect to a VPN server in the UK and that works on iPlayer fine. Tunnel VPN is already using a UK server, so I was baffled as to what was different about using their client. The next day, they had me go to dnsleaktest.com and do the test there. Some German server address came up and based on that, they said go check your DNS settings.

    So... What I've found is that if I manually put the Nord DNS server addresses into my laptop, a different (UK) server shows up in the leak test and iPlayer doesn't have an issue and works fine. When I have Untangle as my client's DNS, it doesn't work - even though I use the same DNS server addresses on my external interface.

    What have I misconfigured here? I'm guessing that if the laptop traffic goes over the VPN with DNS server address in hand that it's not the same as Untangle doing resolution (not over the VPN) even with the same server?

    Any thoughts?

  2. #2 Master Untangler | Join Date: Apr 2020 | Location: United Kingdom | Posts: 101

    OK, so I managed to get around this by adding a port forward rule which looks for clients tagged to go over the VPN and rewrites their UDP 53 queries to the IP of the VPN provider's DNS servers.

    I'm really not sure why that makes a difference. I had already set Untangle to use the same servers for resolution. Anyway - I decided against that, as I read somewhere here that if the VPN wasn't up, then DNS would fail for everyone... Obviously not good.

    The only downside is that as opposed to having the redundancy of two DNS server addresses configured, I've had to pick just one and forward tagged requests to that and hope it's always up.

  3. #3 Untangle Ninja sky-knight | Join Date: Apr 2008 | Location: Phoenix, AZ | Posts: 25,464

    DNS is always annoying in these cases.

    Untangle treats the VPN interface provided by TunnelVPN as a WAN interface. Any DNS IP address on any WAN interface is used by DNSMasq on Untangle. So when you add more, you get more possibilities to resolve. But, there is no way to ensure resolution happens over a specific address.

    The selective port forward is a bit hackish, but it's the only way to ensure the DNS queries on tagged clients are forced over the tunnel. The stupid part is even this doesn't work, now that browsers are starting to do DoH themselves...

    If you want redundant DNS with control you need a dedicated DNS service that can handle the transition. Untangle will almost certainly never be this device because it needs to service all devices all the time, which, given all the conditions involved, is a really sticky mess.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  4. #4 Master Untangler | Join Date: Apr 2020 | Location: United Kingdom | Posts: 101

    Thanks for the clarification Rob.

    Quote Originally Posted by sky-knight:
        DNS is always annoying in these cases.
        Untangle treats the VPN interface provided by TunnelVPN as a WAN interface. Any DNS IP address on any WAN interface is used by DNSMasq on Untangle. So when you add more, you get more possibilities to resolve. But, there is no way to ensure resolution happens over a specific address.
    This is why I was puzzled... My initial thought was to change the DNS IPs on the WAN to match those of the VPN. This still didn't solve the issue. It wasn't till I explicitly set a host with the DNS IP of the VPN, or the eggy port-forward that it works. If I disable that port forward and let DNS queries land on Untangle, I have the leak again.
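    The behaviour sky-knight describes in #3 (dnsmasq forwarding to any WAN resolver, with no way to pin tagged clients to the tunnel's resolvers) can be confirmed from dnsmasq's own query log rather than from an external leak test. The checker below is an added example, not code from this thread or from Untangle: it assumes dnsmasq is running with `log-queries` enabled, pairs each `query[...] name from client` line with the following `forwarded name to upstream` line, and reports queries from tunnel-tagged clients that left via a resolver outside the VPN provider's set. The sample log, client list and resolver addresses are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample of dnsmasq "log-queries" output (not taken from the thread).
# The line shapes match dnsmasq's real format: "query[TYPE] name from client"
# followed by "forwarded name to upstream".
SAMPLE_LOG = """\
Jan 12 10:00:01 untangle dnsmasq[812]: query[A] www.bbc.co.uk from 192.168.1.50
Jan 12 10:00:01 untangle dnsmasq[812]: forwarded www.bbc.co.uk to 9.9.9.9
Jan 12 10:00:02 untangle dnsmasq[812]: query[A] example.org from 192.168.1.20
Jan 12 10:00:02 untangle dnsmasq[812]: forwarded example.org to 9.9.9.9
Jan 12 10:00:03 untangle dnsmasq[812]: query[AAAA] iplayer.bbc.co.uk from 192.168.1.50
Jan 12 10:00:03 untangle dnsmasq[812]: forwarded iplayer.bbc.co.uk to 198.51.100.1
"""

# Assumed placeholders: hosts tagged to use the tunnel, and the provider's resolvers.
TUNNEL_CLIENTS = {"192.168.1.50"}
VPN_DNS = {"198.51.100.1", "198.51.100.2"}

QUERY_RE = re.compile(r"query\[\w+\] (\S+) from (\S+)$")
FORWARD_RE = re.compile(r"forwarded (\S+) to (\S+)$")


def find_dns_leaks(log_text, tunnel_clients, vpn_dns):
    """Return (client, name, upstream) tuples for queries from tunnel-tagged
    clients that dnsmasq forwarded to a resolver outside the VPN provider's set.
    A query is matched to the next 'forwarded' line for the same name; dnsmasq
    may retry a query against another upstream, which would show as a second
    'forwarded' line and is not paired here."""
    pending = defaultdict(list)  # name -> clients still waiting for a forward line
    leaks = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            name, client = m.groups()
            pending[name].append(client)
            continue
        m = FORWARD_RE.search(line)
        if m:
            name, upstream = m.groups()
            if pending[name]:
                client = pending[name].pop(0)
                if client in tunnel_clients and upstream not in vpn_dns:
                    leaks.append((client, name, upstream))
    return leaks


if __name__ == "__main__":
    for client, name, upstream in find_dns_leaks(SAMPLE_LOG, TUNNEL_CLIENTS, VPN_DNS):
        print(f"leak: {client} asked for {name}, forwarded to {upstream}")
```

    On the sample, the first www.bbc.co.uk lookup from the tagged host is flagged because it went to 9.9.9.9 (a WAN resolver) instead of a provider address, which is exactly the condition that trips the "not in the UK" check.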
