1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Filtering and Security via OpenVPN client and OpenDNS

Discussion in 'Tomato Firmware' started by Braveheart7, Oct 14, 2013.

  1. Braveheart7

    Braveheart7 Reformed Router Member

    Hi Experts,

    I know this is an odd request. I have an RT-N16 with Shibby build. I know I can setup OpenVPN client and connect to an OpenVPN provider of choice to route all router traffic through the VPN. And I know I can setup my router's DNS to use OpenDNS's servers for filtering.

    Ideally, I want to do both. I want to protect my kids from content I do not approve of and protect my family from an entity monitoring our every move. In a nutshell, I want to be able to encrypt all the traffic leaving my router and make sure my kids are filtered with OpenDNS.

    1 - Is this even possible?
    2 - If possible, how can I implement this?
    3 - If NOT possible, how can I route all of my client traffic through OpenVPN and make sure any other clients of choice (such as my kids) are forced to go through OpenDNS filtering?
    4 - How can I make sure no client can bypass either or both OpenDNS and OpenVPN?

    Thanks for your time and input!
     
  2. mmosoll

    mmosoll Serious Server Member

    You must configure OpenDNS from the DNS page in Tomato (I am using Tomato RAF 1.28.9011) using OpenDNS Service and check that you want use it as DNS instead of your networks static DNS and AutoRefresh to 1 day for example.

    In your OpenDNS account select the filtering level as you want, and in Advanced Settings check the dynamic IP update option. In the OpenDNS Security page do not check Block Internal IP addresses if you want use Bonjour service in your LAN. Configure others options as you want (malware, phishing, etc...)

    In Tomato DHCP/DNS check Use internal DNS, uncheck the option Use received DNS with user-entered DNS and check Intercept DNS port.
     
    Last edited: Oct 14, 2013
  3. lancethepants

    lancethepants Network Guru Member

    I would go for a shibby or victek build. Those both should have dnscrypt built into the router, which is OpenDNS' program for encrypting all DNS leaving the router.
    Then make sure when you set your OpenVPN client in the router, I think you'll want to leave "Accept DNS Configuration" to "Disabled." This should leave you to use your own DNS (OpenDNS), and not the DNS provided by the VPN, allowing you to use OpenDNS' filtering.
     
    Braveheart7 likes this.
  4. Braveheart7

    Braveheart7 Reformed Router Member

    Thanks lancethepants for the response!

    I actually have a shibby build right now. I'm logged in remotely to my router and saw that setting. I have never seen that before.

    I assume that setting tells the router to ignore the vpn server's dns settings while still encrypting the traffic leaving/exiting the router. Is that correct?

    I have read a little about dsncrypt. However, I don't think I want to use it because it is US based. I'm hoping to use a VPN server from a non-US provider to avoid the US's blatant disregard of privacy for its citizens.

    So based on what you responded with... I am assuming this is possible. All I need to do is subscribe to a vpn provider non-us based who provides open vpn client compatibility. Then enter those settings and make sure the box you mentioned is set for "Disabled" or should I use one of the other settings like "Relaxed, Strict, or Exclusive"? Then put my OpenDNS settings in my router and I'm good to go. Is that correct?
     
  5. lancethepants

    lancethepants Network Guru Member

    I'm confused about one thing you mentioned. You state you do not want to use dnscrypt, because it is US based. But later you mention putting in your OpenDNS setting (ddns I'm guessing?).

    DNScrypt == OpenDNS + encryption.
    DNSCrypt is an OpenDNS provided service.
    There are other DNSCrypt compatible servers available now world wide, but only OpenDNS will give you use of their filtering service. DNSCrypt by default will use OpenDNS though.

    If you are going to use OpenDNS, then use dnscrypt, it will be more secure, since it is encrypted.

    Otherwise use 'exclusive', which will only use the vpn dns, which will be encrypted over the vpn. You won't get OpenDNS filtering, from the US based (though I think reputable and trustworthy) company. It's up to you though if you think OpenDNS/DNScrypt is trustworthy.

    Here are what all the dns options mean, so you can make the call.

    • none = DNS servers sent by server are ignored
    • relaxed = DNS servers sent by server are prepended to the current list of DNS servers, of which any can be used
    • strict = DNS servers sent by the server are prepended to the current list of DNS servers, which are used in order (existing DNS servers are only used if VPN-provided ones don't respond)
    • exclusive = only the VPN-provided DNS servers are used
     
    Bogey and Braveheart7 like this.
  6. Braveheart7

    Braveheart7 Reformed Router Member

    Please ignore. Posted in error.
     
    Last edited: Oct 15, 2013
  7. Braveheart7

    Braveheart7 Reformed Router Member

    I see what you mean. My reply was confusing. Maybe I don't really understand what I am asking. :)

    I want to use a non-US based VPN in case my gov't continues to want to violate my rights.

    And, I want whenever anyone in my homes goes to a website, for it to be checked/filtered if it meets criteria I choose.

    As I understand it, dnscrypt encrypts which websites you go to. Which is good. But the company is US based which makes them more vulnerable to our gov't trampling on our rights and putting pressure on them to either turn over logs and/or cease business as the us gov't has already done to some other businesses.

    So the scenario is this... If my child gets on his laptop and types in a website I don't want him to have access to, he will be stopped via OpenDNS. But if there is no block on the website he is trying to access, I want him to be be able to go through our vpn provider.

    So this creates a dilemma. If the request first has to go through OpenDNS, then it is possible that the request could be logged within the US first although I've read dnscrypt does not log. Would that be correct?

    And if so, then that effectively prevents me from hiding our activity via OpenVPN client configuration in the router. Is that also correct?

    I guess what I am trying to figure out is how can I keep all the activity hidden using an off-shore vpn provider and filter at the same time. I imagine I could try to convince the off-shore vpn provider to allow me to configure the vpn server for OpenDNS so that it is working on the server that I connect to. But I'm sure that will not happen which is why I am trying to figure it out with the world's best firmware, tomato!

    I hope this does not frustrate you. Thanks for all of you time and replies.
     
  8. lancethepants

    lancethepants Network Guru Member

    I'm not sure what OpenDNS' logging policies are. It would surprise me if they had different logging policies for encrypted and non-encrypted DNS. You'll have to do more research to find what the case actually is. I would ask on the OpenDNS forum.

    OpenDNS/DNScrypt is US based, period. If you don't think that makes them trustworthy, then don't use them. You would have to find some other method of filtering.

    One other quick comment. Just because a service may advertise "no logging", this is just a blind trust. There is no way to know for sure.
     
    Braveheart7 likes this.
  9. lancethepants

    lancethepants Network Guru Member

    Your actual traffic will be encrypted. Your DNS queries however will not be encrypted, unless you use DNScrypt. In either case your queries are processed by a US based service, OpenDNS.

    DNScrypt only encrypts DNS, nothing else. Your vpn provider would encrypt everything else.
     
    Braveheart7 likes this.
  10. JAC70

    JAC70 Networkin' Nut Member

    Dunno about VPN, but you can force an IP range to use OpenDns by adding something similar to Dnsmasq:

    dhcp-range=set:red,192.168.1.7,192.168.1.12
    dhcp-option=tag:red,option:dns-server,208.67.222.222,208.67.220.220
     
    Braveheart7 and koitsu like this.
  11. Braveheart7

    Braveheart7 Reformed Router Member

    I have an update. Looks like I need more guidance. I flashed Tomato Firmware 1.28.0000 MIPSR2-114 K26 USB AIO - Shibby build onto my Asus RT-N16 and started from scratch to make sure I had no nvram issues, etc. that could get in the way.

    Here are the things I did:

    1. I setup OpenDNS attached to my OpenDNS account on the Basic-DDNS page. I enabled "Use as DNS". I set auto refresh to 1 day. I enabled Dynamic IP Update in OpenDNS Advanced settings.
    2. I followed the following article by my vpn provider to setup the Tomato VPN Client: https://www.privateinternetaccess.c...-setup-for-newer-branches-including-tomatousb
    3. In Advanced-DHCP I enabled the following options only: Use internal dns, Prevent DNS-rebind attacks, and intercept dns port (udp 53). I also added the following in the DSNMasq options as instructed to do by my vpn provider (private internet access) :
      • persist-key
      • persist-tun
      • tls-client
      • comp-lzo
      • verb 1
    4. In Basic-Network I enabled dnscrypt-proxy
    5. I refreshed my DDNS and enabled the Force next update option = successful
    6. I tested my DNS to make sure OpenDNS filtering was working = success
    7. In OpenVPN client I tried both
    8. I then started my OpenVPN client and succsefully connected to my VPN provider.
    9. I verified my VPN connection by going to whatismyip = success

    Problem: Once the VPN client is enabled and working, no DNS filtering via OpenDNS will work.

    • I tried removing the VPN provided settings in the DSNMasq options = Failed. Same Result. No filtering.
    • In OpenVPN client I tried every option in the Accept DNS Configuration = None worked. Failed. Same Result. No filtering
    • In OpenVPN client I also tried both TUN and TAP settings with UDP = None worked. Failed. Same Result. No filtering
    I know the best way is to find a VPN server to connect to that has OpenDNS filtering configured. But I do not have that option as I'm sure you can understand.

    Any other ideas/tips? Much appreciated.
     
  12. Braveheart7

    Braveheart7 Reformed Router Member

    Hi Experts,
    Does anyone have a suggestion base don my last reply? Any help is greatly appreciated!
     
  13. PetervdM

    PetervdM Network Guru Member

    .
    sorry, didn't read well ...
     
    Last edited: Nov 12, 2013
  14. Braveheart7

    Braveheart7 Reformed Router Member

    No problem. Thanks for trying to help though. Can anyone else point me in the right direction?
     
  15. Almaz

    Almaz Serious Server Member

    I can give you a tip and you can try to make it work. Your OpenVPN using tun1 or tun2 interface. You can disable dhcp and enter all static information. In DNSmasq custom you can try
    interface=tun1
    no-dhcp-interface=tun1

    then set IP, gateway of your VPN provider and set DNS to OpenDNS.

    You can easily tell which DNS server is used just by SSH to your Router and type ifconfig. If you don't see OpenDNS ip then it won't work.

    Easy and simple fix.
     
    Last edited: Nov 14, 2013
    Braveheart7 likes this.
  16. i1135t

    i1135t Network Guru Member

    Braveheart7, I think your problem is that once you connect to your VPN service, your DNS requests are going through that service and hence why your OpenDNS settings don't work. Have you tried putting in your OpenVPN client custom config of:

    push "dhcp-option DNS 208.67.222.222"
    push "dhcp-option DNS 208.67.222.220"
     
    Braveheart7 likes this.
  17. Almaz

    Almaz Serious Server Member


    It will not work because the above command pushes DNS from server to clients. He is a client and don't have access to server.
     
    Braveheart7 likes this.
  18. i1135t

    i1135t Network Guru Member

    I thought that was for the client side not the server side. If so, then you are correct. You could try registering your VPN WAN ip under your OpenDNS account so you can manage that IP. If it's dynamic then unfortunately you'll have to update your OpenDNS account every time it changes, else request a static IP from your VPN provider and you should be good after that.

    Side note, this does not protect you against the US gov't from snooping on your traffic unless you have end to end encryption to somewhere outside the reach of the US gov't. Plus, they could just send a request to OpenDNS for your logs to see what lookups you have made. The whole point of DNSSEC is to secure endpoints for the DNS protocol so that DNS cannot be spoofed by a mitm attack, a weak link in this interweb we all rely on.
     
    Braveheart7 likes this.
  19. Braveheart7

    Braveheart7 Reformed Router Member


    Are you referring to the OpenVPN client or server? Here the details of my setup:

    My "Client 1-Basic" page is configured as follows:
    Interface Type = TUN
    Protocol = UDP
    Server Address/Port = us-east.privateinternetaccess.com 1194
    Firewall = Automatic
    Authorization Mode = TLS
    Username/Password Authentication = Enabled
    Username = (Entered on page)
    Password = (Entered on page)
    Username Authen. Only = unchecked
    Extra HMAC authorization = Disabled
    Create NAT on tunnel = checked

    My "Client 1-Advanced" page is configured as follows:
    Poll Interval = 0
    Redirect Internet Traffic = unchecked
    Accept DNS configuration = Disabled
    Encryption cipher = Use Default
    Compression = adaptive
    TLS Renegotiation Time = -1
    Connection Retry = 30
    Verify Server Certificate = unchecked

    Custom Configuration = blank (I have tried multiple options in this box to no avail). Is this where you want me to enter the commands you referenced?
    interface=tun1
    no-dhcp-interface=tun1

    If so, please forgive my ignorance. I don't understand how those relate. I'm using the OpenVPN Client to connect to my vpn provider. I am not serving OpenVPN to any clients.


    My "Basic-DDNS" page is configured as follows:
    IP Address= Use External IP Address Checker
    Service = OpenDNS
    Username = xxx
    Password = xxx
    Network = (blank)
    Use as DNS = checked

    My "Basic-Network" page is configured as follows:
    LAN = 192.168.7.7/255.255.255.0
    IP Range = 192.168.7.100-200
    Static DNS (Provided by the DDNS checker) = 208.67.222.222, 208.67.220.220
    Use dnscrypt-proxy = unchecked (I enabled and disabled this and there appeared to be no difference in my tests.)
    Local Port = (Blank)
    Startup Parameters = (Blank)
    WINS for DHCP = 0.0.0.0
     
  20. Braveheart7

    Braveheart7 Reformed Router Member

    The External IP Address Checker on the "Basic-DDNS" page is checking for the updates. I have verified this is working by logging into my OpenDNS account and confirming that my account sees the changing ip.

    Gotcha. So basically what you are saying is... Even if I use a VPN based in a foreign country and somehow get the OpenDNS to filter the traffic going through the VPN, using OpenDNS for filtering will leave a trail for the US Gov't. That said, the solution would be to find an overseas vpn provider that also ties in some sort of DNS filtering to the VPN server that my router connects to and does not log any of the vpn traffic coming from my router. Is that correct? If so, then that brings up some follow-up questions:

    Are you aware of any non-US vpn providers that would agree to setup a special config like that for my Tomato router to take advantage of? (I'm going to guess no for obvious reasons.)

    Do you know of any non-US based DNS filtering providers I could try?

    Of course those questions assume I am trying to protect my family from us govt prying eyes. If I am not concerned about that and more concerned about neighborhood hackers and/or content filtering then getting this scenario to work will suffice correct?

    Once again, any help is very appreciated.
     
  21. Braveheart7

    Braveheart7 Reformed Router Member

    Any other ideas on this Gentlemen? Thanks for everything you have thrown at me so far.
     

Share This Page