
VOIP with OpenVPN in shibby tomato

Discussion in 'Tomato Firmware' started by neftv, Dec 11, 2017.

  1. neftv

    neftv Networkin' Nut Member

    When I set up all the traffic to go through OpenVPN on the router, my OBi200 loses registration with my VoIP providers; the rest of the network is routing through fine. If I use the routing option in OpenVPN in Tomato firmware and only put select devices on the VPN and leave the OBi200 alone, then I have DNS leaks with the VPN-connected devices. Anyone with experience with this have suggestions? I would like to run everything through the VPN on the router if I can.
     
  2. eibgrad

    eibgrad Network Guru Member

  3. neftv

    neftv Networkin' Nut Member

    Yikes, I thought it'd be a simple change, but it's more than I can handle for a weekday night. But if I understand it correctly, adding the two scripts from post 21 and the route-noexec command fixes this issue?
     
  4. eibgrad

    eibgrad Network Guru Member

  5. neftv

    neftv Networkin' Nut Member

    Thanks for helping me. So..

    So I tried this method, but I use ExpressVPN, so I could not change some settings or the VPN would not connect. I had to leave Extra HMAC authorization (tls-auth) set to outgoing 1; if I didn't, the VPN would not connect. I think everything else is as shown in that link. I used Google DNS and all DNS requests go through the tunnel, for devices in the routing policy and devices not in the policy. The devices not in the policy have the US IP address from my ISP; the devices in the routing policy have an IP address from my VPN. For example, I connect to Switzerland and the Google DNS servers are in the Netherlands, regardless of whether the device is in the routing policy or not. I use the link https://www.expressvpn.com/dns-leak-test to test, and that's also how I know if my VPN is connected or not. FYI, I normally use Comodo DNS, but those would show connected in a USA location according to the DNS leak test. Please advise....
     
  6. eibgrad

    eibgrad Network Guru Member

    Sounds to me like it's working. By design, the fix forces *all* DNS queries to use the VPN tunnel, whether the client is using the WAN or the VPN for other operations. It has to be that way because DNSMasq is global in scope. You can't configure DNSMasq to use one set of public DNS servers for clients bound to the WAN, and another set of public DNS servers for clients bound to the VPN. Everyone is always served by the same public DNS server. We prevent the DNS leaks by making sure all those public DNS servers are bound to the VPN, regardless of which client makes the request.

    The only other way you could have your clients using the WAN use the ISP's DNS server, and the VPN clients use the VPN's (or some other non-ISP) DNS servers, is to assign public DNS IPs directly to those clients. IOW, tell DNSMasq to send those public IPs to the clients rather than its own local IP. IOW, bypassing DNSMasq completely for DNS queries. I personally don't think it's worth the effort.
     
    Last edited: Dec 28, 2017
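The mechanism eibgrad describes (every public resolver dnsmasq forwards to is pinned to the tunnel, whichever client asks) as an added shell example; this is not the script from post 21 nor any Tomato code, and it assumes Google's 8.8.8.8/8.8.4.4 as the forwarders and tun11 as the OpenVPN client interface:

```shell
#!/bin/sh
# Added example (assumed names, not the thread's post-21 scripts): emit the
# host routes that pin the public resolvers to the VPN tunnel, and check the
# routing table afterwards so a resolver still leaving via the WAN is caught.

DNS_SERVERS="8.8.8.8 8.8.4.4"   # resolvers dnsmasq forwards to (assumed)
TUN_DEV="${dev:-tun11}"         # OpenVPN exports $dev to route-up scripts;
                                # tun11 is the assumed Tomato client interface

# Print the host-route commands that bind each resolver to the tunnel.
dns_route_cmds() {
    for ns in $DNS_SERVERS; do
        echo "ip route add $ns/32 dev $TUN_DEV"
    done
}

# Extract the egress device from one line of `ip route get <ip>` output,
# e.g. "8.8.8.8 via 10.8.0.1 dev tun11 src 10.8.0.2" -> tun11
egress_dev() {
    echo "$1" | sed -n 's/.* dev \([^ ]*\).*/\1/p'
}

# Return 0 when every resolver leaves through the tunnel, 1 otherwise.
# $1 is the lookup command printing the route line for an IP
# (defaults to `ip route get`; a stub can be passed for testing).
dns_leak_check() {
    lookup="${1:-ip route get}"
    rc=0
    for ns in $DNS_SERVERS; do
        dev=$(egress_dev "$($lookup "$ns" 2>/dev/null | head -n1)")
        if [ "$dev" != "$TUN_DEV" ]; then
            echo "LEAK: $ns routes via ${dev:-unknown}, not $TUN_DEV"
            rc=1
        fi
    done
    return $rc
}
```

Run `dns_route_cmds` after the tunnel is up and `dns_leak_check` afterwards; any LEAK line means a forwarder is still reachable through the WAN and would show the ISP's region on a DNS leak test.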
