  • OpenWRT 23.05.2
  • Router: Linksys WRT3200ACM
  • OpenVPN configured (NordVPN)
  • NordVPN has a static IP I am paying for (to help things like streaming services not complain about being on a VPN)
  • I have 2 subnets - one that goes straight to WAN, the other goes through the tun device for the VPN.
  • I am using AdGuardHome (AGH) on my router to handle DNS requests from both subnets.
  • AGH upstream is set to NordVPN's DNS servers.

Problem: When I contact NordVPN's DNS servers outside the VPN tunnel, it resolves using a different set of servers than if I do it inside the VPN tunnel. This means that if I do something like try to use Amazon Prime Video from a device on the VPN, it won't let me because I'm on a VPN. If I manually configure the DNS server onto my client directly to the NordVPN DNS servers, it does work.

My working theory is that the DNS servers are being accessed from outside the VPN tunnel with AGH, but inside the VPN tunnel if manually configuring my client to do so while using the VPN.

When I use a site like ipleak.net, I can clearly see the DNS server resolution is different between using AGH and manual configuration for the client, despite both being set to use the same upstream DNS servers.

I believe that if I can get AGH to send DNS requests through the VPN tunnel in some way, I can both secure my DNS requests from prying eyes (like my ISP), as well as get this to work correctly.

I just don't know how to set a rule to do this. I do have Policy-Based Routing (PBR) set up (which handles separating the VPN and non-VPN traffic from each other). I tried setting a rule to trigger from external port 53; however, I think this is going the wrong direction - I believe it is looking for external requests hitting the router on port 53, rather than from the router out to port 53.

I believe there's a firewall rule that can be configured, but I am just not familiar enough with the fw4 rules to even attempt it - as I've learned repeatedly that messing with FW rules haphazardly results in occasional bricking.

I am hoping someone can help me track down exactly what I need to do to accomplish this. I can't be the only person ever who has wanted to have DNS traffic from the router be passed through the VPN. I don't want ALL traffic to be redirected to the VPN, as I have need for ports to be open/available to be forwarded into my LAN's systems, which is how I got to this point in the first place.

Any help would be most appreciated. Thank you.

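As an added example (not code from the original post, nor from OpenWrt's pbr package), a POSIX shell script that steers the router's own queries to the VPN resolvers through the tunnel with a destination-based ip rule, and then checks that the kernel's chosen path really is the tunnel. The interface name tun0, routing table 101 and the 203.0.113.x resolver addresses are placeholders to replace with your own values.

```shell
#!/bin/sh
# Added example (not from the original post): send the router's own queries
# to the VPN provider's resolvers through the OpenVPN tunnel by steering
# traffic *to* those resolver addresses into a dedicated routing table.
# Because the ip rule matches on destination, it also catches queries that
# AdGuardHome originates on the router itself, which a zone-based firewall
# rule on LAN/WAN would not.
#
# Assumptions (substitute your own values): the tunnel interface is tun0,
# routing table 101 is unused, and the addresses below are placeholders
# standing in for NordVPN's resolvers.  Set RUN=echo to preview commands.
RUN="${RUN:-}"

# vpn_dns_rules IFACE TABLE RESOLVER...
# Idempotent: the rule for each resolver is removed before being re-added.
vpn_dns_rules() {
    vif=$1; tbl=$2; shift 2
    $RUN ip route replace default dev "$vif" table "$tbl"
    for d in "$@"; do
        $RUN ip rule del to "$d" lookup "$tbl" 2>/dev/null || true
        # priority 100 is consulted before the main-table lookup (32766)
        $RUN ip rule add to "$d" lookup "$tbl" priority 100
    done
}

# route_dev "LINE": extract the outgoing device from `ip route get` output,
# e.g. "203.0.113.5 via 10.8.0.1 dev tun0 table 101 src 10.8.0.2 uid 0" -> tun0
route_dev() {
    printf '%s\n' "$1" | sed -n 's/.* dev \([^ ]*\).*/\1/p'
}

# check_dns_path IFACE RESOLVER...: confirm the kernel would send a packet to
# each resolver out of the tunnel.  Returns 1 on the first resolver that leaks.
check_dns_path() {
    vif=$1; shift
    for d in "$@"; do
        dev=$(route_dev "$(ip route get "$d" 2>/dev/null)")
        if [ "$dev" != "$vif" ]; then
            echo "LEAK: $d would leave via ${dev:-unknown}, not $vif" >&2
            return 1
        fi
    done
    echo "ok: queries to $* leave via $vif"
}

# Apply and verify only when invoked as: sh this_script.sh apply
if [ "${1:-}" = "apply" ]; then
    vpn_dns_rules tun0 101 203.0.113.5 203.0.113.6 \
        && check_dns_path tun0 203.0.113.5 203.0.113.6
fi
```

Run it with RUN=echo first to preview the commands, and re-run vpn_dns_rules from an OpenVPN `up` hook or an /etc/hotplug.d/iface script, since the route in table 101 disappears whenever the tunnel interface goes down.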