NextDNS on OpenWRT Router - Blocks Work & School VPNs

I set up NextDNS on my router using OpenWRT and was able to apply profiles by MAC address using the instructions for Conditional Configuration on the wiki - this was working great until I noticed that my work laptop wasn't able to connect to its VPN... (a custom setup) and my kids' school laptop was also unable to connect using a Cisco AnyConnect VPN. As much as I like the features that NextDNS provides, it's not going to work for me unless there is a way to be able to access work & school networks. Any suggestions?

10 replies

    • charcoal_car
    • 1 yr ago

    Have you checked your NextDNS profile to see what's being blocked and/or if you selected a ruleset that is blocking VPNs? You should be able to initiate a connection and then see the block on the NextDNS logs page and from there whitelist the domain that's being blocked and preventing your VPN from making the connection. Also remember that most Enterprise VPNs (like Cisco AnyConnect) force the computer to use the VPN DNS providers once connected, so at that point NextDNS wouldn't be blocking anything.

    Hope that helps.

      • Matt.5
      • 1 yr ago

      CC I've checked... but the logs are very helpful. I've guessed at all of the domains that I expect the VPNs to be trying to reach, and put them in the allow list - now I don't see anything in the logs that looks relevant. Is there a way to get a better log file - perhaps from the router application itself?

      I've tried setting the "forwarder" in the router config to an alternative DNS (1.1.1.1) for the top-level domains that I think the VPNs are using... but the documentation on GitHub is very brief.

    • Matt.5
    • 1 yr ago

    When I use the "forwarder" option in the config file in an effort to allow the VPN to bypass NextDNS entirely a "." is appearing between the address and the DNS server that I'm recommending. For instance, I try to indicate that foo.bar.com is to be pointed to 1.1.1.1 by saying "config set -forwarder foo.bar.com=1.1.1.1" however when I look at the config it says "forwarder foo.bar.com.=1.1.1.1" I'm not sure if this is significant.

    • Matt.5
    • 1 yr ago

    I'm using the CLI on an OpenWRT router - checking the logs using:

    nextdns log

    doesn't even show records that I can identify as coming from the laptop that's trying to run the VPN... (which is a Cisco Umbrella) I've tried adding the IPs associated with Umbrella (as listed on the Cisco site as "Prerequisite") to the Allowlist... and / or to the rewrites. Doesn't seem to matter... until I run

    nextdns stop

    on the router the laptop just says "the VPN connection failed due to unsuccessful domain name resolution"

    Am I the only person who is trying to use NextDNS with one of these devices on my network??


    @nextdns

      • charcoal_car
      • 1 yr ago

      Matt

      So I have seen the exact same issue and it was related to an option having to do with DNS Rebind Protection enabled on the router and the Parental Control on the NextDNS profile to block bypass methods.

      I was never able to get the CLI version running on my Merlin Asus router, but if OpenWRT has similar settings you could check this Reddit post for guidance.

      Hope that helps.

      • Matt.5
      • 1 yr ago

      CC Thanks @charcoal_car - I'll read up on your solution on Reddit. In the meantime, I've found that if I take NextDNS offline for a few minutes and let the VPN connect it will maintain its connection even if I bring NextDNS back online... so I've written an SSH script for OpenWRT that does just that.
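
One way to script the workaround Matt describes above (take NextDNS offline briefly, let the VPN come up, bring NextDNS back) as an added example; this is not Matt's script and not code from the nextdns project. It assumes `nextdns stop` (used earlier in the thread) and `nextdns start` are on the router's PATH, that the router exposes `/proc/net/nf_conntrack` (standard with the OpenWRT firewall), and that the VPN gateway speaks TCP (AnyConnect uses TLS on 443), so an ESTABLISHED flow from the laptop to the gateway is a reasonable "VPN is up" signal that closes the window early instead of waiting a fixed few minutes. Function names, variable names and the constructed conntrack lines in the test are all assumptions.

```shell
#!/bin/sh
# vpn-dns-window.sh: temporarily stop the NextDNS CLI on an OpenWRT router so a
# LAN client can bring up its VPN, then start NextDNS again once the client has
# an established session to the VPN gateway (or a deadline passes).
#
# Added example, not code from the thread or the nextdns project. Assumptions:
#  - `nextdns stop` (seen in the thread) and `nextdns start` exist on PATH;
#  - /proc/net/nf_conntrack is readable (OpenWRT firewall loads nf_conntrack);
#  - the VPN gateway uses TCP (AnyConnect: TLS on 443), so an ESTABLISHED flow
#    client -> gateway is a usable "VPN is up" signal.

set -u

NEXTDNS_BIN="${NEXTDNS_BIN:-nextdns}"
CONNTRACK_FILE="${CONNTRACK_FILE:-/proc/net/nf_conntrack}"
MAX_WAIT="${MAX_WAIT:-180}"   # longest time NextDNS stays stopped, in seconds
POLL="${POLL:-5}"             # seconds between conntrack checks

log() { echo "vpn-dns-window: $*" >&2; }

# session_established CLIENT_IP GATEWAY_IP
# Exit 0 if the conntrack table holds an ESTABLISHED TCP flow whose original
# direction is CLIENT_IP -> GATEWAY_IP. Only the first src=/dst= pair on a line
# is checked; the second pair on each line describes the reply direction.
session_established() {
    awk -v c="src=$1" -v g="dst=$2" '
        $3 == "tcp" && $6 == "ESTABLISHED" && $7 == c && $8 == g { found = 1; exit }
        END { exit !found }' "$CONNTRACK_FILE"
}

# wait_for_session CLIENT_IP GATEWAY_IP LIMIT_SECONDS STEP_SECONDS
# Polls until the session appears. Prints seconds waited; exit 0 on success,
# 1 when LIMIT_SECONDS passes without a session.
wait_for_session() {
    client=$1; gateway=$2; limit=$3; step=$4
    waited=0
    while :; do
        if session_established "$client" "$gateway"; then
            echo "$waited"; return 0
        fi
        [ "$waited" -ge "$limit" ] && { echo "$waited"; return 1; }
        sleep "$step"
        waited=$((waited + step))
    done
}

# open_window CLIENT_IP GATEWAY_IP
# Stops NextDNS, waits for the VPN session, starts NextDNS again. The trap makes
# sure NextDNS is restarted even if the script is interrupted mid-window, so the
# LAN is never left on the unfiltered fallback resolver by accident.
open_window() {
    "$NEXTDNS_BIN" stop || { log "could not stop nextdns"; return 2; }
    trap '"$NEXTDNS_BIN" start; exit 130' INT TERM
    if waited=$(wait_for_session "$1" "$2" "$MAX_WAIT" "$POLL"); then
        log "session $1 -> $2 seen after ${waited}s, starting NextDNS again"; rc=0
    else
        log "no session after ${waited}s, starting NextDNS again regardless"; rc=1
    fi
    "$NEXTDNS_BIN" start
    trap - INT TERM
    return "$rc"
}

# Usage: sh vpn-dns-window.sh run <client-ip> <vpn-gateway-ip>
case "${1:-}" in
    run) open_window "${2:?client ip}" "${3:?vpn gateway ip}" ;;
esac
```

Run it over SSH as `sh vpn-dns-window.sh run 192.168.1.50 203.0.113.10` just before the laptop dials the VPN, with the laptop's LAN address and the gateway's IP (taken from the VPN client's configuration). Keep `MAX_WAIT` short: while NextDNS is stopped, every client on the LAN resolves through the router's fallback upstream with no filtering, which is exactly the bypass the profile's parental-control settings are meant to prevent.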

    • Vinicius_Ribeiro
    • 1 yr ago

    Try this!

    Go
    Network > Interfaces > (go to your VPN or school interface) click edit > DHCP Server > Advanced Settings > DHCP-Options > use 6-option (e.g. 6,192.168.1.1 or 6,10.10.10.1)

    • Vinicius_Ribeiro
    • 1 yr ago

    Use the same IP address as your interface, because it will loop back to NextDNS

    e.g.
    6,192.168.1.1
    6,10.10.10.1

      • Matt.5
      • 1 yr ago

      Vinicius Ribeiro That didn't solve the problem.

    • Matt.5
    • 1 yr ago

    Thanks - I'm trying and I'll let you know what happens.
