Guide: Using OpenVPN + NextDNS together on Mac & iOS
There are many posts of people trying to use VPNs and NextDNS together, but this usually doesn't work well.
Here are my experiences on this for Mac and iOS with several working options.
Tested on macOS 11.6 and iOS 15.1 beta (should be just fine on iOS 14).
Most VPN apps/providers push their own DNS servers to prevent leaks; this is expected.
Sometimes, however, it works to enable the VPN connection first and then activate NextDNS afterwards (via the app or by activating the profile). This can override the VPN DNS, but if the VPN connection drops and reconnects, the VPN DNS will be used from that point on.
This option can lead to some unexpected behaviors that will have to be tested for the specific VPN service/app in use.
The Viscosity app is an OpenVPN client that can be used with the OpenVPN config files that most providers offer for download.
- The first option is to just use Viscosity together with the NextDNS app or profile. Here, compared to the provider-app option mentioned above, VPN connection drops and reconnects won't cause issues. The active NextDNS app or profile keeps working without having to switch it off and on again. If the NextDNS app or profile becomes inactive, the pushed VPN DNS will be used in Viscosity. If the NextDNS app or profile becomes active again, it will override the pushed VPN DNS. So no matter which side drops the connection, there is no sequence to consider; it just works together.
- The second option is to use Viscosity's custom DNS settings without the NextDNS app or profile active. In the Viscosity networking tab, just enter your IPv6 NextDNS endpoint as shown on your NextDNS setup page. A disadvantage here is that you can't identify your device in the logs, because that's not possible with IPv6. DoH and DoT seemingly aren't supported in Viscosity's DNS settings. Make sure the other settings are also set correctly (framed in red in the attached image).
- The third option is to use Viscosity's custom DNS settings with the NextDNS app or profile active. This is the same setting as in option 2, but adds an active NextDNS app or profile connection. The NextDNS / profile connection overrides the custom DNS in Viscosity. If the NextDNS / profile connection drops, you still have the custom DNS in Viscosity active, just like in option 2. If the Viscosity VPN connection drops, the NextDNS app / profile will be the backup. This is the best option overall when using Viscosity.
The Passepartout app is another OpenVPN client that can be used with OpenVPN config files (or some select VPN providers without using config files).
- As with the first Viscosity option, it's possible to use Passepartout together with the NextDNS app or profile without conflict. The same details apply. (Mac only)
- As with the second Viscosity option, it's possible to use Passepartout without the NextDNS app or profile active, by setting custom DNS. In the Passepartout DNS tab, just choose Manual and Cleartext and enter your IPv6 details. The same limitation for device identification applies. (Mac & iOS)
- The third option is a bit different from Viscosity's, since Passepartout supports DoH and DoT. So, using only Passepartout with DoH / DoT is an easy option. Make sure to also enter your NextDNS IPv6 endpoints from your NextDNS setup page and to URL-encode your device name in case that is needed (as described at the bottom of your NextDNS setup page). (Mac & iOS)
- Option 4 is a combination of 1 and 3, i.e., using Passepartout with DoH / DoT and the NextDNS app / profile active. In this case (and in contrast to Viscosity's option 3) the VPN DNS settings from Passepartout will override the NextDNS app / profile. The advantage over Passepartout's option 3 is that after a VPN disconnect, the NextDNS app / profile will still be the backup. Another advantage (compared to Viscosity's option 3) is that even when your NextDNS app / profile connection drops, the device identifier will still work, because DoH / DoT is integrated here (whereas Viscosity would fall back to the IPv6 DNS). This is the best option overall when using Passepartout. (Mac only)
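A local way to verify which resolver each of these options actually leaves active on macOS, added here as an example and not part of the original post: it parses `scutil --dns` output and flags any resolver whose servers are not your NextDNS endpoints (the telltale sign that a VPN reconnect pushed its own DNS back in). The sample output, the interface names and all addresses below are constructed placeholders.

```python
import re

# Constructed sample of `scutil --dns` output (not captured from a real Mac):
# a VPN tunnel (utun3) whose pushed resolver replaced NextDNS, plus a Wi-Fi
# resolver (en0) that still points at the NextDNS endpoints.
SAMPLE_SCUTIL_DNS = """\
DNS configuration

resolver #1
  nameserver[0] : 203.0.113.53
  if_index : 14 (utun3)
  flags    : Request A records, Request AAAA records
  reach    : 0x00000002 (Reachable)

resolver #2
  nameserver[0] : 2001:db8:a8c0::1234
  nameserver[1] : 2001:db8:a8c1::1234
  if_index : 6 (en0)
  flags    : Request A records, Request AAAA records
  reach    : 0x00000002 (Reachable)
"""

# Placeholder values: copy the real IPv6 endpoints from your NextDNS setup page.
EXPECTED_NEXTDNS = {"2001:db8:a8c0::1234", "2001:db8:a8c1::1234"}

RESOLVER_RE = re.compile(r"^resolver #(\d+)", re.M)
NS_RE = re.compile(r"^\s*nameserver\[\d+\]\s*:\s*(\S+)", re.M)
IF_RE = re.compile(r"^\s*if_index\s*:\s*\d+\s*\((\w+)\)", re.M)


def parse_resolvers(text):
    """Split scutil output into per-resolver dicts: id, interface, nameservers."""
    resolvers = []
    parts = RESOLVER_RE.split(text)[1:]  # [id, body, id, body, ...]
    for rid, body in zip(parts[::2], parts[1::2]):
        iface = IF_RE.search(body)
        resolvers.append({"id": int(rid),
                          "iface": iface.group(1) if iface else None,
                          "nameservers": NS_RE.findall(body)})
    return resolvers


def find_leaks(text, expected):
    """Return (interface, [servers]) for every resolver not using NextDNS."""
    leaks = []
    for r in parse_resolvers(text):
        foreign = [ns for ns in r["nameservers"] if ns not in expected]
        if foreign:
            leaks.append((r["iface"], foreign))
    return leaks


if __name__ == "__main__":
    for iface, servers in find_leaks(SAMPLE_SCUTIL_DNS, EXPECTED_NEXTDNS):
        print(f"{iface}: resolver is not NextDNS -> {', '.join(servers)}")
```

On a real machine, feed `subprocess.check_output(["scutil", "--dns"], text=True)` into `find_leaks` instead of the sample and run it once before and once after the VPN reconnects to see whether the pushed DNS took over.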
Some of the test sites I used:
(Crossposted on Reddit)