
Guide: Using OpenVPN + NextDNS together on Mac & iOS

There are many posts of people trying to use VPNs and NextDNS together, but this usually doesn't work well.

Here are my experiences on this for Mac and iOS with several working options. 

Tested on macOS 11.6 and iOS 15.1 beta (should be just fine on iOS 14).

Most VPN apps/providers obviously push their own DNS servers to prevent leaks, this is expected. 

Sometimes however it works to just enable the VPN connection first and then to enable the NextDNS connection afterwards (via app or activating the profile). This can override the VPN DNS, but if the VPN connection drops and reconnects, the VPN DNS will be used from this point on. 

This option can lead to some unexpected behaviors that will have to be tested for the specific VPN service/app in use.

The Viscosity app is an OpenVPN client that can be used with OpenVPN config files that most providers offer for downloading. 

  1. The first option is to just use Viscosity together with the NextDNS app or profile. Here, compared to the provider app option mentioned above, VPN connection drops and reconnects won't result in issues. The active NextDNS app or profile will work without switching it off and on again. If the NextDNS app or profile become inactive, the pushed VPN DNS will be used in Viscosity. If the NextDNS or profile become active again, they will override the pushed VPN DNS. So no matter which side drops the connection, there is no sequence to consider, it just works together.
  2. The second option is to use Viscosity's custom DNS settings without the NextDNS app or profile active. In the Viscosity networking tab, just enter your IPv6 NextDNS endpoint as shown on your NextDNS setup page. A disadvantage here is that you can't identify your device in the logs, because that's not possible with IPv6. DoH and DoT seemingly aren't supported for Viscosity's DNS settings. Make sure to consider the correct other settings (framed in red in the attached image).  
  3. The third option is to use Viscosity's custom DNS settings with the NextDNS app or profile active. This is the same setting as in option 2, but adds an active NextDNS app or profile connection. The NextDNS / profile connection overrides the custom DNS in Viscosity. If the NextDNS / profile connection drops, you still have the custom DNS in Viscosity active, just like in option 2. If the Viscosity VPN connection drops, the NextDNS app / profile will be the backup. This is the best option overall when using Viscosity. 

The Passepartout app is another OpenVPN client that can be used with OpenVPN config files (or some select VPN providers without using config files).

  1. As with the first Viscosity option, it's possible to use Passepartout together with the NextDNS app or profile without conflict. The same details apply. (Mac only)
  2. As with the second Viscosity option, it's possible to use Passepartout without the NextDNS app or profile active, by setting custom DNS. In the Passepartout DNS tab, just choose Manual and Cleartext and enter your IPv6 details. The same limitation for device identification applies. (Mac & iOS)
  3. The third option is a bit different to Viscosity's, since Passepartout supports DoH and DoT. So, using only Passepartout with DoH / DoT is an easy option. Make sure to also enter your NextDNS IPv6 endpoints from your NextDNS setup page and to URL encode your device name in case that is needed (as described at the bottom of your NextDNS setup page). (Mac & iOS)
  4. Option 4 is a combination of 1 and 3, i.e., using Passepartout with DoH / DoT and the NextDNS app / profile active. In this case (and in contrast to Viscosity's option 3) the VPN DNS settings from Passepartout will override the NextDNS app / profile. The advantage to Passepartout's option 3 is that after a VPN disconnect, the NextDNS app / profile will still be the backup. Another advantage (compared to Viscosity's option 3) is that even when your NextDNS app / profile connection drops, the device identifier will still work, because DoH / DoT is integrated here (whereas Viscosity would fall back to the IPv6 DNS). This is the best option overall when using Passepartout. (Mac only)

Some of the test sites I used:

https://test.nextdns.io

https://ping.nextdns.io

https://browserleaks.com/ip

https://www.dnsleaktest.com

https://www.dns-oarc.net/oarc/services/dnsentropy


(Crossposted on Reddit)
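Whichever option above is used, the thing worth verifying after every VPN reconnect is which resolvers macOS actually ended up with. The following script is an added example, not part of the original post or of any NextDNS, Viscosity or Passepartout software: it parses the output of `scutil --dns` (the macOS resolver dump), compares every listed nameserver against the NextDNS IPv6 endpoints copied from the setup page, and reports anything else (typically a VPN-pushed resolver) so that a leak is visible without going to a test site. The `scutil` sample embedded below and the `2a07:a8c0::5b:1234` / `2a07:a8c1::5b:1234` endpoint values are constructed placeholders; real endpoints come from your own setup page. It also shows the URL encoding of a device name that the DoH / DoT option asks for.

```python
"""Check which resolvers macOS is really using once VPN and NextDNS are both up.

Added example (not from the post). Parses `scutil --dns` output and flags any
nameserver that is not one of the NextDNS IPv6 endpoints from the setup page.
"""
import re
import subprocess
import sys
from ipaddress import ip_address
from urllib.parse import quote

NAMESERVER_RE = re.compile(r"nameserver\[\d+\]\s*:\s*(\S+)")

# Constructed sample in the shape `scutil --dns` prints: a VPN-pushed IPv4
# resolver on the tunnel plus the two NextDNS IPv6 endpoints (placeholders),
# and a scoped resolver for the physical interface. Not real output.
SAMPLE_SCUTIL = """\
DNS configuration

resolver #1
  nameserver[0] : 10.8.0.1
  nameserver[1] : 2a07:a8c0::5b:1234
  nameserver[2] : 2a07:a8c1::5b:1234
  if_index : 14 (utun3)
  flags    : Request A records, Request AAAA records
  reach    : 0x00000002 (Reachable)

DNS configuration (for scoped queries)

resolver #1
  nameserver[0] : 192.168.1.1
  if_index : 6 (en0)
  flags    : Scoped, Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)
"""


def parse_nameservers(scutil_output):
    """Return every resolver address in scutil output, de-duplicated, in order."""
    seen = []
    for raw in NAMESERVER_RE.findall(scutil_output):
        addr = ip_address(raw.split("%")[0])  # drop a zone id such as fe80::1%en0
        if addr not in seen:
            seen.append(addr)
    return seen


def check_resolvers(scutil_output, nextdns_endpoints):
    """Split configured resolvers into NextDNS endpoints and everything else.

    Returns (all_good, matched, others). all_good is True only when at least
    one NextDNS endpoint is present and no other resolver is configured, i.e.
    the VPN has not pushed its own DNS on top.
    """
    expected = {ip_address(e) for e in nextdns_endpoints}
    found = parse_nameservers(scutil_output)
    matched = [a for a in found if a in expected]
    others = [a for a in found if a not in expected]
    return (bool(matched) and not others, matched, others)


def encode_device_name(name):
    """URL-encode a device name for use in a DoH / DoT endpoint (safe='' also encodes '/')."""
    return quote(name, safe="")


def main(argv):
    # Pass your own endpoints as arguments; the defaults are placeholders.
    endpoints = argv[1:] or ["2a07:a8c0::5b:1234", "2a07:a8c1::5b:1234"]
    if sys.platform == "darwin":
        output = subprocess.run(["scutil", "--dns"], capture_output=True,
                                text=True, check=True).stdout
    else:
        output = SAMPLE_SCUTIL  # off-macOS: demonstrate on the constructed sample
    ok, matched, others = check_resolvers(output, endpoints)
    print("NextDNS endpoints in use:", ", ".join(map(str, matched)) or "none")
    print("other resolvers:", ", ".join(map(str, others)) or "none")
    print("OK: only NextDNS is configured" if ok else "WARNING: non-NextDNS resolver present")
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 check_dns.py 2a07:a8c0::5b:XXXX 2a07:a8c1::5b:XXXX` with the endpoints from your setup page, once with the VPN connected and once again after forcing a reconnect; a non-zero exit means a resolver other than NextDNS is active and the VPN DNS has won. Note that `scutil --dns` shows what the system is configured to use, not what a client that bypasses the system resolver (some VPN apps with their own DNS handling) actually sends, so the test sites listed above remain the final check.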

7 replies
  • This was very helpful. Thank you

    Like 1
  • Can you explain how to do Option 3 for Viscosity? I've already done option 2 for it but sometimes NextDNS will not connect and I'll have to go and refresh the Linked IP to get it working again

    Like
      • Chris
      • Chris.6
      • 6 days ago
      • 1

      Tony Z Option 3 is really just using Viscosity (configured with NextDNS) and the NextDNS app together. If one connection drops, there will be a fallback from the other app. This worked when I tested it, the NextDNS app seems to overrule the VPN DNS from Viscosity. You could try this even without configuring Viscosity, which is option 1.

      Option 2 depends on using the correct settings. You mentioned having to refresh a linked IP and that indicates something in your setup may not be correct because there is no need for a linked IP with this option. Are you maybe using the IPv4 endpoints? This would necessitate linking your IP. If you are using the IPv6 endpoints, as in the screenshot, no linked IP is necessary.

      The IPv6 endpoints you enter in Viscosity should look like this: 

      2a07:a8c0::5b:XXXX, 2a07:a8c1::5b:XXXX

      Use the numbers from your profile instead of XXXX, they are your configuration ID. 

      Also make sure the settings framed in red are correct:


      Like 1
      • Tony Z
      • Tony_Z
      • 3 days ago

      Chris Hi Chris, thanks for the clarification and explanation. I really appreciate it. I've enabled all the settings you have and have inputted my IPv6 servers. For reference, I have the NextDNS macOS application active while having Viscosity active and sometimes it simply won't use NextDNS unless I disable and re-enable it via the desktop application. Although it's a bit annoying, and I'm happy that it finally works, I'm wondering if you've ever had this happen to you as well and if there is a remedy for it. Thank you!

      Also, do you have any ideas on how we would be able to use Wireguard + NextDNS together? I've been trying to look for solutions for so long and haven't found anything. 

      Cheers, 

      Tony

      Like
      • Chris
      • Chris.6
      • 3 days ago
      • 1

      Tony Z You're welcome. 

      If your Viscosity setup has the IPv6 endpoints as in the screenshot, Viscosity should work on its own with NextDNS (option 2), I would make sure this is the case before using both apps. Feel free to let me know if this works. If not, Viscosity might have changed something or there is some hidden issue with the setup. I don't have Viscosity installed at the moment, so can't check again. 

      "For reference, I have the NextDNS macOS application active while having Viscosity active and sometimes it simply won't use NextDNS unless I disable and re-enable it via the desktop application. Although it's a bit annoying, and I'm happy that it finally works, I'm wondering if you've ever had this happen to you as well and if there is a remedy for it"

      So you are using option 3. There, if the connection drops, it shouldn't matter because option 2 has the NextDNS IPv6 DNS settings. So I would make sure again that option 2 is actually working, this would be all you need really.

      It seems likely that a reconnect of the VPN would get stuck with its own DNS settings and if they are not the NextDNS IPv6 endpoints in your case (for a currently unknown reason), this would necessitate the NextDNS app disable/reenable you describe. I have seen this when using third party VPN apps with the NextDNS app, they would either not work together, or NextDNS would have to be the last one to be activated in the chain. In my tests, this didn't apply to Viscosity or Passepartout however, only the official clients, probably due to them using firewall rules to prevent DNS leaks.

      "Also, do you have any ideas on how we would be able to use Wireguard + NextDNS together? I've been trying to look for solutions for so long and haven't found anything."

      There are some ways to change config files, but they all seemed like too much hassle. I didn't bother with this.

      Some VPN providers can use custom DNS though. I know 1 provider that works, Mullvad. You can put your IPv6 endpoints in the custom DNS setting and it will use NextDNS with an active VPN Wireguard connection. Tested on macOS and iOS. Their multi-hop feature won't work with custom DNS though. 

      Other providers I've tested:

      - OVPN has a custom DNS setting, but the NextDNS IPv6 endpoints weren't working, only IPv4 (which sucks because of the need to link the IP constantly).

      - Private Internet Access, same issue as with OVPN. 

      - Proton VPN, not sure about why it didn't work any more.

      I'd use Mullvad if I wanted to use NextDNS with a Wireguard VPN connection, they were the fastest of the tested ones as well (600 Mbps instead of 100–150 Mbps download).

      Like 1
      • Tony Z
      • Tony_Z
      • 3 days ago
      • 1

      Chris Again, Chris, thanks for the detailed reply. I coincidentally do have Mullvad VPN and have noticed that it does allow me to set custom DNS servers as long as I only allow for Mullvad to connect via Wireguard. 

      I've followed your instructions and have added the IPv6 servers from NextDNS to the app, however it repeatedly attempts to reconnect (see the video attached).

      In the video, I did not have the NextDNS app enabled on my desktop and this was what was happening. I tried it again with it enabled and the same result occurs. 

      I've also tested adding in both IPv6 and the two DNS servers under "Linked IP" in the profile page. The VPN connects this time, however, it says it isn't using NextDNS with a configuration (see attached photo).

      Oddly enough, when I remove the IPv6 servers, and I manually refresh the Linked IP and reconnect Mullvad, it finally uses NextDNS.

      Do you still remember what settings you enabled for it to work for you using IPv6?

      Thanks

      Like 1
      • Chris
      • Chris.6
      • 3 days ago
      • 1

      Tony Z No problem.

      I can see no issues with the Mullvad config, but I'll post some screenshots of mine, which works. I only ever used the IPv6 endpoints. I have set the Wireguard settings to automatic and am on the beta program (which you could try), but it always worked for me, even when I wasn't using the betas.

      Maybe it's not an issue with the apps (Viscosity or Mullvad). Maybe something is blocking IPv6 connections for you, like your router? 

      You could try on your phone with a mobile data connection and the IPv6 custom DNS configured in the Mullvad app, which would exclude the router as a factor.

      Like 1
  • 1 like
  • Last active 3 days ago
  • 7 replies
  • 1041 views
  • 2 following