
Guide: Using OpenVPN + NextDNS together on Mac & iOS

There are many posts of people trying to use VPNs and NextDNS together, but this usually doesn't work well.

Here are my experiences on this for Mac and iOS with several working options. 

Tested on macOS 11.6 and iOS 15.1 beta (should be just fine on iOS 14).

Most VPN apps/providers push their own DNS servers to prevent DNS leaks; this is expected.

Sometimes, however, it works to enable the VPN connection first and then activate NextDNS afterwards (via the app or by enabling the profile). This can override the VPN's DNS, but if the VPN connection drops and reconnects, the VPN's pushed DNS will be used from that point on.

This option can lead to unexpected behavior and has to be tested for the specific VPN service/app in use.

The Viscosity app is an OpenVPN client that can be used with OpenVPN config files that most providers offer for downloading. 

  1. The first option is to just use Viscosity together with the NextDNS app or profile. Here, compared to the provider-app option mentioned above, VPN connection drops and reconnects won't cause issues. The active NextDNS app or profile will keep working without switching it off and on again. If the NextDNS app or profile becomes inactive, the pushed VPN DNS will be used in Viscosity. If the NextDNS app or profile becomes active again, it will override the pushed VPN DNS. So no matter which side drops the connection, there is no sequence to consider; it just works together.
  2. The second option is to use Viscosity's custom DNS settings without the NextDNS app or profile active. In the Viscosity networking tab, just enter your IPv6 NextDNS endpoints as shown on your NextDNS setup page. A disadvantage here is that you can't identify your device in the logs, because that isn't possible with the plain IPv6 endpoints. DoH and DoT seemingly aren't supported in Viscosity's DNS settings. Make sure to set the other settings correctly as well (framed in red in the attached image).
  3. The third option is to use Viscosity's custom DNS settings with the NextDNS app or profile active. This is the same setting as in option 2, but adds an active NextDNS app or profile connection. The NextDNS app / profile connection overrides the custom DNS in Viscosity. If the NextDNS app / profile connection drops, you still have the custom DNS in Viscosity active, just like in option 2. If the Viscosity VPN connection drops, the NextDNS app / profile will be the backup. This is the best option overall when using Viscosity.

The Passepartout app is another OpenVPN client that can be used with OpenVPN config files (or some select VPN providers without using config files).

  1. As with the first Viscosity option, it's possible to use Passepartout together with the NextDNS app or profile without conflict. The same details apply. (Mac only)
  2. As with the second Viscosity option, it's possible to use Passepartout without the NextDNS app or profile active, by setting custom DNS. In the Passepartout DNS tab, just choose Manual and Cleartext and enter your IPv6 endpoints. The same limitation for device identification applies. (Mac & iOS)
  3. The third option is a bit different from Viscosity's, since Passepartout supports DoH and DoT. So using only Passepartout with DoH / DoT is an easy option. Make sure to also enter your NextDNS IPv6 endpoints from your NextDNS setup page and to URL-encode your device name in case that is needed (as described at the bottom of your NextDNS setup page). (Mac & iOS)
  4. Option 4 is a combination of 1 and 3, i.e., using Passepartout with DoH / DoT and the NextDNS app / profile active. In this case (and in contrast to Viscosity's option 3) the VPN DNS settings from Passepartout will override the NextDNS app / profile. The advantage over Passepartout's option 3 is that after a VPN disconnect, the NextDNS app / profile will still be the backup. Another advantage (compared to Viscosity's option 3) is that even when your NextDNS app / profile connection drops, the device identifier will still work, because DoH / DoT is integrated here (whereas Viscosity would fall back to the IPv6 DNS). This is the best option overall when using Passepartout. (Mac only)

Some of the test sites I used:

https://test.nextdns.io

https://ping.nextdns.io

https://browserleaks.com/ip

https://www.dnsleaktest.com

https://www.dns-oarc.net/oarc/services/dnsentropy

 

(Crossposted on Reddit)
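The custom-DNS options above (Viscosity option 2/3, Passepartout options 2 to 4) all come down to typing the right endpoint strings for your configuration ID, and the Passepartout DoH/DoT options additionally need the device name URL-encoded. The following helper is an added example for this guide, not code from NextDNS, Viscosity or Passepartout. It assumes (my assumption, not something the guide states) that a configuration ID is six hex characters embedded into the IPv6 endpoints as 2a07:a8c0::ab:cdef and 2a07:a8c1::ab:cdef, matching the 2a07:a8c0::5b:XXXX pattern shown in the thread, and that the DoH URL has the shape https://dns.nextdns.io/<id>/<device-name>. The ID "abcdef" used below is a placeholder.

```python
"""Build and recognise NextDNS endpoints for a configuration ID.

Added example; not code from NextDNS, Viscosity or Passepartout.
Assumptions (not stated on the page): the ID is six hex characters,
the IPv6 endpoints embed it as 2a07:a8c0::ab:cdef / 2a07:a8c1::ab:cdef,
and the DoH URL is https://dns.nextdns.io/<id>/<device-name>.
"""
import ipaddress
import re
from typing import List, Optional
from urllib.parse import quote

NEXTDNS_V6_PREFIXES = ("2a07:a8c0", "2a07:a8c1")
_ID_RE = re.compile(r"^[0-9a-f]{6}$")


def normalize_config_id(config_id: str) -> str:
    """Lower-case and validate the ID; refuse anything that is not six hex
    characters so a typo cannot silently turn into someone else's endpoint."""
    cid = config_id.strip().lower()
    if not _ID_RE.match(cid):
        raise ValueError(f"not a 6-hex-character NextDNS configuration ID: {config_id!r}")
    return cid


def ipv6_endpoints(config_id: str) -> List[str]:
    """The two IPv6 resolvers to paste into a client's custom DNS setting.
    No linked IP is needed: the ID travels inside the address itself."""
    cid = normalize_config_id(config_id)
    tail = f"{cid[:2]}:{cid[2:]}"
    addrs = [f"{prefix}::{tail}" for prefix in NEXTDNS_V6_PREFIXES]
    for addr in addrs:
        ipaddress.IPv6Address(addr)  # raises if the textual form is malformed
    return addrs


def doh_url(config_id: str, device_name: Optional[str] = None) -> str:
    """DoH endpoint with an optional device name. safe="" percent-encodes
    everything outside [A-Za-z0-9_.~-], so a '/' or space in the device name
    cannot add a path segment or break the URL."""
    cid = normalize_config_id(config_id)
    url = f"https://dns.nextdns.io/{cid}"
    if device_name:
        url += "/" + quote(device_name, safe="")
    return url


def config_id_from_ipv6(addr: str) -> Optional[str]:
    """Inverse of ipv6_endpoints(): recover the ID from a resolver address,
    or None if it is not a NextDNS endpoint at all (handy for spotting a
    client that points at a different profile than you think)."""
    try:
        groups = ipaddress.IPv6Address(addr).exploded.split(":")
    except ValueError:
        return None
    if ":".join(groups[:2]) not in NEXTDNS_V6_PREFIXES:
        return None
    if any(g != "0000" for g in groups[2:6]) or groups[6][:2] != "00":
        return None
    # groups[6] is the zero-padded "00ab" half, groups[7] the "cdef" half
    return groups[6][2:] + groups[7]


if __name__ == "__main__":
    # "abcdef" is a placeholder ID, not a real profile
    print(ipv6_endpoints("abcdef"))
    print(doh_url("abcdef", "Chris's MacBook"))
    print(config_id_from_ipv6("2a07:a8c1::ab:cdef"))
```

The validation matters more than it looks: a mistyped ID still yields a syntactically valid IPv6 address, so a client would happily send all its queries to a stranger's profile without any error.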

18 replies

    • Tony_Z, 1 yr ago

    This was very helpful. Thank you

    • Tony_Z, 1 yr ago

    Can you explain how to do Option 3 for Viscosity? I've already done option 2 for it but sometimes NextDNS will not connect and I'll have to go and refresh the Linked IP to get it working again

      • Chris.6, 1 yr ago

      Tony Z Option 3 is really just using Viscosity (configured with NextDNS) and the NextDNS app together. If one connection drops, there will be a fallback from the other app. This worked when I tested it, the NextDNS app seems to overrule the VPN DNS from Viscosity. You could try this even without configuring Viscosity, which is option 1.

      Option 2 depends on using the correct settings. You mentioned having to refresh a linked IP and that indicates something in your setup may not be correct because there is no need for a linked IP with this option. Are you maybe using the IPv4 endpoints? This would necessitate linking your IP. If you are using the IPv6 endpoints, as in the screenshot, no linked IP is necessary.

      The IPv6 endpoints you enter in Viscosity should look like this: 

      2a07:a8c0::5b:XXXX, 2a07:a8c1::5b:XXXX

      Use the numbers from your profile instead of XXXX, they are your configuration ID. 

      Also make sure the settings framed in red are correct:

       

      • Tony_Z, 1 yr ago

      Chris Hi Chris, thanks for the clarification and explanation. I really appreciate it. I've enabled all the settings you have and have inputted my IPv6 servers. For reference, I have the NextDNS macOS application active while having Viscosity active and sometimes it simply won't use NextDNS unless I disable and re-enable it via the desktop application. Although it's a bit annoying, and I'm happy that it finally works, I'm wondering if you've ever had this happen to you as well and if there is a remedy for it. Thank you!

      Also, do you have any ideas on how we would be able to use Wireguard + NextDNS together? I've been trying to look for solutions for so long and haven't found anything. 

      Cheers, 

      Tony

      • Chris.6, 1 yr ago

      Tony Z You're welcome. 

      If your Viscosity setup has the IPv6 endpoints as in the screenshot, Viscosity should work on its own with NextDNS (option 2), I would make sure this is the case before using both apps. Feel free to let me know if this works. If not, Viscosity might have changed something or there is some hidden issue with the setup. I don't have Viscosity installed at the moment, so can't check again. 

      "For reference, I have the NextDNS MacOS application active while having Viscosity active and sometimes it simply won't use NextDNS unless I disable and reenable it via the desktop application. Althought its a bit annoying, and I'm happy that it finally works, I'm wondering if you've ever had this happen to you as well and if there is a remedy for it"

      So you are using option 3. There, if the connection drops, it shouldn't matter because option 2 has the NextDNS IPv6 DNS settings. So I would make sure again that option 2 is actually working, this would be all you need really.

      It seems likely that a reconnect of the VPN would get stuck with its own DNS settings and if they are not the NextDNS IPv6 endpoints in your case (for a currently unknown reason), this would necessitate the NextDNS app disable/reenable you describe. I have seen this when using third party VPN apps with the NextDNS app, they would either not work together, or NextDNS would have to be the last one to be activated in the chain. In my tests, this didn't apply to Viscosity or Passepartout however, only the official clients, probably due to them using firewall rules to prevent DNS leaks.

      "Also, do you have any ideas on how we would be able to use Wireguard + NextDNS together? I've been trying to look for solutions for so long and haven't found anything."

      There are some ways to change config files, but they all seemed like too much hassle. I didn't bother with this.

      Some VPN providers can use custom DNS though. I know 1 provider that works, Mullvad. You can put your IPv6 endpoints in the custom DNS setting and it will use NextDNS with an active VPN Wireguard connection. Tested on macOS and iOS. Their multi-hop feature won't work with custom DNS though. 

      Other providers I've tested:

      - OVPN has a custom DNS setting, but the NextDNS IPv6 endpoints weren't working, only IPv4 (which sucks because of the need to link the IP constantly).

      - Private Internet Access, same issue as with OVPN. 

      - Proton VPN, not sure about why it didn't work any more.

      I'd use Mullvad if I wanted to use NextDNS with a Wireguard VPN connection, they were the fastest of the tested ones as well (600 Mbps instead of 100–150 Mbps download).
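The symptom discussed above (a VPN reconnect quietly putting the VPN's pushed resolver back in charge until the NextDNS app is toggled) is easier to diagnose from the resolver list macOS is actually using than from a browser test page. The script below is an added example for this thread, not code from NextDNS, Viscosity, Passepartout or Mullvad. It parses the text that `scutil --dns` prints on macOS (the "resolver #N" blocks with `nameserver[i] : ADDR` and `if_index : N (ifname)` lines) and reports whether the default resolver is the NextDNS IPv6 pair for your configuration ID, a NextDNS address for some other ID, or something else entirely. The two samples are constructed for the example with the placeholder ID "abcdef", not captured from a real machine; the 2a07:a8c0:: / 2a07:a8c1:: address form is the pattern shown earlier in the thread.

```python
"""Which resolvers is macOS really using, and are they my NextDNS endpoints?

Added example; not code from NextDNS, Viscosity, Passepartout or Mullvad.
Assumes the text layout of `scutil --dns`; samples below are constructed.
"""
import re
import subprocess
from dataclasses import dataclass, field
from typing import Dict, List, Optional

NEXTDNS_V6_PREFIXES = ("2a07:a8c0::", "2a07:a8c1::")

_RESOLVER_RE = re.compile(r"^resolver #(\d+)")
_NS_RE = re.compile(r"^\s*nameserver\[\d+\]\s*:\s*(\S+)")
_IF_RE = re.compile(r"^\s*if_index\s*:\s*\d+\s*\((\S+)\)")


@dataclass
class Resolver:
    index: int
    scoped: bool                     # listed under "(for scoped queries)"
    nameservers: List[str] = field(default_factory=list)
    interface: Optional[str] = None  # utunN for a VPN tunnel, en0 for Wi-Fi


def parse_scutil_dns(text: str) -> List[Resolver]:
    """Parse `scutil --dns` output into Resolver records, in listed order."""
    resolvers: List[Resolver] = []
    scoped = False
    cur: Optional[Resolver] = None
    for line in text.splitlines():
        if line.startswith("DNS configuration (for scoped queries)"):
            scoped = True
            continue
        m = _RESOLVER_RE.match(line)
        if m:
            cur = Resolver(index=int(m.group(1)), scoped=scoped)
            resolvers.append(cur)
            continue
        if cur is None:
            continue
        m = _NS_RE.match(line)
        if m:
            cur.nameservers.append(m.group(1).lower())
            continue
        m = _IF_RE.match(line)
        if m:
            cur.interface = m.group(1)
    return resolvers


def nextdns_in_effect(resolvers: List[Resolver], config_id: str) -> Dict[str, object]:
    """Judge the first unscoped resolver with nameservers: that is what ordinary
    lookups use. Scoped resolvers only serve interface-bound queries, so a
    NextDNS entry surviving only there still means normal traffic goes to
    whatever the VPN pushed."""
    cid = config_id.strip().lower()
    wanted = {f"{p}{cid[:2]}:{cid[2:]}" for p in NEXTDNS_V6_PREFIXES}
    default = [r for r in resolvers if not r.scoped and r.nameservers]
    if not default:
        return {"status": "no-resolver", "nameservers": [], "interface": None}
    primary = default[0]
    ns = set(primary.nameservers)
    if ns & wanted:
        status = "nextdns"                 # your profile is answering
    elif any(n.startswith(NEXTDNS_V6_PREFIXES) for n in ns):
        status = "nextdns-other-profile"   # NextDNS, but not this ID
    else:
        status = "other-dns"               # VPN-pushed, router or ISP DNS
    return {"status": status, "nameservers": primary.nameservers,
            "interface": primary.interface}


def check_live(config_id: str) -> Dict[str, object]:
    """Run the real command (macOS only) and evaluate the result."""
    out = subprocess.run(["scutil", "--dns"], capture_output=True,
                         text=True, check=True).stdout
    return nextdns_in_effect(parse_scutil_dns(out), config_id)


# Constructed sample: after a reconnect the VPN's pushed resolver (10.8.0.1 on
# utun3) is the default again; the Wi-Fi resolver only remains as a scoped entry.
SAMPLE_VPN_PUSHED = """DNS configuration

resolver #1
  nameserver[0] : 10.8.0.1
  if_index : 20 (utun3)
  flags    : Request A records, Request AAAA records

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5

DNS configuration (for scoped queries)

resolver #1
  nameserver[0] : 192.168.1.1
  if_index : 6 (en0)
  flags    : Scoped, Request A records, Request AAAA records
"""

# Constructed sample: the NextDNS IPv6 pair for placeholder ID "abcdef" is the
# default resolver, which is what a working Viscosity option 2 looks like.
SAMPLE_NEXTDNS = SAMPLE_VPN_PUSHED.replace(
    "nameserver[0] : 10.8.0.1",
    "nameserver[0] : 2a07:a8c0::ab:cdef\n  nameserver[1] : 2a07:a8c1::ab:cdef")

if __name__ == "__main__":
    print(nextdns_in_effect(parse_scutil_dns(SAMPLE_VPN_PUSHED), "abcdef"))
    print(nextdns_in_effect(parse_scutil_dns(SAMPLE_NEXTDNS), "abcdef"))
```

Run `check_live("your-id")` before and after forcing a VPN reconnect: if the status flips from "nextdns" to "other-dns" with the interface still reported as the utun tunnel, the client is restoring its pushed DNS on reconnect, which is exactly the case where the NextDNS app has to be toggled.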

      • Tony_Z, 1 yr ago

      Chris Again, Chris, thanks for the detailed reply. I coincidentally do have Mullvad VPN and have noticed that it does allow me to set custom DNS servers as long as I only allow for Mullvad to connect via Wireguard. 

      I've followed your instructions and have added the IPv6 servers from NextDNS to the app, however it repeatedly attempts to reconnect (see the video attached).

      In the video, I did not have the NextDNS app enabled on my desktop and this was what was happening. I tried it again with it enabled and the same result occurs. 

      I've also tested adding in both IPv6 and the two DNS servers under "Linked IP" in the profile page. The VPN connects this time, however, it says it isn't using NextDNS with a configuration (see attached photo).

      Oddly enough, when I remove the IPv6 servers, and I manually refresh the Linked IP and reconnect Mullvad, it finally uses NextDNS.

      Do you still remember what settings you enabled for it to work for you using IPv6?

      Thanks

      • Chris.6, 1 yr ago

      Tony Z No problem.

      I can see no issues with the Mullvad config, but I'll post some screenshots of mine, which works. I only ever used the IPv6 endpoints. I have set the Wireguard settings to automatic and am on the beta program (which you could try), but it always worked for me, even when I wasn't using the betas.

      Maybe it's not an issue with the apps (Viscosity or Mullvad). Maybe something is blocking IPv6 connections for you, like your router? 

      You could try on your phone with a mobile data connection and the IPv6 custom DNS configured in the Mullvad app, which would exclude the router as a factor.

    • Tony_Z, 1 yr ago

    Hey Chris, 

    I assumed you were correct in your most recent reply to me about it being my router having the problems and not necessarily the actual VPN/DNS itself. However, after a couple of days, I was looking through NextDNS and found a "configuration profile generator" for NDNS and it said it was recommended. I downloaded it, and installed it and to my surprise, after I enabled Mullvad without any custom settings or the custom DNS options enabled, everything worked, for both openvpn and wireguard. 

      • Chris.6, 1 yr ago

      Tony Z Hey Tony,

      Given that the NextDNS profile and the NextDNS app use practically the same underlying technology, it's very similar to the setup of using the NextDNS app and VPN app together. You also might get some unexpected behavior like this, just as when you had to disable and re-enable the NextDNS app.

      VPN apps usually take precedence and this might be fixed by the provider since it's technically a DNS leak. Some provider apps with integrated DNS leak checks (like OVPN's app) will also put a huge strain on the CPU because they freak out about the "wrong" DNS. 

      This is also just a band-aid that gets around the IPv6 issue you have. In any case, the fact that multiple apps (Viscosity, Mullvad) don't work with the IPv6 endpoints, points to an IPv6 issue with your local network / router, client devices or even ISP. 

      You could try other IPv6 endpoints in Mullvad, like Cloudflare's (2606:4700:4700::1111, 2606:4700:4700::1001).

      I'm glad you found an option that works and I'd say go for it as long as it does, but it's not an ideal setup and I myself would look into the IPv6 issue further.

      • Tony_Z, 1 yr ago

      Chris Hi Chris, 

      I did not think of these problems you've mentioned and I'll be sure to check and go through my router over the weekend. I've done the test using Mullvad Wireguard with the NDNS like you have mentioned and I was wondering if these results were good or not. I'll still be looking at my router settings regardless. 

      • Chris.6, 1 yr ago

      Tony Z That's fine. As expected, the ISP DNS is running on IPv4. 

      When using Mullvad with the NextDNS IPv6 endpoints, it says IPv6 for me, so this page can be used as a quick way to check this. 

      Things you could try to see if IPv6 works at all:

      - Mullvad with custom DNS on your phone (I can only speak for iOS working) on your home network

      - Mullvad with custom DNS on your phone with a data connection (not on your home network), to see if the router is a factor

      - Changing the Mac DNS locally without running the Mullvad app, Private Relay, NextDNS app or NextDNS profile (inactivate it temporarily)*

      *You can do this in System Preferences > Network > Wi-Fi > Advanced > DNS, as seen in the screenshot attached. Don't forget to hit apply in the end. 

      • Tony_Z, 1 yr ago

      Chris 

      Chris said:
      Given that the NextDNS profile and the NextDNS app use practically the same underlying technology, it's very similar to the setup of using the NextDNS app and VPN app together. You also might get some unexpected behavior like this, just was when you had to disable and reenable the NextDNS app. 

      Again, it's just very odd that when I put the IPv6 servers into the Mullvad app on my Mac, it doesn't connect, but when I use my phone, it works perfectly fine...

      I'm starting to think it might be because of the fact that I'm on the Developer Beta on Ventura 13.0 

      • Chris.6, 1 yr ago

      Tony Z I see. Your Mac seems to be the issue then. Running the beta might explain it. It works on Monterey.

      • Tony_Z, 1 yr ago

      Chris Yeah it definitely seems like the culprit is my Mac rather than the actual router now. I appreciate you taking the time to diagnose and to help me sort this all out Chris. Thank you!

      • Chris.6, 1 yr ago

      Tony Z No problem, hopefully this will be resolved soon. You could mention it on Mullvad's Github, but since the IPv6 endpoints in macOS network settings didn't work either, it looks like sending Apple feedback might be the best option.

      • Tony_Z, 1 yr ago

      Chris I'll be sure to report it to Apple now, now that I know that it's definitely due to something off in macOS.

      • Chris.6, 1 yr ago

      Tony Z Ok, this really seems like an issue with your Mac in that case. Router / network should be fine, since it works on your phone on Wi-Fi.
