Hi,
I have changed my ISP router for something more customisable, then flashed openwrt on it and set up pi-hole on a raspberry pi. So far so good and it does block a good share of connections from local devices such as smart TV and radio and Bae’s devices. Mine are using a VPN so they’re not really affected.
But, if I get things right, my ISP still sees traffic from our home (outside of my devices). With the view of generally minimising the amount of data we give out, would you recommend setting up a VPN on the router, perhaps for devices not already using one locally? Would this run alongside pi-hole or negate any point of pi-hole?
Thanks!
I’m looking for a Wireguard VPN router for my home which does the following:
#1. 900 Mbps or higher speed on Wireguard.
#2. Able to connect to multiple VPN locations at once (so that I can assign different IP/location to my different devices like phone, TV, laptop, etc.) [by using ProtonVPN on the router itself]
#3. Able to use internet without VPN (in case I feel VPN is slow OR to access VPN restricted sites)
#4. Killswitch
I’m not a network pro, so can’t do complex mod. on my own. [need complete tutorials].
Gl inet flint2 does #1 but apparently it doesn’t do #2 without flashing etc.
I’m looking to get 1 Gbps or higher speed on Wireguard.
Q1. Asus RT-AXE7800 seems to have higher specs than Flint 2, do you think it will give more Wireguard speed than Flint 2?
Q2. Can RT-AXE7800 do #2, 3 and 4? If yes, what I need to do for that? (Step by step tutorial please)
Q3. Any other router recommendations?
This is very much possible with OPNsense, which we recommend, using policy based routing, and it has been on my to-do list to write a guide for that: OPNSense split tunnel guide with VLANs · Issue #1863 · privacyguides/privacyguides.org · GitHub
I don’t know about those Asus devices or the Gl device, but the OPNSense offerings are very much capable.
There is a youtube here for doing it with pfsense https://www.youtube.com/watch?v=ulRgecz0UsQ
@dngray Please recommend me a router to buy
This might be useful: Making sure you're not a bot!
I did search different forums, but could not find sufficient answers to my questions below.
I live in an Eyes country in Europe.
I have a privacy respecting ISP (actually true), as far as the law lets them.
Today I have Mullvad together with a private DNS via nextdns.
-
On Proton’s website, they claim that a separate DNS provider when you use a VPN is redundant. But I see a lot of people here who use it. There should be a clear winner here, but I can’t seem to find an answer to it. Is a separate private DNS redundant when using a VPN? Or does it just make you stand out more?
-
I trust my ISP, that they are not snooping, and that they hand out data, when there is legal ground for it. Would you use a VPN anyway, or would you just use a private DNS? The main reason for using a VPN is to hide from your ISP right?
My main reason to use third party DNS is blocklists and custom rules to block or allow sites. I am using Control D for that. VPNs’ own DNS servers are not good enough to do that.
If both the VPN and the DNS are on the same machine, there’s a fair amount of redundancy, depending on the setup.
If the DNS is only on the browser, then what’s happening in the browser goes through the DNS, but what’s happening outside the browser goes through the VPN. For example, you’re using a desktop email app instead of using email through your browser. In that case, the email is going through the VPN.
The way to have both layers at the same time is to have one set up on your router, and the other on your machine. But for the majority of people that’s overkill, unless you want to take advantage of the custom blocking with DNS, which can be very good.
I’ve experimented with that before. I keep permanent ‘kill-switch’ VPN in my router, and when I added DNS to my desktop machine it helped to block ads that I otherwise had trouble blocking. These days I only use the router VPN, in order to keep my setup a bit simpler. It’s easy to make things more complicated than they need to be.
Normally, one or the other is enough for most people. But if certain ads (which your browser ad blocker isn’t stopping) are driving you nuts, DNS is good.
1 - The most common reason it is typically not recommended to use a separate DNS provider with your VPN is that you risk exposing your browsing activity through DNS leaks. This can occur when DNS queries are not routed through the VPN’s encrypted tunnel, potentially revealing the websites you visit to your ISP or other third parties.
2 - See the VPN Overview.
Wait so, if I have DNS configured on my router and I use a VPN, I might have a DNS leak?
Should I remove the DNS setup altogether from my router and just always use the VPN then?
Even if you fully trust your ISP, you can’t control when your IP address changes. You’ll also still be vulnerable to DDoS attacks against your home router. Plus they’re useful as well for connecting to a website from different regions if you want to bypass certain restrictions. Plenty of uses for a VPN outside of hiding your traffic from your ISP.
Yes, it’s possible. I am not knowledgeable enough to say one way or another whether it is probable, but it is the typical reason it’s not recommended. For example, Proton and Mullvad both say not to.
EDIT: @win11.shading291 re-reading this, I think if you have a DNS configured on your router and you use a VPN on a specific device, the VPN’s DNS is going to override the one your router is using unless the VPN is specifically configured to use that DNS. You could always do something like an nslookup to check which DNS is being used.
This might be a good subject for @jordan to consider doing a brief video on. As I see lots of VPNs say this but they don’t go into detail about the risks.
I can’t say one way or another, I personally do not use a private DNS with my VPN as I rather just have one party to trust instead of two (the vpn provider and the dns provider). Others such as Techlore choose to use a private DNS with their VPN.
Hopefully one of the other more knowledgeable users (some of whom work on VPNs or are devs of DNS) could answer this question.
Thanks!
Pinging @ignoramous
Most of the suggestions (including yours) on this thread are on point.
If your VPN tunnels are set up as instructed by the public providers themselves (ex: setting up their apps as laid out by them), especially the ones that are privacy focused (like the ones oft recommended here, Proton, iVPN, Windscribe etc), it is unlikely (not an impossibility) you’d end up with “leaks”.
You can always check for “DNS leaks” (in the steady state) using web-based services like which.nameserve.rs, dnscheck.tools, browserleaks.com/dns etc. Easy to use, but these tools are prone to false positives. And most importantly, these tools won’t proactively help detect “leaks” due to edge cases (not steady) and/or misconfiguration as they happen.
On some platforms (like Android), OS-enforced “kill switches” exist to prevent leaks (of not just DNS but all network traffic) in both steady and non-steady states. On other platforms (like iOS), the OS reserves special treatment for privileged apps (like that of Apple’s).
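An added example, not from any poster in this thread, for the nslookup check suggested earlier and the steady-state leak checks above: a small Python helper that reads the Server/Address header from nslookup output and reports whether the VPN's own resolver, a LAN resolver such as the router or Pi-hole, or something else answered. The resolver address 10.2.0.1, the LAN range and the nslookup transcripts are constructed placeholders, not values from the thread.

```python
# Added example (not from the thread): parse the Server/Address header of an
# nslookup run and say which resolver answered. Addresses and transcripts are
# constructed placeholders.
import ipaddress
import re
from typing import Optional

# Constructed nslookup output, Linux/macOS form (note the '#53' port suffix).
SAMPLE_LINUX = "Server:\t\t10.2.0.1\nAddress:\t10.2.0.1#53\n\nName:\texample.com\nAddress: 93.184.216.34\n"
# Constructed nslookup output, Windows form (no port suffix, 'UnKnown' server name).
SAMPLE_WINDOWS = "Server:  UnKnown\nAddress:  192.168.1.2\n\nName:    example.com\nAddress:  93.184.216.34\n"

# Placeholders: the VPN tunnel's resolver and the home LAN (router / Pi-hole).
VPN_RESOLVERS = {"10.2.0.1"}
HOME_LAN = ipaddress.ip_network("192.168.1.0/24")


def answering_resolver(nslookup_output: str) -> Optional[str]:
    """IP of the resolver that answered: the first 'Address:' line after the
    'Server:' header, with any '#port' suffix stripped. None if absent."""
    lines = nslookup_output.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("Server:"):
            for nxt in lines[i + 1:]:
                m = re.match(r"Address:\s*([0-9A-Fa-f.:]+?)(?:#\d+)?\s*$", nxt)
                if m:
                    return m.group(1)
            break
    return None


def classify_resolver(ip: str) -> str:
    """'vpn' if the VPN's resolver answered, 'lan' if the router or Pi-hole did,
    'other' for a resolver neither layer accounts for (worth a closer look)."""
    if ip in VPN_RESOLVERS:
        return "vpn"
    if ipaddress.ip_address(ip) in HOME_LAN:
        return "lan"
    return "other"


def check(nslookup_output: str) -> str:
    """Both steps together; 'unknown' when no resolver line was found."""
    ip = answering_resolver(nslookup_output)
    return "unknown" if ip is None else classify_resolver(ip)


if __name__ == "__main__":
    for name, sample in (("linux", SAMPLE_LINUX), ("windows", SAMPLE_WINDOWS)):
        print(name, answering_resolver(sample), check(sample))
```

Run it against the output of a real `nslookup example.com` on the device in question; an "other" result means the stub resolver is talking to a server neither the VPN nor the router accounts for.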
Great, that’s what I was thinking!
Thanks! I checked all 3 and they seem to give the expected result.
I’ll assume everything is OK.
I like to keep the DNS configured for the other people in my home that don’t necessarily use VPNs.