Search the Community

I have a multi-segmented network (10.0.0.x, 10.0.1.x, 10.0.2.x) using all /24 (255.255.255.0) subnets. On the LAN is a router with static routes allowing all devices on the LAN to talk to one another. When I connect to the VPN, I can only talk to my own segment (10.0.1.x) because the client is modifying the routing tables in order to send traffic through the VPN. I reached out to support and their solution was to add a static route for the segment(s) I needed to talk to when connected. I did so via route -n add -net 10.0.0.0/24 10.0.0.252 (where the latter IP is the LAN gateway), and it worked for a few minutes until I lost all LAN/WAN connectivity. Even after disconnecting from the VPN I still could not access anything, LAN or WAN, until I ran netstat -r and let it hang for long enough that for whatever reason, it rebuilt the routing tables properly and I regained connectivity. It seems that the Torguard client is modifying the routing tables and then periodically checking on them to ensure VPN connectivity stays in place. This is why adding a static route will most likely never work, and why I lost all network connectivity when I modified the routing table while connected. There are certain services running on my desktop that clients from the 10.0.0.x segment need to access, no matter if I'm connected to the VPN or not. This is what I'm trying to solve and I would love a working solution to this issue. Thanks!

This tutorial speaks for itself Supplement for Topic: https://forum.openwrt.org/t/from-the-dns-privacy-project-dns-over-tls-on-openwrt-lede-featuring-unbound-getdns-and-stubby/13765 These are the best DNS PRIVACY NAME SERVERS for the detailed reasons listed below. Edit your /etc/stubby/stubby.yml - SSH and enter nano /etc/stubby/stubby.yml - Use these listed below for Stubby configuration. See here for correct format and layout: https://torguard.net/forums/index.php?/topic/1374-from-the-dns-privacy-project-dns-over-tls-on-openwrtlede-featuring-unbound-getdns-and-stubby/ In order to save you some time - here is a list of IPV4 DNS PRIVACY Name Servers which are QNAME minimisation enabled: This list contains in order Hostname for TLS authentication, IP address, TLS Port ( s ) and SPKI pin getdnsapi.net 185.49.141.37 853 foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9S= iana.tenta.io 99.192.182.200 853 nPzhfahBmQOFKbShlLBymTqPtZY31bPpKFnh0A86ys0= kaitain.restena.lu 158.64.1.29 853 7ftvIkA+UeN/ktVkovd/7rPZ6mbkhVI7/8HnFJIiLa4= dnsovertls2.sinodun.com 145.100.185.17 853 NAXBESvpjZMnPWQcrxa2KFIkHV/pDEIjRkA3hLWogSg= dns.cmrg.net 199.58.81.218 853 or 443 3IOHSS48KOc/zlkKGtI46a9TY9PPKDVGhE3W2ZS4JZo= dot.securedns.eu 146.185.167.43 853 or 443 h3mufC43MEqRD6uE4lz6gAgULZ5/riqH/E+U+jE3H8g= ns1.dnsprivacy.at 94.130.110.185 853 vqVQ9TcoR9RDY3TpO0MTXw1YQLjF44zdN3/4PkLwtEY= ns2.dnsprivacy.at 94.130.110.178 853 s5Em89o0kigwfBF1gcXWd8zlATSWVXsJ6ecZfmBDTKg= dns.neutopia.org 89.234.186.112 853 or 443 wTeXHM8aczvhRSi0cv2qOXkXInoDU+2C+M8MpRyT3OI= In order to save you some time - here is a list of IPV6 DNS PRIVACY Name Servers which are QNAME minimisation enabled: This list contains in order Hostname for TLS authentication, IP address, TLS Port ( s ) and SPKI pin getdnsapi.net 2a04:b900:0:100::37 853 foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9S= cloudflare-dns.com 2606:4700:4700::1111( or 1001 ) 853 yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc= kaitain.restena.lu 2001:a18:1::29 853 7ftvIkA+UeN/ktVkovd/7rPZ6mbkhVI7/8HnFJIiLa4= dnsovertls2.sinodun.com 2001:610:1:40ba:145:100:185:17 853 NAXBESvpjZMnPWQcrxa2KFIkHV/pDEIjRkA3hLWogSg= dns.cmrg.net 2001:470:1c:76d::53 53053/853/ or 443 5zFN3smRPuHIlM/8L+hANt99LW26T97RFHqHv90awjo= dot.securedns.eu 2a03:b0c0:0:1010::e9a:3001 853/443 h3mufC43MEqRD6uE4lz6gAgULZ5/riqH/E+U+jE3H8g= ns1.dnsprivacy.at 2a01:4f8:c0c:3c03::2 853 vqVQ9TcoR9RDY3TpO0MTXw1YQLjF44zdN3/4PkLwtEY= ns2.dnsprivacy.at 2a01:4f8:c0c:3bfc::2 853 s5Em89o0kigwfBF1gcXWd8zlATSWVXsJ6ecZfmBDTKg= dns.neutopia.org 2a00:5884:8209::2 853 /443 wTeXHM8aczvhRSi0cv2qOXkXInoDU+2C+M8MpRyT3OI= All of these name servers listed above DO NOT log ! repeat DO NOT log ! your DNS queries. In full disclosure some name servers claim to log traffic volume only. See here for details : https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers and look under " Logging " column. DNS query name minimisation to improve privacy, along with DNS resolution speed and accuracy - Run Test After Completing Full Setup These name servers listed above help to consistently ensure QNAME Minimisation functions as designed within UNBOUND ( The idea is to minimise the amount of data sent from the DNS resolver to the authoritative name server. ) Use either or both of these two methods to verify QNAME Minimisation A - You need to opkg install drill and - then run command : drill txt qnamemintest.internet.nl and / or B - opkg install bind-dig or opkg install bind-tools with command: dig txt qnamemintest.internet.nl +short and / or dig -t txt qnamemintest.internet.nl ( for more complete readout including DNSSEC results ) AD = Authenticated Data (for DNSSEC only; indicates that the data was authenticated) The results in any of these scenarios will show either: "HOORAY - QNAME minimisation is enabled on your resolver :)!” or “NO - QNAME minimisation is NOT enabled on your resolver :(.” Reference https://discourse.pi-hole.net/t/unbound-and-qname-minimisation/10038/4 You will and should get HOORAY ! - if you used the name servers listed in this guide for your Stubby configuration. Note: Starting with Unbound 1.7.2 qname minimisation is enabled by default. However, I still add these settings manually. These settings are entered in " /etc/unbound/unbound_srv.conf " file: qname-minimisation: yes qname-minimisation-strict: yes harden-below-nxdomain: yes For better DNS resolution follow the /etc/config/unbound file in this tutorial below ( where Lan and Wan are Unbound Triggers ) then add DNS resolvers as follows: Under Network > Interfaces > Edit Wan > Advanced Settings > Remove Check From Box Next To " Use DNS servers advertised by peer " and enter DNS Servers in order 127.0.0.1, along with Tenta ICANN nameservers 99.192.182.200 and 66.244.159.200 - Your DNS will still resolve using the upstream name servers you selected in stubby.yml - Things Will Work Fine and as Intended. I have found that it is best to use Tenta ICANN DNS name servers as " custom DNS servers " on the Wan interface. I chose Tenta ICANN DNS because their name servers support both emerging DNS privacy standards - DNS-over-TLS, and DNS-over-HTTPS, which both provide last mile encryption to keep your DNS queries private and free from tampering. Tenta DNS also is the only AnyCast DOT service which includes built-in BGP integration, offering single engine convenience for DNS Anycasting with QNAME minimisation enabled on its' name servers by default. Main benefits of Tenta ICANN DNS as the backbone name servers on OpenWrt: A - Stop ISPs from spying on your browser history. DNS-over-TLS adds a layer of encryption over your DNS requests, keeping your ISP from seeing which websites you visit. B - Stay private online. Tenta DNS logs a counter instead of queries so your data stays private. No one, not even Tenta, has access to your browsing data. https://tenta.com/dns-setup-guides Working /etc/config/unbound file nano /etc/config/unbound - edit as shown below config unbound option dns64 '0' option edns_size '4096' option extended_luci '1' option extended_stats '0' option hide_binddata '1' option domain 'yourdomain.com' option domain_type 'static' option enabled '1' option listen_port '53' option localservice '1' option luci_expanded '1' option manual_conf '0' option query_min_strict '1' option rebind_localhost '0' option rebind_protection '1' option recursion 'passive' option resource 'medium' option root_age '9' option ttl_min '120' option unbound_control '2' option validator '1' option validator_ntp '1' option query_minimize '1' option dhcp_link 'dnsmasq' option enabled '1' option protocol 'ip4_only' option prefetch_root '0' list trigger_interface 'lan' list trigger_interface 'wan' PS - Tenta DNS OVER TLS does not support IPV6 as of yet - but keep checking the DNS PRIVACY Monitoring Page as these things change frequently and all the time. This whole process is relatively new after all. In this case, under Network > Interfaces > Edit Wan > Advanced Settings > Remove Check From Box Next To " Use DNS servers advertised by peer " and enter DNS Servers in order Local host 127.0.0.1 and Cloudflare DNS 1.1.1.1 and 1.0.0.1 - Cloudflare supports DNS OVER TLS as well. I am not quite sure if you should enter Cloudflare DNS IPV6 Name Servers ( 2606:4700:4700::1111 and 2606:4700:4700::1001 ) here in the case you are using IPV6 blended with IPV4 or IPV6 exclusively.

I have been testing the new Seamless reconnect feature of TorGuard Windows client v0.3.78 and I am having a weird issue. I usually connect to the internet in my Windows 10 laptop via USB tethering my cellular network. Most of the times the network is stable. In the previous version, TorGuard v0.3.77, sometimes I randomly got disconnected and reconnected(most probably due to poor network reception?). The reconnect was automatic, I didn't have to do anything. But With the new Seamless reconnect feature in v0.3.78 the reconnect doesn't happen when the network comes back and a popup appears saying reconnect failed. I tested the theory by switching mobile data on/off. On the Standard Seamless reconnect, the network will automatically reconnect. But with the New Seamless reconnect, I get the popup as seen in the attached image when I switch back the network ON.

Hi, excuse me for not knowing this because I am new but someone can explain what this addition means: 10Gbit Premium Network - $19.99USD Monthly Upgrade to our premium 10Gbit network (USA, Netherlands, UK and Canada available)

Requirements openwrt (or any openwrt based firmware like LEDE openwrt) tor libevent2-openssl libevent2 libminiupnpc libnatpmp tor-geoip (optional) tor-fw-helper (optional) Description In this guide I will install and create tor on my openwrt router. My Wireless is isolated. You can change these setting as you wish, take only care that nobody from outside can reach your LAN's. At the end of this post is a script doing everything for you. You need only to adapt the script for your settings. For this guide, my router's lan ip is 192.168.1.3 This setup works for those who do use only proxy/socks product, vpn products or mix of them. It is very high grade of anonimity if all this works in some VPN, like TorGuard's which does work perfectly! What will we have at the end of this setup tor socks5 server on router's lan IP:9050 (in this example 192.168.1.3:9050) (you can set your system, browser or anything else to use socks5 which goes always over tor) Simple usage by joining WLAN (no need to setup anything on any device) set specific LAN port to go always through Tor, (especially usefull for those who use C-Lines for Card Sharing) Isolated Wireless Network (which is secured and can't communicate with LAN devices) Traffic is sent through TorGuard's proxy/socks5 (all tor's traffic sent through socks ot https proxy, Torguard Proxy port: 6060, TorGuard socks5 ports: 1080/1085/1090) (in this guide, we set only .onion and .exit urls to go over tor, all other pages will go over TorGuard's socks/proxy used by tor) (We also restrict usage on port 80 and 443 for the case that you need to hide from your ISP/VPN provder, TorGuard does not block) (if you are not using VPN, then you do hide the traffic from your ISP in using socks and from your socks provider by using only ports 80/443) (even if this setup is higly secure, consider using as addition obfsproxy which I will not cover in this guide) (socks5/proxy acts also as a fallback if your VPN stops working) This setup works if you are connected to a VPN (like TorGuard and openvpn, my router is currently in TorGuard's VPN) Installation of required packages: opkg update opkg install libevent2-openssl libevent2 libminiupnpc libnatpmp tor tor-fw-helper tor-geoip Create Tor interface with static IP 172.x.x.x Create DHCP server for tor interface Create 5Ghz and 2,4Ghz isolated wireless interfaces Add firewall zone and configure firewall for tor Configure tor with TorGuard services Download geoip and geoipv6 Reboot your router Script installing tor requirements, creating interface, configuring firewall If you are connected with TorGuards VPN and everything runs over VPN, then your tor might be inactive if it starts before openvpn during the boot because openvpn changes routes and tor needs to be restarted. In this case you can edit openvpn's start scripts, or tor's startscripts or simply adding this command under System->Startup section "Local Startup" # Put your custom commands here that should be executed once # the system init finished. By default this file does nothing. sleep 10 /etc/init.d/tor reload /etc/init.d/tor restart exit 0 How to get geoip and geoipv6 files TorGuard works blazing fast with Tor Network (!!!TORGUARD TEAM IS AMAZING, THANKS FOR GREAT SERVICES!!!) Thats it, enjoy tor network.

A noob question- can we enable file sharing and network discovery, along with Torguard? This is for streaming media over at home, and printer sharing? Or does it have any risk with VPN?

Hello all. I am stuck trying to setup a vm + vpn, while also having the host on vpn as well. When i connect my vpn on the vm i am unable to browse the internet on the vm, until i disconnect the vm vpn then i am able to browse through the host's vpn. I have the vm adapter set to NAT. Has anybody ran into this already or is this even possible? I am using virtualbox. Thanks