Force clients to use a specific DNS with IKEv2 #1565

Closed
5 of 6 tasks
fkoemep opened this issue Jun 15, 2024 · 3 comments
Comments

@fkoemep

fkoemep commented Jun 15, 2024

Describe the issue
I am having issues trying to force my client to go through the dnscrypt-proxy server I'm running on the same server as the VPN. The idea is to forcefully redirect all DNS queries to 127.0.0.1:53, which is the address where dnscrypt-proxy is running, but I can't seem to figure it out.

I tried applying these rules, but the DNS queries are still sent through the configured DNS addresses specified during the setup scripts:

sudo iptables -t nat -D PREROUTING -p udp --dport 53 -j DNAT --to-destination 127.0.0.1:53
sudo iptables -t nat -D PREROUTING -p udp --dport 5353 -j DNAT --to-destination 127.0.0.1:53
sudo iptables -t nat -D PREROUTING -p udp --dport 853 -j DNAT --to-destination 127.0.0.1:53
sudo iptables -t nat -D PREROUTING -p tcp --dport 53 -j DNAT --to-destination 127.0.0.1:53
sudo iptables -t nat -D PREROUTING -p tcp --dport 5353 -j DNAT --to-destination 127.0.0.1:53
sudo iptables -t nat -D PREROUTING -p tcp --dport 853 -j DNAT --to-destination 127.0.0.1:53

Server

  • OS: Ubuntu 24.04 LTS x86_64
  • Hosting provider (if applicable): GCP (e2-micro Compute Engine instance)

Client

  • Device: Windows Laptop and Android phone
  • OS: Windows 11 and Android 14
  • VPN mode: IKEv2
@fkoemep
Author

fkoemep commented Jun 15, 2024

Doing some more tests I found out that I can forward queries to a specific external DNS server, for example this works:

sudo iptables -t nat -D PREROUTING -p udp --dport 53 -j DNAT --to-destination 1.1.1.1:53

When I add that rule and browse to https://1.1.1.1/help from my VPN client, it says connected to 1.1.1.1, but I still don't know how to redirect it to 127.0.0.1:53 and make it work. My knowledge of networking is very basic, so any advice would be really helpful.

@hwdsl2
Owner

hwdsl2 commented Jun 16, 2024

@fkoemep Hello! For your use case, instead of redirecting DNS traffic using IPTables rules, you can try setting the DNS server directly in the VPN config files. Please refer to Use alternative DNS servers. For example, you can try modecfgdns="127.0.0.1". For IKEv2, the relevant config file is /etc/ipsec.d/ikev2.conf. Restart the IPsec service when finished. If you need to set different DNS server(s) for different IKEv2 client(s), refer to #1562.

On the other hand, for using IPTables to redirect traffic to localhost (not needed if you use the method above), there is a security setting which may be related. Also, in your example, -D PREROUTING is for deleting rules, you may want to use -A PREROUTING instead.

@hwdsl2 hwdsl2 closed this as completed Jun 16, 2024
@fkoemep
Author

fkoemep commented Jun 17, 2024

Well, ended up solving it! Turns out nothing was working because of a bad modecfgdns config in /etc/ipsec.d/ikev2.conf and /etc/ipsec.conf. I don't know what I was trying before, but ended up putting the VPN external IP there:

modecfgdns="external_ip_address"

So I switched to modecfgdns="8.8.8.8" and now everything works as it should; every DNS and NTP query is redirected as intended. My dnscrypt-proxy and my chrony instances listen on all interfaces, so instead of trying possibly insecure tricks redirecting to localhost directly, I ended up specifying the internal IP address of my server (in this case it was 10.128.0.13, running on the interface ens4 on GCP Compute Engine).

These are the rules that I'm using to redirect the traffic. I think it would be very useful to add them to the wiki since lots of people have similar use cases if that's ok with you :)

ipaddress=$(ip -4 route list 0/0 | grep -m 1 -Po '(?<=src )(\S+)') #10.128.0.13 in my case

# DNS redirect to local server (853/DNS-over-TLS left commented out: DNAT on it only breaks the client's TLS validation)
sudo iptables -t nat -I PREROUTING -p udp --dport 53 -j DNAT --to-destination "$ipaddress":53
sudo iptables -t nat -I PREROUTING -p udp --dport 5353 -j DNAT --to-destination "$ipaddress":53
#sudo iptables -t nat -I PREROUTING -p udp --dport 853 -j DNAT --to-destination "$ipaddress":53
sudo iptables -t nat -I PREROUTING -p tcp --dport 53 -j DNAT --to-destination "$ipaddress":53
sudo iptables -t nat -I PREROUTING -p tcp --dport 5353 -j DNAT --to-destination "$ipaddress":53
#sudo iptables -t nat -I PREROUTING -p tcp --dport 853 -j DNAT --to-destination "$ipaddress":53

# NTP redirect to local server
sudo iptables -t nat -I PREROUTING -p udp --dport 123 -j DNAT --to-destination "$ipaddress":123
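
The rules posted in the first and last comments, and the owner's two remarks (set modecfgdns to the resolver's address in /etc/ipsec.d/ikev2.conf; `-D` deletes rules, `-A`/`-I` adds them), are what most people copy out of this thread. The script below is an added example, not code from the setup-ipsec-vpn project or from either participant. It turns the final rule set into an idempotent script: every rule is checked with `iptables -C` before it is inserted, so re-running it does not stack duplicates; rules match only the VPN client subnet instead of every packet that hits PREROUTING; and a loopback target is flagged, because DNAT to 127.0.0.1 from a non-loopback interface is dropped by the kernel unless `net.ipv4.conf.<iface>.route_localnet=1` is set. Assumed values: CLIENT_NET 192.168.43.0/24 (an assumed IKEv2 address pool; check `rightaddresspool` in your /etc/ipsec.d/ikev2.conf) and TARGET_IP 10.128.0.13 (the internal address from the issue), with dnscrypt-proxy and chrony listening on that address as described above. 853/tcp is deliberately not redirected, for the reason the commented-out lines above hint at: a DNS-over-TLS client fails certificate validation against the local resolver rather than handing it the queries.

```shell
#!/bin/sh
# Added example; not code from the setup-ipsec-vpn project or from this issue's
# participants. Idempotent, subnet-scoped version of the DNAT rules in the thread.
# Assumptions: CLIENT_NET (assumed IKEv2 client pool) and TARGET_IP (the internal
# address from the issue) are overridable from the environment.
set -eu

CLIENT_NET="${CLIENT_NET:-192.168.43.0/24}"   # assumed IKEv2 address pool
TARGET_IP="${TARGET_IP:-10.128.0.13}"          # resolver/NTP address from the issue

# "proto dport target_port" triples. 853/tcp (DNS-over-TLS) is left out on
# purpose: DNAT on it only breaks the client's TLS validation, it does not
# deliver the queries to the local resolver.
redirect_ports() {
  printf '%s\n' 'udp 53 53' 'tcp 53 53' 'udp 5353 53' 'tcp 5353 53' 'udp 123 123'
}

# One rule body, reused verbatim for -C, -I and -D so all three agree.
# $1 proto  $2 dport  $3 client subnet  $4 target IP  $5 target port
rule_spec() {
  printf '%s %s -p %s --dport %s -j DNAT --to-destination %s:%s' \
    '-s' "$3" "$1" "$2" "$4" "$5"
}

# Render the complete commands for review; $1 client subnet, $2 target IP.
render_rules() {
  redirect_ports | while read -r proto dport tport; do
    printf 'iptables -t nat -I PREROUTING %s\n' \
      "$(rule_spec "$proto" "$dport" "$1" "$2" "$tport")"
  done
}

# True when $1 is in 127.0.0.0/8, the case that needs route_localnet=1.
is_loopback() {
  case "$1" in 127.*) return 0 ;; *) return 1 ;; esac
}

# Insert each rule only if iptables does not already hold it (-C exits 0 if so).
apply_rules() {
  redirect_ports | while read -r proto dport tport; do
    spec=$(rule_spec "$proto" "$dport" "$CLIENT_NET" "$TARGET_IP" "$tport")
    # $spec is intentionally unquoted so it splits into iptables arguments.
    if iptables -t nat -C PREROUTING $spec 2>/dev/null; then
      echo "already present: $spec"
    else
      iptables -t nat -I PREROUTING $spec
    fi
  done
}

# Dry run by default; pass --apply (as root) to change the nat table.
if [ "${1:-}" = "--apply" ]; then
  if is_loopback "$TARGET_IP"; then
    echo "warning: $TARGET_IP is loopback; set route_localnet=1 on the VPN-facing interface" >&2
  fi
  apply_rules
else
  render_rules "$CLIENT_NET" "$TARGET_IP"
fi
```

Run it without arguments to print the five commands it would add; run `CLIENT_NET=... TARGET_IP=... sh redirect-dns.sh --apply` as root to install them. Because `rule_spec` is shared, the same spec with `-D` instead of `-I` removes exactly the rules this script added, and nothing else in PREROUTING. These rules are not persisted across reboots by themselves; the modecfgdns setting in /etc/ipsec.d/ikev2.conf is, which is why the owner's suggestion to set it to the resolver's address is the part that must be correct before any of this is tested.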
