My VPN Adventure
If you are an avid computer user and have multiple devices in your home or office, you are probably using a router. It provides an internet connection to all your devices. Phones, tablets, computers, anything that has a Wi-Fi connection, can be accommodated and share data.

Using today's internet is a real adventure, and it can become very challenging to keep out the many pop-up ads, viruses, attacks from external sources, and of course malware programs.
In the past few years, Virtual Private Networks have become available at affordable prices. What used to be high priced and mainly available to businesses and college campuses is now available to the home user. For some time I have wanted to explore VPNs but just never got around to it. It is not that I probably really need it, but it is yet another challenge to tackle in my retirement!

So the adventure starts, with a lot of exploring and reading on the internet. It did not take long to find out that there are hundreds of VPN providers, priced from free up to $10.00 a month. After days of research, I decided to start with one of the absolutely highest ranked programs! I signed up for a subscription and downloaded the necessary files to get it working.

For some time I have been running an ASUS RT-AC5300 router. A while back, I upgraded the software to asuswrt-Merlin 380.69 Beta 1. This upgrade now provides for VPN service, with up to 5 locations selectable at will. My router configuration is what is called OpenVPN; its software is all installed directly in the router. The initial installation went very well, as the provider had a lot of online examples to follow, page by page.

Just a side note: you do not have to install it only on your router. Individual programs are provided so you can install it directly on your devices: phones, tablets, and PCs. But there are limitations on the number of connections you can have. This provider had a limit of 3 devices online at the same time. The neat thing about using a router is that no matter how many devices you have connected to the VPN through the router, it only counts as one device!

I started my testing by downloading some VPN tools. There are a lot of available tools you can download. It seems that all the VPN providers have or recommend four major tools: Address Checker, DNS Leak Test, WebRTC Leak Test, and Speed Test.
I found another tool that I really like, and it does checks that the above tools don't.
It is called Browser Privacy Test by Tenta VPN Browser (USED FOR ALL DNS TESTS BELOW)

You can download it here: Tenta Test Program


Above is an example of the kind of confusing information I started seeing when I ran the DNS test. I knew that something was wrong, but had no idea where to start looking. Below is another look at a different view of the information above.

Above, you can see that TLS Enabled is always "false" but DNSSEC Enabled can be either "true" or "false".
I knew it was somewhat related to the chosen DNS addresses provided to the router. And to confuse my confusion even further, different DNS address pairs gave different results in their tables, as above. I tried all the popular pairs: OpenDNS, Cloudflare, CCANET, and Google. Some gave the same results, some slightly different results, but never a perfect chart with all true!
Below is the discussion page from Tenta that explains, in great detail, what kind of problems (leaks and encryption errors) can be expected with false indications in the tables shown above. My next step was to get better educated on exactly what part TLS and DNSSEC played in the overall scheme of communications between the router and the remote Virtual Private Network system.

In the above discussion, there is a lot of very good information on the future of overall VPN privacy, and the ways it can allow either observation of your web activities by others, or even sending data over the VPN "pipe" without it being encrypted and private. As neither of these actions is acceptable, and both allow types of leaking and observation, it became obvious to me that there is a lot of work that needs to be done by the hundreds of VPN operations to really make their data streams truly "private".

In my limited knowledge of how all these things work together, I believe there could be two different approaches to once and for all solve these two "problem" situations. One would be to modify the software in the VPN servers to correctly handle DNS over TLS, as well as enable DNSSEC, to properly keep visited sites completely private. The other would be to build these operations directly into all the DNS servers in the world, a pretty big undertaking by any means.
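Tenta's tool is a black box from the router owner's side, so here, as an added example that is not part of this post and not Tenta's or any provider's code, is a small Python script that checks the same two properties the tables above report, the way a client would check them: whether a resolver answers over DNS over TLS on TCP port 853 (RFC 7858), and whether it sets the AD (authenticated data) flag that says it validated the answer with DNSSEC (RFC 4035). The resolver address and its DoT hostname passed to probe_dot are values you supply; the two sample responses and the 192.0.2.1 address inside them are constructed for the offline demonstration, not captured from any real resolver.

```python
"""Client-side checks for the two properties the post's tables report:
whether a resolver speaks DNS over TLS (TCP port 853, RFC 7858) and whether it
returns DNSSEC-validated answers (the AD flag in the DNS header, RFC 4035).
Added example for this page; it is not Tenta's test or any provider's code."""
import socket
import ssl
import struct

DOT_PORT = 853                       # standard DNS-over-TLS port (RFC 7858)
FLAG_QR, FLAG_RD, FLAG_RA = 0x8000, 0x0100, 0x0080
FLAG_AD, FLAG_CD = 0x0020, 0x0010    # AD = authenticated data, CD = checking disabled
EDNS_DO = 0x8000                     # "DNSSEC OK" bit in the OPT record's TTL field (RFC 3225)


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build an A query with recursion desired and an EDNS0 OPT record carrying DO,
    which tells the resolver we want DNSSEC records and validation."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)  # 1 question, 1 additional (OPT)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, EDNS_DO, 0)  # root name, type OPT, 4096 payload
    return header + question + opt


def parse_flags(response: bytes) -> dict:
    """Pull the header fields that matter for this check out of a DNS response.
    'ad' True means the resolver itself validated the answer with DNSSEC."""
    if len(response) < 12:
        raise ValueError("DNS message shorter than 12-byte header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", response[:12])
    return {
        "id": txid,
        "is_response": bool(flags & FLAG_QR),
        "rcode": flags & 0x000F,   # 0 = NOERROR, 2 = SERVFAIL (typical when validation fails)
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "answers": an,
    }


def frame_tcp(msg: bytes) -> bytes:
    """DNS over TCP and TLS prefixes every message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-message")
        buf += chunk
    return buf


def recv_dns_message(sock) -> bytes:
    """Read one length-prefixed DNS message from a stream socket."""
    (length,) = struct.unpack("!H", _recv_exact(sock, 2))
    return _recv_exact(sock, length)


def probe_dot(resolver_ip: str, auth_name: str, name: str = "example.com", timeout: float = 5.0) -> dict:
    """Live check (needs network): open a certificate-verified TLS session to
    resolver_ip:853, presenting auth_name (the operator's published DoT hostname)
    for verification, send a DO query and report the outcome as
    {'dot': bool, 'dnssec_ad': bool, 'error': str or None}."""
    query = build_query(name)
    ctx = ssl.create_default_context()   # verifies the certificate chain and hostname
    try:
        with socket.create_connection((resolver_ip, DOT_PORT), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=auth_name) as tls:
                tls.sendall(frame_tcp(query))
                flags = parse_flags(recv_dns_message(tls))
    except (OSError, ValueError) as exc:       # ssl.SSLError and timeouts are OSError subclasses
        return {"dot": False, "dnssec_ad": False, "error": str(exc)}
    if flags["id"] != 0x1234 or not flags["is_response"]:
        return {"dot": True, "dnssec_ad": False, "error": "response did not match query"}
    return {"dot": True, "dnssec_ad": flags["ad"] and flags["rcode"] == 0, "error": None}


# Constructed sample responses (not captured from any real resolver) so the parsing
# can be exercised offline: same question section, one A record for 192.0.2.1.
_ANSWER = (encode_name("example.com") + struct.pack("!HH", 1, 1)
           + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
SAMPLE_VALIDATED = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD, 1, 1, 0, 0) + _ANSWER
SAMPLE_UNVALIDATED = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA, 1, 1, 0, 0) + _ANSWER


if __name__ == "__main__":
    for label, sample in (("validating resolver", SAMPLE_VALIDATED),
                          ("non-validating resolver", SAMPLE_UNVALIDATED)):
        print(label, parse_flags(sample))
    # Live use: probe_dot("<resolver ip>", "<its published DoT hostname>")
```

A resolver that cannot be reached on port 853, or that answers without the AD flag, corresponds to the "false" cells in the tables. The AD flag only says that the resolver did the validation, so the hop between the router and the resolver still has to be protected (here by the verified TLS session) for that flag to mean anything on the client side.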

During the past several weeks, I have subscribed to four different VPN providers. I chose only those that had online chat, to make it easier to ask questions and get answers. When working with the first three, their conclusion was always that the problems I was seeing were being caused because they did not specifically support my particular model of ASUS router with the flashed Merlin software package, even though two of the three stated on their web site that their service would work properly with the latest Merlin software versions. A couple of them even specifically listed the AC5300 with Merlin as operational with their client software. In total I have over 20 hours of online chat time with these three VPN providers. Two of them had no idea what DNS over TLS was, and the third stated that I was trying to make something work with my system that was not possible. It is interesting that none of the three would admit that having a "DNS over TLS" failure and DNSSEC "false" had anything to do with any kind of leaking.

So what have I done in the meantime to try and resolve this issue?
Well, first, I unsubscribed from the three VPN providers that I had been talking to about my findings. Even though a couple of them had gone well beyond my free trial, they issued me a full refund. I simply unsubscribed from the third one in my free trial period.

Being both stubborn and inquisitive, I decided not to give up on a VPN service and started looking for a low cost service that provided a lot of good features that I might be able to work with. I discovered a rather new operation that listed all the features, and more, that were being provided by the top rated VPN providers. What really jumped off their page at me were several things that were not provided by the other providers I had been working with. Some of them are "Guaranteed High Speed", "An Unlimited Number Of Connections At The Same Time", "Detailed Online Installation Instructions", "Real Online Technical Support People", and the price was right as well. I found a coupon deal online for $1.99 a month with a 24-month subscription. A total cost of $47.76! I don't know how you could go wrong with that price.

I called their chat line and discovered that I was talking with someone who really understood how their system worked, as well as being very up to date on my router and software system. I explained how I had discovered the DNS and DNSSEC problems that I was seeing with other providers. They had not heard of that problem and suggested that I purchase and install their clients on my router and do the same tests to see if they had the same problems.

I installed and configured 5 of their OpenVPN clients on my router. When I ran the Tenta test program, it showed that DNS over TLS was failing on all 5 client locations that I installed and tested. Next I brought up the provider's chat line. I was very pleased to find that I was chatting with someone who actually knew their product, how it worked, and how it was set up on various routers. We went through a lot of configuration checks for my router. The DNS over TLS "false" problem persisted in all my tests. He then had me switch between their installed clients at different locations. After chatting back and forth on a couple of evenings, I was told that this appeared to be a real problem, and it was being referred up to their software engineers for further investigation.

Below is information about this provider. I am really impressed with their VPN software. And a disclaimer: I am not connected in any way to their company, or compensated for recommending that you give their package a try!

Here is a link to their web site: The SurfShark Website
Over the next few days, I continued to surf the web, trying to learn more about enabling DNS over TLS. Then I made a very revealing find that had been right in front of me for some time, and I never even realized it!
Could this information be the answer I have been looking for?
Here is where you can download this information: The Tenta DNS
Next step: insert the ICANN DNS address in both the WAN and LAN DNS address fields of my ASUS router.
Below are the results from my first test of the Tenta DNS Name Servers.
And below is the chart showing that the TLS and DNSSEC are both now TRUE!
First, a bit of background. I am retired now, and have been for several years. I spent most of my professional work life dealing with small computer systems of one form or another. I had a limited amount of experience working with networking and data transport over CAT5 and fiber optic systems in a small college environment. Over a span of 39 years, I served at various times as the Director of Audio Visual Services, Telecommunications Manager, and Facilities Operations Technical Services Supervisor. Now retired, I continue to work with Windows 10 computer systems and do a lot of electronic test equipment repair and service.

What got me started on privacy issues with my home network was the large amount of incoming "stuff" that you are open to when you are connected to the internet. I have watched the development of "Internet Enabled" Virtual Private Networks since they started, some years ago. Please keep in mind that my current experience and the reported findings discussed above are limited to OpenVPN running on an ASUS RT-AC5300 router with asuswrt-Merlin software.

Now, after experiencing and working with my own ASUS router based OpenVPN, I am left with some really unanswered questions. Every VPN provider, and there seem to be hundreds, touts the value of using their VPN to protect your data and guarantees 100% privacy when surfing the Internet.

Choosing a different "VPN Client" for your router from any VPN provider's server list can result in different "Tenta Test" results! Based on the information provided by Tenta's "Advanced DNS Test Explained" information page, here are the possibilities that can result, depending on what DNS address pair you select for your WAN and LAN.
This is as far as I need to go, I think, to get my point across on all the above information that I have provided.

My guess is that if you do not use the "Tenta DNS Servers", your internet communications may be subject to the "NEUTRAL" or "WARNING" results, being applied to your communications.

If I am seeing this correctly, then many of the VPN Providers are giving us "Clients" to use that are not 100% protective.
If I have come to a very misguided interpretation based on my findings, hopefully someone will set me straight!

Either way, I have had fun exploring this subject, and hope it helps others to think about their internet data privacy.

Your comments are always welcome. My Email:
