Bypass vpn dns leak

It happens to me that when I leave the vpn as default Service Gateways and I do the bypass, the dns of the vpn are filtered, with which there are pages that do not work directly.
If I put the wan as Service Gateways default when putting the vpn the dns of the operator are filtered.
What I can do?

Can you explain a bit in more detail the scenarios you are testing?
What are the configurations that you apply to select the dns?
Which sites are not working in both scenarios?

1 Like

It does not work nor netflix, hbo, amazon prime video, etc.

vpn dns client configuration

connected to vpn

bypass to vpn

If I do bypass and use a vpn client from windows, the dns change.
The problem is that with the bypass done, the dns of my operator do not come out.

I don't have any more configuration made to the dns, it may be something misconfigured but nothing comes to mind.

If you want to see something else tell me exactly what you want to see. (use wireguard)

I don't know if this will help you

config pbr 'config'
	option verbosity '2'
	option strict_enforcement '1'
	option resolver_set 'none'
	option ipv6_enabled '0'
	list ignored_interface 'vpnserver'
	list ignored_interface 'wgserver'
	option boot_timeout '30'
	option rule_create_option 'add'
	option procd_reload_delay '1'
	option webui_show_ignore_target '0'
	list webui_supported_protocol 'all'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'
	option enabled '1'

config include
	option path '/usr/share/pbr/'
	option enabled '0'

config include
	option path '/usr/share/pbr/'
	option enabled '0'

config policy
	option name 'Plex/Emby Local Server'
	option interface 'wan'
	option src_port '8096 8920 32400'
	option enabled '0'

config policy
	option name 'Plex/Emby Remote Servers'
	option interface 'wan'
	option dest_addr ''
	option enabled '0'

config policy
	option src_addr ''
	option name 'bypass portatil'
	option interface 'wan'
	option enabled '0'

config policy
	option name 'bypass wifi'
	option src_addr ''
	option interface 'wan'
	option enabled '0'

I read the post and I'm clueless. What is it that you want to accomplish exactly ?

1 Like

It is not all clear but what I understand is you are using a WireGuard client to a VPN provider?

You have two local LAN clients (no need to redact the IP addresses as they are private addresses) which you want to use the WAN?

Is the problem that those two clients are using DNS via the tunnel?

1 Like

What I want is to do the bypass without dns leaks from the vpn.
I want the dns of the isp or operator to be shown.
For the bypass to be 100% effective and functional.

If I want to connect to the wan.
The dns do not change with the bypass, they are shown as you will see in the photos, the default Service Gateways dns are maintained.

tried disabling webRTC in your browser ?


You are not exactly answering my question but can you show the output of:
ip ro

So that I can see what the default route of the main table is?

Edit: like @frollic already remarked you should always disable webRTC detection in your webbrowser as that can give away your address but I am assuming you are talking about a real DNS issue if not than @frollic already provided the solution.

1 Like

I have disabled WebRTC in the browser but nothing.

I don't know exactly what information you want me to provide a screenshot as an example or what exactly I have to do:

You are not exactly answering my question but can you show the output of:
ip ro

I have version 22.03.5, could it be solved by updating to 23.05.0-rc2?

Forgive my lack of knowledge but it's my first openwrt router and I have no idea.
Thank you for your attention

You would show the output of the command ip ro.

Then I would advise you disable VPN. But I'm sure there's something particular you haven't explained yet.

So to your particular inquiry: You need to make sure you're using DNS server addresses that route via WAN and not the VPN.

If I understand correctly, I would have to change the default route.
I already know that solution but I want the bypass to work as it should.

There is the ip ro command.

Use PBR to access ISP-specific domains while connected to a VPN:


Do you mean to add each page that does not work or service as a bypass web domain?

It is not the solution because from time to time there is a domain or app that does not work, it would be ant work.

Perhaps you want the opposite, i.e. route to WAN by default and make exceptions for VPN-specific domains.

It is the same but in reverse.
If I do that, the dns of my operator or isp would be filtered.

How DNS works (as far as i know :slight_smile: )

Your router hands out its own address as DNS server to your clients
The router itself (to be precise DNSMasq) queries upstream DNS servers, all the DNS servers you entered on your interfaces (WAN, LAN, WireGuard) are added to a resolv file (usually /tmp/resolv.conf.d/

The router queries these upstream DNS server using the default route of the main table in your case via device madrid which seems to be the WG tunnel interface.

So also your two clients using the WAN interface will use a DNS server via the WG tunnel.

You can make it so that the main table is not having a default route via the WG tunnel by disabling route allowed IPs on the WG interface (peer section) but then you have the opposite all clients, so also all your VPN clients will use DNS via the WAN.

If the above scenario is the problem then there is no easy way out.

What you probably want is a Split DNS: clients using the WG tunnel with DNS via the tunnel and WAN clients with DNS via the WAN.
This would be a useful addition if that would be available with a mouse click in the GUI (it does exist but I have not seen it for OpenWRT)

So what you can do is the following:
Use DNSMasq to hand out a different DNS server to both clients you want to use the WAN (tagging with option 6), Unfortunately I do not have the exact instructions handy to do that.
Make sure that DNS server is not used anywhere else.
The next step is to make a route to route that DNS server via the WAN, you can use the PBR to route that DNS server via the WAN.

I hope that this makes sense it it helps :slight_smile:

Use option 6 to hand out specific DNS server with tagging

This is necessary, if you want to access both WAN and VPN-specific domains from the same client without disconnecting and reconnecting the VPN.
Of course, it requires some work to list the domains, one way or another.
In addition, if your WAN domains depend on ISP-specific DNS, you need to configure selective DNS forwarding.

If only domains can be excluded for now, right?
The other option without a tutorial is very complex for me.
Thanks for the help, I'll manage as I can if no one finds a clear solution of what I should do step by step.

I will try to do what you tell me

How exactly do you do the last thing you told me, maybe it works and it's the solution, but I don't know what you want me to do exactly, something I understand but not very well