Colleagues, I need help with DNS in the OpenWRT + WireGuard combination.

The scheme is as follows:
There are two routers.

The main router has a regular internet connection from the provider.

The second router is running OpenWRT and is connected to the first router via a cable (it receives internet from the first router).

The OpenWRT router is configured with a VPN WireGuard connection using the provider's official instructions:

The VPN is set up correctly:
– The IP changes to a VPN
– The traffic goes through the tunnel
– The WireGuard interface is active

The problem is as follows.
When checking through IP/DNS checkers (ipleak, dnsleaktest and analogues), it is seen that:
– IP – VPN
– DNS – provider of my country
– Geolocation of DNS corresponds to the real region, not VPN

Accordingly, there is a DNS leak: DNS requests do not go through WireGuard, but through the main router/provider.

What is already obvious:
– VPN works at the IP level
– DNS by default continues to resolve through upstream (first router or ISP)
– OpenWRT does not force DNS through the WG tunnel

Questions:

How to properly configure OpenWRT so that all DNS requests go to

Let's take a look at the config you've got running now -- this should hopefully reveal what is happening.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):


Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:

```sh
ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall
```

See github link in this post Need help with DNS leaks with Wireguard and DoH - #8 by egc


Hello

I have exactly the same problem as the OP. The only way not to have a leak is by setting the wan interface up as static with Mullvad's DNS. What am I doing wrong?

board:

```json
{
	"kernel": "6.6.110",
	"hostname": "xxxx",
	"system": "MediaTek MT7621 ver:1 eco:3",
	"model": "Cudy WR1300 v3",
	"board_name": "cudy,wr1300-v3",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "24.10.4",
		"revision": "r28959-29397011cc",
		"target": "ramips/mt7621",
		"description": "OpenWrt 24.10.4 r28959-29397011cc",
		"builddate": "1760891865"
	}
}
```

dhcp:


```
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	list server '10.64.0.1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	list dhcp_option '6,100.64.0.7'
	list dhcp_option '6,100.64.0.7'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'
	option start '100'
	option limit '150'
	option leasetime '12h'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'
	option piofolder '/tmp/odhcpd-piofolder'
```


firewall:


```
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config forwarding
	option src 'lan'
	option dest 'WGZONE'

config zone
	option name 'WGZONE'
	option input 'REJECT'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	list network 'WGINTERFACE'
	option forward 'REJECT'
```


network:


```
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdea:9e90:2a4c::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'WGINTERFACE'
	option proto 'wireguard'
	option private_key 'xxxx'
	option public_key 'xxxx'
	list addresses 'x.x.x.x/32'
	option force_link '1'

config wireguard_WGINTERFACE
	option public_key 'xxxx'
	option route_allowed_ips '1'
	option endpoint_host 'x.x.x.x'
	option endpoint_port '51820'
	list allowed_ips '0.0.0.0/0'
```
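Added example, written for this thread and not code from the OP, the poster above, Mullvad or OpenWrt: a small Python audit that parses UCI dumps like the `/etc/config/dhcp` and `/etc/config/network` posted above and reports each path by which a query can still reach the ISP's resolver. It answers the OP's "why do DNS requests not go through WireGuard" for this kind of setup: dnsmasq here has a tunnel-side `list server`, but without `noresolv` it also forwards to the resolvers that the upstream router's DHCP wrote into `resolv.conf.auto`, and `wan` accepts those because `peerdns` is left at its default. The sample stanzas are trimmed copies of the posted config; the `REMEDIATION` commands use standard OpenWrt `uci` syntax (the `Redirect-DNS` rule name is my own label), and the severity labels are my own.

```python
# Audit an OpenWrt dnsmasq/network configuration for DNS-leak paths.
# Added example, not from the thread or OpenWrt; parses UCI text as posted above.
import ipaddress
import shlex

# Constructed sample input: the stanzas that matter, copied from the posted
# /etc/config/dhcp and /etc/config/network and trimmed to the relevant lines.
DHCP_CONF = """config dnsmasq
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	list server '10.64.0.1'
config dhcp 'lan'
	option interface 'lan'
	list dhcp_option '6,100.64.0.7'
"""
NETWORK_CONF = """config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
config wireguard_WGINTERFACE
	option route_allowed_ips '1'
	list allowed_ips '0.0.0.0/0'
"""

def parse_uci(text):
    """Parse UCI text into [{'type', 'name', 'options': {key: [values]}}]; 'option'
    and 'list' both become lists so callers never care which keyword was used."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = shlex.split(line)  # handles the single-quoted values UCI writes
        if parts[0] == 'config':
            current = {'type': parts[1], 'name': parts[2] if len(parts) > 2 else None, 'options': {}}
            sections.append(current)
        elif parts[0] in ('option', 'list') and current is not None:
            current['options'].setdefault(parts[1], []).append(parts[2] if len(parts) > 2 else '')
    return sections

def find_section(sections, stype, name=None):
    return next((s for s in sections if s['type'] == stype and (name is None or s['name'] == name)), None)

def first(section, key, default):
    """First value of an option, or the documented default when it is absent."""
    return section['options'].get(key, [default])[0]

def routed_into_tunnel(addr, net_sections):
    """True if addr is covered by a WireGuard peer's allowed_ips with route_allowed_ips on."""
    ip = ipaddress.ip_address(addr)
    for s in net_sections:
        if s['type'].startswith('wireguard_') and first(s, 'route_allowed_ips', '0') == '1':
            if any(ip in ipaddress.ip_network(c, strict=False) for c in s['options'].get('allowed_ips', [])):
                return True
    return False

def audit_dns(dhcp_text, network_text):
    """Return (severity, message) findings; an empty list means no leak path was found."""
    dhcp, net = parse_uci(dhcp_text), parse_uci(network_text)
    findings = []
    dnsmasq = find_section(dhcp, 'dnsmasq')
    if dnsmasq is None:
        return [('high', 'no dnsmasq section: the router is not resolving for its clients')]
    if not dnsmasq['options'].get('server'):
        findings.append(('high', "no 'list server' entry pointing at a resolver reachable through the tunnel"))
    if first(dnsmasq, 'noresolv', '0') != '1':
        findings.append(('high', "noresolv is not set: dnsmasq also forwards to the resolvers in %s, "
                         "i.e. whatever the upstream router/ISP handed out, so the ISP resolver still "
                         "answers part of the traffic" % first(dnsmasq, 'resolvfile', '/tmp/resolv.conf.d/resolv.conf.auto')))
    wan = find_section(net, 'interface', 'wan')
    if wan is not None and first(wan, 'proto', '') == 'dhcp' and first(wan, 'peerdns', '1') != '0':
        findings.append(('medium', 'wan accepts DHCP-supplied DNS (peerdns not 0), which is what fills resolv.conf.auto'))
    lan = find_section(dhcp, 'dhcp', 'lan')
    for opt in (lan['options'].get('dhcp_option', []) if lan else []):
        if opt.startswith('6,'):  # DHCP option 6: clients are told to query these servers directly
            for addr in opt[2:].split(','):
                if routed_into_tunnel(addr, net):
                    findings.append(('info', 'clients query %s directly through the tunnel, bypassing dnsmasq' % addr))
                else:
                    findings.append(('high', 'clients are told to use %s, which is not routed into the tunnel' % addr))
    return findings

# Standard OpenWrt uci commands that close the paths above; follow with 'uci commit'
# and a restart of dnsmasq, network and firewall. Constructed here, not from the thread.
REMEDIATION = (
    "uci set dhcp.@dnsmasq[0].noresolv='1'",   # use only the 'list server' upstream(s)
    "uci set network.wan.peerdns='0'",         # ignore DNS handed out by the upstream router
    "uci add firewall redirect",               # send all LAN port-53 traffic to dnsmasq itself
    "uci set firewall.@redirect[-1].name='Redirect-DNS'",
    "uci set firewall.@redirect[-1].src='lan'",
    "uci set firewall.@redirect[-1].proto='tcp udp'",
    "uci set firewall.@redirect[-1].src_dport='53'",
    "uci set firewall.@redirect[-1].target='DNAT'",
)

if __name__ == '__main__':
    for severity, message in audit_dns(DHCP_CONF, NETWORK_CONF):
        print(severity.upper(), message)
```

Run against the posted config it reports one high finding (no `noresolv`), one medium (wan `peerdns`) and one informational (clients sent straight to `100.64.0.7`, which `0.0.0.0/0` does route through the tunnel). After applying the first two `REMEDIATION` lines only the informational entry remains; the `Redirect-DNS` rule additionally catches clients with a hard-coded resolver, so a dnsleaktest-style check then only ever sees the tunnel-side server.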


Nothing at all.

But I'm sure there's other things to discuss that won't hijack someone else's thread.

Edit:

Unless you were highlighting this as a solution. :wink:


I'm quite certain this wan setup is not included in Mullvad's WireGuard guide. Also, this way, when PBR is installed the router stops resolving addresses, so no opkg, no DDNS, etc. (the lan clients are fine though).

Edit:

“hijack”? Did I break forum etiquette or something?

Hijacking a thread, e.g. breaking into a thread with your own problem, is something which is frowned upon.
We are happy to assist you, but please make a thread of your own :slight_smile:


... or read an answer or recommendation that is already provided in this thread
