DNS Leak on Wireguard VLAN

Hi,

I have configured 3 VLANs as mentioned below:

8 - Normal Traffic (lan)
9 - IOT devices
99 - VPN1 (Wireguard VPN enabled)

I have done the routing so that each VLAN has access to either WAN or WG0. I have got an issue of DNS leak on the VPN1 VLAN and can't figure out what I have done wrong.

Network

package network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd8a:7f87:5713::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'

config device
	option name 'lan1'
	option macaddr '94:83:c4:a7:04:a0'

config device
	option name 'lan2'
	option macaddr '94:83:c4:a7:04:a0'

config device
	option name 'lan3'
	option macaddr '94:83:c4:a7:04:a0'

config device
	option name 'lan4'
	option macaddr '94:83:c4:a7:04:a0'

config device
	option name 'lan5'
	option macaddr '94:83:c4:a7:04:a0'

config bridge-vlan
	option device 'br-lan'
	option vlan '8'
	list ports 'lan1'
	list ports 'lan2'

config bridge-vlan
	option device 'br-lan'
	option vlan '9'
	list ports 'lan3'
	list ports 'lan4'

config bridge-vlan
	option device 'br-lan'
	option vlan '99'
	list ports 'lan5'

config interface 'lan'
	option device 'br-lan.8'
	option proto 'static'
	option ipaddr '192.168.8.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option isolate '1'
	option ip4table 'main'
	option ip6table 'main'

config interface 'IOT'
	option device 'br-lan.9'
	option proto 'static'
	option ipaddr '192.168.9.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option isolate '1'
	option type 'bridge'
	option ip4table 'main'
	option ip6table 'main'

config interface 'VPN1'
	option device 'br-lan.99'
	option proto 'static'
	option ipaddr '192.168.99.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option isolate '1'
	option ip4table 'main'
	option ip6table 'main'

config device
	option name 'eth1'
	option macaddr '94:83:c4:a7:04:9e'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'
	option force_link '0'
	option ipv6 '0'
	option metric '10'

config interface 'wan6'
	option proto 'dhcpv6'
	option disabled '1'
	option device '@wan'

config interface 'tethering6'
	option proto 'dhcpv6'
	option disabled '1'
	option device '@tethering'

config interface 'wwan6'
	option proto 'dhcpv6'
	option disabled '1'
	option device '@wwan'

config interface 'wwan'
	option proto 'dhcp'
	option metric '20'

config interface 'secondwan'
	option ipv6 '0'
	option proto 'dhcp'
	option metric '15'
	option force_link '0'

config interface 'secondwan6'
	option proto 'dhcpv6'
	option disabled '1'
	option metric '15'
	option device '@secondwan'

config interface 'modem_1_1_2_6'
	option proto 'dhcpv6'
	option disabled '1'
	option device '@modem_1_1_2'

config rule 'policy_default_rt_vpn'
	option mark '0x8000/0xc000'
	option lookup '8000'
	option priority '1101'
	option invert '1'

config rule6 'policy_direct_rt6'
	option lookup 'main'
	option suppress_prefixlength '0'
	option priority '1100'

config rule6 'policy_default_rt_vpn6'
	option mark '0x8000/0xc000'
	option lookup '8000'
	option priority '1101'
	option invert '1'

config interface 'WG0'
	option proto 'wireguard'
	option private_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
	list addresses '10.14.0.2/16'
	option peerdns '0'
	list dns '162.252.172.57'
	list dns '149.154.159.92'
	option ip4table 'default'
	option ip6table 'default'

config wireguard_WG0
	option description 'VPN_Peer'
	option public_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
	list allowed_ips '0.0.0.0/0'
	option route_allowed_ips '1'
	option endpoint_host 'host.vpn.com'
	option endpoint_port '51820'
	option persistent_keepalive '25'

config rule
	option in 'VPN1'
	option out 'WG0'
	option lookup 'default'

config rule 'WG0_rule'
	option in 'VPN1'
	option lookup 'default'
	option priority '30000'

config rule6 'WG0_rule6'
	option in 'VPN1'
	option lookup 'default'
	option priority '30000'

config rule 'policy_direct_rt'
	option lookup 'main'
	option suppress_prefixlength '0'
	option priority '1100'

Firewall

package firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option flow_offloading '1'
	option flow_offloading_hw '1'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include 'nat6'
	option path '/etc/firewall.nat6'
	option reload '1'

config rule 'block_dns'
	option name 'block_dns'
	option src '*'
	option device 'br-*'
	option dest_port '53'
	option target 'REJECT'
	option enabled '0'

config zone
	option name 'IOT'
	option forward 'ACCEPT'
	option output 'ACCEPT'
	option input 'ACCEPT'
	list network 'IOT'

config zone
	option name 'VPN1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'VPN1'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	list network 'wwan'
	list network 'secondwan'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'IOT'
	option dest 'wan'

config rule
	option name 'Allow-DHCP'
	option src 'IOT'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'

config rule
	option name 'Allow-DNS'
	option src 'IOT'
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'

config include 'vpn_server_policy'
	option type 'script'
	option path '/etc/firewall.vpn_server_policy.sh'
	option reload '1'
	option enabled '1'

config rule 'sambasharewan'
	option src 'wan'
	option dest_port '137 138 139 445'
	option dest_proto 'tcpudp'
	option target 'DROP'

config rule 'sambasharelan'
	option src 'lan'
	option dest_port '137 138 139 445'
	option dest_proto 'tcpudp'
	option target 'ACCEPT'

config rule 'glnas_ser'
	option src 'wan'
	option dest_port '6000-6002'
	option dest_proto 'tcp'
	option target 'DROP'

config rule 'webdav_wan'
	option src 'wan'
	option dest_port '6008'
	option dest_proto 'tcp'
	option target 'DROP'

config include 'gls2s'
	option type 'script'
	option path '/var/etc/gls2s.include'
	option reload '1'

config include 'glblock'
	option type 'script'
	option path '/usr/bin/gl_block.sh'
	option reload '1'

config zone
	option name 'WG0'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'WG0'
	option masq '1'
	option mtu_fix '1'
	option log '1'

config forwarding
	option src 'VPN1'
	option dest 'WG0'

DHCP

package dhcp

config dnsmasq
	option domainneeded '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '0'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option force '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config domain
	option name 'console.gl-inet.com'
	option ip '192.168.8.1'

config domain
	option name 'console.gl-inet.com'
	option ip '::ffff:192.168.8.1'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'disabled'
	option ra 'disabled'

config dhcp 'secondwan'
	option interface 'secondwan'
	option ignore '1'

config dhcp 'VPN1'
	option interface 'VPN1'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option force '1'

config dhcp 'IOT'
	option interface 'IOT'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option force '1'

Output of wg show; ip route show

interface: WG0
  public key: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
  private key: (hidden)
  listening port: 52000

peer: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
  endpoint: 176.227.240.78:51820
  allowed ips: 0.0.0.0/0
  latest handshake: 2 minutes, 3 seconds ago
  transfer: 1.04 GiB received, 283.60 MiB sent
  persistent keepalive: every 25 seconds
default via 149.86.40.1 dev eth1 proto static src 149.86.40.77 metric 10 
149.86.40.0/25 dev eth1 proto static scope link metric 10 
176.227.240.78 via 149.86.40.1 dev eth1 proto static metric 10 
192.168.8.0/24 dev br-lan.8 proto static scope link 
192.168.9.0/24 dev br-lan.9 proto static scope link 
192.168.99.0/24 dev br-lan.99 proto static scope link 

Appreciate any help on this. Thanks

It looks like you are using DNSMasq; this is using the default route of the main table, which is via the WAN interface.

This is slightly odd as you have specified that the default route should be replaced with the WG interface by:

Is one of your scripts modifying this?

I use a script which could prevent DNS leaks; maybe this can be useful in your situation?
See: https://github.com/egc112/OpenWRT-egc-add-on/tree/main/stop-dns-leak
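The diagnosis above, as an added example that is not part of the thread: a small Python model of the posted routing rules and tables, showing why a query from the router's own dnsmasq (no input interface) falls through to the main table and eth1, while the same query forwarded from the VPN1 VLAN matches WG0_rule and takes WG0. It assumes interface VPN1 is device br-lan.99 and omits the posted rule 1101 (lookup 8000), assumed to hold no routes and so to fall through.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    priority: int
    lookup: str                       # routing table to consult
    iif: Optional[str] = None         # uci 'option in' (input interface)
    suppress: Optional[int] = None    # uci 'option suppress_prefixlength'

# Rules from the posted /etc/config/network plus the kernel's implicit main-table rule.
# Rule 1101 (lookup 8000) is left out: assumed to hold no routes, so it falls through.
RULES = [
    Rule(1100, "main", suppress=0),             # policy_direct_rt
    Rule(30000, "default", iif="br-lan.99"),    # WG0_rule; assumes VPN1 == br-lan.99
    Rule(32766, "main"),                        # implicit kernel rule
]
# Routes from the posted 'ip route show'; table 'default' carries the WireGuard route.
TABLES = {
    "main": {"0.0.0.0/0": "eth1", "149.86.40.0/25": "eth1", "176.227.240.78/32": "eth1",
             "192.168.8.0/24": "br-lan.8", "192.168.9.0/24": "br-lan.9",
             "192.168.99.0/24": "br-lan.99"},
    "default": {"0.0.0.0/0": "WG0"},
}

def lookup(table, dst):
    """Longest-prefix match; returns (prefixlen, device) or None if no route."""
    best = None
    for prefix, dev in table.items():
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, dev)
    return best

def egress(dst, iif=None, rules=RULES, tables=TABLES):
    """Walk rules by priority and return the egress device, as 'ip route get' would."""
    for r in sorted(rules, key=lambda r: r.priority):
        if r.iif is not None and r.iif != iif:
            continue  # 'in VPN1' rules only match forwarded traffic, never the router's own
        hit = lookup(tables.get(r.lookup, {}), dst)
        if hit is None or (r.suppress is not None and hit[0] <= r.suppress):
            continue  # no route in this table, or its default route is suppressed
        return hit[1]
    return None

if __name__ == "__main__":
    # dnsmasq's upstream query is router-generated (no iif) and leaves via eth1: the leak.
    print("router dnsmasq:", egress("162.252.172.57"))
    print("VPN1 client:   ", egress("162.252.172.57", iif="br-lan.99"))
```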

This is not modified using a script, but I used the script below to define the rules (one-off):

# Delete the first anonymous 'config rule' section, then (re)create the IPv4 and
# IPv6 policy rules that send traffic coming in on VPN1 to the 'default' table.
uci -q delete network.@rule[0]
for IPV in 4 6
do
    # ${IPV%4} is empty for IPv4 and '6' for IPv6, matching uci's 'rule' / 'rule6' types
    uci set network.lan.ip${IPV}table="main"
    uci set network.IOT.ip${IPV}table="main"
    uci set network.VPN1.ip${IPV}table="main"
    uci set network.WG0.ip${IPV}table="default"
    uci -q delete network.WG0_rule${IPV%4}
    uci set network.WG0_rule${IPV%4}="rule${IPV%4}"
    uci set network.WG0_rule${IPV%4}.in="VPN1"
    uci set network.WG0_rule${IPV%4}.lookup="default"
    uci set network.WG0_rule${IPV%4}.priority="30000"
done
uci commit network
/etc/init.d/network restart

I will go through the script you mentioned above, Thanks

@egc, I tried the script for wg on my router. The DNS leak stopped on VLAN1, but my Amazon Echo devices connected to IOT stopped responding to voice commands (lost connection to Internet).

I do not have Amazon Echo devices, but maybe they cannot deal with DNS via the tunnel while regular traffic is going via the WAN.

I know Amazon and Netflix can check DNS origin.

If this is the problem, then check split DNS.

Thanks @egc, I will have a look at split DNS.

I went the iptables route as explained in the README here:

Thanks @egc for your help
