DNS Leak when using WireGuard VPN

Hello everyone

I have been having this issue for quite some time now and tried everything that I can find on here to resolve it.

I only use LuCi to edit my OpenWrt config so please bare with me.

I have a WireGuard VPN interface set that routes traffic through to a self-hosted VPN (WarpSpeed).

I then have Policy Based Routing set up to route specific devices through the VPN. This all works lovely but I get a DNS leak when testing dnsleaktest.com.

I have set up via Network -> DHCP and DNS -> DNS Forwardings and my WireGuard VPN is set up to use so I can clearly see if the dnsleadtest.com is returning either Google or CloudFlare.

I expect to see CloudFlare on any device that is set up in the Policy Base Routing but I see Google.

As a test, I set up the WireGuard client on my laptop and when using this I do in fact see CloudFlare's DNS so I know the self-hosted VPN server is set up correctly.

I have unchecked 'Use DNS servers advertised by peer' on both the WAN and LAN

I have set a custom DNS server on the WireGaurd interface

I have checked Network -> DHCP and DNS -> Ingore resolve file as suggested by some users

But none of this has helped resolve this DNS leak.

Any help would be much appreciated and especially if I can resolve this via LuCi.

Many thanks

Your lan hosts are querying OpenWrt DNS server for name resolving. You should use dhcp option 6 to advertise them another nameserver. The way you have configured your router doesn't guarantee which upstream DNS will be used.

I had read about this but did not fully understand it.

If I set the DHCP options to 6,{ip of my wireguard server}

would this not direct all my network's DNS through my wiregaurd server, which is something I would have to avoid?

After playing with various arrangements I settled on NOT passing DNS requests over WireGuard since it lead to weird issues. Instead I set up DNS hijacking and stubby and rely on encrypted requests sent out that way. All of that can be set in LuCi.

By default traffic is hijacked by router and sent out via DNS over TLS to CleanBrowsing Family Filter and otherwise televisions/iPad are sent to Clourflare to access otherwise restricted content.

So in my case I put up with television content related traffic going over plain text. The alternative for me would be two stubby instances or forwarding cloudflare over WireGuard, but again I think that gives weird effects.

If the wireguard server is also running nameserver, then you could. And it would direct all the queries from clients to that nameserver. Isn't it what you are trying to achieve and you say that there is DNS leak?

Caveat: I do not use PBR, I have WG as default route.

Try setting the WAN interface metric seen in this post for reference.

Re enable this. Save and apply .. Test .. takes 4 mins.

The issue is I don't think the VPN server that I am using allows port 53 unless you are connected via the VPN. I have tried to unblock it without success. It could be the VPS provider blocking it possibly.

Why not use DNS over TLS?