I followed this video to setup wireguard and it works great.
However, I am still getting a DNS leak. It's driving me crazy. All my Google searches are telling me to try split DNS or selectively forward DNS. I try to follow and make these changes, and still I get a DNS leak.
I even installed AdGuard on OpenWrt, but I can tell the issue is coming from the OpenWrt router and dnsmasq.
What is the recommended path for cleaning up DNS leaks reliably in OpenWrt? I do want to use AdGuard. Should I make AdGuard my DHCP server?
So all my research and video watching etc. has told me to turn off peering and set the DNS IP address, which is basically what the video shows me and what other forum posts and documentation tell me. So of course I made those changes, but I still DNS leak.
So I don't know how to trace the leak. I feel like I keep getting the same information over and over and nothing is changing.
I have tried my VPN DNS servers and tried Quad9 DNS servers. Peering is off. I have turned on DNS forwarding and pointed it to my AdGuard server.
All of it leaks.
What configs can I look at to determine the leak?
This is what it's at right now.
I should note that I am using vpn-policy-routing and set everything on my network to a default route of WAN. However, I specified the IP address of my host and do get a WireGuard VPN address, so I can confirm it's working. I am on VPN; it just still DNS leaks.
First, Woody, Quad9 is not horrible. Do a query at GetDNS: pop in the DNS IP, check some boxes (dnssec return etc.). Run the report looking for the section...
[
GETDNS_BAD_DNS_ALL_NUMERIC_LABEL
],
"canonical_name": <bindata for 149.112.112.10.>,
"dnssec_status": GETDNS_DNSSEC_SECURE,
The key thing to note is the flags: qr rd ra ad part - the ad flag signifies that DNSSEC
dig dnssectest.sidn.nl +dnssec +multi @192.168.xxx.xx1
; <<>> DiG 9.16.26 <<>> dnssectest.sidn.nl +dnssec +multi @192.168.xxx.xx1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48062
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 14, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;dnssectest.sidn.nl. IN A
;; ANSWER SECTION:
dnssectest.sidn.nl. 3600 IN A 212.114.120.64
dnssectest.sidn.nl. 3600 IN RRSIG A 13 3 3600 (
202204200xxx7 2022040xxx7 40259 sidn.nl.
nwDcuQSZG+fO+cAt/wzt1xxxxxFEJU/5g7Q/kSUyFaDu
9LZxcMPYFoa64934ag9Lemuy5xxxxxnrtth4Dfy9kag== )
dnssectest.sidn.nl. 3600 IN RRSIG A 13 3 3600 (
20220420xxx7 20220405xxx7 43647 sidn.nl.
cZc3cZPd/LhFq2wwxxxxxbogusmgxc3a0bs
Ynx7TcW5yNCUnV5iVHXXXXXXXXSKWID5OpLk/Zg== )
;; AUTHORITY SECTION:
. 638 IN NS e.root-servers.net.
. 638 IN NS i.root-servers.net.
. 638 IN NS a.root-servers.net.
. 638 IN NS b.root-servers.net.
. 638 IN NS g.root-servers.net.
. 638 IN NS f.root-servers.net.
. 638 IN NS d.root-servers.net.
. 638 IN NS j.root-servers.net.
. 638 IN NS m.root-servers.net.
. 638 IN NS h.root-servers.net.
. 638 IN NS k.root-servers.net.
. 638 IN NS l.root-servers.net.
. 638 IN NS c.root-servers.net.
. 3600 IN RRSIG NS 8 0 518400 (
20220420000000 20220406230000 47671 .
fYFxxSO+6TNmwyi5vpbDfm5j+htDzVUsa37SouUZblNE
iQJUDyYh1iiyvA+6XG5XXXXXXUQvpoctqgbZu/Y
3OAaKnt5sAycdMAjr0Btf3XbOQbGBkDnhSB4cSq08O7B
YLYXpJl9JYf1QSqNc1cbIwG/w72eq+h/6EacFhaSJZ6w
ppmg7ZJu+IE3m8/Vm0PAOlPzyrzMLwgrkVO5pNmqalof
OvRKGonscIUN7oeFpxxxcdsrgwrgrfNju0tc1JAiGhHOMa3h
leEaSWQ/U9Lf/dsaDtLD4TT/t8AVa2SgRTSKhO/BkWzR
wopmNqJ8ETcbhfnq6+97OiKqJcnOcw12kg== )
;; Query time: 804 msec
;; SERVER: 192.168.33.1#53(192.168.xxx.xx1)
;; WHEN: Thu Apr 07 07:53:26 TimeZone Mystery Time 2022
;; MSG SIZE rcvd: 766
Run this ~ the top line is important ~ if you see your ISP first, VPR is not working correctly or you don't have option route_allowed_ips '1' set at [1]
ip route show default
/wg$ ip route show default
default dev sswg proto static scope link
/etc/config/dhcp
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option localservice '1'
option quietdhcp '1'
list server 'vpnprovidedns1'
list server 'vpnprovideddns2'
list server '127.0.0.1#5453'
option noresolv '1'
option dnssec '1'
option dnsseccheckunsigned '1'
Lastly, with the WireGuard app from the install page.
You can use your SurfShark conf to set up a connection on your desktop, etc. To achieve a leak-proof tunnel, I added DNS=8.8.8.8 to the edited field and saved.
Highlights: a VPN DNS IP is a must for now because WireGuard is running as a protocol ~ a virtual interface ~ if you love the color green, do the must!
DNSSEC is helpful, DoT and DoH are helpful.
Things will evolve.
I hope this helps.
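The two checks in the post above (does the default route leave through the WireGuard interface, and does dnsmasq forward only to the pinned upstreams with noresolv set) can be scripted so they are repeatable after every config change. The script below is an added example, not code from the thread or from OpenWrt; it runs against constructed sample text standing in for `ip route show default` and `/etc/config/dhcp`, and assumes the tunnel interface is named "sswg" as in the post. On a router, feed it the real command output instead.

```shell
#!/bin/sh
# Added example, not from the original thread: offline re-check of the two
# things the post tells you to verify. The inputs below are constructed
# samples; on a router you would pipe in `ip route show default` and
# `cat /etc/config/dhcp` instead.

# Constructed sample of `ip route show default` with the WireGuard interface
# (assumed name "sswg", as in the post) holding the default route.
ROUTE_VPN='default dev sswg proto static scope link'
# Constructed sample where the default route still goes out the ISP uplink.
ROUTE_WAN='default via 73.0.0.1 dev eth4 proto static metric 20'

# Constructed dnsmasq section modelled on the one posted above: explicit
# upstreams plus noresolv, so DHCP-learned ISP resolvers are never consulted.
DHCP_PINNED=$(cat <<'EOF'
config dnsmasq
	option domainneeded '1'
	option localservice '1'
	list server '193.138.218.74'
	list server '127.0.0.1#5453'
	option noresolv '1'
	option dnssec '1'
EOF
)
# Constructed stock-style section: no servers listed and resolv.conf.auto
# still read, so whatever DNS the WAN lease hands out gets used.
DHCP_DEFAULT=$(cat <<'EOF'
config dnsmasq
	option domainneeded '1'
	option resolvfile '/tmp/resolv.conf.auto'
EOF
)

# Print the device the default route points at ("sswg", "eth4", ...).
default_route_dev() {
	printf '%s\n' "$1" |
		awk '$1 == "default" { for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Succeed only if the default route leaves through the tunnel interface.
default_route_is_vpn() {
	[ "$(default_route_dev "$1")" = "$2" ]
}

# Print the upstream resolvers dnsmasq will forward to, one per line.
dnsmasq_servers() {
	printf '%s\n' "$1" | tr -d "'" | awk '$1 == "list" && $2 == "server" { print $3 }'
}

# Succeed only if dnsmasq is told to ignore the DHCP-learned resolvers.
dnsmasq_noresolv() {
	printf '%s\n' "$1" | tr -d "'" | grep -q '^[[:space:]]*option noresolv 1$'
}

# Print "ok", or a space-separated list of findings and fail.
audit() {
	route="$1"; dhcp="$2"; wgif="$3"; findings=""
	default_route_is_vpn "$route" "$wgif" || findings="$findings default-route-not-vpn"
	dnsmasq_noresolv "$dhcp" || findings="$findings dhcp-resolvers-still-used"
	[ -n "$(dnsmasq_servers "$dhcp")" ] || findings="$findings no-explicit-upstreams"
	if [ -n "$findings" ]; then
		printf '%s\n' "${findings# }"
		return 1
	fi
	echo ok
}

audit "$ROUTE_VPN" "$DHCP_PINNED" sswg
audit "$ROUTE_WAN" "$DHCP_DEFAULT" sswg || :
```

A clean result is only half the story: a host that bypasses the router (its own DoH client, or a static resolver in the NIC settings) will still show a different server on a leak test, so run the same test from the client after the router passes.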
I can't help you with AdGuard; I have no idea how it handles DNS, but might I suggest you get WG and vpn-policy-routing working first and then tackle AdGuard.
As I understand it, all devices go through your default route (WAN) pointing at upstream Quad9 public DNS.
You can route client devices via vpn-policy-routing to your WG interface.
Your DNS queries go to your Quad9 DNS instead of the WG provider's DNS.
Please copy the output of the following commands and post it here using the "Preformatted text </>" button. Remember to redact passwords, MAC addresses and any public IP addresses you may have:
The tutorial is good, but it does not have a killswitch should the WireGuard interface go down. I've used 2 dnsmasq instances (look up guest network). Check my previous post on the topic. YMMV.
Bridged each 2.5GbE interface to its own virtual interface and running OpenWrt in a VM.
peerDNS is set to 0. I have entered the private DNS server for my WireGuard on all interfaces.
Using vpn-policy-routing, and currently I have my computer's IP address 192.168.xx.100 routed to WireGuard while the default route is WAN for the rest of the network. This is working fine. WhatIsMyIP is showing the correct outside IP addresses on each host, whether WAN or WireGuard, depending on my VPN routing policy.
AdGuard has been turned off, and I am not doing any DNS forwarding. So I am not sure how I am still failing DNS leaks or why my WAN-routed DNS can still get DNS if I changed everything to the VPN DNS.
I can tell you my WAN does have an assigned IPv4 73.x.x.x and IPv6 address, so it's not like I am running a double NAT situation or anything.
uci export network
package network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd52:0c0d:f3fb::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0'
list ports 'eth1'
list ports 'eth2'
list ports 'eth3'
list ports 'eth5'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.xx.1'
list dns '193.138.218.74'
config interface 'wan'
option proto 'dhcp'
option device 'eth4'
option peerdns '0'
option metric '20'
list dns '193.138.218.74'
config interface 'wan6'
option proto 'dhcpv6'
option device 'eth4'
option reqaddress 'try'
option reqprefix 'auto'
option metric '20'
option peerdns '0'
list dns '193.138.218.74'
config interface 'wg0'
option proto 'wireguard'
option private_key 'xxxxxxxxxxxxxxxxxxxxx'
list addresses 'xxxxxxxxxxxxx/32'
list addresses 'xxxxxxxxxxxxxxxxxxxxx/128'
option peerdns '0'
list dns '193.138.218.74'
option metric '10'
config wireguard_wg0
option description 'xxxxxxx'
option public_key 'xxxxxxxxxxxxxxxxxxxxx'
list allowed_ips '0.0.0.0/0'
list allowed_ips '::0/0'
option endpoint_host 'xxx.xxx.xxx.xxx'
option endpoint_port '51820'
Assuming 193.138.218.74 is the VPN DNS, then it needs to be in only one place, not in the wan/w6/lan.
The VPN DNS is running via dnsmasq and set on the LuCI General tab "DNS forwardings" field.
/luci/admin/network/dhcp
I'm not familiar with your VPN-provided configs, but from Surfshark's side we do not enter option peerdns '0' or list dns 'someip', and LuCI does not support such fields on my version 19.07.9. Did you manually add these via uci?
OK, I restarted and even rebooted the router. Same issue.
Still failing the DNS leak test. It keeps saying the following server:
Your DNS requests originate from:
IP Address 172.69.133.63
|IP Address|193.138.218.74|
|Server Name|public-dns|
If this is the IP your VPN provider gave you to use for coverage, then I don't know what else to do, because you've got a baseline hold by dnsmasq. No stray DNS bullets flying around in the config. Fresher eyes may see differently.
Support from VPN provider in manual setup of OpenWRT?
Thank you for allowing me to learn with you. I'll be watching for your win.
Bill
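Bill's point that the VPN resolver belongs in one place can be checked mechanically against the `uci export network` dump. The script below is an added example, not code from the thread or from OpenWrt; it parses constructed sample text modelled on the export posted earlier (one copy with the resolver on lan, wan, wan6 and wg0, one cleaned copy with it only on wg0 but with peerdns left unset on wan) and reports which interfaces carry static resolvers, which addresses are repeated, and which DHCP-driven interfaces would still import the ISP's resolvers from the lease. On a router, feed it the real `uci export network` output.

```shell
#!/bin/sh
# Added example, not from the original thread: offline audit of a
# `uci export network` dump. Inputs below are constructed samples modelled on
# the export posted earlier; on a router, pipe in `uci export network`.

# Constructed sample with the VPN resolver on lan, wan, wan6 and wg0 at once.
NET_POSTED=$(cat <<'EOF'
package network

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	list dns '193.138.218.74'

config interface 'wan'
	option proto 'dhcp'
	option device 'eth4'
	option peerdns '0'
	list dns '193.138.218.74'

config interface 'wan6'
	option proto 'dhcpv6'
	option device 'eth4'
	option peerdns '0'
	list dns '193.138.218.74'

config interface 'wg0'
	option proto 'wireguard'
	option peerdns '0'
	list dns '193.138.218.74'

config wireguard_wg0
	list allowed_ips '0.0.0.0/0'
EOF
)

# Constructed sample with the resolver kept in one place (wg0) but with the
# peerdns setting on wan forgotten, so the lease would hand dnsmasq ISP servers.
NET_CLEAN=$(cat <<'EOF'
package network

config interface 'lan'
	option proto 'static'

config interface 'wan'
	option proto 'dhcp'
	option device 'eth4'

config interface 'wan6'
	option proto 'dhcpv6'
	option device 'eth4'
	option peerdns '0'

config interface 'wg0'
	option proto 'wireguard'
	option peerdns '0'
	list dns '193.138.218.74'
EOF
)

# Emit "interface resolver" for every `list dns` line, keyed to the
# `config interface` section it sits in (other section types are skipped).
dns_per_interface() {
	printf '%s\n' "$1" | tr -d "'" | awk '
		$1 == "config" { sec = ($2 == "interface") ? $3 : "" }
		$1 == "list" && $2 == "dns" && sec != "" { print sec, $3 }'
}

# Interfaces that carry at least one static resolver, in file order.
interfaces_with_dns() {
	dns_per_interface "$1" | awk '!seen[$1]++ { print $1 }'
}

# Resolver addresses configured on more than one interface.
duplicate_dns() {
	dns_per_interface "$1" | awk '{ n[$2]++ } END { for (s in n) if (n[s] > 1) print s }'
}

# DHCP/DHCPv6 interfaces that lack peerdns '0' and so would import lease DNS.
dhcp_ifaces_accepting_peer_dns() {
	printf '%s\n' "$1" | tr -d "'" | awk '
		function flush() { if (sec != "" && (proto == "dhcp" || proto == "dhcpv6") && peer != "0") print sec }
		$1 == "config" { flush(); sec = ($2 == "interface") ? $3 : ""; proto = ""; peer = "" }
		$1 == "option" && $2 == "proto" { proto = $3 }
		$1 == "option" && $2 == "peerdns" { peer = $3 }
		END { flush() }'
}

# Human-readable report for one dump.
report() {
	echo "interfaces with static dns: $(interfaces_with_dns "$1" | tr '\n' ' ')"
	echo "resolvers set in more than one place: $(duplicate_dns "$1" | tr '\n' ' ')"
	echo "dhcp interfaces still accepting peer dns: $(dhcp_ifaces_accepting_peer_dns "$1" | tr '\n' ' ')"
}

report "$NET_POSTED"
report "$NET_CLEAN"
```

Note the second sample shows why "one place" alone is not enough: with peerdns unset on wan, the DHCP lease would still push the ISP resolvers into dnsmasq's upstream list unless noresolv is set on the dnsmasq side, which is the other half of the check.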
I appreciate the fast responses, and yes, it's from my WireGuard config file that I generated on the website.
And the VPN is working; I just don't understand why dnsmasq leaks with WireGuard and the vpn-policy-routing packages on OpenWrt.
I am surprised OpenWrt is still defaulting to dnsmasq if it doesn't support features that unbound does, and unbound is the default resolver in other firewall products like pfSense and OPNsense. Even my old Turris Omnia used Knot Resolver instead of dnsmasq in OpenWrt.
I assumed they all had the same feature sets. It was like choosing between Pi-hole and AdGuard Home, just different flavors of the same thing.
So it sounds like I need to switch to unbound, as I want secure DNS over WAN as well, not just VPN.
A VPN is never going to provide you with a safe DNS system; these are two different things. Use the guide I shared above to install unbound in OpenWrt and use it with Cloudflare (1.1.1.1) or Google (8.8.8.8) for IPv4 or IPv6; that will provide you with what you want.
The default packages for OpenWrt are the minimal set. They are aimed at small routers, while the rest of the packages are available for more capable devices. This is why by default there is no secure access to the router's web interface, it is using dnsmasq, it is using wolfSSL, and even in snapshots the web interface is not included.
I seriously believe that, given the storage and memory capacity of most new routers supported by OpenWrt, there should be another baseline for these more capable routers, including OpenSSL, a more capable trim of BusyBox, or even bash or zsh, unbound instead of dnsmasq, and secure access.
In any case, you can always install those features. There are more than 9500 packages to choose from in the official OpenWrt database, plus a huge number of third-party packages available on the internet.