I have set up my OpenWrt to use Mullvad VPN via WireGuard. Using pbr to selectively route some LAN computers to VPN and some to WAN.
Most guides suggest advertising custom DNS servers to LAN computers. I didn't do that, because I like having dnsmasq resolve my device names. So my LAN computers (10.8.x.x) are using 10.8.1.1 for DNS. My OpenWrt's WAN interface uses 1.1.1.1 as DNS.
A few questions:
- I am surprised to find that a traceroute to 1.1.1.1 from the router goes through the VPN tunnel (which is good). My assumption was that only (some) LAN computers route to the VPN. Does that mean DNS resolution via dnsmasq actually goes through the VPN tunnel?
- If dnsmasq routes through the tunnel, aren't my DNS queries privacy-protected? Why do I need to advertise custom DNS servers for LAN computers?
- Any reason I should use Mullvad DNS servers instead of 1.1.1.1 as my upstream DNS?
I understand that if my VPN tunnel goes down, I would experience a DNS leak, which I do not mind. Here are some of my configurations:
network (partial):
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ip6assign '60'
	option netmask '255.255.0.0'
	option ipaddr '10.8.1.1'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option peerdns '0'
	list dns '1.1.1.1'
	list dns '1.0.0.1'

config interface 'WGVPN1'
	option proto 'wireguard'
	option private_key '...'
	list addresses '10.66.113.240/32'
	option force_link '1'

config wireguard_WGVPN1
	option description 'US247 Virginia'
	option public_key '...'
	option endpoint_host '198.54.135.66'
	option endpoint_port '51820'
	list allowed_ips '0.0.0.0/0'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
dhcp (partial):
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option leasetime '12h'
	option dhcpv4 'server'
	option start '2560'
	option limit '200'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'
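With `list allowed_ips '0.0.0.0/0'` and `option route_allowed_ips '1'`, the router's main routing table gets its default route via WGVPN1, so traffic the router itself originates (including dnsmasq's queries to its upstreams) follows the tunnel unless a pbr rule says otherwise. The following script is an added example, not part of the post above, for verifying that on the router: it reads the upstreams dnsmasq uses from the resolvfile shown in the config and reports the egress interface `ip route get` picks for each; it assumes the WireGuard interface is named WGVPN1 and the resolvfile path from the dhcp config.

```shell
#!/bin/sh
# Added example (not from the original post): report which interface the
# router's own DNS traffic to each dnsmasq upstream would leave on.
# Assumed names from the poster's config: WireGuard interface WGVPN1 and
# the resolvfile /tmp/resolv.conf.d/resolv.conf.auto dnsmasq reads.

WG_IF="WGVPN1"
RESOLV_FILE="/tmp/resolv.conf.d/resolv.conf.auto"

# Extract upstream nameserver addresses from resolv.conf-style text on stdin,
# skipping comment lines and any loopback entries (those are dnsmasq itself).
resolv_servers() {
    awk '$1 == "nameserver" && $2 !~ /^127\./ { print $2 }'
}

# Pull the egress device out of one "ip route get" line, e.g.
# "1.1.1.1 dev WGVPN1 table main src 10.66.113.240 uid 0" -> WGVPN1
route_dev() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Classify a route line: "tunnel" if it leaves via the WireGuard interface,
# "clear" otherwise (the query would be visible to the WAN provider).
classify() {
    if [ "$(route_dev "$1")" = "$WG_IF" ]; then echo tunnel; else echo clear; fi
}

# Live check on the router: look up every upstream dnsmasq would use.
# Output columns: upstream address, egress device, tunnel|clear.
live_check() {
    resolv_servers < "$RESOLV_FILE" | while read -r srv; do
        line=$(ip route get "$srv" 2>/dev/null | head -n 1)
        printf '%-16s %-8s %s\n' "$srv" "$(route_dev "$line")" "$(classify "$line")"
    done
}

# Only touch the live routing table when explicitly asked (sh check.sh --live).
if [ "${1-}" = "--live" ]; then live_check; fi
```

Run it again after `ifdown WGVPN1` to see the same upstreams flip to `clear`, which is the DNS leak the post mentions for the tunnel-down case.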