Exempt VPN from using local DNS (pihole)

I have 2 VLANS - 192.168.1.x for my trusted devices and 192.168.2.x for IOT devices.

I have my router configured so VLAN1 access the internet directly and VLAN2 goes via my Wireguard VPN interface. I've done this using PBR.

This works but I get a DNS leak on VLAN2 traffic that I'm trying to plug.

I'm confused by all the different options for changing DNS settings in Openwrt. How do I force all VPN traffic to use the VPN's DNS config rather than the local pihole?

configs
root@OpenWrt:~# cat /etc/config/network

# /etc/config/network — two VLANs on one bridge. VLAN1 ('lan') exits via WAN,
# VLAN2 exits via the WireGuard interface 'wgmvad'. The tunnel is selected by
# pbr, not by a default route (see 'defaultroute 0' on wgmvad below).
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdee:e1a2:9fc4::/48'
	option packet_steering '1'

# IPv6 is switched off on the bridge (ipv6 '0'); with 'delegate 0' on both LAN
# interfaces this presumably keeps clients v4-only, so the v6 half of the tunnel
# (allowed_ips ::0/0 below) should carry no client traffic. Not verified here.
config device
	option name 'br-lan'
	option type 'bridge'
	option ipv6 '0'
	list ports 'eth0'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option delegate '0'
	list dns_search 'lan'
# 192.168.1.100 is the pihole. An interface 'dns' entry feeds the router's own
# resolver list (resolv.conf.auto), which dnsmasq also reads unless 'noresolv'
# is set in /etc/config/dhcp — it does not affect what DHCP clients are told.
	list dns '192.168.1.100'

# NOTE(review): wan6 sets 'peerdns 0' but wan does not, so the ISP's
# DHCP-supplied DNS servers presumably also land in the router's resolver list,
# giving router-originated lookups a second un-tunnelled path. Consider adding
# 'option peerdns 0' here to match wan6.
config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option peerdns '0'

# VLAN 1: trunk on eth0, untagged on lan1/lan2 (trusted devices).
config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'eth0:t'
	list ports 'lan1:u*'
	list ports 'lan2:u*'

# VLAN 2: trunk on eth0, untagged on lan3/lan4 (IoT devices).
config bridge-vlan
	option device 'br-lan'
	option vlan '2'
	list ports 'eth0:t'
	list ports 'lan3:u*'
	list ports 'lan4:u*'

config interface 'vlan2'
	option proto 'static'
	option device 'br-lan.2'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option delegate '0'

config interface 'wgmvad'
	option proto 'wireguard'
	option private_key 'xxx='
# No default route is installed for the tunnel; pbr steers VLAN2 into it.
	option defaultroute '0'
	list addresses 'xxx/32'
# The provider's resolver. Like the lan 'dns' entry above, this only joins the
# router's own resolver list; by itself it does not make VLAN2 clients use it.
	list dns 'xxx'

config wireguard_wgmvad
	option description 'xxx.conf'
	option public_key 'xxx='
# allowed_ips is WireGuard's cryptokey routing (which destinations may be sent
# to this peer / which sources are accepted from it). With 'defaultroute 0' and
# route_allowed_ips left at its default it presumably installs no kernel routes.
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::0/0'
	option endpoint_host 'xxx'
	option endpoint_port '51820'
# NOTE(review): 'private_key' is not a peer-section option (the interface
# section above already carries the key). If this was meant to be the
# provider's preshared key, the option is 'preshared_key'; as written it is
# presumably ignored, so no PSK is applied. Confirm against the provider's .conf.
	option private_key 'xxx'

config device
	option name 'br-lan.1'
	option type '8021q'
	option ifname 'br-lan'
	option vid '1'
	option ipv6 '0'
	option acceptlocal '1'

config device
	option name 'br-lan.2'
	option type '8021q'
	option ifname 'br-lan'
	option vid '2'
	option ipv6 '0'

config device
	option name 'lan1'
	option acceptlocal '1'

root@OpenWrt:~# cat /etc/config/wireless

# /etc/config/wireless — radio0 (2.4 GHz) carries the IoT SSID on vlan2,
# radio1 (5 GHz) carries the trusted SSID on lan.
config wifi-device 'radio0'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
	option channel '1'
	option band '2g'
	option htmode 'HE20'
	option disabled '0'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'vlan2'
	option mode 'ap'
	option ssid 'OpenWrt2'
# 'sae-mixed' = WPA3-SAE with WPA2-PSK fallback: a WPA2-only client negotiates
# PSK, so the passphrase below remains offline-crackable from a captured
# 4-way handshake. Reasonable for an IoT SSID that must admit legacy clients.
# For an IoT network also consider 'option isolate 1' so clients cannot reach
# each other over the air.
	option encryption 'sae-mixed'
# NOTE(review): this passphrase is short, dictionary-like, identical to the
# trusted SSID's, and has now been posted publicly — rotate both, and use a
# distinct one per SSID so a compromised IoT device cannot join VLAN1's Wi-Fi.
	option key 'owrt2023'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1'
	option channel '36'
	option band '5g'
	option htmode 'HE80'
	option disabled '0'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
# Trusted SSID: if every client here supports WPA3, 'sae' (no PSK fallback)
# removes the offline-crack path entirely.
	option encryption 'sae-mixed'
# Same passphrase as the IoT SSID — see note on default_radio0.
	option key 'owrt2023'

root@OpenWrt:~# cat /etc/config/dhcp

# /etc/config/dhcp — one dnsmasq instance serves DHCP and DNS for both VLANs.
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
# Rejects upstream answers pointing at private ranges (DNS-rebinding guard).
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
# Only answers DNS for directly attached subnets — keeps the resolver off WAN.
	option localservice '1'
	option ednspacket_max '1232'
# Explicit upstream: the pihole. Since 'noresolv 1' is not set, dnsmasq
# presumably also reads the netifd resolver list (ISP DHCP DNS, the wgmvad
# 'dns' entry) and picks among all of them by response time, so the router's
# own lookups are not pinned to the pihole. 'option noresolv 1' would make
# this the only upstream.
	list server '192.168.1.100'

config dhcp 'lan'
	option interface 'lan'
	option start '11'
	option limit '150'
# NOTE(review): 2-minute leases cause constant renewal traffic; the usual value
# is 12h (as on vlan2) unless this is a deliberate test setting.
	option leasetime '2m'
	option dhcpv4 'server'
	option master '1'
# VLAN1 clients are told to query the pihole directly.
	list dhcp_option '6,192.168.1.100'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

# No dhcp_option 6 here, so clients presumably get the router (192.168.2.1) as
# DNS. dnsmasq forwards those queries from the router itself — via the main
# routing table, which pbr does not steer — to the pihole (or whichever upstream
# wins), and the pihole's own upstream queries leave via WAN because VLAN1 is
# not tunnelled. That is the leak. Pointing option 6 at the provider's resolver
# fixes it for clients that honour DHCP; devices with a hard-coded resolver
# still need a firewall rule on the vlan2 zone to catch or redirect port 53.
config dhcp 'vlan2'
	option interface 'vlan2'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option force '1'
pbr config
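# /etc/config/pbr — VLAN2 (192.168.2.0/24) is policy-routed into the WireGuard
# interface 'wgmvad'; everything else uses the normal routing table.
config pbr 'config'
	option enabled '1'
	option verbosity '2'
# Fail closed: when wgmvad is down, traffic matched to it is dropped instead of
# falling back to WAN. Keep this on — it is what stops a tunnel outage from
# silently un-tunnelling VLAN2.
	option strict_enforcement '1'
# No dnsmasq ipset/nftset integration; domain-name targets in policies are
# presumably resolved once by the router's resolver when pbr starts.
	option resolver_set 'none'
	option ipv6_enabled '0'
# Neither interface exists in /etc/config/network; these are harmless defaults.
	list ignored_interface 'vpnserver'
	list ignored_interface 'wgserver'
	option boot_timeout '30'
	option rule_create_option 'add'
	option procd_reload_delay '1'
	option webui_show_ignore_target '1'
	list webui_supported_protocol 'all'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'

# Stock example includes, left disabled.
config include
	option path '/usr/share/pbr/pbr.user.aws'
	option enabled '0'

config include
	option path '/usr/share/pbr/pbr.user.netflix'
	option enabled '0'

# Stock example policies, left disabled.
config policy
	option name 'Plex/Emby Local Server'
	option interface 'wan'
	option src_port '8096 8920 32400'
	option enabled '0'

config policy
	option name 'Plex/Emby Remote Servers'
	option interface 'wan'
	option dest_addr 'plex.tv my.plexapp.com emby.media app.emby.media tv.emby.media'
	option enabled '0'

# The working policy. Traffic from VLAN2 to anything outside 192.168.0.0/16
# goes into the tunnel; the negated destination keeps inter-VLAN traffic on the
# local table (whether the firewall zones then allow VLAN2 -> VLAN1 is decided
# in /etc/config/firewall, not here). Note the DNS leak is not a routing gap:
# this rule already covers port 53 from VLAN2 clients to any public resolver —
# the leak comes from queries the router's own dnsmasq forwards on their behalf.
# Fixed: the src_addr value was missing its closing quote, which makes uci
# reject the section (or the paste was truncated there).
config policy
	option name 'VLAN 2 over wireguard'
	option dest_addr '!192.168.0.0/16'
	option interface 'wgmvad'
	option src_addr '192.168.2.0/24'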

Try the following

Under config dhcp 'vlan2'

add: list dhcp_option '6,<ip-address-of-dns-server>'

This hands the address of the DNS server you want to every DHCP client on VLAN2, so their queries go to it directly (through the tunnel, since the pbr policy already covers all non-local traffic from 192.168.2.0/24) instead of to the router's dnsmasq. It only helps clients that honour DHCP option 6: IoT devices with a hard-coded resolver (8.8.8.8 is common) will keep querying it, so pair this with a firewall rule on the vlan2 zone that drops or redirects port 53 traffic to anything other than the intended resolver. DoH clients cannot be caught by port and would need to be blocked by destination.


Ah that's great, the leak has stopped.

However I can't access local devices from VLAN2 anymore. I would like VLAN2 to access a few servers on my network that are on VLAN1 and be able to log in to my Pihole config.

The simplest option is to use an upstream DNS provider on the pihole that provides a sufficient level of privacy (ideally over DoT/DoH, so the ISP cannot read the queries in transit), leave vlan2 using the pihole, and accept that the pihole's own upstream queries leave via the WAN rather than the tunnel. If that last part is the real concern, a second pbr policy that sends only the pihole's DNS traffic (src_addr 192.168.1.100, dest_port 53 853) over wgmvad should close it without giving up local name resolution for either VLAN.


I might fallback to that. My concern was from a fingerprinting perspective. I imagine that my fingerprint is far more unique doing it this way than using my VPN's DNS servers to 'blend in'.

What 'fingerprint' are you referring to? Sites you visit don't generally learn which resolver you used — the lookup completes before the connection to them is made — so resolver choice is not a browser-fingerprint input. What a DNS leak does expose is the query stream itself: whoever operates the resolver (and, for plain port-53 traffic, anyone on the path) sees every name VLAN2 looks up, tied to your home IP rather than the VPN's. The only indirect tell is CDN steering — a resolver located near your real address can be answered with CDN edges near you, which a determined observer could correlate with the VPN exit — but that is a much weaker signal than the queries themselves.
