Force DNS through wireguard VPN tunnel

I have set up policy based routing to direct all my local traffic through my Mullvad WireGuard connection.

I set up AdGuard Home as per the OpenWrt wiki instructions; the dnsmasq DNS server is on port 54, AdGuard on port 53. I followed these instructions: https://openwrt.org/docs/guide-user/services/dns/adguard-home

As far as I'm concerned, all my device traffic goes through the VPN. However, I set NextDNS as the DNS server for AdGuard Home (DNS-over-QUIC). When I logged into my NextDNS profile, I saw my actual IP, not the VPN IP address, making the requests.

Is there a way using policy based routing to tunnel the DNS requests through the wireguard tunnel?

Using DHCP option 6 is easier.

Open the interface > go to DHCP Options > enter 6,1.1.1.1 or another DNS server, e.g. 6,192.168.1.1

It should work if you route to VPN by default.

I have that option in the interface settings. I don't have a DNS leak; my DNS requests are in fact going to NextDNS. They are just not passing through the WireGuard VPN.

Is there any way to route the router's own traffic (as that is what ultimately transmits the DNS data to the servers) via the VPN using policy based routing?

https://docs.openwrt.melmac.net/pbr/#a-word-about-default-routing

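The distinction the linked page makes, that PBR policies act on forwarded LAN traffic while the router's own resolver (AdGuard Home here) follows the main routing table, can be checked from the router itself. The script below is an added example, not something posted in this thread; it assumes the tunnel interface is named wg0 as elsewhere in the thread, uses a placeholder upstream address, and the two sample `ip route get` lines are constructed.

```shell
#!/bin/sh
# Report which interface the router's *own* traffic to the DNS upstream leaves on.
# Forwarded LAN traffic is steered by PBR rules; locally originated traffic
# (the resolver on the router) follows the main table unless the default
# route points at the tunnel, which is the leak described in the thread.

TUNNEL_DEV="${TUNNEL_DEV:-wg0}"        # tunnel interface name (assumption: wg0)
UPSTREAM="${UPSTREAM:-203.0.113.53}"   # placeholder for the DoQ/DoH upstream address

# egress_dev LINE: print the token following 'dev' in one line of
# `ip -o route get` output (the interface the kernel would use).
egress_dev() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# classify_egress LINE: echo "tunnel" (exit 0) when the route leaves via
# $TUNNEL_DEV, "leak" (exit 1) for any other interface, "unknown" (exit 2)
# when the line carries no 'dev' token.
classify_egress() {
    dev=$(egress_dev "$1")
    [ -z "$dev" ] && { echo "unknown"; return 2; }
    if [ "$dev" = "$TUNNEL_DEV" ]; then echo "tunnel"; return 0; fi
    echo "leak"; return 1
}

# Constructed sample lines in the shape `ip -o route get` prints on OpenWrt:
# the first is the leaking case (WAN), the second the desired case (tunnel).
SAMPLE_WAN='203.0.113.53 via 198.51.100.1 dev eth0.2 src 198.51.100.7 uid 0 \    cache'
SAMPLE_WG='203.0.113.53 dev wg0 table wireguard src 10.2.0.2 uid 0 \    cache'

# live_check: run the real lookup on the router (needs iproute2 `ip`).
live_check() {
    line=$(ip -o route get "$UPSTREAM" 2>/dev/null) || return 2
    classify_egress "$line"
}

classify_egress "$SAMPLE_WAN"   # prints: leak
classify_egress "$SAMPLE_WG"    # prints: tunnel
```

Run it after changing the default route; a result of "leak" means the resolver still exits via the WAN even though LAN clients are tunnelled.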
Thanks for that. When I set the default route to the VPN, it worked! I hadn't tried this before because in the past, PBR wouldn't allow me to route a device to the WAN when the VPN was set as the default route. It seems that issue is fixed now, as I am able to route one device to the WAN if I want to, whilst the VPN is the default route. Thanks again!

I have encountered another problem. Apart from my Mullvad VPN, I have another WireGuard VPN so that I can log in to my local network from outside. When trying to connect, I am getting a handshake timeout. Is this because the reply to my handshake is going through the Mullvad VPN? Is there any way to fix this?

Then routing to VPN by default is not an option for you as these tasks are mutually exclusive.
You can create a policy with dest_port matching DoT or DoH traffic, but I'm not sure this will work for the DoH3 protocol.

I knew it was too good to be true, hah. Is there no way to tell the router to send traffic on a particular port through the WAN instead of the Mullvad VPN?

In my network I use a personal DNS, basically like this:

Interfaces

wg0 > vpn (I use dhcp-option 6 and I get the DNS addresses)

I have WireGuard running on a bridge in an isolated network, for wired and Wi-Fi clients.

If you need, I can show you my settings.

I have 2 simple rules on routes for WireGuard not to flood my network.

Yes please that would be helpful. Do the DNS requests go through your wireguard tunnel?

DNS addresses go through the interface I use, called "vpn".

/etc/config/network

config rule
	# packets arriving on the 'vpn' interface are looked up in table 'wireguard'
	option in 'vpn'
	option lookup 'wireguard'
	option priority '32765'
	option dest '0.0.0.0/0'

config route
	# table 'wireguard' holds a single default route out of the wg0 tunnel
	option interface 'wg0'
	option target '0.0.0.0/0'
	option table 'wireguard'

config interface 'vpn'
	option proto 'static'
	option netmask '255.255.255.0'
	option type 'bridge'
	option device 'br-vlan.30'
	option ipaddr '10.30.30.1'

config interface 'wg0'
	option proto 'wireguard'
	list addresses '10.2.0.2/32'
	option private_key '2DzXXXXXXXXXX'

config wireguard_wg0
	option description 'US#840005'
	list allowed_ips '0.0.0.0/0'
	option endpoint_host '200.130.200.00'
	option endpoint_port '51820'
	option persistent_keepalive '25'
	option public_key 'sO0hbNXXXXXXXZ'

/etc/config/dhcp

config dhcp 'vpn'
	option interface 'vpn'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list dhcp_option '6,1.1.1.1,8.8.8.8'

/etc/config/firewall

config zone
	option name 'vpn'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'vpn'

config zone
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option input 'REJECT'
	option name 'wg'
	list network 'wg0'

These two options are the same table I created; you can put it in the default table "main" instead.

option lookup 'wireguard'
option table 'wireguard'

Thank you, that's very helpful!

I came up with my own workaround: I set the default route as the VPN. Then I forwarded a port using the VPN provider's website (I had to switch VPN as Mullvad is disabling port forwarding), e.g. port 1000. I port forwarded that port in OpenWrt (port 1000 from the commercial VPN interface to port 1000 on the device), and now I can connect to my locally hosted WireGuard VPN!