I need help Config DNS

You may be able to recover the standard DHCP config from /rom/etc/config/dhcp

1 Like

To fix the DNS leak, disable peer DNS and configure an upstream DNS provider:
https://openwrt.org/docs/guide-user/base-system/dhcp_configuration#upstream_dns_provider

1 Like

A lot of people misunderstand DNS leaks. If you don't have PBR, aka split tunnel, then technically you don't have a DNS leak. Your ISP could pinpoint you via metadata, but you don't have a DNS leak unless you deploy PBR.

The vulnerability allows an ISP, as well as any on-path to see what websites a user may be visiting. This is possible because the browser's DNS requests are sent to the ISP DNS server directly, and not sent through the VPN.

This only occurs with certain types of VPNs, e.g. "split-tunnel" VPNs, where traffic can still be sent over the local network interface even when the VPN is active.

If the default route of the router is your VPN, your ISP can see the request comes from your VPN.

I'm using PBR

Then you might need multi Dnsmasq.

Looks fine assuming that your VPN server is somewhere around Netherlands.

It is wrong. I have a leak. It recognizes the DNS of my main router, which I have now set to Google's and not to my phone provider's.

Here's a GitHub repo of a commercial VPN router config using OpenWrt. It doesn't mean they are correct, but you should be able to configure/test based on the config.

It doesn't work for me.

I cannot reconfigure it as it was before I made the change, and now when I go back it does not work. I have a leak, and that makes television platforms detect that I use a VPN, so the applications do not open.

What platforms?
Perhaps it relies on your ISP DNS?

Disney+.
I do not have much knowledge of all this. I only know that at the time this helped me, Help config DNS, but not now.

1 Like

Does it work if you disconnect the VPN?

Has something changed?

Does it work if you disconnect the VPN? Yes

Has something changed? Tried this today: https://openwrt.org/docs/guide-user/firewall/fw3_configurations/intercept_dns. The way it was working for me, I was not satisfied at all, since I cannot use an adblocker and I would like to have it.

1 Like

https://openwrt.org/docs/guide-user/firewall/fw3_configurations/intercept_dns. This did not work for me, or I did not know how to do it, and that is when I wanted to go back and do it like this, Help config DNS, but it did not go back to working, and now I don't know what to do to make it work well for me. Can you help me? I have no idea about the subject.

Can you help me configure this, https://openwrt.org/docs/guide-user/firewall/fw3_configurations/intercept_dns, on my system?

Post the output while the VPN is connected:

uci show firewall; uci show dhcp; \
head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*; \
ip route get 1::; ip route get 1
1 Like
root@Home:~# uci show firewall; uci show dhcp; \
> head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*; \
> ip route get 1::; ip route get 1
firewall.@defaults[0]=defaults
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='ACCEPT'
firewall.@defaults[0].synflood_protect='1'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan wg0'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].network='wan wan6'
firewall.@zone[1].input='ACCEPT'
firewall.@zone[1].forward='ACCEPT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-ICMPv6-Forward'
firewall.@rule[0].src='wan'
firewall.@rule[0].dest='*'
firewall.@rule[0].proto='icmp'
firewall.@rule[0].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[0].limit='1000/sec'
firewall.@rule[0].family='ipv6'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-IPSec-ESP'
firewall.@rule[1].src='wan'
firewall.@rule[1].dest='lan'
firewall.@rule[1].proto='esp'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-ISAKMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].dest='lan'
firewall.@rule[2].dest_port='500'
firewall.@rule[2].proto='udp'
firewall.@rule[2].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@zone[2]=zone
firewall.@zone[2].name='wifi'
firewall.@zone[2].input='ACCEPT'
firewall.@zone[2].forward='ACCEPT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].network='wifi'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].dest='wan'
firewall.@forwarding[1].src='wifi'
firewall.@zone[3]=zone
firewall.@zone[3].output='ACCEPT'
firewall.@zone[3].input='REJECT'
firewall.@zone[3].forward='REJECT'
firewall.@zone[3].name='VpnClient'
firewall.@zone[3].network='vpnclient'
firewall.@zone[3].masq='1'
firewall.@zone[3].mtu_fix='1'
firewall.@forwarding[2]=forwarding
firewall.@forwarding[2].src='lan'
firewall.@forwarding[2].dest='VpnClient'
firewall.miniupnpd=include
firewall.miniupnpd.type='script'
firewall.miniupnpd.path='/usr/share/miniupnpd/firewall.include'
firewall.miniupnpd.family='any'
firewall.miniupnpd.reload='1'
firewall.@zone[4]=zone
firewall.@zone[4].name='wgclient'
firewall.@zone[4].input='REJECT'
firewall.@zone[4].forward='REJECT'
firewall.@zone[4].output='ACCEPT'
firewall.@zone[4].network='wgclient0'
firewall.@zone[4].masq='1'
firewall.@zone[4].mtu_fix='1'
firewall.@forwarding[3]=forwarding
firewall.@forwarding[3].dest='wgclient'
firewall.@forwarding[3].src='lan'
firewall.@zone[5]=zone
firewall.@zone[5].network='vpnclient1'
firewall.@zone[5].name='vpnclient1'
firewall.@zone[5].input='REJECT'
firewall.@zone[5].forward='REJECT'
firewall.@zone[5].output='ACCEPT'
firewall.@zone[5].masq='1'
firewall.@zone[5].mtu_fix='1'
firewall.@forwarding[4]=forwarding
firewall.@forwarding[4].dest='vpnclient1'
firewall.@forwarding[4].src='lan'
firewall.@zone[6]=zone
firewall.@zone[6].name='vpnclient2'
firewall.@zone[6].input='REJECT'
firewall.@zone[6].forward='REJECT'
firewall.@zone[6].output='ACCEPT'
firewall.@zone[6].network='vpnclient2'
firewall.@zone[6].masq='1'
firewall.@zone[6].mtu_fix='1'
firewall.@forwarding[5]=forwarding
firewall.@forwarding[5].dest='vpnclient2'
firewall.@forwarding[5].src='lan'
firewall.@zone[7]=zone
firewall.@zone[7].name='vpnclient3'
firewall.@zone[7].input='REJECT'
firewall.@zone[7].forward='REJECT'
firewall.@zone[7].output='ACCEPT'
firewall.@zone[7].network='vpnclient3'
firewall.@zone[7].masq='1'
firewall.@zone[7].mtu_fix='1'
firewall.@forwarding[6]=forwarding
firewall.@forwarding[6].dest='vpnclient3'
firewall.@forwarding[6].src='lan'
firewall.dns_int=redirect
firewall.dns_int.name='Intercept-DNS'
firewall.dns_int.src='lan'
firewall.dns_int.src_dport='53'
firewall.dns_int.proto='tcp udp'
firewall.dns_int.target='DNAT'
firewall.nat6=include
firewall.nat6.path='/etc/firewall.nat6'
firewall.nat6.reload='1'
dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded='1'
dhcp.@dnsmasq[0].localise_queries='1'
dhcp.@dnsmasq[0].rebind_protection='1'
dhcp.@dnsmasq[0].rebind_localhost='1'
dhcp.@dnsmasq[0].local='/lan/'
dhcp.@dnsmasq[0].domain='lan'
dhcp.@dnsmasq[0].expandhosts='1'
dhcp.@dnsmasq[0].authoritative='1'
dhcp.@dnsmasq[0].readethers='1'
dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases'
dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.auto'
dhcp.@dnsmasq[0].localservice='1'
dhcp.@dnsmasq[0].confdir='/tmp/dnsmasq.d'
dhcp.@dnsmasq[0].server='8.8.8.8' '8.8.4.4'
dhcp.@dnsmasq[0].noresolv='1'
dhcp.lan=dhcp
dhcp.lan.interface='lan'
dhcp.lan.ra='server'
dhcp.lan.dhcpv6='server'
dhcp.lan.ra_management='1'
dhcp.lan.start='100'
dhcp.lan.leasetime='12h'
dhcp.lan.limit='150'
dhcp.lan.dhcp_option='6,8.8.8.8,8.8.4.4'
dhcp.wan=dhcp
dhcp.wan.interface='wan'
dhcp.wan.ignore='1'
dhcp.odhcpd=odhcpd
dhcp.odhcpd.maindhcp='0'
dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd'
dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update'
dhcp.odhcpd.loglevel='4'
dhcp.wifi=dhcp
dhcp.wifi.leasetime='12h'
dhcp.wifi.interface='wifi'
dhcp.wifi.start='150'
dhcp.wifi.limit='100'
dhcp.@host[0]=host
dhcp.@host[0].mac=''
dhcp.@host[0].name='B
dhcp.@host[0].dns='1'
dhcp.@host[0].ip='192.1
dhcp.@host[1]=host
dhcp.@host[1].mac=''
dhcp.@host[1].name=''
dhcp.@host[1].dns='1'
dhcp.@host[1].ip=''
dhcp.@host[2]=host
dhcp.@host[2].mac=''
dhcp.@host[2].name=''
dhcp.@host[2].dns='1'
dhcp.@host[2].ip=''
dhcp.@host[3]=host
dhcp.@host[3].mac=''
dhcp.@host[3].name=''
dhcp.@host[3].dns='1'
dhcp.@host[3].ip=''
dhcp.@host[4]=host
dhcp.@host[4].mac=''
dhcp.@host[4].name=''
dhcp.@host[4].dns='1'
dhcp.@host[4].ip='
dhcp.@host[5]=host
dhcp.@host[5].name=''
dhcp.@host[5].dns='1'
dhcp.@host[5].ip=''
dhcp.@host[5].mac=''
dhcp.@host[6]=host
dhcp.@host[6].mac=''
dhcp.@host[6].name=''
dhcp.@host[6].dns='1'
dhcp.@host[6].ip=''
dhcp.@host[7]=host
dhcp.@host[7].mac=''
dhcp.@host[7].name='r'
dhcp.@host[7].dns='1'
dhcp.@host[7].ip=''
dhcp.@host[8]=host
dhcp.@host[8].mac=''
dhcp.@host[8].dns='1'
dhcp.@host[8].name=''
dhcp.@host[8].ip=''
dhcp.@host[9]=host
dhcp.@host[9].name=''
dhcp.@host[9].dns='1'
dhcp.@host[9].ip=''
dhcp.@host[9].mac=''
dhcp.@host[10]=host
dhcp.@host[10].dns='1'
dhcp.@host[10].ip=''
dhcp.@host[10].mac=''
dhcp.@host[10].name=''
dhcp.@host[11]=host
dhcp.@host[11].name=''
dhcp.@host[11].dns='1'
dhcp.@host[11].ip=''
dhcp.@host[11].mac=''
dhcp.@host[12]=host
dhcp.@host[12].mac=''
dhcp.@host[12].name='
dhcp.@host[12].dns='1'
dhcp.@host[12].ip=''
dhcp.@host[13]=host
dhcp.@host[13].mac=''
dhcp.@host[13].name=''
dhcp.@host[13].dns='1'
dhcp.@host[13].ip=''
dhcp.@host[14]=host
dhcp.@host[14].mac=''
dhcp.@host[14].name=''
dhcp.@host[14].dns='1'
dhcp.@host[14].ip=''
dhcp.@host[15]=host
dhcp.@host[15].mac='
dhcp.@host[15].name=''
dhcp.@host[15].dns='1'
dhcp.@host[15].ip=''
dhcp.@host[16]=host
dhcp.@host[16].mac=''
dhcp.@host[16].name=''
dhcp.@host[16].dns='1'
dhcp.@host[16].ip=''
dhcp.@host[17]=host
dhcp.@host[17].mac=''
dhcp.@host[17].name=''
dhcp.@host[17].dns='1'
dhcp.@host[17].ip=''
dhcp.@host[18]=host
dhcp.@host[18].mac=''
dhcp.@host[18].name=''
dhcp.@host[18].dns='1'
dhcp.@host[18].ip=''
dhcp.@host[19]=host
dhcp.@host[19].mac=''
dhcp.@host[19].name=''
dhcp.@host[19].dns='1'
dhcp.@host[19].ip=''
dhcp.@host[20]=host
dhcp.@host[20].mac=''
dhcp.@host[20].name='Ps3'
dhcp.@host[20].dns='1'
dhcp.@host[20].ip=''
dhcp.@host[21]=host
dhcp.@host[21].mac=''
dhcp.@host[21].name=''
dhcp.@host[21].dns='1'
dhcp.@host[21].ip=''
dhcp.@host[22]=host
dhcp.@host[22].mac=''
dhcp.@host[22].name='Tonibox'
dhcp.@host[22].dns='1'
dhcp.@host[22].ip=''
==> /etc/resolv.conf <==
==> /tmp/resolv.conf <==
==> /tmp/resolv.conf.auto <==
head: /tmp/resolv.*/*: No such file or directory
RTNETLINK answers: Permission denied
1.0.0.0 via 192.168.10.1 dev eth1 src 192.168.10.10 uid 0
cache
root@Home:~#
1 Like

The problem is that OpenWrt sends traffic to the WAN interface instead of VPN.
Have you configured policy-based routing?

uci show vpn-policy-routing; ip -4 route show table all; ip -4 rule show
1 Like

Yes.

root@Home:~# uci show vpn-policy-routing; ip -4 route show table all; ip -4 rule show
vpn-policy-routing.@policy[0]=policy
vpn-policy-routing.@policy[0].name='HomeControl'
vpn-policy-routing.@policy[0].src_addr='192.168.15.4'
vpn-policy-routing.@policy[0].interface='wgclient0'
vpn-policy-routing.@policy[1]=policy
vpn-policy-routing.@policy[1].name='iMac'
vpn-policy-routing.@policy[1].src_addr='192.168.15.5'
vpn-policy-routing.@policy[1].interface='wgclient0'
vpn-policy-routing.@policy[2]=policy
vpn-policy-routing.@policy[2].name='MobileFlorian'
vpn-policy-routing.@policy[2].src_addr='192.168.15.8'
vpn-policy-routing.@policy[2].interface='wgclient0'
vpn-policy-routing.@policy[3]=policy
vpn-policy-routing.@policy[3].name='MobileFlo'
vpn-policy-routing.@policy[3].src_addr='10.0.0.2'
vpn-policy-routing.@policy[3].interface='wgclient0'
vpn-policy-routing.@policy[4]=policy
vpn-policy-routing.@policy[4].name='MobilePati'
vpn-policy-routing.@policy[4].interface='wgclient0'
vpn-policy-routing.@policy[4].src_addr='192.168.15.7'
vpn-policy-routing.@policy[5]=policy
vpn-policy-routing.@policy[5].name='MobilePati'
vpn-policy-routing.@policy[5].src_addr='10.0.0.3'
vpn-policy-routing.@policy[5].interface='wgclient0'
vpn-policy-routing.@policy[6]=policy
vpn-policy-routing.@policy[6].name='AppleTv-Wohn'
vpn-policy-routing.@policy[6].src_addr='192.168.15.9'
vpn-policy-routing.@policy[6].interface='vpnclient'
vpn-policy-routing.@policy[6].enabled='0'
vpn-policy-routing.@policy[7]=policy
vpn-policy-routing.@policy[7].name='Wohnzimmer-Fernsehen '
vpn-policy-routing.@policy[7].src_addr='192.168.15.12'
vpn-policy-routing.@policy[7].interface='vpnclient1'
vpn-policy-routing.@policy[8]=policy
vpn-policy-routing.@policy[8].name='AppleTv-Schlaf'
vpn-policy-routing.@policy[8].src_addr='192.168.15.10'
vpn-policy-routing.@policy[8].interface='vpnclient1'
vpn-policy-routing.@policy[8].enabled='0'
vpn-policy-routing.@policy[9]=policy
vpn-policy-routing.@policy[9].name='Eltern-Fernsehen '
vpn-policy-routing.@policy[9].src_addr='192.168.15.11'
vpn-policy-routing.@policy[9].interface='vpnclient1'
vpn-policy-routing.@include[0]=include
vpn-policy-routing.@include[0].path='/etc/vpn-policy-routing.aws.user'
vpn-policy-routing.@include[0].enabled='0'
vpn-policy-routing.@include[1]=include
vpn-policy-routing.@include[1].path='/etc/vpn-policy-routing.netflix.user'
vpn-policy-routing.@include[1].enabled='0'
vpn-policy-routing.config=vpn-policy-routing
vpn-policy-routing.config.verbosity='2'
vpn-policy-routing.config.strict_enforcement='1'
vpn-policy-routing.config.dest_ipset='dnsmasq.ipset'
vpn-policy-routing.config.boot_timeout='30'
vpn-policy-routing.config.iptables_rule_option='append'
vpn-policy-routing.config.webui_sorting='1'
vpn-policy-routing.config.webui_supported_protocol='tcp' 'udp' 'tcp udp' 'icmp' 'all'
vpn-policy-routing.config.src_ipset='0'
vpn-policy-routing.config.webui_enable_column='1'
vpn-policy-routing.config.webui_protocol_column='1'
vpn-policy-routing.config.webui_chain_column='1'
vpn-policy-routing.config.ipv6_enabled='0'
vpn-policy-routing.config.ignored_interface='vpnserver wgserver' 'wg0'
vpn-policy-routing.config.supported_interface='vpnclient'
vpn-policy-routing.config.append_src_rules='! -d 10.0.0.0/24'
vpn-policy-routing.config.iprule_enabled='0'
vpn-policy-routing.config.enabled='1'
default via 192.168.10.1 dev eth1 table 201
10.0.0.0/24 dev wg0 table 201 proto kernel scope link src 10.0.0.1
10.0.0.2 dev wg0 table 201 proto static scope link
10.0.0.3 dev wg0 table 201 proto static scope link
default via 10.66.126.50 dev wgclient0 table 202
10.0.0.0/24 dev wg0 table 202 proto kernel scope link src 10.0.0.1
10.0.0.2 dev wg0 table 202 proto static scope link
10.0.0.3 dev wg0 table 202 proto static scope link
default via 10.8.2.11 dev tun0 table 203
10.0.0.0/24 dev wg0 table 203 proto kernel scope link src 10.0.0.1
10.0.0.2 dev wg0 table 203 proto static scope link
10.0.0.3 dev wg0 table 203 proto static scope link
default via 10.7.2.3 dev tun1 table 204
10.0.0.0/24 dev wg0 table 204 proto kernel scope link src 10.0.0.1
10.0.0.2 dev wg0 table 204 proto static scope link
10.0.0.3 dev wg0 table 204 proto static scope link
default via 10.7.1.5 dev tun2 table 205
10.0.0.0/24 dev wg0 table 205 proto kernel scope link src 10.0.0.1
10.0.0.2 dev wg0 table 205 proto static scope link
10.0.0.3 dev wg0 table 205 proto static scope link
default via 10.7.7.2 dev tun3 table 206
10.0.0.0/24 dev wg0 table 206 proto kernel scope link src 10.0.0.1
10.0.0.2 dev wg0 table 206 proto static scope link
10.0.0.3 dev wg0 table 206 proto static scope link
default via 192.168.10.1 dev eth1 proto static
10.0.0.0/24 dev wg0 proto kernel scope link src 10.0.0.1
10.0.0.2 dev wg0 proto static scope link
10.0.0.3 dev wg0 proto static scope link
10.7.1.0/24 dev tun2 proto kernel scope link src 10.7.1.5
10.7.2.0/24 dev tun1 proto kernel scope link src 10.7.2.3
10.7.7.0/24 dev tun3 proto kernel scope link src 10.7.7.2
10.8.2.0/24 dev tun0 proto kernel scope link src 10.8.2.11
31.16.44.119 via 192.168.10.1 dev eth1 proto static
192.168.10.0/24 dev eth1 proto kernel scope link src 192.168.10.10
192.168.15.0/24 dev br-lan proto kernel scope link src 192.168.15.1
193.27.14.146 via 192.168.10.1 dev eth1 proto static
broadcast 10.0.0.0 dev wg0 table local proto kernel scope link src 10.0.0.1
local 10.0.0.1 dev wg0 table local proto kernel scope host src 10.0.0.1
broadcast 10.0.0.255 dev wg0 table local proto kernel scope link src 10.0.0.1
broadcast 10.7.1.0 dev tun2 table local proto kernel scope link src 10.7.1.5
local 10.7.1.5 dev tun2 table local proto kernel scope host src 10.7.1.5
broadcast 10.7.1.255 dev tun2 table local proto kernel scope link src 10.7.1.5
broadcast 10.7.2.0 dev tun1 table local proto kernel scope link src 10.7.2.3
local 10.7.2.3 dev tun1 table local proto kernel scope host src 10.7.2.3
broadcast 10.7.2.255 dev tun1 table local proto kernel scope link src 10.7.2.3
broadcast 10.7.7.0 dev tun3 table local proto kernel scope link src 10.7.7.2
local 10.7.7.2 dev tun3 table local proto kernel scope host src 10.7.7.2
broadcast 10.7.7.255 dev tun3 table local proto kernel scope link src 10.7.7.2
broadcast 10.8.2.0 dev tun0 table local proto kernel scope link src 10.8.2.11
local 10.8.2.11 dev tun0 table local proto kernel scope host src 10.8.2.11
broadcast 10.8.2.255 dev tun0 table local proto kernel scope link src 10.8.2.11
local 10.66.126.50 dev wgclient0 table local proto kernel scope host src 10.66.126.50
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.10.0 dev eth1 table local proto kernel scope link src 192.168.10.10
local 192.168.10.10 dev eth1 table local proto kernel scope host src 192.168.10.10
broadcast 192.168.10.255 dev eth1 table local proto kernel scope link src 192.168.10.10
broadcast 192.168.15.0 dev br-lan table local proto kernel scope link src 192.168.15.1
local 192.168.15.1 dev br-lan table local proto kernel scope host src 192.168.15.1
broadcast 192.168.15.255 dev br-lan table local proto kernel scope link src 192.168.15.1
0: from all lookup local
32712: from all fwmark 0x60000/0xff0000 lookup 206
32713: from all fwmark 0x50000/0xff0000 lookup 205
32714: from all fwmark 0x40000/0xff0000 lookup 204
32715: from all fwmark 0x30000/0xff0000 lookup 203
32716: from all fwmark 0x20000/0xff0000 lookup 202
32717: from all fwmark 0x10000/0xff0000 lookup 201
32766: from all lookup main
32767: from all lookup default
root@Home:~#
1 Like

Create a policy to route Google DNS over the VPN.

1 Like
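As an added example (not from the thread or any poster), a small POSIX shell script that turns the `ip route get` check from the diagnostic commands above into a leak audit and wraps the policy the last reply asks for in uci commands. It assumes the thread's own names: VPN interface wgclient0 (fwmark 0x20000 / table 202 in the `ip rule` output) and upstream resolvers 8.8.8.8 and 8.8.4.4; the sample route lines are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit which interface each upstream
# resolver leaves through (from `ip route get` lines) and, on the router,
# add the vpn-policy-routing policy the last reply asks for. Assumed from
# the thread: VPN interface wgclient0 (fwmark 0x20000 -> table 202), 8.8.8.8/8.8.4.4.

# Egress device from one `ip route get` line, e.g.
# "1.0.0.0 via 192.168.10.1 dev eth1 src 192.168.10.10 uid 0" -> eth1
route_dev() {
  printf '%s\n' "$1" | sed -n 's/.* dev \([^ ]*\).*/\1/p'
}

# Succeeds (0) when the line's egress device is NOT in the VPN list in $2,
# i.e. queries to that resolver would leave unencrypted via the ISP uplink.
is_leak() {
  dev=$(route_dev "$1")
  for vpn in $2; do
    [ "$dev" = "$vpn" ] && return 1
  done
  return 0
}

# Reads route lines on stdin, prints one verdict per resolver and returns
# the number of resolvers that would leak (0 means all DNS rides the VPN).
audit_routes() {
  vpns=$1
  leaks=0
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    dev=$(route_dev "$line")
    if is_leak "$line" "$vpns"; then
      echo "LEAK ${line%% *} leaves via $dev (not a VPN interface)"
      leaks=$((leaks + 1))
    else
      echo "ok   ${line%% *} leaves via $dev"
    fi
  done
  return "$leaks"
}

# Router only: a dest_addr policy so the router's own upstream queries are
# marked and follow table 202 (wgclient0) instead of the main table. Verify
# afterwards with the mark, since a plain lookup does not simulate netfilter:
#   ip route get 8.8.8.8 mark 0x20000
add_dns_policy() {
  command -v uci >/dev/null 2>&1 || { echo "run this on the OpenWrt router" >&2; return 1; }
  uci add vpn-policy-routing policy >/dev/null
  uci set vpn-policy-routing.@policy[-1].name='Google-DNS-via-VPN'
  uci set vpn-policy-routing.@policy[-1].dest_addr='8.8.8.8 8.8.4.4'
  uci set vpn-policy-routing.@policy[-1].interface='wgclient0'
  uci commit vpn-policy-routing
  /etc/init.d/vpn-policy-routing restart
}

# Constructed samples: the thread's own `ip route get 1` line (WAN egress)
# and a hypothetical line for a resolver already routed via wgclient0.
SAMPLE_WAN='1.0.0.0 via 192.168.10.1 dev eth1 src 192.168.10.10 uid 0'
SAMPLE_VPN='8.8.8.8 via 10.66.126.50 dev wgclient0 src 10.66.126.50 uid 0'
printf '%s\n' "$SAMPLE_WAN" "$SAMPLE_VPN" | audit_routes wgclient0 \
  || echo "$? resolver(s) would leak via WAN; run add_dns_policy on the router"
```

On the router, feed real lines instead of the samples: `for ip in $(uci -q get dhcp.@dnsmasq[0].server); do ip route get "$ip" mark 0x20000; done | audit_routes wgclient0`.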