You may be able to recover the standard DHCP config from /rom/etc/config/dhcp
To fix DNS leak, disable peer DNS and configure upstream DNS provider:
https://openwrt.org/docs/guide-user/base-system/dhcp_configuration#upstream_dns_provider
A lot of people misunderstand DNS leaks. If you don't have PBR (aka split tunnel), then technically you don't have a DNS leak. Your ISP could pinpoint you via metadata, but you don't have a DNS leak unless you deploy PBR.
The vulnerability allows an ISP, as well as any on-path observer, to see what websites a user may be visiting. This is possible because the browser's DNS requests are sent to the ISP DNS server directly, and not sent through the VPN.
This only occurs with certain types of VPNs, e.g. "split-tunnel" VPNs, where traffic can still be sent over the local network interface even when the VPN is active.
If the default route of the router is your VPN, your ISP can see the request comes from your VPN.
I'm using PBR
Then you might need multiple Dnsmasq instances.
Looks fine assuming that your VPN server is somewhere around Netherlands.
That is wrong. I have a leak. It detects the DNS of my main router, which I have now set to Google's and not my phone provider's.
Here's a GitHub repo of a commercial VPN router config using OpenWrt. It doesn't mean they are correct, but you should be able to configure/test based on the config.
It doesn't work for me.
I cannot reconfigure it as it was before I made the change, and now when I go back it does not work. I have a leak, and that makes television platforms detect that I use a VPN, and the applications do not open.
What platforms?
Perhaps it relies on your ISP DNS?
Disney+.
I do not have much knowledge of all this. I only know that at the time this helped me, Help config DNS, but not now.
Does it work if you disconnect the VPN?
Has something changed?
Does it work if you disconnect the VPN? Yes
Has something changed? I tried this today: https://openwrt.org/docs/guide-user/firewall/fw3_configurations/intercept_dns. I was not satisfied at all with the way it was working for me, since I cannot use an adblocker and I would like to have it.
https://openwrt.org/docs/guide-user/firewall/fw3_configurations/intercept_dns. This did not work for me, or I did not know how to do it, and that is when I wanted to go back and do it like this, Help config DNS, but it did not go back to working, and now I don't know what to do to make it work well for me. Can you help me? I have no idea about the subject.
Can you help me configure this, https://openwrt.org/docs/guide-user/firewall/fw3_configurations/intercept_dns, on my system?
Post the output while the VPN is connected:
uci show firewall; uci show dhcp; \
head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*; \
ip route get 1::; ip route get 1
root@Home:~# uci show firewall; uci show dhcp; \
> head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*; \
> ip route get 1::; ip route get 1
firewall.@defaults[0]=defaults
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='ACCEPT'
firewall.@defaults[0].synflood_protect='1'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan wg0'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].network='wan wan6'
firewall.@zone[1].input='ACCEPT'
firewall.@zone[1].forward='ACCEPT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-ICMPv6-Forward'
firewall.@rule[0].src='wan'
firewall.@rule[0].dest='*'
firewall.@rule[0].proto='icmp'
firewall.@rule[0].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[0].limit='1000/sec'
firewall.@rule[0].family='ipv6'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-IPSec-ESP'
firewall.@rule[1].src='wan'
firewall.@rule[1].dest='lan'
firewall.@rule[1].proto='esp'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-ISAKMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].dest='lan'
firewall.@rule[2].dest_port='500'
firewall.@rule[2].proto='udp'
firewall.@rule[2].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@zone[2]=zone
firewall.@zone[2].name='wifi'
firewall.@zone[2].input='ACCEPT'
firewall.@zone[2].forward='ACCEPT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].network='wifi'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].dest='wan'
firewall.@forwarding[1].src='wifi'
firewall.@zone[3]=zone
firewall.@zone[3].output='ACCEPT'
firewall.@zone[3].input='REJECT'
firewall.@zone[3].forward='REJECT'
firewall.@zone[3].name='VpnClient'
firewall.@zone[3].network='vpnclient'
firewall.@zone[3].masq='1'
firewall.@zone[3].mtu_fix='1'
firewall.@forwarding[2]=forwarding
firewall.@forwarding[2].src='lan'
firewall.@forwarding[2].dest='VpnClient'
firewall.miniupnpd=include
firewall.miniupnpd.type='script'
firewall.miniupnpd.path='/usr/share/miniupnpd/firewall.include'
firewall.miniupnpd.family='any'
firewall.miniupnpd.reload='1'
firewall.@zone[4]=zone
firewall.@zone[4].name='wgclient'
firewall.@zone[4].input='REJECT'
firewall.@zone[4].forward='REJECT'
firewall.@zone[4].output='ACCEPT'
firewall.@zone[4].network='wgclient0'
firewall.@zone[4].masq='1'
firewall.@zone[4].mtu_fix='1'
firewall.@forwarding[3]=forwarding
firewall.@forwarding[3].dest='wgclient'
firewall.@forwarding[3].src='lan'
firewall.@zone[5]=zone
firewall.@zone[5].network='vpnclient1'
firewall.@zone[5].name='vpnclient1'
firewall.@zone[5].input='REJECT'
firewall.@zone[5].forward='REJECT'
firewall.@zone[5].output='ACCEPT'
firewall.@zone[5].masq='1'
firewall.@zone[5].mtu_fix='1'
firewall.@forwarding[4]=forwarding
firewall.@forwarding[4].dest='vpnclient1'
firewall.@forwarding[4].src='lan'
firewall.@zone[6]=zone
firewall.@zone[6].name='vpnclient2'
firewall.@zone[6].input='REJECT'
firewall.@zone[6].forward='REJECT'
firewall.@zone[6].output='ACCEPT'
firewall.@zone[6].network='vpnclient2'
firewall.@zone[6].masq='1'
firewall.@zone[6].mtu_fix='1'
firewall.@forwarding[5]=forwarding
firewall.@forwarding[5].dest='vpnclient2'
firewall.@forwarding[5].src='lan'
firewall.@zone[7]=zone
firewall.@zone[7].name='vpnclient3'
firewall.@zone[7].input='REJECT'
firewall.@zone[7].forward='REJECT'
firewall.@zone[7].output='ACCEPT'
firewall.@zone[7].network='vpnclient3'
firewall.@zone[7].masq='1'
firewall.@zone[7].mtu_fix='1'
firewall.@forwarding[6]=forwarding
firewall.@forwarding[6].dest='vpnclient3'
firewall.@forwarding[6].src='lan'
firewall.dns_int=redirect
firewall.dns_int.name='Intercept-DNS'
firewall.dns_int.src='lan'
firewall.dns_int.src_dport='53'
firewall.dns_int.proto='tcp udp'
firewall.dns_int.target='DNAT'
firewall.nat6=include
firewall.nat6.path='/etc/firewall.nat6'
firewall.nat6.reload='1'
dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded='1'
dhcp.@dnsmasq[0].localise_queries='1'
dhcp.@dnsmasq[0].rebind_protection='1'
dhcp.@dnsmasq[0].rebind_localhost='1'
dhcp.@dnsmasq[0].local='/lan/'
dhcp.@dnsmasq[0].domain='lan'
dhcp.@dnsmasq[0].expandhosts='1'
dhcp.@dnsmasq[0].authoritative='1'
dhcp.@dnsmasq[0].readethers='1'
dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases'
dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.auto'
dhcp.@dnsmasq[0].localservice='1'
dhcp.@dnsmasq[0].confdir='/tmp/dnsmasq.d'
dhcp.@dnsmasq[0].server='8.8.8.8' '8.8.4.4'
dhcp.@dnsmasq[0].noresolv='1'
dhcp.lan=dhcp
dhcp.lan.interface='lan'
dhcp.lan.ra='server'
dhcp.lan.dhcpv6='server'
dhcp.lan.ra_management='1'
dhcp.lan.start='100'
dhcp.lan.leasetime='12h'
dhcp.lan.limit='150'
dhcp.lan.dhcp_option='6,8.8.8.8,8.8.4.4'
dhcp.wan=dhcp
dhcp.wan.interface='wan'
dhcp.wan.ignore='1'
dhcp.odhcpd=odhcpd
dhcp.odhcpd.maindhcp='0'
dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd'
dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update'
dhcp.odhcpd.loglevel='4'
dhcp.wifi=dhcp
dhcp.wifi.leasetime='12h'
dhcp.wifi.interface='wifi'
dhcp.wifi.start='150'
dhcp.wifi.limit='100'
dhcp.@host[0]=host
dhcp.@host[0].mac=''
dhcp.@host[0].name='B
dhcp.@host[0].dns='1'
dhcp.@host[0].ip='192.1
dhcp.@host[1]=host
dhcp.@host[1].mac=''
dhcp.@host[1].name=''
dhcp.@host[1].dns='1'
dhcp.@host[1].ip=''
dhcp.@host[2]=host
dhcp.@host[2].mac=''
dhcp.@host[2].name=''
dhcp.@host[2].dns='1'
dhcp.@host[2].ip=''
dhcp.@host[3]=host
dhcp.@host[3].mac=''
dhcp.@host[3].name=''
dhcp.@host[3].dns='1'
dhcp.@host[3].ip=''
dhcp.@host[4]=host
dhcp.@host[4].mac=''
dhcp.@host[4].name=''
dhcp.@host[4].dns='1'
dhcp.@host[4].ip='
dhcp.@host[5]=host
dhcp.@host[5].name=''
dhcp.@host[5].dns='1'
dhcp.@host[5].ip=''
dhcp.@host[5].mac=''
dhcp.@host[6]=host
dhcp.@host[6].mac=''
dhcp.@host[6].name=''
dhcp.@host[6].dns='1'
dhcp.@host[6].ip=''
dhcp.@host[7]=host
dhcp.@host[7].mac=''
dhcp.@host[7].name='r'
dhcp.@host[7].dns='1'
dhcp.@host[7].ip=''
dhcp.@host[8]=host
dhcp.@host[8].mac=''
dhcp.@host[8].dns='1'
dhcp.@host[8].name=''
dhcp.@host[8].ip=''
dhcp.@host[9]=host
dhcp.@host[9].name=''
dhcp.@host[9].dns='1'
dhcp.@host[9].ip=''
dhcp.@host[9].mac=''
dhcp.@host[10]=host
dhcp.@host[10].dns='1'
dhcp.@host[10].ip=''
dhcp.@host[10].mac=''
dhcp.@host[10].name=''
dhcp.@host[11]=host
dhcp.@host[11].name=''
dhcp.@host[11].dns='1'
dhcp.@host[11].ip=''
dhcp.@host[11].mac=''
dhcp.@host[12]=host
dhcp.@host[12].mac=''
dhcp.@host[12].name='
dhcp.@host[12].dns='1'
dhcp.@host[12].ip=''
dhcp.@host[13]=host
dhcp.@host[13].mac=''
dhcp.@host[13].name=''
dhcp.@host[13].dns='1'
dhcp.@host[13].ip=''
dhcp.@host[14]=host
dhcp.@host[14].mac=''
dhcp.@host[14].name=''
dhcp.@host[14].dns='1'
dhcp.@host[14].ip=''
dhcp.@host[15]=host
dhcp.@host[15].mac='
dhcp.@host[15].name=''
dhcp.@host[15].dns='1'
dhcp.@host[15].ip=''
dhcp.@host[16]=host
dhcp.@host[16].mac=''
dhcp.@host[16].name=''
dhcp.@host[16].dns='1'
dhcp.@host[16].ip=''
dhcp.@host[17]=host
dhcp.@host[17].mac=''
dhcp.@host[17].name=''
dhcp.@host[17].dns='1'
dhcp.@host[17].ip=''
dhcp.@host[18]=host
dhcp.@host[18].mac=''
dhcp.@host[18].name=''
dhcp.@host[18].dns='1'
dhcp.@host[18].ip=''
dhcp.@host[19]=host
dhcp.@host[19].mac=''
dhcp.@host[19].name=''
dhcp.@host[19].dns='1'
dhcp.@host[19].ip=''
dhcp.@host[20]=host
dhcp.@host[20].mac=''
dhcp.@host[20].name='Ps3'
dhcp.@host[20].dns='1'
dhcp.@host[20].ip=''
dhcp.@host[21]=host
dhcp.@host[21].mac=''
dhcp.@host[21].name=''
dhcp.@host[21].dns='1'
dhcp.@host[21].ip=''
dhcp.@host[22]=host
dhcp.@host[22].mac=''
dhcp.@host[22].name='Tonibox'
dhcp.@host[22].dns='1'
dhcp.@host[22].ip=''
==> /etc/resolv.conf <==
==> /tmp/resolv.conf <==
==> /tmp/resolv.conf.auto <==
head: /tmp/resolv.*/*: No such file or directory
RTNETLINK answers: Permission denied
1.0.0.0 via 192.168.10.1 dev eth1 src 192.168.10.10 uid 0
cache
root@Home:~#
The problem is that OpenWrt sends traffic to the WAN interface instead of VPN.
Have you configured policy-based routing?
uci show vpn-policy-routing; ip -4 route show table all; ip -4 rule show
Yes.
root@Home:~# uci show vpn-policy-routing; ip -4 route show table all; ip -4 rule show
vpn-policy-routing.@policy[0]=policy
vpn-policy-routing.@policy[0].name='HomeControl'
vpn-policy-routing.@policy[0].src_addr='192.168.15.4'
vpn-policy-routing.@policy[0].interface='wgclient0'
vpn-policy-routing.@policy[1]=policy
vpn-policy-routing.@policy[1].name='iMac'
vpn-policy-routing.@policy[1].src_addr='192.168.15.5'
vpn-policy-routing.@policy[1].interface='wgclient0'
vpn-policy-routing.@policy[2]=policy
vpn-policy-routing.@policy[2].name='MobileFlorian'
vpn-policy-routing.@policy[2].src_addr='192.168.15.8'
vpn-policy-routing.@policy[2].interface='wgclient0'
vpn-policy-routing.@policy[3]=policy
vpn-policy-routing.@policy[3].name='MobileFlo'
vpn-policy-routing.@policy[3].src_addr='10.0.0.2'
vpn-policy-routing.@policy[3].interface='wgclient0'
vpn-policy-routing.@policy[4]=policy
vpn-policy-routing.@policy[4].name='MobilePati'
vpn-policy-routing.@policy[4].interface='wgclient0'
vpn-policy-routing.@policy[4].src_addr='192.168.15.7'
vpn-policy-routing.@policy[5]=policy
vpn-policy-routing.@policy[5].name='MobilePati'
vpn-policy-routing.@policy[5].src_addr='10.0.0.3'
vpn-policy-routing.@policy[5].interface='wgclient0'
vpn-policy-routing.@policy[6]=policy
vpn-policy-routing.@policy[6].name='AppleTv-Wohn'
vpn-policy-routing.@policy[6].src_addr='192.168.15.9'
vpn-policy-routing.@policy[6].interface='vpnclient'
vpn-policy-routing.@policy[6].enabled='0'
vpn-policy-routing.@policy[7]=policy
vpn-policy-routing.@policy[7].name='Wohnzimmer-Fernsehen '
vpn-policy-routing.@policy[7].src_addr='192.168.15.12'
vpn-policy-routing.@policy[7].interface='vpnclient1'
vpn-policy-routing.@policy[8]=policy
vpn-policy-routing.@policy[8].name='AppleTv-Schlaf'
vpn-policy-routing.@policy[8].src_addr='192.168.15.10'
vpn-policy-routing.@policy[8].interface='vpnclient1'
vpn-policy-routing.@policy[8].enabled='0'
vpn-policy-routing.@policy[9]=policy
vpn-policy-routing.@policy[9].name='Eltern-Fernsehen '
vpn-policy-routing.@policy[9].src_addr='192.168.15.11'
vpn-policy-routing.@policy[9].interface='vpnclient1'
vpn-policy-routing.@include[0]=include
vpn-policy-routing.@include[0].path='/etc/vpn-policy-routing.aws.user'
vpn-policy-routing.@include[0].enabled='0'
vpn-policy-routing.@include[1]=include
vpn-policy-routing.@include[1].path='/etc/vpn-policy-routing.netflix.user'
vpn-policy-routing.@include[1].enabled='0'
vpn-policy-routing.config=vpn-policy-routing
vpn-policy-routing.config.verbosity='2'
vpn-policy-routing.config.strict_enforcement='1'
vpn-policy-routing.config.dest_ipset='dnsmasq.ipset'
vpn-policy-routing.config.boot_timeout='30'
vpn-policy-routing.config.iptables_rule_option='append'
vpn-policy-routing.config.webui_sorting='1'
vpn-policy-routing.config.webui_supported_protocol='tcp' 'udp' 'tcp udp' 'icmp' 'all'
vpn-policy-routing.config.src_ipset='0'
vpn-policy-routing.config.webui_enable_column='1'
vpn-policy-routing.config.webui_protocol_column='1'
vpn-policy-routing.config.webui_chain_column='1'
vpn-policy-routing.config.ipv6_enabled='0'
vpn-policy-routing.config.ignored_interface='vpnserver wgserver' 'wg0'
vpn-policy-routing.config.supported_interface='vpnclient'
vpn-policy-routing.config.append_src_rules='! -d 10.0.0.0/24'
vpn-policy-routing.config.iprule_enabled='0'
vpn-policy-routing.config.enabled='1'
default via 192.168.10.1 dev eth1 table 201
10.0.0.0/24 dev wg0 table 201 proto kernel scope link src 10.0.0.1
10.0.0.2 dev wg0 table 201 proto static scope link
10.0.0.3 dev wg0 table 201 proto static scope link
default via 10.66.126.50 dev wgclient0 table 202
10.0.0.0/24 dev wg0 table 202 proto kernel scope link src 10.0.0.1
10.0.0.2 dev wg0 table 202 proto static scope link
10.0.0.3 dev wg0 table 202 proto static scope link
default via 10.8.2.11 dev tun0 table 203
10.0.0.0/24 dev wg0 table 203 proto kernel scope link src 10.0.0.1
10.0.0.2 dev wg0 table 203 proto static scope link
10.0.0.3 dev wg0 table 203 proto static scope link
default via 10.7.2.3 dev tun1 table 204
10.0.0.0/24 dev wg0 table 204 proto kernel scope link src 10.0.0.1
10.0.0.2 dev wg0 table 204 proto static scope link
10.0.0.3 dev wg0 table 204 proto static scope link
default via 10.7.1.5 dev tun2 table 205
10.0.0.0/24 dev wg0 table 205 proto kernel scope link src 10.0.0.1
10.0.0.2 dev wg0 table 205 proto static scope link
10.0.0.3 dev wg0 table 205 proto static scope link
default via 10.7.7.2 dev tun3 table 206
10.0.0.0/24 dev wg0 table 206 proto kernel scope link src 10.0.0.1
10.0.0.2 dev wg0 table 206 proto static scope link
10.0.0.3 dev wg0 table 206 proto static scope link
default via 192.168.10.1 dev eth1 proto static
10.0.0.0/24 dev wg0 proto kernel scope link src 10.0.0.1
10.0.0.2 dev wg0 proto static scope link
10.0.0.3 dev wg0 proto static scope link
10.7.1.0/24 dev tun2 proto kernel scope link src 10.7.1.5
10.7.2.0/24 dev tun1 proto kernel scope link src 10.7.2.3
10.7.7.0/24 dev tun3 proto kernel scope link src 10.7.7.2
10.8.2.0/24 dev tun0 proto kernel scope link src 10.8.2.11
31.16.44.119 via 192.168.10.1 dev eth1 proto static
192.168.10.0/24 dev eth1 proto kernel scope link src 192.168.10.10
192.168.15.0/24 dev br-lan proto kernel scope link src 192.168.15.1
193.27.14.146 via 192.168.10.1 dev eth1 proto static
broadcast 10.0.0.0 dev wg0 table local proto kernel scope link src 10.0.0.1
local 10.0.0.1 dev wg0 table local proto kernel scope host src 10.0.0.1
broadcast 10.0.0.255 dev wg0 table local proto kernel scope link src 10.0.0.1
broadcast 10.7.1.0 dev tun2 table local proto kernel scope link src 10.7.1.5
local 10.7.1.5 dev tun2 table local proto kernel scope host src 10.7.1.5
broadcast 10.7.1.255 dev tun2 table local proto kernel scope link src 10.7.1.5
broadcast 10.7.2.0 dev tun1 table local proto kernel scope link src 10.7.2.3
local 10.7.2.3 dev tun1 table local proto kernel scope host src 10.7.2.3
broadcast 10.7.2.255 dev tun1 table local proto kernel scope link src 10.7.2.3
broadcast 10.7.7.0 dev tun3 table local proto kernel scope link src 10.7.7.2
local 10.7.7.2 dev tun3 table local proto kernel scope host src 10.7.7.2
broadcast 10.7.7.255 dev tun3 table local proto kernel scope link src 10.7.7.2
broadcast 10.8.2.0 dev tun0 table local proto kernel scope link src 10.8.2.11
local 10.8.2.11 dev tun0 table local proto kernel scope host src 10.8.2.11
broadcast 10.8.2.255 dev tun0 table local proto kernel scope link src 10.8.2.11
local 10.66.126.50 dev wgclient0 table local proto kernel scope host src 10.66.126.50
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.10.0 dev eth1 table local proto kernel scope link src 192.168.10.10
local 192.168.10.10 dev eth1 table local proto kernel scope host src 192.168.10.10
broadcast 192.168.10.255 dev eth1 table local proto kernel scope link src 192.168.10.10
broadcast 192.168.15.0 dev br-lan table local proto kernel scope link src 192.168.15.1
local 192.168.15.1 dev br-lan table local proto kernel scope host src 192.168.15.1
broadcast 192.168.15.255 dev br-lan table local proto kernel scope link src 192.168.15.1
0: from all lookup local
32712: from all fwmark 0x60000/0xff0000 lookup 206
32713: from all fwmark 0x50000/0xff0000 lookup 205
32714: from all fwmark 0x40000/0xff0000 lookup 204
32715: from all fwmark 0x30000/0xff0000 lookup 203
32716: from all fwmark 0x20000/0xff0000 lookup 202
32717: from all fwmark 0x10000/0xff0000 lookup 201
32766: from all lookup main
32767: from all lookup default
root@Home:~#
Create a policy to route Google DNS over the VPN.
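As an added example (not code from anyone in this thread): a small Python model of where the router's own upstream DNS queries exit, run over a constructed excerpt of the `uci show dhcp`, `uci show vpn-policy-routing` and `ip -4 route show table all` output posted above. It reproduces the diagnosis (dnsmasq forwards to 8.8.8.8 and 8.8.4.4, no policy covers those destinations, so the main table's default route sends the queries out eth1 to the ISP) and then checks that a destination policy for Google DNS moves them onto wgclient0. Assumptions made here: vpn-policy-routing evaluates enabled policies in declared order, a policy with no src_addr also matches traffic the router itself originates, the WAN interface set is {eth1} (from `ip route get 1` above), and the `GoogleDNS` policy name is made up.

```python
# Added example: model of how the router's own DNS queries are routed, not thread code.
import ipaddress
import re

# Constructed excerpt of the 'uci show dhcp' output posted above.
UCI_DHCP = """\
dhcp.@dnsmasq[0].server='8.8.8.8' '8.8.4.4'
dhcp.@dnsmasq[0].noresolv='1'
"""

# Constructed excerpt of 'uci show vpn-policy-routing' (two of the posted policies).
UCI_VPR = """\
vpn-policy-routing.@policy[0]=policy
vpn-policy-routing.@policy[0].name='iMac'
vpn-policy-routing.@policy[0].src_addr='192.168.15.5'
vpn-policy-routing.@policy[0].interface='wgclient0'
vpn-policy-routing.@policy[1]=policy
vpn-policy-routing.@policy[1].name='AppleTv-Wohn'
vpn-policy-routing.@policy[1].src_addr='192.168.15.9'
vpn-policy-routing.@policy[1].interface='vpnclient'
vpn-policy-routing.@policy[1].enabled='0'
"""

# Constructed excerpt of the main table from 'ip -4 route show table all'.
MAIN_TABLE = """\
default via 192.168.10.1 dev eth1 proto static
10.0.0.0/24 dev wg0 proto kernel scope link src 10.0.0.1
192.168.10.0/24 dev eth1 proto kernel scope link src 192.168.10.10
192.168.15.0/24 dev br-lan proto kernel scope link src 192.168.15.1
"""

WAN_IFACES = {"eth1"}  # assumed from 'ip route get 1' in the thread
_QUOTED = re.compile(r"'([^']*)'")


def parse_uci(text):
    """'uci show' lines -> {key: [values]}; list options appear as 'a' 'b'."""
    out = {}
    for line in text.splitlines():
        if "=" in line:
            key, _, raw = line.partition("=")
            out[key] = _QUOTED.findall(raw) or [raw]
    return out


def upstream_resolvers(uci_dhcp):
    """IPs from the dnsmasq 'server' list; '/domain/ip' entries are skipped."""
    ips = []
    for key, vals in parse_uci(uci_dhcp).items():
        if key.endswith(".server"):
            for v in vals:
                try:
                    ips.append(str(ipaddress.ip_address(v.split("#")[0])))
                except ValueError:
                    pass
    return ips


def parse_policies(uci_vpr):
    """Group vpn-policy-routing.@policy[N].* options into dicts, in declared order."""
    policies = {}
    for key, vals in parse_uci(uci_vpr).items():
        m = re.match(r"vpn-policy-routing\.@policy\[(\d+)\]\.(\w+)$", key)
        if m:
            policies.setdefault(int(m.group(1)), {})[m.group(2)] = vals
    return [policies[i] for i in sorted(policies)]


def _matches(ip, specs):
    """True if ip falls in any of the space-separated addresses/prefixes in specs."""
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(s, strict=False)
               for s in specs.split())


def policy_interface(src_ip, dst_ip, policies):
    """Interface of the first enabled policy matching src and dest.
    Assumption: an absent src_addr/dest_addr matches anything, so a dest-only
    policy also covers queries the router itself sends."""
    for p in policies:
        if p.get("enabled", ["1"])[0] == "0":
            continue
        if ("src_addr" not in p or _matches(src_ip, p["src_addr"][0])) and \
           ("dest_addr" not in p or _matches(dst_ip, p["dest_addr"][0])):
            return p["interface"][0]
    return None


def main_table_interface(dst_ip, table_text):
    """Longest-prefix match over the main table; 'default' is 0.0.0.0/0."""
    best = None
    for f in (line.split() for line in table_text.splitlines()):
        if not f or "dev" not in f:
            continue
        net = ipaddress.ip_network("0.0.0.0/0" if f[0] == "default" else f[0], strict=False)
        if ipaddress.ip_address(dst_ip) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, f[f.index("dev") + 1])
    return best[1] if best else None


def resolver_egress(uci_dhcp, uci_vpr, table_text, router_ip="192.168.15.1"):
    """Map each upstream resolver to the interface the router's own query leaves on."""
    policies = parse_policies(uci_vpr)
    return {ip: policy_interface(router_ip, ip, policies) or main_table_interface(ip, table_text)
            for ip in upstream_resolvers(uci_dhcp)}


def leaking_resolvers(uci_dhcp, uci_vpr, table_text):
    """Resolvers whose queries leave on a WAN interface, i.e. visible to the ISP."""
    return sorted(ip for ip, dev in resolver_egress(uci_dhcp, uci_vpr, table_text).items()
                  if dev in WAN_IFACES)


# The fix proposed at the end of the thread, as a destination policy (name assumed).
UCI_VPR_FIXED = UCI_VPR + """\
vpn-policy-routing.@policy[2]=policy
vpn-policy-routing.@policy[2].name='GoogleDNS'
vpn-policy-routing.@policy[2].dest_addr='8.8.8.8 8.8.4.4'
vpn-policy-routing.@policy[2].interface='wgclient0'
"""

if __name__ == "__main__":
    print("leaking before fix:", leaking_resolvers(UCI_DHCP, UCI_VPR, MAIN_TABLE))
    print("leaking after fix: ", leaking_resolvers(UCI_DHCP, UCI_VPR_FIXED, MAIN_TABLE))
```

Run as a script it prints the two resolvers as leaking before the fix and none after it. The point the model makes explicit is that the per-host src_addr policies only steer LAN clients; dnsmasq's own forwarded queries originate on the router and fall through to the main table, so they need a dest_addr policy (or a default route over the VPN) to stay inside the tunnel.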