Routing DNS through VPN

Hello,

I'm currently having an issue where my router is trying to reach my VPN's DNS server through my Wi-Fi uplink rather than through the VPN tunnel. This is a problem because my Wi-Fi uplink is Travelmate connected to my school's Wi-Fi. My school blocks the IP of my VPN's DNS server, so despite having a connection I can't look anything up, because there is no working DNS.

I searched the forums and found this post, which seemed similar, but I got lost trying to work out how to take their solution and apply it to my setup.

https://forum.openwrt.org/t/getting-dns-requests-to-be-sent-through-wireguard/57565

I'm using WireGuard and Mullvad VPN. Interestingly, whenever I use Mullvad's VPN app on my computer while still connected to my router, I'm able to browse the web even though my router doesn't have DNS configured.

Here are the settings that the post I linked identified as important:

cat /tmp/resolv.conf

search lan
nameserver 127.0.0.1
nameserver ::1

vi /etc/config/dhcp

config dnsmasq                                                 
        option domainneeded '1'                                
        option localise_queries '1'                            
        option rebind_protection '1'                           
        option local '/lan/'                                   
        option domain 'lan'                                    
        option expandhosts '1'                                 
        option readethers '1'                                  
        option leasefile '/tmp/dhcp.leases'                    
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option noresolv '0'           
        option ednspacket_max '1232'  
                                      
config dhcp 'lan'                     
        option interface 'lan'        
        option start '100'            
        option limit '150'            
        option leasetime '12h'        
        option dhcpv4 'server'              
        option dhcpv6 'server'                       
        option ra 'server'                           
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
                                                               
config dhcp 'wan'                                              
        option interface 'wan'                                 
        option ignore '1'             
        option start '100'            
        option limit '150'            
        option leasetime '12h'        
        list ra_flags 'none'          
                                      
config odhcpd 'odhcpd'                
        option maindhcp '0'           
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

vi /etc/hosts

100.64.0.6 localhost

::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

vi /etc/config/network

config interface 'loopback'                                                    
        option device 'lo'                                                     
        option proto 'static'                                                  
        option ipaddr '127.0.0.1'                                              
        option netmask '255.0.0.0'                                             
                                                                               
config globals 'globals'                                                       
        option ula_prefix 'censored'                                
                                                                               
config device                                                                  
        option name 'br-lan'                                                   
        option type 'bridge'                                                   
        list ports 'eth0.1'                                                    
                                                                               
config interface 'lan'                                                         
        option device 'br-lan'                                                 
        option proto 'static'                                                  
        option ipaddr '192.168.1.1'                                            
        option netmask '255.255.255.0'                                         
        option ip6assign '60'                                                  
        list dns '100.64.0.6'                                                  
                                                                               
config device                                                                  
        option name 'eth0.2'                                                   
        option macaddr 'censored'                                     
                                                                               
config interface 'wan'                                                         
        option proto 'static'                                                  
        list dns '100.64.0.6'                                                  
                                                                               
config interface 'wan6'                                                        
        option device 'eth0.2'                                                 
        option proto 'dhcpv6'                                                  
        option reqaddress 'try'                                                
        option reqprefix 'auto'                                                
        option peerdns '0'                                                     
        list dns '100.64.0.6'                                                  
                                                                               
config switch                                                                  
        option name 'switch0'                                                  
        option reset '1'                                                       
        option enable_vlan '1'

config switch_vlan                                                             
        option device 'switch0'                                                
        option vlan '1'                                                        
        option ports '2 3 4 5 0t'                                              
                                                                               
config switch_vlan                                                             
        option device 'switch0'                                                
        option vlan '2'                                                        
        option ports '1 0t'                                                    
                                                                               
config interface 'wwan'                                                        
        option proto 'dhcp'                                                    
        option peerdns '0'                                                     
        list dns '100.64.0.6'                                                  
                                                                               
config interface 'trm_wwan'                                                    
        option proto 'dhcp'                                                    
        option metric '100'                                                    
        option peerdns '0'                                                     
        list dns '100.64.0.6'                                                  
                                                                               
config interface 'trm_wwan6'                                                   
        option device '@trm_wwan'                                              
        option proto 'dhcpv6'                                                  
        option reqaddress 'try'                                                
        option reqprefix 'auto'                                                
        option peerdns '0'                                                     
        list dns '100.64.0.6'                                                  
                                                                               
config interface 'wgo'                                                         
        option proto 'wireguard'                                               
        option private_key 'vpn key censored'
        list addresses 'vpn ipv4 address'
        list addresses 'vpn ipv6 address'
        option peerdns '0'                                                     
        list dns '100.64.0.6'                                                  
                                                                               
config wireguard_wgo                                                           
        option description 'text'
        option public_key 'public key censored '
        list allowed_ips '0.0.0.0/0'                                           
        list allowed_ips '::0/0'                                               
        option route_allowed_ips '1'                                           
        option endpoint_host 'end host censored '
        option endpoint_port '51820'                                           
                                               

Also, I censored some things I thought should remain private; let me know if that was a mistake. I also tried changing some settings myself, so if something looks different from the default, that's why.

Any help is greatly appreciated.

The router doesn't have to have/know a DNS server itself: if you point your clients to some other DNS IP, then to your router's IP, it'll work just fine.

Wouldn't you like to use encrypted DNS? If so, I think that if you follow this guide:

and enter those installation commands, your router will be set up to direct DNS queries to Cloudflare through Stubby. You can change the DNS server configured for Stubby to, e.g., CleanBrowsing Family Filter to block obscene content.

That looks like it might solve my problem, but either I can't get it to work properly or it's still failing.

Here is the output of one of the troubleshooting commands I saw:

logread -e dnsmasq; netstat -l -n -p | grep -e dnsmasq

Sun Jul 24 08:33:38 2022 user.notice dnsmasq: DNS rebinding protection is active, will discard upstream RFC1918 responses!
Sun Jul 24 08:33:39 2022 daemon.info dnsmasq[1412]: Connected to system UBus
Sun Jul 24 08:33:39 2022 daemon.info dnsmasq[1412]: started, version 2.85 cachesize 150
Sun Jul 24 08:33:39 2022 daemon.info dnsmasq[1412]: compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-auth no-cryptohash no-DNSSEC no-ID loop-detect inotify dumpfile
Sun Jul 24 08:33:39 2022 daemon.info dnsmasq[1412]: UBus support enabled: connected to system bus
Sun Jul 24 08:33:39 2022 daemon.info dnsmasq[1412]: using only locally-known addresses for domain test
Sun Jul 24 08:33:39 2022 daemon.info dnsmasq[1412]: using only locally-known addresses for domain onion
Sun Jul 24 08:33:39 2022 daemon.info dnsmasq[1412]: using only locally-known addresses for domain localhost
Sun Jul 24 08:33:39 2022 daemon.info dnsmasq[1412]: using only locally-known addresses for domain local
Sun Jul 24 08:33:39 2022 daemon.info dnsmasq[1412]: using only locally-known addresses for domain invalid
Sun Jul 24 08:33:39 2022 daemon.info dnsmasq[1412]: using only locally-known addresses for domain bind
Sun Jul 24 08:33:39 2022 daemon.info dnsmasq[1412]: using nameserver ::1#5453
Sun Jul 24 08:33:39 2022 daemon.info dnsmasq[1412]: using nameserver 127.0.0.1#5453
Sun Jul 24 08:33:39 2022 daemon.info dnsmasq[1412]: using only locally-known addresses for domain lan
Sun Jul 24 08:33:39 2022 daemon.info dnsmasq[1412]: read /etc/hosts - 4 addresses
Sun Jul 24 08:33:39 2022 daemon.info dnsmasq[1412]: read /tmp/hosts/dhcp.cfg01411c - 0 addresses
Sun Jul 24 08:33:57 2022 daemon.info dnsmasq[1412]: exiting on receipt of SIGTERM
Sun Jul 24 08:33:57 2022 daemon.info dnsmasq[2914]: Connected to system UBus
Sun Jul 24 08:33:57 2022 daemon.info dnsmasq[2914]: started, version 2.85 cachesize 150
Sun Jul 24 08:33:57 2022 daemon.info dnsmasq[2914]: compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-auth no-cryptohash no-DNSSEC no-ID loop-detect inotify dumpfile
Sun Jul 24 08:33:57 2022 daemon.info dnsmasq[2914]: UBus support enabled: connected to system bus
Sun Jul 24 08:33:57 2022 daemon.info dnsmasq-dhcp[2914]: DHCP, IP range 192.168.1.100 -- 192.168.1.249, lease time 12h
Sun Jul 24 08:33:57 2022 daemon.info dnsmasq[2914]: using only locally-known addresses for domain test
Sun Jul 24 08:33:57 2022 daemon.info dnsmasq[2914]: using only locally-known addresses for domain onion
Sun Jul 24 08:33:57 2022 daemon.info dnsmasq[2914]: using only locally-known addresses for domain localhost
Sun Jul 24 08:33:57 2022 daemon.info dnsmasq[2914]: using only locally-known addresses for domain local
Sun Jul 24 08:33:57 2022 daemon.info dnsmasq[2914]: using only locally-known addresses for domain invalid
Sun Jul 24 08:33:57 2022 daemon.info dnsmasq[2914]: using only locally-known addresses for domain bind
Sun Jul 24 08:33:57 2022 daemon.info dnsmasq[2914]: using nameserver ::1#5453
Sun Jul 24 08:33:57 2022 daemon.info dnsmasq[2914]: using nameserver 127.0.0.1#5453
Sun Jul 24 08:33:57 2022 daemon.info dnsmasq[2914]: using only locally-known addresses for domain lan
Sun Jul 24 08:33:57 2022 daemon.info dnsmasq[2914]: read /etc/hosts - 4 addresses
Sun Jul 24 08:33:57 2022 daemon.info dnsmasq[2914]: read /tmp/hosts/dhcp.cfg01411c - 1 addresses
Sun Jul 24 08:33:57 2022 daemon.info dnsmasq-dhcp[2914]: read /etc/ethers - 0 addresses
Sun Jul 24 08:33:57 2022 daemon.info dnsmasq[2914]: read /etc/hosts - 4 addresses
Sun Jul 24 08:33:57 2022 daemon.info dnsmasq[2914]: read /tmp/hosts/dhcp.cfg01411c - 1 addresses
Sun Jul 24 08:33:57 2022 daemon.info dnsmasq-dhcp[2914]: read /etc/ethers - 0 addresses
Sun Jul 24 08:34:10 2022 daemon.info dnsmasq-dhcp[2914]: DHCPDISCOVER(br-lan) ac:bc:32:b4:c0:d5
Sun Jul 24 08:34:10 2022 daemon.info dnsmasq-dhcp[2914]: DHCPOFFER(br-lan) 192.168.1.231 ac:bc:32:b4:c0:d5
Sun Jul 24 08:34:10 2022 daemon.info dnsmasq-dhcp[2914]: DHCPDISCOVER(br-lan) ac:bc:32:b4:c0:d5
Sun Jul 24 08:34:10 2022 daemon.info dnsmasq-dhcp[2914]: DHCPOFFER(br-lan) 192.168.1.231 ac:bc:32:b4:c0:d5
Sun Jul 24 08:34:11 2022 daemon.info dnsmasq-dhcp[2914]: DHCPREQUEST(br-lan) 192.168.1.231 ac:bc:32:b4:c0:d5
Sun Jul 24 08:34:11 2022 daemon.info dnsmasq-dhcp[2914]: DHCPACK(br-lan) 192.168.1.231 ac:bc:32:b4:c0:d5 Bees-MBP
tcp        0      0 100.64.82.10:53         0.0.0.0:*               LISTEN      2914/dnsmasq
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      2914/dnsmasq
tcp        0      0 100.64.0.6:53           0.0.0.0:*               LISTEN      2914/dnsmasq
tcp        0      0 192.168.1.1:53          0.0.0.0:*               LISTEN      2914/dnsmasq
tcp        0      0 fe80::8634:97ff:fef8:f12e:53 :::*                    LISTEN      2914/dnsmasq
tcp        0      0 fe80::da07:b6ff:feaf:845a:53 :::*                    LISTEN      2914/dnsmasq
tcp        0      0 ::1:53                  :::*                    LISTEN      2914/dnsmasq
tcp        0      0 fe80::da07:b6ff:feaf:845a:53 :::*                    LISTEN      2914/dnsmasq
tcp        0      0 fdb7:1eea:dec::1:53     :::*                    LISTEN      2914/dnsmasq
tcp        0      0 fe80::da07:b6ff:feaf:845a:53 :::*                    LISTEN      2914/dnsmasq
tcp        0      0 fe80::da07:b6ff:feaf:845b:53 :::*                    LISTEN      2914/dnsmasq
udp        0      0 100.64.82.10:53         0.0.0.0:*                           2914/dnsmasq
udp        0      0 127.0.0.1:53            0.0.0.0:*                           2914/dnsmasq
udp        0      0 100.64.0.6:53           0.0.0.0:*                           2914/dnsmasq
udp        0      0 192.168.1.1:53          0.0.0.0:*                           2914/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           2914/dnsmasq
udp        0      0 0.0.0.0:42782           0.0.0.0:*                           2914/dnsmasq
udp        0      0 0.0.0.0:53793           0.0.0.0:*                           2914/dnsmasq
udp        0      0 fe80::8634:97ff:fef8:f12e:53 :::*                                2914/dnsmasq
udp        0      0 fe80::da07:b6ff:feaf:845a:53 :::*                                2914/dnsmasq
udp        0      0 ::1:53                  :::*                                2914/dnsmasq
udp        0      0 fe80::da07:b6ff:feaf:845a:53 :::*                                2914/dnsmasq
udp        0      0 fdb7:1eea:dec::1:53     :::*                                2914/dnsmasq
udp        0      0 fe80::da07:b6ff:feaf:845a:53 :::*                                2914/dnsmasq
udp        0      0 fe80::da07:b6ff:feaf:845b:53 :::*                                2914/dnsmasq
udp        0      0 :::58052                :::*                                2914/dnsmasq
udp        0      0 :::53195                :::*                                2914/dnsmasq

This indicates to me that you still have the Mullvad DNS entry on the wg0 interface.

That would be at odds with the Stubby setup, where everything is managed by /etc/config/stubby or /etc/stubby/stubby.yml.

Did you leave that wg0 DNS config on purpose?


Did you enter these commands?

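# Install packages
opkg update
opkg install stubby

# Enable DNS encryption: make the local stubby listener(s) dnsmasq's only
# upstream, instead of the resolvers learned per interface.
#
# Read stubby's listen addresses BEFORE touching dnsmasq. With noresolv=1 and
# no 'server' entries dnsmasq would have no upstream at all, so if stubby is
# not installed or not configured the dnsmasq config must be left alone.
STUBBY_LISTEN=$(uci -q get stubby.global.listen_address)
if [ -z "${STUBBY_LISTEN}" ]; then
  printf 'stubby.global.listen_address is unset; leaving dnsmasq untouched\n' >&2
else
  /etc/init.d/dnsmasq stop
  # noresolv=1: stop reading the resolvfile (/tmp/resolv.conf.d/resolv.conf.auto)
  # so the per-interface upstreams are ignored and every query goes via stubby.
  # localuse=1: the router's own lookups go through dnsmasq as well
  # (per OpenWrt's dnsmasq UCI options - confirm against the wiki).
  uci set dhcp.@dnsmasq[0].noresolv="1"
  uci set dhcp.@dnsmasq[0].localuse="1"
  uci -q delete dhcp.@dnsmasq[0].server
  # listen_address is whitespace-separated IP@PORT; dnsmasq wants IP#PORT.
  # One entry per line so the loop sees a single address per iteration.
  printf '%s\n' "${STUBBY_LISTEN}" \
  | sed -e "s/\s/\n/g;s/@/#/g" \
  | while read -r STUBBY_SERV
  do
    # Runs of whitespace produce empty lines; never add an empty server entry.
    [ -n "${STUBBY_SERV}" ] || continue
    uci add_list dhcp.@dnsmasq[0].server="${STUBBY_SERV}"
  done
  uci commit dhcp
  /etc/init.d/dnsmasq start
fi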

Could you paste the contents of your config files (DHCP, etc.)?