Simple Wireguard setup, DNS leaking?

Hello! I am new to OpenWrt and everything seems to be working fine, except DNS as my client is still using the router provided DNS. Here is my setup -

RPI - Home
OpenWrt - Remote

My OpenWrt connects to the RPI back home, I then added some simple rules to route one OpenWrt client through the VPN.

ip rule add from x.x.x.x table vpn
# no "via" gateway address is needed on a point-to-point wg link
ip route add default dev wg table vpn

On the client I can hit the web, I can hit local IPs, but when I go to DNSLeak it is still showing the OpenWrt WAN DNS server. I put option dns in the config, but it doesn't seem to take.

Is there a way to force DNS over this tunnel to use the DNS server I specify at home (PiHole)?

Thanks!

You face a little bit of a chicken and egg problem. Do you know the IP address of your remote tunnel endpoint at home in a static way? If so, you can bring up the wireguard tunnel before needing any DNS (just make sure to set up your NTP servers as static IP addresses too so you can set your time properly after boot). Then you can use your home system as the DNS.

On the other hand, if you have to do something like dynamic DNS to find your home server, then you need DNS before you can set up the wireguard tunnel... so you will probably need a custom hotplug event that detects when the wireguard comes up, and changes the DNS. For example you could just redirect via DNAT every DNS packet to the home IP.

If you're in the Dynamic DNS situation, one option would be to set your DNS to statically use the home DNS, and use a special /etc/rc.local script that uses nslookup to explicitly look up your home dynamic DNS via say 1.1.1.1 (might also be a good idea to explicitly look up an NTP server and do ntpdate to set the time) and then sets up the wireguard tunnel, at which point DNS will start working properly.
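As an added example of the hotplug approach described above (not code from the thread or from OpenWrt itself): a script for /etc/hotplug.d/iface that DNATs the VPN-routed client's DNS packets to the Pi-hole at home while the tunnel is up and removes the redirect when it goes down. The interface name, LAN device, client address and Pi-hole address are placeholders, and the DRY_RUN switch only exists so the generated rules can be inspected on a machine without iptables.

```shell
#!/bin/sh
# /etc/hotplug.d/iface/99-wg-dns (placeholder path, fw3/iptables-era OpenWrt)
# On ifup of the WireGuard interface, DNAT all DNS from the VPN-routed client
# to the Pi-hole at home; undo it on ifdown. hotplug-call sets $ACTION and
# $INTERFACE. Assumes the home peer's AllowedIPs already covers the LAN subnet
# (it must, since the client already reaches home addresses).

WG_IFACE="wg"             # logical interface name in /etc/config/network
LAN_DEV="br-lan"          # device the client is attached to
VPN_CLIENT="192.168.1.50" # placeholder for the x.x.x.x of the ip rule
HOME_DNS="10.0.0.2"       # placeholder Pi-hole address at home
CHAIN="wg_dns_redirect"   # own nat chain so the rules can be removed as a unit

# Execute a command, or just print it when DRY_RUN=1 (inspect rules offline).
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

add_redirect() {
  run iptables -t nat -N "$CHAIN"
  for proto in udp tcp; do
    run iptables -t nat -A "$CHAIN" -p "$proto" --dport 53 \
      -j DNAT --to-destination "$HOME_DNS:53"
  done
  # DNAT in PREROUTING happens before routing, so the rewritten packet still
  # goes out via table vpn like the rest of the client's traffic.
  run iptables -t nat -I PREROUTING -i "$LAN_DEV" -s "$VPN_CLIENT" -j "$CHAIN"
}

remove_redirect() {
  run iptables -t nat -D PREROUTING -i "$LAN_DEV" -s "$VPN_CLIENT" -j "$CHAIN"
  run iptables -t nat -F "$CHAIN"
  run iptables -t nat -X "$CHAIN"
}

# Map a hotplug event to an action and report it (added/removed/ignore).
handle_event() {   # $1 = ACTION, $2 = INTERFACE
  [ "$2" = "$WG_IFACE" ] || { echo "ignore"; return 0; }
  case "$1" in
    ifup)   remove_redirect 2>/dev/null; add_redirect; echo "added" ;;
    ifdown) remove_redirect 2>/dev/null; echo "removed" ;;
    *)      echo "ignore" ;;
  esac
}

if [ -n "$ACTION" ]; then
  handle_event "$ACTION" "$INTERFACE" | logger -t wg-dns
fi
```

Forwarding from the LAN zone to the tunnel's zone must already be allowed, which it is in the setup above since the client reaches home addresses through the tunnel.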

Disable peer DNS and configure a VPN-routed DNS provider:
https://openwrt.org/docs/guide-user/base-system/dhcp_configuration#upstream_dns_provider

Thank you both! I will look into this more later as I have created another issue I have to post about haha...

My home server has a dynamic address. Is there already a solution for this DNS leak problem? For example a sample script?

Can this be solved by Selective DNS forwarding?