[Solved] PBR and Wireguard -- DNS Leak

I'm currently trying to get Policy Based Routing to play nicely with Wireguard. I have both WG and PBR set up and I have a specific IP address of a device (192.168.1.225) connected to my router getting sent through Wireguard while all other traffic is correctly routed through WAN. The issue is that I'm seeing DNS leaks on the device being tunneled through Wireguard -- I'm still seeing my ISP where I should only be seeing Cloudflare from my VPN provider. I'm using https://www.dnsleaktest.com/. The other weird thing is that I'm only getting reported leaks in Chrome and Safari, not on Firefox.

My hunch is that I'm not understanding something about how DNS gets resolved by the router and that I'm missing something fairly straightforward.

One thing I'd like to do is keep DNS resolution tied to my ISP for the WAN connection, while DNS resolution for Wireguard should be handled entirely by the Wireguard client.

Some general settings below:

// /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        # redacted by the poster
        option ula_prefix 'xxxxx'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        # IPv6 prefix delegation to the LAN is on, while the pbr config below has
        # ipv6_enabled '0'. NOTE(review): any IPv6 traffic from the tunnelled host
        # would therefore not be policy-routed; confirm whether that host actually
        # gets a global v6 address (wan6 below is auto '0').
        option ip6assign '60'

config device
        option name 'eth0.2'
        # redacted by the poster
        option macaddr 'xxxx'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'
        option broadcast '1'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'
        option auto '0'
        option reqaddress 'try'
        option reqprefix 'auto'
        option peerdns '0'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 5 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 0t'

config interface 'wireguard_1'
        option proto 'wireguard'
        # key and tunnel address redacted by the poster
        option private_key 'xxxxx'
        list addresses 'xxxx'
        option peerdns '0'
        # The VPN provider's resolver. Per the reply further down, listing it here
        # makes it one of the router's own upstream resolvers, and since every LAN
        # host is told to use the router for DNS, WAN-bound hosts can end up on it
        # and the tunnelled host on the ISP resolver. The accepted fix hands this
        # address to the tunnelled host directly via DHCP option 6 and removes it here.
        list dns '103.xx.xx.100'

config wireguard_wireguard_1
        option description 'Imported peer configuration'
        # redacted by the poster
        option public_key 'xxxxx'
        # Full-tunnel peer (all v4 and all v6). Only the pbr policy decides which
        # LAN source is actually steered into it.
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'
        option persistent_keepalive '25'
        # redacted by the poster
        option endpoint_host 'xxxxx'
        option endpoint_port 'xxxxx'

// /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option localservice '1'
	option ednspacket_max '1232'
	option quietdhcp '1'
	# dnsmasq strict-order: upstream resolvers are tried in the order they are
	# listed rather than by measured response time. NOTE(review): with both the
	# ISP (wan) resolver and the WG resolver in the router's pool this only
	# changes which one is preferred; it does not separate them per host.
	option strictorder '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	# Nothing in this section hands hosts a DNS server other than the router
	# itself, which is the default the reply refers to ("advertise OpenWrt as
	# nameserver"). NOTE(review): dns_service looks like the odhcpd (IPv6) knob,
	# not the IPv4 DHCP option 6 path — confirm against the installed version.
	option dns_service '0'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config host
	option name 'MBP'
	# Static lease: keeps .225 stable, which the pbr 'MBP' policy keys on by
	# source address. If the lease were not fixed the policy would stop matching.
	option ip '192.168.1.225'
	# redacted by the poster
	option mac 'xxxxx'

// /etc/config/pbr

config pbr 'config'
	option verbosity '2'
	option strict_enforcement '1'
	# NOTE(review): pbr's own resolver handling is off, so which resolver a host
	# reaches through the tunnel depends entirely on what that host is told to
	# use (the per-MAC DHCP option 6 change later in the thread).
	option resolver_set 'none'
	# IPv6 is not policy-routed at all, although the WG peer allows '::/0' and
	# the lan has ip6assign set; see the note on the network config.
	option ipv6_enabled '0'
	list ignored_interface 'vpnserver'
	list ignored_interface 'wgserver'
	option boot_timeout '30'
	option rule_create_option 'add'
	option procd_reload_delay '1'
	list webui_supported_protocol 'all'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'
	option webui_show_ignore_target '1'
	option enabled '1'

config policy
	option name 'MBP'
	option interface 'wireguard_1'
	# Reply: write this as an explicit /32 ('192.168.1.225/32').
	option src_addr '192.168.1.225'

config policy
	option name 'Other Requests'
	# Reply: use the network address, not a host address ('192.168.1.0/24').
	option src_addr '192.168.1.1/24'
	option interface 'wan'

Thanks for any and all help

make it .225/32

make it .1.0/24
Other than that, and judging from the DHCP configuration, you advertise the OpenWrt router to all LAN hosts as the nameserver; the router in turn uses either the WG nameserver or the one from WAN, more or less at random. To tell this one LAN host to use a specific nameserver, use the MAC classifier and advertise the WG nameserver to it. At the same time, remove the nameserver from the WG interface so it is no longer used for the other hosts.


Thanks for the helpful overview. I've made the changes you've suggested, but I'm not entirely following the DHCP configuration updates. I think the problem I'm having is with "nameserver" and what that corresponds to in the configuration.

Following the suggestion to use the mac classifier, I've added this entry to my dhcp file:

# this host was already here
config host
        option name 'MBP'
        option ip '192.168.1.225'
        # placeholder
        option mac 'MAC ADDRESS'

config mac 'test'
        # placeholder; the same MAC as the static lease above
        option mac 'MAC ADDRESS'
        option networkid 'vpn'
        # Reply: remove this line. A bare option 3 suppresses the default gateway
        # for the matched host, which is not what is wanted here.
        list dhcp_option '3'
        # below is the wireguard local ip
        # Per the reply and the final fix, option 6 must carry the VPN provider's
        # resolver address (the WG interface's 'list dns' value), not the tunnel's
        # own local address.
        list dhcp_option '6,10.5.0.2'

I'm not sure this is how you "advertise" the WG "nameserver" to the host. Could you provide an example configuration for this?

Additionally, could you clarify what you mean when you say, "you advertise to all the lan hosts the OpenWrt as nameserver". I understand what you mean conceptually (all lan hosts are pointed to OpenWrt, which is arbitrarily using the WG or Wan nameserver), but I'm unclear what part of my dhcp config is doing this.

Thanks again

Make sure client-side, browser-based DoH is not enabled. It is sometimes turned on by default and will show up as a leak in the test.

That's right, however you shouldn't disable the default gateway (option 3). Remove that line.

fixed.

That is right, and it is the default configuration: the router advertises itself as default gateway and nameserver in DHCP.


Thanks for the help. That was the fix.

Fix for anyone with a similar issue:

/etc/config/dhcp

config mac 'vpn'
    # placeholder: the MAC of the host to be tunnelled
    option mac 'MAC_ADDRESS'
    # NOTE(review): the earlier draft in this thread used 'networkid' for this
    # key; check which spelling the installed dnsmasq init script reads.
    option network 'vpn'
    # DHCP option 6 (DNS servers) for this MAC only: the WG interface's resolver.
    # Because pbr steers this host's traffic into the tunnel, its queries to that
    # resolver also travel through the tunnel. A host or browser that uses its own
    # resolver (e.g. browser DoH, mentioned above) bypasses this and can still leak.
    list dhcp_option '6,LIST_DNS_OF_WG_INTERFACE'
