I think that I have a problem with an incorrect configuration of the firewall, because with any changes to DNS in the LAN or DHCP section I do not get the result that I need.
DNS traffic is bypassing the VPN server.
/etc/config/firewall
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option forward 'REJECT'
	option output 'ACCEPT'
	option name 'WGZONE'
	option network 'WGINTERFACE'
	option input 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option dest 'WGZONE'
	option src 'lan'
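A quick way to rule out the firewall as the cause of a leak is to read the zones and forwardings out of the posted config and ask which zones LAN traffic can actually be forwarded into. The script below is an added example, not from the original post or from OpenWrt; it parses a constructed excerpt of the config above (same zones, same single lan -> WGZONE forwarding, unrelated rules trimmed) and reports whether a direct lan -> wan path exists. With this config it does not, so any leak must come from which resolver the clients or dnsmasq are asking, not from packet forwarding.

```python
import re

# Constructed excerpt of the posted /etc/config/firewall: same zones, same single
# lan -> WGZONE forwarding, with the unrelated rules trimmed.
FIREWALL_CFG = """\
config zone
	option name 'lan'
	option forward 'ACCEPT'
config zone
	option name 'wan'
	option forward 'REJECT'
	option masq '1'
config zone
	option name 'WGZONE'
	option forward 'REJECT'
	option masq '1'
config forwarding
	option dest 'WGZONE'
	option src 'lan'
"""

def parse_uci(text):
    """Parse UCI text into a list of (section_type, {key: value}) tuples."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"config\s+(\S+)", line)
        if m:
            sections.append((m.group(1), {}))
            continue
        m = re.match(r"(option|list)\s+(\S+)\s+'([^']*)'", line)
        if m and sections:
            kind, key, val = m.groups()
            opts = sections[-1][1]
            if kind == "list":
                opts.setdefault(key, []).append(val)
            else:
                opts[key] = val
    return sections

def forward_targets(sections, src):
    """Zones that traffic from zone `src` may be forwarded into. Inter-zone traffic
    needs a 'config forwarding'; a zone's own 'option forward' only covers intra-zone."""
    return sorted(o["dest"] for t, o in sections
                  if t == "forwarding" and o.get("src") == src and "dest" in o)

def lan_bypasses_vpn(sections):
    """True if some forwarding lets lan reach wan directly, bypassing the tunnel."""
    return "wan" in forward_targets(sections, "lan")
```

Run it against the full file by replacing FIREWALL_CFG with the contents of /etc/config/firewall; the two rules that set option dest 'lan' are input rules from wan and do not create a lan -> wan path.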
Any: WireGuard DNS server, Google DNS (if I add Google, it is visible together with my ISP's DNS).
I do not know how to check it, but if I add a custom Google DNS, it seems to solve the problem. But if I want to use only the VPN DNS server, what should I do?
If I add an external VPN DNS server, there is no internet.
The iptables rules are not needed (and are basically doing nothing).
According to the configuration, you are passing 10.64.0.1 to the clients as the nameserver. Is that what you want to do?
You could also not pass any nameserver via DHCP, let dnsmasq act as a proxy nameserver for the LAN, and add an option dns '10.64.0.1' in the lan interface.
~# traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 38 byte packets
1 10.64.0.1 (10.64.0.1) 44.903 ms 45.042 ms 44.783 ms
2 185.62.204.1 (185.62.204.1) 46.003 ms 47.903 ms 46.763 ms
3 te5-8.fra1-b1.core.citynetwork.se (86.107.242.208) 44.803 ms 43.643 ms 44.782 ms
4 te-5-16.fra1-02.core.citynetwork.se (86.107.242.199) 57.024 ms 63.483 ms 46.242 ms
5 te-5-7.sto2-02.core.citynetwork.se (91.123.207.54) 74.465 ms 74.064 ms 74.144 ms
6 as15169-10g-sk1.sthix.net (192.121.80.47) 74.824 ms 75.645 ms 75.284 ms
7 108.170.254.33 (108.170.254.33) 76.324 ms 108.170.253.161 (108.170.253.161) 76.565 ms 108.170.254.49 (108.170.254.49) 76.985 ms
8 66.249.95.235 (66.249.95.235) 75.464 ms 216.239.48.1 (216.239.48.1) 75.384 ms 74.464 ms
9 google-public-dns-a.google.com (8.8.8.8) 74.644 ms 75.164 ms 75.124 ms
It is not obvious from what you have posted here, so run all the tests I asked you for, not just one out of four.
Also verify the nameserver that your PC is using: nslookup www.google.com
I apologize for being rude.
I'm at a loss; the DNS leaks happen on the Android tablet and the PC.
root@OpenWrt:~# traceroute 10.64.0.1
traceroute to 10.64.0.1 (10.64.0.1), 30 hops max, 38 byte packets
1 10.64.0.1 (10.64.0.1) 44.721 ms 44.601 ms 48.342 ms
PC - LAN
kris@pc:~$ traceroute 10.64.0.1
traceroute to 10.64.0.1 (10.64.0.1), 30 hops max, 60 byte packets
1 OpenWrt.lan (192.168.99.1) 0.523 ms 0.534 ms 0.671 ms
2 10.64.0.1 (10.64.0.1) 45.753 ms 46.303 ms 46.533 ms
kris@pc:~$ traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
1 OpenWrt.lan (192.168.99.1) 0.487 ms 0.540 ms 0.565 ms
2 10.64.0.1 (10.64.0.1) 47.151 ms 47.191 ms 47.402 ms
3 185.62.204.1 (185.62.204.1) 48.394 ms 48.399 ms 52.361 ms
4 te5-8.fra1-b1.core.citynetwork.se (86.107.242.208) 47.295 ms 47.396 ms 47.471 ms
5 te-5-16.fra1-02.core.citynetwork.se (86.107.242.199) 84.973 ms 84.987 ms 85.029 ms
6 te-5-7.sto2-02.core.citynetwork.se (91.123.207.54) 76.896 ms 74.672 ms 74.789 ms
7 as15169-10g-sk1.sthix.net (192.121.80.47) 75.560 ms 75.641 ms 75.662 ms
8 108.170.254.49 (108.170.254.49) 76.990 ms 108.170.253.161 (108.170.253.161) 77.290 ms 108.170.254.33 (108.170.254.33) 77.351 ms
9 216.239.58.37 (216.239.58.37) 76.898 ms 74.125.37.129 (74.125.37.129) 76.937 ms 216.239.58.43 (216.239.58.43) 77.287 ms
10 google-public-dns-a.google.com (8.8.8.8) 74.472 ms 74.341 ms 75.764 ms
IPv4-wise everything is fine and you use the tunnel towards the internet. If your provider offers IPv6, you would need to either disable it or set a lower priority so that it doesn't interfere, as @IIeachii suggested.
What does ifconfig | grep inet give in OpenWrt?
Okay, let's take a step back.
I tried this DNS leak page that you posted earlier, but it was stuck in a loop, so I never understood what information it provides.
From what it looks like, your connections go through the VPN. What did you get there that proves otherwise?
On the PC, with changes in Interfaces - WAN: uncheck "Use DNS servers advertised by peer" and use custom DNS servers,
for example OpenDNS 208.67.222.222, 208.67.220.220.