I've got a very lean system to install the toys. I started with my Mikrotik not knowing what would work/fit/stay. This was done not long ago (March 2022) on version
openwrt-19.07.8-ar71xx-mikrotik-rb-nor-flash-16M-initramfs-kernel to stable. Back then I was an OpenVPN desktop client user and that is how I rolled.
Model: MikroTik RouterBOARD 951Ui-2nD (hAP)
Architecture: Qualcomm Atheros QCA9533 ver 2 rev 0
Target Platform: ath79/mikrotik
Firmware Version: OpenWrt 22.03.0-rc5 r19523-bfd070e7fa / LuCI openwrt-22.03 branch git-22.167.28394-8a4486a
Kernel Version: 5.10.127
I've found some newer menus for working with DNS servers for my commercial VPN provider, SurfShark. This was in addition to the DNS Privacy stub resolver 'Stubby'.
Pic Hidden to keep your eyesight burn free.
These are the steps I took to get SurfShark's DNS servers working while the 'wg0' interface is running w/ my peer.
What I have experienced so far is that when I'm surfing with 'wg0' up (forced up),
DNS checks on the popular leak sites see me running within the commercial VPN provider's network. GOOD!
Otherwise, when the 'wg0' interface is down (forced down),
Stubby takes over and all the popular leak sites see me running the CloudFlare DNS servers. GOOD!
DNSSEC is not affected as I let "dnsmasq-full" handle that. So far, by the use of the tools provided by the Git Readme, my dig to the server still populates the 'ad' flag.
The key thing to note is the 'flags: qr rd ra ad' part - the 'ad' flag signifies that DNSSEC validation is working. If that flag is absent, DNSSEC validation is not working.
The reason for all this fiddling around was due mainly to seeing the options in the new OpenWrt rc, and also the continued support and use of the WireGuard desktop app.
My router is CPU limited and I find that running the desktop app w/ the keys I generate provides an extra few Mb of speed. The desktop app also allows for configuring the DNS servers of choice. Long story, but I hope the details will provide some feedback or intrigue into your own situation.
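Since the post's DNSSEC check comes down to reading the 'ad' flag out of dig's header, here is a small added helper (my own example, not from the post or any OpenWrt/Stubby project) that parses dig output for that flag and the response status, so the check can be scripted for both the 'wg0' up and 'wg0' down cases. The sample dig outputs are constructed; `check_live()` assumes a `dig` binary on PATH and a resolver address you supply.

```python
import re
import subprocess
from typing import Optional

# Constructed sample of `dig +dnssec <name> A` header output (validating resolver).
SAMPLE_VALIDATED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""

# Constructed sample from a resolver that answers but does not validate: no 'ad'.
SAMPLE_UNVALIDATED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54321
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""

FLAGS_RE = re.compile(r"^;; flags:\s*([a-z ]*);", re.MULTILINE)
STATUS_RE = re.compile(r"status:\s*([A-Z]+)")


def header_flags(dig_output: str) -> Optional[set]:
    """Return the set of header flags (qr, rd, ra, ad, cd, ...) or None if no header."""
    m = FLAGS_RE.search(dig_output)
    if not m:
        return None
    return set(m.group(1).split())


def dig_status(dig_output: str) -> Optional[str]:
    """Return the RCODE text (NOERROR, SERVFAIL, ...) or None if absent."""
    m = STATUS_RE.search(dig_output)
    return m.group(1) if m else None


def dnssec_validated(dig_output: str) -> bool:
    """True only when the resolver set 'ad' (authenticated data) on a NOERROR answer."""
    flags = header_flags(dig_output)
    return dig_status(dig_output) == "NOERROR" and flags is not None and "ad" in flags


def check_live(name: str, server: str, timeout: float = 10.0) -> bool:
    """Run dig against an assumed resolver address and report whether 'ad' came back.

    A validating resolver returns SERVFAIL (no 'ad') for a deliberately broken zone,
    so a NOERROR answer without 'ad' means validation is not happening at all.
    """
    proc = subprocess.run(["dig", "+dnssec", "@" + server, name, "A"],
                          capture_output=True, text=True, timeout=timeout)
    return dnssec_validated(proc.stdout)
```

Run `check_live("<a signed domain>", "127.0.0.1")` once with 'wg0' up and once with it down to confirm the 'ad' flag survives both paths.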