Surfshark Wireguard VPN DNS leak

Having had OpenVPN set up for a while, I set up WireGuard today on OpenWrt (Linksys WRT3200ACM with 19.07). I am based in Romania and am trying to set up a UK server.

My IP address now shows correctly as UK, but the DNS is showing as Germany.

Not sure what I have done wrong, as I would think that the DNS would show as either Romania or UK? Not sure where Germany has come from?

I will share next my config files if anyone is able to help. Thanks!

Try checking here -> DNS Leaker. It's always best to use the tools provided by the VPN provider. For load-balancing reasons, they tend to route traffic through other countries.

1 Like

Please delete your last posts; you technically doxxed yourself. And try this handy guide provided by Surfshark. I think you skipped the step about setting up using Surfshark's DNS servers.

1 Like


config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr ''
	option netmask ''

config globals 'globals'
	option ula_prefix 'fd0a:b426:4e56::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option netmask ''
	option ip6assign '60'
	option ipaddr ''

config interface 'wan'
	option ifname 'eth1.2'
	option proto 'pppoe'
	option ipv6 'auto'
	option password '....'
	option username '...'
	list dns ''
	list dns ''
	option peerdns '0'

config interface 'wan6'
	option ifname 'eth1.2'
	option proto 'static'
	option broadcast '...'
	option ipaddr '...'
	option gateway '...'
	option netmask ''
	list dns ''
	list dns ''

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 5t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6t'

config interface 'nordvpntun'
	option ifname 'tun0'
	option proto 'none'

config interface 'wg0'
	option proto 'wireguard'
	list addresses ''
	option private_key '...'

config wireguard_wg0
	option public_key 'iBJRXLZwXuWWrOZE1ZrAXEKMgV/z0WjG0Tks5rnWLBI='
	option description 'UK'
	option endpoint_port '51820'
	list allowed_ips ''
	option route_allowed_ips '1'
	option endpoint_host ''

Whoops, thanks! So when I followed this guide, the DNS server option wasn't where it was in the video, I think because I'm on an older version of OpenWrt? But I changed them in WAN instead... was this not the correct place?

The thing I don't understand is where Germany is appearing from? I am in Romania, so in my limited understanding I would have expected UK to show if I had done this correctly, or Romania if I had messed something up? I am definitely not an expert though so I'm sure it's my error!

Please delete the Wireless Config, DHCP, Firewall, network posts.

According to the video you should find the correct server information via the manual config file. You may be using the "German DNS server" or leaking via a previously installed VPN.

1 Like

I think I worked it out: the DHCP config had DNS forwarding set up to NordVPN DNS, so I changed that to Surfshark and now DNS and IP are both showing UK, and speedtest is at 500mb/s so think all good now, thanks so much for your help!
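The cause reported in the post above, a dnsmasq forwarder left over from a previous VPN provider, can be checked for mechanically. The following is an added example, not part of the original thread: it lists every resolver configured in OpenWrt UCI text and flags any that are not on an allowlist. The sample config and all addresses are constructed placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. All addresses are constructed placeholders (RFC 5737 ranges).
SAMPLE_CONFIG="config dnsmasq
	option noresolv '1'
	list server '192.0.2.53'
	list server '203.0.113.10'

config interface 'wan'
	option peerdns '0'
	list dns '198.51.100.7'
	list dns ''
"

# Print "<section> <address>" for every dnsmasq forwarder (list server) and
# per-interface resolver (list dns / option dns) in UCI text on stdin.
# Empty (redacted) values are skipped.
list_dns_upstreams() {
    awk -v q="'" '
        BEGIN { sec = "?" }
        $1 == "config" {
            sec = $2
            if (NF >= 3) sec = sec ":" $3
            gsub(q, "", sec)
            next
        }
        ($1 == "list" || $1 == "option") && ($2 == "server" || $2 == "dns") {
            for (i = 3; i <= NF; i++) {
                v = $i; gsub(q, "", v)
                if (v != "") print sec, v
            }
        }'
}

# $1 = space-separated allowlist of the current VPN provider's resolvers.
# Prints every configured upstream outside the allowlist; returns 1 if any.
audit_dns() {
    allowed=" $1 "
    unexpected=$(list_dns_upstreams | while read -r sec addr; do
        case "$allowed" in
            *" $addr "*) ;;
            *) echo "UNEXPECTED $sec -> $addr" ;;
        esac
    done)
    if [ -n "$unexpected" ]; then
        printf '%s\n' "$unexpected"
        return 1
    fi
}

# Demo on the constructed sample: 203.0.113.10 stands in for the new provider.
printf '%s' "$SAMPLE_CONFIG" | audit_dns "203.0.113.10" || echo "stale resolvers found"
```

On a router, `cat /etc/config/dhcp /etc/config/network | audit_dns "<provider resolver addresses>"` runs the same check against the live files. Domain-scoped dnsmasq entries are reported as written rather than parsed.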


Please remove your info, i.e. MAC address etc.

1 Like

You're welcome. :grin: Don't forget to remove those extra posts. :safety_vest: Hopefully a mod set up this server to actually remove them when recommended to delete them.

1 Like

There doesn't appear to be anything sensitive in the configs he's posted. It's fairly standard for people to post such things when asking for assistance and, while the OP could request their deletion, it's not going to cause any harm if they don't.


Thanks, will delete them, although I don't think there is anything personal in the configs? I had added them because before when I asked for help everyone needed my config to help.

@krazeh @pipedreams86 I'm not going to quote it but they list their public key configuration in plain text.

While I do agree local configurations "" are fine, I take the FUD approach with VPN configurations. You never know what can be reversed these days.

Firstly, it's a public key which, as the name suggests, is a lot less sensitive than private keys.

Secondly, it's the public key for the surfshark end so all you can do with it is encrypt data that surfshark can decrypt.

Thirdly, unless the malicious actor somehow manages to add the public key (and other relevant info) to the surfshark end, they're not going to be able to make a connection with the provided details.

Fourthly, even if they could make a connection the traffic would pass between their device and surfshark, not the OP's.

Fifthly, when you first started suggesting config files were deleted there were no VPN details.

It is, of course, important to remain vigilant and protect sensitive data. But it's equally important to be clear about what are real, substantive threats, and what are not. Especially in a space where we rely on people providing details about their setups so we can effectively troubleshoot and assist them.

1 Like

I don't like being the "um, actually" guy, but in the video you can clearly see Surfshark themselves pixelate that specific data at the 4:35 mark.

In this day and age where VPNs are consistently being targeted for customer sensitive data, I would not suggest providing any information that you would use to login, encrypt or decrypt using their services.

Especially on a public forum cataloged via exploitable search engines. Hopefully you can rotate and re-roll this information.

I was referring to the DNS server details which can be poisoned/spoofed. Something the end-user actually shows concerns about.

So? Surfshark pixelating a public key doesn't change the fact that public keys are less sensitive than private keys (which you definitely shouldn't be disclosing) and are used to encrypt data. In this case, data which can only be decrypted by Surfshark (as they are the ones who know the corresponding private key). I mean, you could try using the details to connect to Surfshark yourself but I'd be very surprised if you got a successful handshake or any data transfer.

Would it be better if the OP had not included the key in the first place? Yes. Is it appropriate to give them the impression they are now at significant risk having done so? No.

It would have been far more appropriate to indicate it was better they didn't disclose the public key with an explanation as to what it is used for and simply advise that if they wanted to be 100% definitely certain that they weren't at risk they should just generate a new key.

I hardly think the OP indicating they use NordVPN and Surfshark DNS servers (details for which are already easily located online) is going to put them at any significant level of risk. But again, the key in responding to this is education (i.e. explain what the problematic information is and the potential risks), rather than scaremongering.


This still makes the information "sensitive" even if it is less serious than a leaked private key.

And, again...

:church: You are preaching to the choir:

I'm a bit surprised this rule and others like it are not stapled to the top of this forum.

But, I do overstand why:
How To Ask Questions The Smart Way by Eric Steven Raymond is slightly hidden.

Now, can we both go enjoy our day, ...instead of this measuring contest? :wink:

Thanks all for your input and educating me on the config files I posted. I have deleted the posts now just to be safe, but can repost with the relevant info redacted if needed.

I am still working on the DNS… it appears I still have a leak, as I am trying to get my Sky Glass TV service to work, and it still shows no internet. Everything else is working fine so far and I have speeds of 500mbps with UK DNS and IP addresses showing, but I really want to get the Sky Glass streaming service to work… when I go to the Mullvad check page it shows a DNS leak, how would I troubleshoot this? I am with Surfshark not Mullvad but considering Mullvad. I have so far tried NordVPN, Surfshark and ExpressVPN and so far Sky Glass puck/TV won’t work… however Sky Go streaming is working fine, and BBC iPlayer etc, so it is something specific to Sky Glass that isn’t working. They somehow seem to know I am using a VPN even though the DNS/IP are showing correctly as UK. The Sky Glass TV shows an error of being connected to the router but not having internet connection.

Thanks all!

If you are using most VPN providers' DNS Leak Checkers and you aren’t pointed at theirs, they will declare that you have a DNS leak.


For most devices like televisions and streaming devices, you can have two paths: the first and usual culprit is a region lock due to some very expressive laws built to combat piracy. :pirate_flag:

Or, you may have skipped the bonus section of the video at the 8:13 mark. Usually if you edit the DNS on the specific device to point towards the VPN's DNS, it sorts itself out.

As for other VPN providers showing a DNS leak, others and myself mentioned previously:
"It's always best to use the tools given via the VPN provider"

1 Like