VPN DNS leak solution, please?


Using my Netgear R7800 running OpenWrt 22.03.0-rc6 r19590-042d558536 / LuCI openwrt-22.03 branch git-22.204.42822-9a18337
I tried the fix at https://openwrt.org/docs/guide-user/firewall/fw3_configurations/intercept_dns and got this message:

Section @rule[9] (Support-UDP-Traceroute) is disabled, ignoring section
Section @include[0] is not marked as compatible with fw4, ignoring section
Section @include[0] requires 'option fw4_compatible 1' to be considered compatible

If this fix can be implemented, would it be preferable to deleting option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto' in /etc/config/dhcp and then writing:

option noresolv '1'
list server '"vpn dns"'
list server '"vpn dns"'

Without the latter fix I see a new IP but also a number of public DNS server addresses (in addition to my VPN provider's) when using the advanced test on dnsleaks.com.
I have an Asus/Merlin router with VPN enabled, and when using the extended test I get the new IP and just one of my VPN service's DNS servers.
Is there a way of getting that result with OpenWrt without modifying the DHCP config as outlined above?

Thank you!

Does your VPN interface have an 'Advanced Settings' tab, and within that tab a couple of settings to:

  • Use DNS servers advertised by peer (unchecked)

If unchecked, the advertised DNS server addresses are ignored

  • Use custom DNS servers
    Add your VPN DNS

If so, revert your solution and test just using the DNS setting applied to your VPN interface.

Add a metric of something greater than 0 to the WAN Interface DNS settings.

Ideally, when on the VPN your DNS will be used as configured in the 'Advanced Settings'. When off the VPN, your DNS will revert back to the ISP, assuming you have the option on the WAN interface's 'Advanced Settings':

  • Use DNS servers advertised by peer (checked)

Hi and thanks very much for replying. I do have all the GUI features you mentioned. I tried the WAN DNS weight first but no joy. Then I added a higher weight to the LAN but still it returned multiple DNS servers. Do you see any downside to the changes I mentioned to the DHCP config? They work perfectly DND server-wise, as far as I can tell. Cheers!

In addition, revert
option noresolv '1'

In order for the weighted DNS to work, it has to have access to the resolv file that will be populated as shown here:


You do not change anything in the LAN section concerning DNS. I do not know what that is.

Did I miss something? I read your post thinking that your DNS is leaking with your settings.
I'm proposing a situation/alternative setting in which I have no DNS leakage.
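The two approaches in this thread (the OP's /etc/config/dhcp edit and Bill's per-interface DNS settings with a WAN DNS weight) can be expressed as UCI commands, and the "does the resolver file only contain my VPN's servers" question can be turned into a repeatable check. The script below is an added example, not something posted in the thread or shipped by OpenWrt. It assumes the VPN interface is named 'vpn', the WAN interface 'wan', and uses 10.8.0.1 / 10.8.0.2 as placeholder VPN DNS addresses; substitute your own. The UCI batch is only meant to be piped into `uci batch` on the router; the leak check runs anywhere and is fed a constructed sample of the netifd-generated resolver file.

```shell
# Added example (not from the thread or the OpenWrt project).
# Assumptions: interface names 'vpn' and 'wan', VPN DNS 10.8.0.1 and 10.8.0.2
# (placeholders), OpenWrt 22.03 netifd/dnsmasq layout.
VPN_IFACE="vpn"
VPN_DNS="10.8.0.1 10.8.0.2"

# Emit the UCI batch matching the GUI settings suggested in the replies:
# - VPN interface ignores peer-advertised DNS and uses custom servers
# - WAN keeps peer-advertised DNS but gets a higher (less preferred)
#   DNS weight (dns_metric), so it is only used when the VPN is down
# - the 'option noresolv 1' from the first post is reverted so dnsmasq
#   keeps reading /tmp/resolv.conf.d/resolv.conf.auto
# Apply on the router with:  vpn_dns_uci | uci batch && /etc/init.d/network reload
vpn_dns_uci() {
    echo "set network.${VPN_IFACE}.peerdns='0'"
    echo "delete network.${VPN_IFACE}.dns"
    for s in $VPN_DNS; do
        echo "add_list network.${VPN_IFACE}.dns='$s'"
    done
    echo "set network.${VPN_IFACE}.dns_metric='0'"
    echo "set network.wan.peerdns='1'"
    echo "set network.wan.dns_metric='10'"
    echo "delete dhcp.@dnsmasq[0].noresolv"
    echo "commit"
}

# Leak check: read resolv.conf-style text on stdin and report every
# 'nameserver' line whose address is not one of the VPN servers.
# Returns 0 when only VPN servers are present, 1 otherwise.
# On the router:  check_resolv < /tmp/resolv.conf.d/resolv.conf.auto
check_resolv() {
    leaked=0
    while read -r key val _; do
        [ "$key" = "nameserver" ] || continue
        ok=0
        for s in $VPN_DNS; do
            [ "$val" = "$s" ] && ok=1
        done
        if [ "$ok" -eq 0 ]; then
            echo "non-VPN resolver present: $val"
            leaked=1
        fi
    done
    return $leaked
}

# Constructed samples of what netifd writes. The first is the leaking
# state (ISP server from WAN still listed); the second is the clean one.
SAMPLE_LEAK='# Interface vpn
nameserver 10.8.0.1
nameserver 10.8.0.2
# Interface wan
nameserver 192.0.2.53'

SAMPLE_CLEAN='# Interface vpn
nameserver 10.8.0.1
nameserver 10.8.0.2'

# Stand-alone run: show the batch and check both samples.
vpn_dns_uci
printf '%s\n' "$SAMPLE_LEAK" | check_resolv || echo "sample 1: leak"
printf '%s\n' "$SAMPLE_CLEAN" | check_resolv && echo "sample 2: clean"
```

Note that the check only covers the file netifd generates; if 'list server' entries are also set in /etc/config/dhcp, dnsmasq uses those in addition, so inspect that section too. A higher WAN DNS weight does not remove the ISP servers from the file, it only orders them after the VPN's, which is why dnsleaktest-style sites can still see them unless the VPN interface is the only one contributing resolvers.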

Hi Bill. Thanks for your reply. Forgive me but just seeing it now. I will give your suggestion a try ASAP.
(DND=DNS. Having LAM and WAM issues too. :blush:).

Hi and thanks again for your suggestions, Bill. I was hoping to have a VPN I could turn on and off at will, but the tun0 device disappears when I stop it and a reboot doesn't restore it, so I'm going to give up on the idea for now. All the best.

Hi Bill. A few minutes ago I said I was giving up on the VPN install and why and it was flagged as inappropriate. So I'll leave out the 'why' and just say thanks very much for your suggestions.