VPN doesn't work correctly

Hi,
I have a VPN on my guest network and WireGuard is configured.
The streaming services don't work because my DNS servers are not correctly configured.
I use surfshark.
I checked my DNS on https://www.dnsleaktest.com/ and the ISP and hostname aren't Surfshark's.
Surfshark's DNS servers are:
162.252.172.57
149.154.159.92
and usually the ISP is Datacamp Limited.
This is what I get from my connection:



And this is my OpenWrt configuration:


# /etc/config/wireless as pasted (keys redacted by the poster)
# 2.4 GHz radio
config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/18000000.wmac'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option cell_density '0'

# 2.4 GHz SSID bridged into the 'lan' network (WPA2-PSK); not VPN-routed
config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'Stamp'
	option encryption 'psk2'
	option key '**************'

# 5 GHz radio
config wifi-device 'radio1'
	option type 'mac80211'
	option path '1a143000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
	option channel '36'
	option band '5g'
	option htmode 'HE80'
	option cell_density '0'

# 5 GHz SSID attached to the 'guest' network (WPA3-SAE). Only traffic on this SSID
# is steered to wg0 by the pbr 'Guest' policy; presumably the Apple TV joins this
# SSID — confirm, since that is the device the thread is about
config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'guest'
	option mode 'ap'
	option ssid 'tivi'
	option encryption 'sae'
	option key '***********'

# second 5 GHz SSID, also on 'lan' (WPA2-PSK); not VPN-routed
config wifi-iface 'wifinet2'
	option device 'radio1'
	option mode 'ap'
	option ssid 'Call'
	option encryption 'psk2'
	option key '**************'
	option network 'lan'


Wg client:

# "Wg client" section as pasted; the package this config belongs to is not named in
# the thread, so the meaning of these options cannot be confirmed from here
config client
    option port_start '51820'
    option port_end '52820'
    # NOTE(review): the option names suggest fallbacks to an unverified ('insecure')
    # or plaintext ('http') transport. Confirm what the client does with them and
    # keep them at '0' unless the fallback is actually required.
    option try_insecure '1'
    option try_http '1'

# /etc/config/pbr (policy-based routing)
config pbr 'config'
	option enabled '1'
	option verbosity '2'
	# strict_enforcement: per the pbr documentation, traffic matching a policy whose
	# interface is down is dropped instead of falling back to the default route;
	# this is what keeps guest traffic off the wan path while wg0 is down — confirm
	# against the installed pbr version
	option strict_enforcement '1'
	# no dnsmasq/resolver integration, so policies can only match addresses/ports,
	# not domain names (the 'Plex/Emby Remote Servers' policy below is disabled anyway)
	option resolver_set 'none'
	option ipv6_enabled '0'
	# neither 'vpnserver' nor 'wgserver' exists in the pasted network config;
	# these entries are harmless leftovers of the package defaults
	list ignored_interface 'vpnserver'
	list ignored_interface 'wgserver'
	option boot_timeout '30'
	option rule_create_option 'add'
	option procd_reload_delay '1'
	option webui_show_ignore_target '0'
	list webui_supported_protocol 'all'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'

# package-supplied includes, both disabled
config include
	option path '/usr/share/pbr/pbr.user.aws'
	option enabled '0'

config include
	option path '/usr/share/pbr/pbr.user.netflix'
	option enabled '0'

# package-supplied example policies, both disabled
config policy
	option name 'Plex/Emby Local Server'
	option interface 'wan'
	option src_port '8096 8920 32400'
	option enabled '0'

config policy
	option name 'Plex/Emby Remote Servers'
	option interface 'wan'
	option dest_addr 'plex.tv my.plexapp.com emby.media app.emby.media tv.emby.media'
	option enabled '0'

# the only active policy: everything sourced from the guest subnet leaves via wg0.
# Written with host bits set; 192.168.5.0/24 is the conventional way to spell it.
# This is a source-address match, so it applies to guest clients only — lookups
# that originate on the router itself (e.g. dnsmasq forwarding upstream) are
# presumably not covered by it; verify if clients are pointed at the router for DNS
config policy
	option name 'Guest'
	option src_addr '192.168.5.1/24'
	option interface 'wg0'

# disabled; LAN keeps the default route (wan) regardless of this entry
config policy
	option name 'LAN'
	option src_addr '192.168.1.1/24'
	option interface 'wan'
	option enabled '0'



# /etc/config/network
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd4e:84b5:945d::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	# 'dns' on an interface sets upstream resolvers for the router itself (they are
	# collected into the resolvfile that dnsmasq reads); it does not control what
	# DHCP clients are handed. Note these are not the Surfshark resolvers.
	list dns '94.140.14.14'
	list dns '9.9.9.9'

# wan keeps metric 0, i.e. it stays the preferred default route for the router
config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option metric '0'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

# WireGuard client to Surfshark. allowed_ips 0.0.0.0/0 plus route_allowed_ips
# installs a default route via wg0, but at metric 10 it sits behind the wan
# default (metric 0); selecting guest traffic onto wg0 is pbr's job, not this
# metric's — confirm on the device with `ip route`
config interface 'wg0'
	option proto 'wireguard'
	option private_key '********************'
	list addresses '10.14.0.2/16'
	# tunnel resolvers; like 'lan' above these feed the router's own resolvfile
	list dns '162.252.172.57'
	list dns '149.154.159.92'
	option metric '10'

config wireguard_wg0
	option description 'it-mil-2.conf'
	option public_key '*******************'
	list allowed_ips '0.0.0.0/0'
	option endpoint_host 'it-mil.prod.surfshark.com'
	option endpoint_port '51820'
	option route_allowed_ips '1'

# bridge with no wired ports; only the 'tivi' wifi-iface attaches to it
config device
	option name 'br-guest'
	option type 'bridge'

# guest segment 192.168.5.0/24. No ip6assign here, so guest clients get no IPv6
# from the router (consistent with ipv6_enabled '0' in pbr and avoids a v6 path
# around the tunnel)
config interface 'guest'
	option device 'br-guest'
	option proto 'static'
	option ipaddr '192.168.5.1'
	option netmask '255.255.255.0'
	# router-side upstream entries again; the DHCP option 6 in the dhcp config is
	# what actually hands these addresses to guest clients
	list dns '162.252.172.57'
	list dns '149.154.159.92'



# /etc/config/firewall (fw4)
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option mtu_fix '1'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# default OpenWrt rules: these only admit ESP / IKE from wan into lan; they are
# unrelated to the WireGuard tunnel (which is an outbound client) and can stay
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# pbr installs its own marking rules through this include
config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/pbr.firewall.include'

# tunnel zone: masquerade guest sources behind the wg0 address (10.14.0.2)
config zone
	option name 'vpn'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'wg0'
	option masq '1'

# guest zone: input REJECT except the two rules at the end, and no forwarding to
# 'lan' is defined, so guest clients are isolated from the LAN
config zone
	option name 'guest'
	list network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'

# guest -> wan is the path guest traffic would take if pbr were disabled or its
# 'Guest' policy did not apply; with strict_enforcement set in pbr that fallback
# is presumably blocked while wg0 is down, but it is worth verifying rather than
# assuming (e.g. by stopping pbr and re-running the leak test)
config forwarding
	option src 'guest'
	option dest 'wan'

# intended path for guest traffic
config forwarding
	option src 'guest'
	option dest 'vpn'

config rule
	option name 'Allow-Guest-DHCP'
	list proto 'udp'
	option target 'ACCEPT'
	option src 'guest'
	option dest_port '67-68'

# lets guest clients query dnsmasq on the router. No 'proto' is given, so fw4
# applies its default protocol set for a port-based rule — confirm. Any client
# that uses the router (rather than the option-6 addresses from DHCP) as resolver
# then depends on where dnsmasq forwards upstream, which the pbr source policy
# presumably does not steer through wg0
config rule
	option name 'Allow-Guest-DNS'
	option target 'ACCEPT'
	option src 'guest'
	option dest_port '53'



# /etc/config/dhcp
config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	# rebind_protection rejects upstream answers pointing into private ranges;
	# sensible for a router that also serves a guest segment
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	# upstream list written by netifd from the per-interface 'dns' entries in the
	# network config (lan, wg0 and guest all contribute), so dnsmasq may forward
	# to any of them; which one it picks, and via which route, is not fixed by
	# anything pasted here — verify if clients are meant to use the router as DNS
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	# localservice restricts dnsmasq to directly attached subnets
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

# IPv4-only DHCP for the guest segment (no dhcpv6/ra, matching the absent
# ip6assign on the guest interface)
config dhcp 'guest'
	option interface 'guest'
	option dhcpv4 'server'
	option start '100'
	option limit '150'
	option leasetime '12h'
	# DHCP option 6 hands guest clients the Surfshark resolvers directly, so their
	# plain UDP/TCP-53 lookups go to these addresses and are steered over wg0 by
	# the pbr 'Guest' policy without touching dnsmasq. This only covers classic
	# DNS: a client that speaks DoH/DoT to a resolver of its own choosing (as the
	# browsers in the thread do) ignores option 6 entirely
	list dhcp_option '6,162.252.172.57'
	list dhcp_option '6,149.154.159.92'


Check if the browser is bypassing the OS DNS config (DoH etc.)

This tool might be useful:

Disable webRTC and implement DNS hijacking (which would stop the DoH @psherman mentioned).

I don't know how to install it.
I tried to install curl from the terminal but I can't.
I don't know why.
I'm on mac.

I'm sure Google knows, but it's a browser feature; it has nothing to do with OpenWrt.

I configured it.


![Screenshot 2023-08-24 alle 07.43.06|690x143]
I ran a test on three different browsers at the same time with the DNS leak test website.
I obtained three different results:
On safari:
93.189.61.195 free.ds.melbicom.net. Melbikomas UAB Amsterdam, Netherlands
95.174.64.246 host246.reachnigh.us. M247 Europe SRL Milan, Italy

On chrome:
162.158.131.128 None Cloudflare Milan, Italy
162.158.131.88 None Cloudflare Milan, Italy

On firefox:
149.102.238.165 unn-149-102-238-165.datapacket.com. Cogent Communications Zurich, Switzerland

I tested the Apple TV and today the streaming services work.
Do I have to install dnsleaktest to check whether it works correctly?
I tried to do it, but I can't.
It gives me errors.

max@MacBook-Air-di-Max ~ % curl https://raw.githubusercontent.com/macvk/dnsleaktest/master/dnsleaktest.sh -o dnsleaktest.sh
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:--  0:00:29 --:--:--     0curl: (6) Could not resolve host: raw.githubusercontent.com

this is still only for plain DNS; you need to stop (or disable) DoH and DoT too.
DoT is easy to stop in the firewall, DoH not so much, since it uses HTTPS.

DNS encrypted services (DNS over TLS / DNS over HTTPS / DNScrypt) do not use port 53.

In this guide they use port 53:

then you haven't read the whole guide.
and there's a difference between the DNS IPs you hand out and the DNS servers the clients actually use


Like I stated in my response above - DNS encrypted services (DNS over TLS / DNS over HTTPS / DNScrypt) do not use port 53.

DNS hijacking won't work for you. You can use tcpdump / Wireshark to capture packets and check what type of queries your machine is making, or use a device which you are sure uses only plain DNS on UDP 53.

it will, for those applications/OSes using clear-text DNS, but most don't.
not related to the issue, but the YT app for instance uses 8.8.8.8:53 as DNS, or at least used to.


yes, yes, I meant to say for the purpose of the test @ilcobrapizzica is conducting atm.


I only read the page I linked, about DNS hijacking.
I can't find other port numbers.
Which port do I have to use?
I'm not an expert and I don't understand this topic very well.

then you didn't read it carefully enough, DoT clearly uses a port.

for DoH you use an IP set.

use the cli, instead of trying to replicate the commands via LuCI.

I only need the Apple TV to receive the correct DNS from WireGuard.
I think this is the problem that blocks the streaming services.
If I use the app on my smartphone with the same server it works, but sometimes it doesn't work through the router connection.

then why not set it up on the apple TV ?

it's forbidden. You cannot install VPN apps.

another nail in my "why I won't use Apple stuff" coffin ...

but there's also https://www.imore.com/music-movies-tv/tvos/apple-tv-is-getting-vpn-apps-with-tvos-17-and-it-could-be-a-game-changer


I used to use an amazon fire tv.
It was perfect in everything and I liked it better.
The only problem with Amazon was that the storage was very small and, above all, the system got slower with each update.
Basically they force you to change your device every 2 or 3 years.
At least with apple you can keep the device even 10 years without problems.
Thanks for the link, but unfortunately tvOS 17 will maybe be released this winter, and when it comes out I would like to see whether it really accepts VPN service apps.
Right now the only way to get a VPN is to provide it from your router.