VPN/WARP is bypassing my DNS Family Filter

Hi, I am a newbie and just started using OpenWrt.
I wanted to set up Cloudflare's Family Filter for protection against adult content and malware, but I am having trouble setting it up.
Let me go through the stuff I did...

Device and Version

1 - Setting up DNS Server
I used https-dns-proxy/luci-app-https-dns-proxy to set up Cloudflare's Family protection version; that part seems to be going well so far, and every device is following these DNS protocols.


Problems
The problem is that whenever I turn on a VPN or WARP on my mobile or other devices, it seems to just bypass the DNS protocol that I've set, and I can easily access adult content.
I tried port forwarding port 53 in Network -> Firewall -> Port Forwards, but that was of no use (I've since reverted that change).
How can I make sure that this DNS protocol can never be bypassed by VPN or WARP?

You can't, that's the whole point of VPN.

You need to block client VPN communication in the firewall.


Is there a reference or guide where someone has blocked client VPN communication in the firewall?

WireGuard and OpenVPN are easy to block at the port level: just drop or reject the traffic, or use the banIP package with the IP list posted at (for instance) https://github.com/az0/vpn_ip.
If the target is your buddy's server, it'll be a lot harder to find, since the IP and DNS name won't be on any list.

Blocking WireGuard looks something like this, but it'll only work if the target is using the default WireGuard port.
OpenVPN uses UDP 1194, but also TCP 443; the latter can't be blocked, since it's also the HTTPS port.


Yeah, from what I've seen, a lot of VPNs, including ProtonVPN and WARP, use 443, so that's no good. In that case, let me try the banIP package to see how to use and implement it, and see for myself whether it can at least block the widely available sources.
I'll let you know if it serves the purpose. Thanks

If you're using the DNS name filter, you'll most likely also need to implement https://openwrt.org/docs/guide-user/firewall/fw3_configurations/intercept_dns, including the extras, to stop your clients from bypassing your local DNS.

Good luck.

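The two measures the replies above describe (rejecting the default WireGuard/OpenVPN ports from the LAN, and intercepting plain DNS so clients cannot skip the router's filtered resolver, plus rejecting DNS-over-TLS on 853) can be expressed as OpenWrt firewall rules. The script below is an added example written for this page; it is not code from the thread, from the OpenWrt wiki page linked above, or from any package. It only generates a `uci batch` script for review, and assumes the default zone names `lan` and `wan`, that the filtered resolver (https-dns-proxy in front of dnsmasq) listens on the router's port 53, and that the VPNs use their default ports. A VPN running on a custom port or on TCP 443 (WARP, ProtonVPN, OpenVPN over 443) is not caught by this, and DoH is not blocked by port alone, which is exactly the limitation the replies point out.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenWrt wiki): emit a UCI batch that
#  1. rejects the default WireGuard (UDP 51820) and OpenVPN (1194) ports from lan to wan,
#  2. DNATs every port-53 query from the lan to the router itself (no dest_ip in a
#     fw3/fw4 redirect means "this router"), so hard-coded 8.8.8.8 still hits the filter,
#  3. rejects DNS-over-TLS (853) so Android "Private DNS" falls back to plain DNS.
# Assumptions: zones are named 'lan' and 'wan'; the filtered resolver is on the router's
# port 53. Nothing here touches a router. Review the output, then on the router run:
#   sh make_rules.sh | uci batch && uci commit firewall && /etc/init.d/firewall restart
# Extra known VPN endpoints can be passed as PROTO:PORT arguments, e.g. udp:1195.

# reject_rule NAME PROTO PORT: one lan->wan REJECT rule section
reject_rule() {
    cat <<EOF
add firewall rule
set firewall.@rule[-1].name='$1'
set firewall.@rule[-1].src='lan'
set firewall.@rule[-1].dest='wan'
set firewall.@rule[-1].proto='$2'
set firewall.@rule[-1].dest_port='$3'
set firewall.@rule[-1].target='REJECT'
EOF
}

# vpn_block_rules [PROTO:PORT ...]: default VPN ports plus any extra endpoints given
vpn_block_rules() {
    reject_rule 'Block-WireGuard-default' 'udp' '51820'
    reject_rule 'Block-OpenVPN-default' 'tcp udp' '1194'
    for ep in "$@"; do
        reject_rule "Block-VPN-${ep%%:*}-${ep#*:}" "${ep%%:*}" "${ep#*:}"
    done
}

# dns_intercept_rules: DNAT lan port 53 to the router, reject DoT on 853
dns_intercept_rules() {
    cat <<EOF
add firewall redirect
set firewall.@redirect[-1].name='Intercept-DNS'
set firewall.@redirect[-1].src='lan'
set firewall.@redirect[-1].src_dport='53'
set firewall.@redirect[-1].proto='tcp udp'
set firewall.@redirect[-1].target='DNAT'
EOF
    reject_rule 'Deny-DoT' 'tcp udp' '853'
}

# count_sections TEXT: how many firewall sections a generated batch would add
count_sections() {
    printf '%s\n' "$1" | grep -c '^add firewall '
}

# all_rules [PROTO:PORT ...]: the complete batch
all_rules() {
    vpn_block_rules "$@"
    dns_intercept_rules
}

all_rules "$@"
```

After applying it on the router, verify from a LAN client with `nslookup example.com 8.8.8.8`: the answer should still come back (the redirect hands the query to the router), and a domain the family filter blocks should resolve to Cloudflare's block response rather than the real address. A WireGuard client pointed at a default-port server should fail to complete its handshake; one on TCP 443 will connect regardless, as the thread says.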

Yep, that is how VPNs are supposed to work.

There is always a chance that someone will be able to bypass your DNS restrictions by using DoH, DoT or even VPN. You control your devices and smartass kids get family control on every device. That's it.

From a technical point of view, I would start with installing Adblock and selecting interception of port 53 (regular DNS) and port 853 (DoT, like the one built into Android phones), plus selecting "doh_blocklist" and the VPN section of the "utcapitole" filter in the Feed Selection tab. All of that is available via LuCI and fits perfectly even on lower-end devices.

Protip: Don't try to control your wife's phone. That's a sure way to divorce.
