WG DNS leak over VPN

Disclaimer: I just woke up and have not had my morning coffee yet.

When using DNS via the VPN it is easy to get a DNS leak.
This is caused by the way OpenWRT treats DNS servers.
Basically, all DNS servers added to any interface are used, not only the DNS server you added to the WG interface.

What you need to stop a DNS leak is to exclusively use the DNS server you set in the WG interface. See for some background information:

To solve this there are scripts which, when the tunnel is up, exclusively use the DNS server you set on the WG interface and make sure that a route to that DNS server is set up through the WG interface (needed if you use PBR).
I use this script:

For a proper setup, if both sides are OpenWRT routers, three things are important:

The first is to make sure that the DNS server on the other side can actually process your queries.
DNSmasq has to listen on all interfaces, so also on the WG interface. By default this is the case, but if you changed that then you have to add the WG interface as a listen interface.
The second is that DNSmasq on the other side has to answer non-local requests.
For this, disable Local service only (DNSmasq: --local-service):
Luci DNS-DHCP > Filter > Local service only: untick/disable,
or in /etc/config/dhcp:

config dnsmasq
	option localservice '0'

The third is that the client side is now using a DNS server with a local RFC1918 address.
DNSmasq has rebind protection, which shields you from answers containing local addresses, as those can be used to spoof DNS, so on the client side you have to disable Rebind protection:
Luci DNS-DHCP > Filter > Rebind protection: untick/disable,
or in /etc/config/dhcp:

config dnsmasq
	option rebind_protection '0'

Instead of disabling Rebind protection you can also whitelist the domain of the other side:
Luci DNS-DHCP > Filter > Domain whitelist: "name of the domain of the other side",
or in /etc/config/dhcp:

config dnsmasq
	list rebind_domain 'name of the domain of the other side'
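As an added example (not code from this post, nor from OpenWRT itself), here is a small POSIX sh script that audits a /etc/config/dhcp file for the three points above. The function names are my own, it assumes the WG interface is called wg0, and the two sample configs at the end are constructed rather than taken from a real router.

```shell
#!/bin/sh
# Audit an OpenWrt /etc/config/dhcp file for the dnsmasq settings described
# above. Plain sh + awk, so it runs on the router itself or offline.

# Print the value(s) of "KIND OPT" (KIND = option|list, quotes stripped) from
# the first 'config SEC' block of FILE, one per line; nothing if absent.
uci_vals() {
    awk -v sec="$2" -v kind="$3" -v opt="$4" -v q="'\"" '
        $1 == "config" { if (in_sec) exit; in_sec = ($2 == sec) }
        in_sec && $1 == kind && $2 == opt { v = $3; gsub("[" q "]", "", v); print v }
    ' "$1"
}

# audit_dhcp_cfg FILE ROLE WG_IFACE [PEER_DOMAIN]
# ROLE is "server" (dnsmasq answers queries arriving over WG) or "client"
# (queries are forwarded through the tunnel). Returns 0 when FILE passes.
audit_dhcp_cfg() {
    file="$1"; role="$2"; wg_if="$3"; peer="$4"; rc=0
    # 1. If listening is restricted to named interfaces, the WG one must be listed.
    ifaces=$(uci_vals "$file" dnsmasq list interface)
    if [ -n "$ifaces" ] && ! printf '%s\n' "$ifaces" | grep -qxF -- "$wg_if"; then
        echo "FAIL: dnsmasq listens only on [$(echo $ifaces)], not on $wg_if"; rc=1
    fi
    if [ "$role" = server ]; then
        # 2. The answering side must serve non-local queries; OpenWrt defaults
        #    localservice to 1, so an absent option fails as well.
        if [ "$(uci_vals "$file" dnsmasq option localservice)" != 0 ]; then
            echo "FAIL: localservice is not '0'; queries over $wg_if are refused"; rc=1
        fi
    elif [ "$(uci_vals "$file" dnsmasq option rebind_protection)" != 0 ] &&
         ! uci_vals "$file" dnsmasq list rebind_domain | grep -qxF -- "$peer"; then
        # 3. The querying side must accept RFC1918 answers: protection off or peer domain whitelisted.
        echo "FAIL: rebind_protection is on and '$peer' is not in rebind_domain"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $file meets the $role-side requirements"
    return "$rc"
}

# Constructed sample configs (not taken from a real router) for a quick run.
tmp=$(mktemp -d)
printf "config dnsmasq\n\toption localservice '1'\n\toption rebind_protection '1'\n" > "$tmp/server"
printf "config dnsmasq\n\toption rebind_protection '1'\n\tlist rebind_domain 'home.lan'\n\tlist interface 'lan'\n\tlist interface 'wg0'\n" > "$tmp/client"
audit_dhcp_cfg "$tmp/server" server wg0 || echo "server side still needs fixing"
audit_dhcp_cfg "$tmp/client" client wg0 home.lan
```

On a router, run it against the live file with `audit_dhcp_cfg /etc/config/dhcp server wg0` on the answering side and `audit_dhcp_cfg /etc/config/dhcp client wg0 <peer domain>` on the querying side.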