WireGuard and pbr - could not stop DNS Leak so far

That is incorrect. It would use whatever IP you assign them. There is no "advertised by WG". Wireguard peers are statically configured. In fact, I never suggested editing the WG config.

So did you try?

Eg, use 9.9.9.9:

  1. Assign all clients the DNS server 9.9.9.9
  2. Then:
config route
        option target '9.9.9.9'
        option netmask '255.255.255.255'
        option interface 'wg0'

or

config route
        option target '9.9.9.9/32'
        option interface 'wg0'

You can choose any IP, so you can exclusively assign it to clients using WG via Step 1, hence no leak. As long as you assign the peers the correct IP, they'll use the correct server; Step 2 seems optional, i.e. whether you wish/need to tunnel to the desired DNS over WG too.

It's kinda odd to say it won't work, when I (and others) are noting to you that they have setups with no DNS leaks.

I see one as well, and corrected, based on the information I've provided:

config mac 'iPhone1'
        option mac 'mac_address_iPhone1'
        option networkid 'lan' #<---I assume this needs to be LAN, not wg0
        list dhcp_option '6,9.9.9.9'

WG is Layer 3, so you cannot make assignments via DHCP in that manner. You have to configure the iPhone if it's connected via Wireguard, see e.g. setting:

  • Phone will use 9.9.9.9 when connected to peer (OpenWrt) - i.e. Step 1
  • 9.9.9.9 will be routed through WG - i.e. Step 2

If you want to set the route more specifically, see: https://openwrt.org/docs/guide-user/network/routing/routes_configuration

The route statement can be customized to specify: SRC IP/range, etc. so only your WG IP SRC range will use WG for reaching the e.g. IP of 9.9.9.9.
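As an added example (not part of this thread and not OpenWrt's own tooling), here is a small Python check for Step 2: it parses a UCI `config route` fragment like the ones above, accepts both the target+netmask and the CIDR target forms, and reports whether the DNS server you handed to the WG clients is actually covered by a route via wg0 or would fall through to the default route. The config text and the `dns_leaks` / `dns_route_interface` function names are constructed for this example.

```python
import ipaddress
import re

# Constructed sample: both route styles from the post, plus an unrelated route.
SAMPLE_NETWORK = """
config route
        option target '9.9.9.9'
        option netmask '255.255.255.255'
        option interface 'wg0'

config route
        option target '10.10.0.0/24'
        option interface 'wg0'
"""

# Same DNS route written in CIDR form (constructed sample).
SAMPLE_NETWORK_CIDR = """
config route
        option target '9.9.9.9/32'
        option interface 'wg0'
"""


def parse_uci_sections(text):
    """Minimal UCI parser: returns a list of sections with their options/lists.
    Trailing '#' comments after a quoted value (as in the dhcp snippet) are ignored."""
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = re.match(r"config\s+(\S+)(?:\s+'?([^']*)'?)?", line)
        if m:
            current = {'_type': m.group(1), '_name': m.group(2),
                       'options': {}, 'lists': {}}
            sections.append(current)
            continue
        m = re.match(r"(option|list)\s+(\S+)\s+'([^']*)'", line)
        if m and current is not None:
            kind, key, val = m.groups()
            if kind == 'option':
                current['options'][key] = val
            else:
                current['lists'].setdefault(key, []).append(val)
    return sections


def route_networks(sections):
    """Return (network, interface) pairs for every 'route' section.
    A bare target uses 'netmask' (default /32); a target with '/' is CIDR."""
    out = []
    for s in sections:
        if s['_type'] != 'route':
            continue
        o = s['options']
        target = o.get('target')
        if not target:
            continue
        if '/' in target:
            net = ipaddress.ip_network(target, strict=False)
        else:
            mask = o.get('netmask', '255.255.255.255')
            net = ipaddress.ip_network(f"{target}/{mask}", strict=False)
        out.append((net, o.get('interface')))
    return out


def dns_route_interface(config_text, dns_ip):
    """Interface of the most specific static route covering dns_ip, or None
    if no static route matches (i.e. the default route would be used)."""
    addr = ipaddress.ip_address(dns_ip)
    best = None
    for net, iface in route_networks(parse_uci_sections(config_text)):
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def dns_leaks(config_text, dns_ip, tunnel_iface='wg0'):
    """True when the DNS server is NOT routed via the tunnel interface."""
    return dns_route_interface(config_text, dns_ip) != tunnel_iface


if __name__ == '__main__':
    for cfg in (SAMPLE_NETWORK, SAMPLE_NETWORK_CIDR):
        print('9.9.9.9 via', dns_route_interface(cfg, '9.9.9.9'),
              '- leak:', dns_leaks(cfg, '9.9.9.9'))
    print('8.8.8.8 leak:', dns_leaks(SAMPLE_NETWORK, '8.8.8.8'))
```

Run it against `/etc/config/network` (read the file into `config_text`) to confirm the address from Step 1 really has a /32 route over wg0; an address with no static route returns `None` and is flagged, which is exactly the case where a client's DNS query would take the WAN default route instead of the tunnel.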