DNS Leak - Nested VPN Setup - Slate AX

As per previous post: Nested VPN setup - Slate AX

** Primary Issue **

  • DNS Leak
  • I PLAN… (IF i buy the GL-AXT 1800) to have the same setup, as per the 1 year old previous post:


  • Laptop using the Palo Alto Networks(GlobalProtect) VPN for work
  • OPNSense firewall with OpenVPN server
  • Slate AX(GL-AXT 1800) with OpenVPN Client which connects to OPNSense firewall


  • Slate AX connect to OPNSense with OpenVPN
  • Laptop connect to Slate AX by wifi
  • GlobalProtect on laptop will connect to my company via Internet


  • I expect my laptop traffic will through the Slate ax to OPNSense then connect to my company.
  • It will guarantee my traffic will exit from my firewall.
  • It will also guarantee my laptop public IP address will stay with OPNSense’s public ip
  • It ** WILL NOT ** DNS Leak


  • As per: Nested VPN setup - Slate AX
    I am concerned I will buy the router and it will not work as per the scenario above
  • Contacted support to ask if they resolved the issue. Advised they didnt, and that it is “it is rather strange and not clear so nothing was worked out.”

** DNS leak is my primary concern **

Simple Resolution:

  • Can you confirm, or not. If DNS leak happens in the given scenario above?

The post you cited is not about dns leak but cannot connect to vpn.

For your setup, you should not worry about your vpn but there is one typical problem for nested vpn. The GlobalProduct may not be able to connect at all because of mtu settings.

So this is the steps that I can suggest.

  1. Connect vpn from AXT1800 to your Opnsense

  2. Check IP and dns leaks using the following tools

All the ip and dns should be your server side, not your local side.

  1. Connect your GlobalProtect. If you have problem that it does not connect, change your computer’s mtu to lower.

For example in Windows

First find out the network interfaces that your computer is using to connect to the router.
netsh interface ipv4 show subinterfaces

Then set a lower mtu e.g. 1280. Pls do replace the with your real interface name
netsh interface ipv4 set subinterface <subinterface name> mtu=1280 store=persistent