DNS leaking

I'm using a Flint 2 (GL-MT6000), v4.5.6.

The Flint 2 is running both a WG server and a WG client, and VPN Cascading is enabled, but I get DNS leaks.

AdGuard Home: ON
DDNS: ON
VPN Policy Based on the Client Device: 4 local devices.

Laptop → (Flint WG Server (Cascading) → WG Client) → Mullvad → Internet.
DNS leaks.

Laptop → (Flint WG Client) → Mullvad → Internet.
No DNS leak.

How did you test for DNS leaks?


Both https://www.dnsleaktest.com/results.html and https://mullvad.net/sv/check

And what exactly is the result?
Which DNS server do they tell you?

- Connected to the Flint 2 WireGuard server:
172.69.235.71 - Cloudflare - Osaka, Japan.

Using Mullvad VPN
Leaking DNS servers
No WebRTC leaks

- Connected to the Flint 2 by LAN cable on the router:
185.213.154.69 - 31173 Services AB - Gothenburg, Sweden

Using Mullvad VPN
No DNS leaks
No WebRTC leaks

The laptop gets DNS leaks and is using WireGuard on Win 11.
The PC doesn't get any leaks.
Hope this helps explain a bit.

Having an identical issue with matching configs, any luck finding a solution?

I am currently auditing the OpenWrt/LuCI configs to see how "VPN cascading" changes firewall settings and the like. I do see that per the docs it is typical to use policy-based routing for this, but right off the bat I can see that is not what GL.iNet is doing, because "/etc/config/pbr" does not exist.

For reference: stangri's OpenWrt Packages Documentation (docs.openwrt.melmac.net).

Note: the VPN cascading docs should have some brief notes on how it is implemented on the back end, IMO.

Progress: when clicking "enable vpn cascading", one single line in /etc/config/firewall is changed: under config forwarding 'wgserver2ovpnclient', option enabled '0' becomes option enabled '1'.
(To recreate the test, turn off cascading, copy /etc/config/firewall to /etc/config/firewall_no_cascade, turn on cascading, then run: diff -y /etc/config/firewall_no_cascade /etc/config/firewall)

A FEW THOUGHTS:

  1. There is no "wgserver2wgclient" or "ovpnserver2ovpnclient", so the 'wgserver2ovpnclient' indicates to me that cascading was only designed for a wgserver through to an ovpnclient. Perhaps accidentally? Update: wg>ovpn did not fix DNS leaks.
  2. I have "Block Non-VPN Traffic" turned on in the global VPN options for all LAN to use the wgClient, so perhaps just sending the wgServer traffic to LAN would achieve cascading effects? I could use the server to access all my local services, and naturally outbound traffic would be caught by the kill switch? Update: tried this with many different firewall configs... no luck.

UPDATE!

Fixed?
OK, so when GL.iNet generates a WG server config, it assigns a DNS for the [Interface]. For me this was DNS = 64.6.64.6,10.0.0.1, which causes Google/Cloudflare DNS services to explicitly kick in.

Solution: change your WG server conf DNS to use the same DNS as your WG client's.
You will then be using the DNS of your VPN provider.

Note: I feel like I have located the core issue here, but would like to go a step further, ensuring that the tunnel AND DNS are encrypted.
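As an added example (not code from GL.iNet or from anyone in this thread), the check and fix from the last post above in script form: parse the peer config the Flint 2 WG server hands to the laptop, list every resolver in its [Interface] DNS line that is not the resolver of the router's own WG client, and rewrite the DNS line to match. Both configs inside the script are constructed; the 64.6.64.6,10.0.0.1 pair is the value the poster reported, while 10.64.0.1 as the provider's in-tunnel resolver, the key placeholders and the endpoints are assumptions. Treating 10.0.0.1 as a resolver to replace follows the poster's fix, which swapped out the whole list.

```python
"""Check and fix the [Interface] DNS line of a WireGuard peer config.

Added example, not GL.iNet's code. A resolver that is not the WG client's
own is queried through the cascade by a third party, which is what a DNS
leak test reports. Sample configs are constructed; 10.64.0.1 is an assumed
provider resolver, 64.6.64.6,10.0.0.1 is the pair reported in the thread.
"""

# Constructed: the peer config the Flint 2 WG server generated for the laptop.
SERVER_PEER_CONF = """\
[Interface]
PrivateKey = LAPTOP_PRIVATE_KEY_PLACEHOLDER
Address = 10.0.0.2/24
DNS = 64.6.64.6,10.0.0.1

[Peer]
PublicKey = FLINT_SERVER_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = flint.example.com:51820
PersistentKeepalive = 25
"""

# Constructed: the router's own WG client config toward the VPN provider.
CLIENT_CONF = """\
[Interface]
PrivateKey = FLINT_CLIENT_PRIVATE_KEY_PLACEHOLDER
Address = 10.65.1.2/32
DNS = 10.64.0.1

[Peer]
PublicKey = PROVIDER_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = provider.example.net:51820
"""


def parse_wg_conf(text):
    """Minimal parser for WireGuard's INI-like .conf format.
    Returns {"Interface": {k: v}, "Peer": [{k: v}, ...]}; [Peer] may repeat."""
    sections = {"Interface": {}, "Peer": []}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip()
            if name == "Peer":
                current = {}
                sections["Peer"].append(current)
            elif name == "Interface":
                current = sections["Interface"]
            else:
                current = {}                   # unknown section: parse, ignore
            continue
        if "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections


def dns_list(conf_text):
    """Resolvers the WireGuard client will install from [Interface] DNS."""
    dns = parse_wg_conf(conf_text)["Interface"].get("DNS", "")
    return [d.strip() for d in dns.split(",") if d.strip()]


def leaking_resolvers(peer_conf_text, tunnel_dns):
    """Resolvers in the peer config other than the WG client's own."""
    allowed = set(tunnel_dns)
    return [d for d in dns_list(peer_conf_text) if d not in allowed]


def rewrite_dns(conf_text, new_dns):
    """Return conf_text with the [Interface] DNS line set to new_dns;
    every other line is kept as-is, and a line is inserted if none existed."""
    out, in_interface, done = [], False, False
    new_line = "DNS = " + ", ".join(new_dns)
    for raw in conf_text.splitlines():
        stripped = raw.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            if in_interface and not done:      # [Interface] had no DNS line
                out.append(new_line)
                done = True
            in_interface = stripped == "[Interface]"
        elif in_interface and stripped.split("=", 1)[0].strip() == "DNS":
            out.append(new_line)
            done = True
            continue
        out.append(raw)
    if in_interface and not done:
        out.append(new_line)
    return "\n".join(out) + "\n"


def fix_peer_conf(peer_conf_text, client_conf_text):
    """The thread's fix: make the peer config use the WG client's DNS."""
    return rewrite_dns(peer_conf_text, dns_list(client_conf_text))


if __name__ == "__main__":
    tunnel_dns = dns_list(CLIENT_CONF)
    print("WG client resolver(s):", tunnel_dns)
    print("resolvers that bypass it:", leaking_resolvers(SERVER_PEER_CONF, tunnel_dns))
    fixed = fix_peer_conf(SERVER_PEER_CONF, CLIENT_CONF)
    print("after fix:", leaking_resolvers(fixed, tunnel_dns))
    print(fixed)
```

Run it against the real files (the exported peer config and the WG client config from the router) by replacing the two constructed strings with their contents; the rewritten config keeps keys, AllowedIPs and Endpoint untouched, so only the resolver changes. Whether AdGuard Home on the LAN address belongs in the list depends on where its upstream goes, which the thread does not establish.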