Flint 3 4.8.1 VPN+AdguardHome+NextDNS= IP LEAK

I just received my Flint 3 and I decided to try 4.8.1 beta.
I turned ON a VPN tunnel (tried OpenVPN and WireGuard - I currently use Proton) and I enabled AdGuard Home using NextDNS as upstream DNS servers (tried H3, QUIC, TLS).
Doing some DNS leak tests on BrowserLeaks and DNSLeakTest, everything seems fine, BUT one thing bothers me: in the NextDNS logs I see that my requests come from my WAN (my real IP) instead of my VPN tunnel.

I also tried this on my Flint 2 with 4.8.0 beta and had the same IP leak on NextDNS.

Then I tried reverting to 4.7.14 and everything works as expected: in my NextDNS logs I see my VPN tunnel address instead of my real IP...

Hi,

To be brief, I tested it on Flint 3 v4.8.1 firmware and could not reproduce this issue. Please let me know what features you enabled and configured, or how to reproduce it.

1. Enable WireGuard Client using Proton VPN
2. Enable ADG and set my NextDNS as the only upstream DNS server. The screenshot is DoT (TLS).
3. Check in the NextDNS log that the source IP is the Proton VPN server (my profile) and that no DNS leakage is found
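Step 3 above relies on the upstream's log to tell you which address it saw. A check that can be run on the router itself, before looking at the resolver's logs, is whether the route to AdGuard Home's upstream leaves through the VPN tunnel interface or through the WAN. The script below is an added example, not code from the thread or from GL.iNet; the upstream address 203.0.113.53, the interface names (eth0 for WAN, wgclient for the tunnel) and the `ip route get` output samples are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): on an OpenWrt-based router, see which
# interface carries traffic to AdGuard Home's upstream resolver. If the egress
# device is the WAN (e.g. eth0) instead of the VPN tunnel (e.g. wgclient), the
# upstream sees the real WAN IP, which is the leak described in the thread.
# Interface names and the upstream address are assumptions; adjust them.

# egress_dev "<output of ip route get>" -> prints the "dev" field (egress interface)
egress_dev() {
    printf '%s\n' "$1" | sed -n 's/.* dev \([^ ]*\).*/\1/p' | head -n 1
}

# classify_dev <egress-dev> <tunnel-dev> -> "ok" if egress is the tunnel, else "leak"
classify_dev() {
    if [ "$1" = "$2" ]; then echo ok; else echo leak; fi
}

# check_upstream <upstream-ip> <tunnel-dev>: live check using `ip route get`.
# Returns 0 when the upstream is reached through the tunnel, 1 on a leak,
# 2 when the kernel has no route at all.
check_upstream() {
    route="$(ip route get "$1" 2>/dev/null)" || { echo "no route to $1"; return 2; }
    dev="$(egress_dev "$route")"
    verdict="$(classify_dev "$dev" "$2")"
    echo "$1 via $dev: $verdict"
    [ "$verdict" = ok ]
}

# Constructed sample outputs (not captured from a real device) for offline use:
# the first shows the WAN carrying the upstream query, the second the tunnel.
SAMPLE_LEAK="203.0.113.53 via 192.0.2.1 dev eth0 src 192.0.2.10 uid 0
    cache"
SAMPLE_OK="203.0.113.53 dev wgclient src 10.2.0.2 uid 0
    cache"

# Live usage on the router (uncomment):
# check_upstream 203.0.113.53 wgclient
```

The route is a point-in-time answer, so with the multi-WAN failover setup mentioned later in the thread it is worth re-running after a failover event; it also does not cover the case where AdGuard Home binds its upstream connections to a specific interface.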



Those are the right settings.
However, my LAN1 port is set to WAN and I have a multi-WAN setup in failover mode.
EDIT: In AdGuard Home I've chosen "parallel requests" instead of "load balancing". Please also try using H3 and QUIC, as they seem to be the cause of the leak.

Well, I will test again.

Edit: looks like it reproduces; will check further to confirm.

Edit 2: R&D found that H3 is not supported; will check further.
Is it possible to temporarily remove H3 and use HTTPS, QUIC and TLS?

2 Likes

From what I've experienced, H3 and QUIC basically make the leak appear instantly.
But it also happens even using TLS, the only difference being that it seems to require more connection time to appear.

1 Like

So, after further testing, the issue is really easily replicable on my side with both Flint 3 and Flint 2.
All protocols cause leaks in AdGuard Home, with HTTPS being the least affected (requires more connection time and has fewer leaks).
Basically AdGuard Home is totally unreliable in this state...

Thanks for the update!

Yes, we have also reproduced this issue on other router models. R&D will fix this issue and sync it to the SDK for all models.

R&D has updated the code to resolve the issue, and the next version will be reorganized.
The test firmware is undergoing DNS stress tests.

Thank you again for your test!

3 Likes

Amazing, thank you!

You are asking an awful lot of a consumer-grade device. You should probably have a PC set up with Proxmox and OPNsense, and use this Flint 3 as a Wi-Fi AP and maybe a Tailscale server.

1 Like

Why do you say that? Please elaborate.

Yikes, does this affect the Beryl AX too? I thought I was seeing some funny things when playing around with some DNS leak sites as well.

Yes, very sorry, it affects the v4.8.0 firmware of the Beryl AX. R&D has submitted the fix code, and it will be improved in the next version.

1 Like

Wowsers. I thought GL.iNet's quality testing would be better than this. Is it not safe and secure to use 4.8? What can I do in the meantime to secure the router without downgrading the firmware?

If the Beryl AX stays on v4.8.0 firmware, you can temporarily disable ADG, or not use ADG's encrypted DNS and use the encrypted DNS in the GL GUI instead.

1 Like

If I use a VPN app on my phone connected to the Beryl AX, will I be safe?

When can we expect a fix to be ready?

Safety.

The fix code has been submitted, and the next firmware version will improve this issue.

1 Like

When? Improve? You mean it'll be fixed for good?

In the next two weeks.
Yes.

1 Like

Just tried firmware 4.8.1 (2025-08-20); it seems that the issue has been completely resolved!
Also, the average DNS resolution time has gone back to being low; I forgot to mention that it was crazy high with the previous firmware (70-100 ms).

1 Like

I just planned to sync this message. I didn't expect you to find out first! :wink:

1 Like