As I've mentioned several times in prior threads, you can't trust the results of these online leak testing tools when it comes to the router.
None of your clients are directly configured w/ *public* DNS servers. If you specify "Exclusive" on the OpenVPN client, and specify "Yes (all)" on the routing, then DNSMasq (acting as a local DNS proxy) will be reconfigured to *exclusively* use the DNS server(s) push'd by the OpenVPN server. OTOH, if you specify "VPN Director" on the routing, then one or more redirects are created in the firewall to route all port 53 DNS traffic from those bound to the VPN to one of the DNS servers push'd by the OpenVPN provider. Notice the client itself is never directly configured w/ the OpenVPN DNS server(s). Given that fact, I can't see how online leak testing tools can reliably determine which DNS servers are available to and/or accessed by the client. It's a completely different situation when the client is *directly* configured (i.e., on the client itself) w/ these DNS servers. And presumably the latter is the situation most expected from these online leak testing tools.
You determine the DNS server(s) push'd to the router's OpenVPN client by either (in the case of "Yes (all)" routing) checking the contents of /tmp/resolv.dnsmasq, or (in the case of "VPN Director" routing), checking the DNSVPN1 (or DNSVPN2, DNSVPN3, etc., as the case may be) chain in the NAT table.
Code:
iptables -t nat -vnL DNSVPN1
In my own case, that's 10.191.0.1.
Code:
admin@lab-merlin1:/tmp/home/root# iptables -t nat -vnL DNSVPN1
Chain DNSVPN1 (2 references)
pkts bytes target prot opt in out source destination
0 0 DNAT all -- * * 192.168.1.7 0.0.0.0/0 to:10.191.0.1
With that information in hand, the only way I've found to know w/ 100% accuracy what DNS servers are being used, and via which network interface, is to dump the port 53 traffic in connection tracking.
Code:
cat /proc/net/nf_conntrack | grep 'dport=53 '
When the client is actively generating DNS requests, you should see port 53 connections to the DNS server's IP address (in my case, 10.191.0.1). And you can verify it's using the VPN's network interface based on the second pair of src/dst IP addresses; the dst (destination) IP will be the OpenVPN client's assigned IP on the tunnel (iow, the reply is expected back over the tunnel since that's where the request was originally sent).
If you monitor connection tracking over time, that's the only DNS traffic you should see for those devices bound to the VPN. And you can safely ignore anything these online leak testing tools are telling you. Because connection tracking is *definitive* when it comes to this matter, regardless what anything else may be telling you to the contrary.
Is the above a rather tedious process? Yes. But imo it's far better for your peace of mind to investigate and understand the local operations of your router, then depend on the guesswork of some remote online testing tool. As far as I'm concerned, the latter is worthless.
