Wireguard Client VPN not using DNS

Tommy_Tom_123

New Around Here
Hi all,

I am currently using a RT-AX86u router running the latest Merlin 3004.388.8_2 firmware. I am using the Wireguard VPN client feature to have two devices tunnelling all their traffic over this VPN connection, which works great. The only issue I am facing is that these clients somehow use a mix of the local DNS as well as the DNS from the VPN server.

Configuration: Wireguard Profile that has a DNS configured in it (which is correctly read by AsusWRT Merlin, as it automatically fills the 'DNS server (optional)' field when loading in the Wireguard Profile). No further VPN profiles active, no DNS Director. The clients in question are a Chromecast with Google tv, and a Samsung TV.

Expected behaviour: the clients that are directed to use the VPN-Client feature should (only!) use the DNS server from the VPN profile.

Actual behaviour: The clients use both the local and the VPN DNS according to DNS leak websites.

What I have tried to fix it so far:
- Use this VPN profile on a different device --> iPhone with Wireguard app. I tried this exact VPN profile and here it forces the device to use the DNS server from the VPN tunnel.
- Remove and reload VPN profile and Client in the router
- Use DNS Director to try to force the VPN DNS server on these clients
- Use VPN director to force this profile on my laptop to see if perhaps my clients are stubborn (but DNS leak also happens on this laptop)
- Disabling AIProtection
- Reboot router
- Reinstall router from scratch

I saw similar posts on this forum where disabling DNS Director was the solution, but I am not using that feature in the first place.
Am I doing something wrong here, could this be a bug or is this working as designed?

Any help is much appreciated!
 
Could your clients be using a privacy DNS protocol? DNS-over-HTTPS (DoH) is quite common and the router cannot detect/stop/redirect all of these.
It may function very differently if the VPN is used on the client device.

Try looking in your device's settings to turn off DNS privacy.

edit: If you haven't done so already, setting "Prevent client auto DoH" to Yes in your router GUI (WAN -> Internet Connection -> WAN DNS Setting) may help you.
 
Thank you for your help!

I do not suspect that to be the cause: all the DNS requests that are not going through the VPN tunnel are going through the router (and not e.g. to Google if that was hardcoded). I just checked with a fresh Win11 laptop with all secure DNS features turned off, and I could replicate the problem.

Would you have any further ideas?
 
On the Samsung TV you should be able to go into its network settings and set the DNS on the TV - that should fix that one. The Chromecast with Google TV - unless things have changed, the only way to get that to use any DNS other than what's built in (it won't use DNS suggested by DHCP) is to use DNS Director. If things have changed, then it's likely that Google have tightened things up even further; you might be able to get an idea of what is going on using the System Log > Connections page in the WebUI.
 
Hi, thanks!

This might be a lead: both devices (192.168.0.130 and .131) apparently do send out some requests to the VPN DNS server, which is IP 10.151.112.1, but the majority get the status “unreplied”. Maybe the DNS server does not reply, or not in time, causing the router to resolve the requests locally. Weirdly enough I have 0 of such issues with other devices connected to this VPN.
 

Attachments

  • IMG_0771.jpeg
    IMG_0771.jpeg
    101.7 KB · Views: 12
Maybe the DNS server does not reply, or not in time, causing the router to resolve the requests locally.
That's not really the way this should work.
Wireguard redirects DNS using the router firewall. So all packets from your .130 & .131 IPs with destination port 53 should be DNATed (destination address changed) to the WG DNS. The router doesn't know if it works or not. If the WG DNS is not responding, it should appear as a broken connection on the client.

So, how could your clients send DNS requests to the router and seemingly bypass this rule? IPv6 usage is one reason.
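The DNAT check described in the reply above, as a script added here (it is not from the thread or from the Merlin firmware): it parses captured `iptables -t nat -S` output for the client IPs and tunnel DNS from this thread and reports which clients lack a port-53 DNAT for UDP or TCP, plus whether the IPv6 nat table has any port-53 rule at all. The sample rule text below is constructed; chain names and rule layout are assumptions, not taken from Merlin's source.

```python
import re

# Constructed sample of `iptables -t nat -S` output (hypothetical layout):
# .130 is fully covered, .131 is missing the TCP/53 rule on purpose.
SAMPLE_NAT_RULES = """\
-P PREROUTING ACCEPT
-A PREROUTING -s 192.168.0.130/32 -p udp -m udp --dport 53 -j DNAT --to-destination 10.151.112.1
-A PREROUTING -s 192.168.0.130/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 10.151.112.1
-A PREROUTING -s 192.168.0.131/32 -p udp -m udp --dport 53 -j DNAT --to-destination 10.151.112.1
"""

# Matches a per-source DNAT of port 53 in iptables-save syntax.
RULE_RE = re.compile(
    r"-A \S+ -s (?P<src>[\d.]+)/32 -p (?P<proto>udp|tcp) .*--dport 53 "
    r"-j DNAT --to-destination (?P<dst>[\d.:]+)"
)


def dns_dnat_coverage(nat_rules, clients, expected_dns):
    """Return {client: {"udp": bool, "tcp": bool}}: True when port-53 traffic
    from that client is DNATed to expected_dns (port suffix ignored)."""
    cover = {c: {"udp": False, "tcp": False} for c in clients}
    for line in nat_rules.splitlines():
        m = RULE_RE.search(line)
        if m and m["src"] in cover and m["dst"].split(":")[0] == expected_dns:
            cover[m["src"]][m["proto"]] = True
    return cover


def leak_findings(nat_rules, nat6_rules, clients, expected_dns):
    """List human-readable gaps: missing IPv4 DNAT per client/protocol, and an
    IPv6 table with no port-53 handling (the bypass the reply points at)."""
    findings = []
    for client, protos in dns_dnat_coverage(nat_rules, clients, expected_dns).items():
        for proto, ok in protos.items():
            if not ok:
                findings.append(f"{client}: {proto}/53 not DNATed to {expected_dns}; "
                                "plain DNS can reach the router's resolver")
    if "--dport 53" not in nat6_rules:
        findings.append("IPv6 nat table has no port-53 rule; dual-stack clients "
                        "can resolve over IPv6 outside the tunnel")
    return findings


if __name__ == "__main__":
    # On the router: feed the real output of `iptables -t nat -S` and
    # `ip6tables -t nat -S` (if present) instead of the constructed sample.
    for f in leak_findings(SAMPLE_NAT_RULES, "", ["192.168.0.130", "192.168.0.131"], "10.151.112.1"):
        print(f)
```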
 

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top