Wireguard Client VPN not using DNS

[Tommy_Tom_123]

Hi all,

I am currently using a RT-AX86u router running the latest Merlin 3004.388.8_2 firmware. I am using the Wireguard VPN client feature to have two devices tunning all their traffic over this VPN connection, which works great. The only issue I am facing is that these clients somehow use a mix of the local DNS as well as the DNS from the VPN server.

Configuration: Wireguard Profile that has a DNS configured in it (which is correctly read by AsusWRT Merlin, as it automatically fills the 'DNS server (optional)' field when loading in the Wireguard Profile). No further VPN profiles active, no DNS Director. The clients in question are a Chromecast with Google tv, and a Samsung TV.

Expected behaviour: the clients that are directed to use the VPN-Client feature should (only!) use the DNS server from the VPN profile.

Actual behaviour: The clients use both the local, and the VPN DNS according to DNS leak websites

What I have tried to fix it so far:
- Use this VPN profile on a different device --> Iphone with Wireguard app. I tried this exact VPN profile and here it forces the device to use the DNS server from the VPN tunnel.
- Remove and reload VPN profile and Client in the router
- Use DNS Director to try to force the VPN DNS server on these clients
- Use VPN director to force this profile on my laptop to see if perhaps my clients are stubborn (but DNS leak also happens on this laptop)
- Disabling AIProtection
- reboot router
- Reinstall router from scratch

I saw similar posts on this forum where disabling DNS Director was the solution, but I am not using that feature in the first place.
Am I doing something wrong here, could this be a bug or is this working as designed?

Any help is much appreciated!

 

[ZebMcKayhan]

Hi all,

I am currently using a RT-AX86u router running the latest Merlin 3004.388.8_2 firmware. I am using the Wireguard VPN client feature to have two devices tunning all their traffic over this VPN connection, which works great. The only issue I am facing is that these clients somehow use a mix of the local DNS as well as the DNS from the VPN server.

Configuration: Wireguard Profile that has a DNS configured in it (which is correctly read by AsusWRT Merlin, as it automatically fills the 'DNS server (optional)' field when loading in the Wireguard Profile). No further VPN profiles active, no DNS Director. The clients in question are a Chromecast with Google tv, and a Samsung TV.

Expected behaviour: the clients that are directed to use the VPN-Client feature should (only!) use the DNS server from the VPN profile.

Actual behaviour: The clients use both the local, and the VPN DNS according to DNS leak websites

What I have tried to fix it so far:
- Use this VPN profile on a different device --> Iphone with Wireguard app. I tried this exact VPN profile and here it forces the device to use the DNS server from the VPN tunnel.
- Remove and reload VPN profile and Client in the router
- Use DNS Director to try to force the VPN DNS server on these clients
- Use VPN director to force this profile on my laptop to see if perhaps my clients are stubborn (but DNS leak also happens on this laptop)
- Disabling AIProtection
- reboot router
- Reinstall router from scratch

I saw similar posts on this forum where disabling DNS Director was the solution, but I am not using that feature in the first place.
Am I doing something wrong here, could this be a bug or is this working as designed?

Any help is much appreciated!

Could your clients be using a privacy dns protocol? DNS-over-https (DoH) is quite common and router cannot detect/stop/redirect all of these.
While it may function very differently if the vpn is used on the client device.

Try to look in your devices setting to turn off dns privacy.

edit: If you haven't done so already, in your router GUI "set Prevent client auto DoH" to Yes (WAN -> Internet connection -> WAN DNS Setting) may help you.

 

[Tommy_Tom_123]

Could your clients be using a privacy dns protocol? DNS-over-https (DoH) is quite common and router cannot detect/stop/redirect all of these.
While it may function very differently if the vpn is used on the client device.

Try to look in your devices setting to turn off dns privacy.

edit: If you haven't done so already, in your router GUI "set Prevent client auto DoH" to Yes (WAN -> Internet connection -> WAN DNS Setting) may help you.

Thank you for your help!

I do not suspect that to be the cause: all the dns requests that are not going through the VPN tunnel, are going through the router (and not e.g. to google if that was hardcoded). I just checked with a fresh Win11 laptop with all secure DNS features turned off, and I could replicate the the problem.

Would you have any further ideas?

 

[Crimliar]

On the Samsung TV you should be able to go into it's network settings and set the DNS on the TV - that should fix that one. The Chromecast with Google TV - unless things have changed, the only way to get that to use any DNS other than what's built in (it won't use DNS suggested by DHCP), is to use DNS Director. If things have changed, then it's likely that Google have tightened things up even further, you might be able to get an idea what is going on using the System Log>Connections page in the WebUI.

 

[ZebMcKayhan]

Would you have any further ideas?

The only way I could think of, is if you have enabled ipv6 on the router.

Not sure where Merlin fw currently is on ipv6 but your vpndirector rule only covers ipv4 so ipv6 data may go out wan.

 

[Tommy_Tom_123]

On the Samsung TV you should be able to go into it's network settings and set the DNS on the TV - that should fix that one. The Chromecast with Google TV - unless things have changed, the only way to get that to use any DNS other than what's built in (it won't use DNS suggested by DHCP), is to use DNS Director. If things have changed, then it's likely that Google have tightened things up even further, you might be able to get an idea what is going on using the System Log>Connections page in the WebUI.

Hi thanks!

This might be a lead: the both devices (192.168.0.130 and .131) apparently do send out some requests to the VPN DNS server, which is IP 10.151.112.1, but the majority gets the status “unreplied”. Maybe the DNS server does not reply, or not in time, causing the router to resolve the requests locally. Weirdly enough I have 0 of such issues with other devices connected to this VPN.

 

[ZebMcKayhan]

Maybe the DNS server does not reply, or not in time, causing the router to resolve the requests locally.

That's not really the way this should work.
Wireguard redirects dns using the router firewall. So all packets from your .130 & .131 ip with destination port 53 should be dnat (change destination address) to wg dns. The router doesn't know if it works or not. If wg dns is not responding it should appear as broken connection on the client.

So, how could your clients send dns requests to the router and seemingly bypass this rule? Ipv6 usage is one reason.

 

[Tommy_Tom_123]

That's not really the way this should work.
Wireguard redirects dns using the router firewall. So all packets from your .130 & .131 ip with destination port 53 should be dnat (change destination address) to wg dns. The router doesn't know if it works or not. If wg dns is not responding it should appear as broken connection on the client.

So, how could your clients send dns requests to the router and seemingly bypass this rule? Ipv6 usage is one reason.

I see, my internet connection indeed has a native ipv6 connection (which I do not wish to disable). Thanks for your help and information! Fingers crossed that in a future FW the DNS Director will cover both ipv4 and ipv6.

 

[ZebMcKayhan]

I see, my internet connection indeed has a native ipv6 connection (which I do not wish to disable). Thanks for your help and information! Fingers crossed that in a future FW the DNS Director will cover both ipv4 and ipv6.

Hopefully, but Ipv6 is tricky as the router is not handing out addresses, only prefix:es. the device self-assigns the rest and with various level of randomness. not easy to set up rules.

it would be possible to use mac address and setup custom firewall rules to block ipv6 from these specific clients to be forwarded / received but its not optimal.

The Wireguard Session Manager addon https://www.snbforums.com/threads/session-manager-4th-thread.81187/post-793726 have full support for IPv6 but requires you to setup ip rules for ipv4 and ipv6 to cover both (https://github.com/ZebMcKayhan/WireguardManager#create-rules-in-wgm) and if you have dynamic IPv6 you will find this problematic and work-arounds like mac-based ipset is alittle tricky (https://github.com/ZebMcKayhan/WireguardManager#create-and-setup-ipsets), (https://github.com/ZebMcKayhan/WireguardManager#managesetup-ipsets-for-policy-based-routing)

 

[Crimliar]

FYI: A quick check of device IP settings should show that by default the router does hand out an IPv6 DNS address. In my case though, that DNS address though is the routers' internet address and not it's local IPv6 address!

 

[ZebMcKayhan]

FYI: A quick check of device IP settings should show that by default the router does hand out an IPv6 DNS address. In my case though, that DNS address though is the routers' internet address and not it's local IPv6 address!

Yea, I cannot confirm as I only have ipv6 enabled on the router but not on my lan. But I could see in dnsmasq.conf:

dhcp-option=lan,option6:23,[::]

According to dnsmasq.conf man pages:

For IPv6, [::] means "the global address of the machine running dnsmasq", whilst [fd00::] is replaced with the ULA, if it exists, and [fe80::] with the link-local address.

my ISP provides me with both a global lan prefix and a global WAN ipv6 address. Wierd if dnsmasq chooses the WAN ipv6 and not br0 ipv6.

 

[Crimliar]

Im lazy, so I'm not even looking that deeply, just checking the details on my laptop WiFi connection shows the router IPv6 WAN ( ::1) address is also used for DNSv6

 

[Tom Jo-Jo Junior Shabadoo]

I am also facing a DNS problem with Google TV (I believe it started after a recent update of the Google TV (Walmart Onn Box)). I cannot get it to use the DNS of the tunnel on OpenVPN nor WireGuard. Static routes 8.8.8.8/8.8.4.4 enable/disabled, DNS director on/off, Prevent client auto DoH on/off/auto. Accept DNS Configuration Exclusive
It will always use the router, whatever is configured in the routers "DNS-over-TLS", AdGuard or Cloudflare etc.

 

[ZebMcKayhan]

It will always use the router, whatever is configured in the routers "DNS-over-TLS", AdGuard or Cloudflare etc.

Perhaps they have enabled mac randomization? So the box doesn't get the ip you once set for it, thus dodging your vpndirector rule and dns redirect?

It could be persistant, which means it's a product of your SSID and will always be the same mac on the same ssid.

Or it could be non-persistant and basically change mac every now and then even on the same network.

 

[Tom Jo-Jo Junior Shabadoo]

Perhaps they have enabled mac randomization? So the box doesn't get the ip you once set for it, thus dodging your vpndirector rule and dns redirect?

Hi,
The MAC stays consistent and picks up the IP reserved under DHCP settings.