I have one VLAN set up where all of the traffic is routed over VPN to ensure my ISP can’t see my data. When I connect my computer to that VLAN, I search “what is my IP” and my address is definitely the VPN address. Then I go to check “DNS Leaks” and it displays Cloudflare’s servers rather than my VPN address. Does anybody know how to solve this issue so that there aren’t any leaks and the DNS leak test will show my VPN address as well?
I went to my regular LAN that isn’t routed over VPN and then downloaded the VPN client on my computer. I connected via the client to the VPN and performed the DNS leak test; the DNS server was reported as the same as my VPN IP address, which is awesome, meaning there weren’t any leaks. Any suggestions are welcome as I have tried many things. Is this even an issue or does it not really matter?
Your DNS requests are using the firewall resolver, aka the IP address of the VPN VLAN interface, which again uses the WAN gateway, not your ‘VPN-WAN gateway’.
Try the following:
- Add your VPN DNS servers in DHCP options for the ‘VPN VLAN’ DHCP server.
  If this is not enough (if DNS addresses are hardcoded on your devices in your VPN VLAN), create an alias consisting of the IP addresses of the VPN DNS servers. Name it something like ‘alias_vpn_dns’ and you can use this alias in a redirect rule.
- Throw up another DNS server on your VPN VLAN (may I suggest pihole?). Make the pihole use your VPN DNS as upstream. Then:
- Add a DNS redirect for interface ‘vpn vlan’, source ‘vpn vlan net’, TCP/UDP:53, !alias_vpn_dns, and redirect to the pihole IP.
- (Instead of using pihole: add another DNS service on your pfSense (BIND? Unbound?) which goes out on the VPN gateway, use another DNS port, 5353, and redirect requests to !alias_vpn_dns to this instead: 127.0.0.1:5353.)
- To further granulate your firewall rules for the VPN VLAN:
  - pass any:any TCP/UDP:53 alias_vpn_dns with gw ‘vpn-WAN’ on your vpn-vlan interface
  - (pass any:any TCP/UDP:5353 VLAN VPN address with gw ‘vpn-WAN’ on your vpn-vlan interface)
  - reject any:any TCP/UDP:53 !alias_vpn_dns * on your vpn-vlan interface
Hopefully this will get you in the right direction.
It was a pain writing this on mobile, hope it helps!
Edit: some spelling, some formatting
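To make the rule order above concrete, here is an added Python model of the redirect-plus-filter policy from that reply (my own example, not anything the poster wrote or pfSense's own code). The VLAN addressing, the alias contents, the loopback resolver on 5353 and the catch-all pass rule are constructed assumptions; pf applies NAT redirects before filter rules, which is what the model mirrors.

```python
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Optional, Tuple

# Constructed, hypothetical addressing for the 'VPN VLAN' (not from the thread).
VPN_VLAN_NET = ip_network("10.20.0.0/24")                          # 'vpn vlan net'
VPN_VLAN_ADDR = ip_address("10.20.0.1")                            # pfSense address on the VLAN
ALIAS_VPN_DNS = {ip_address("10.8.0.1"), ip_address("10.8.0.2")}   # 'alias_vpn_dns'
LOCAL_DNS = (ip_address("127.0.0.1"), 5353)                        # Unbound tied to the VPN gateway

@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: str   # "tcp" or "udp"
    dport: int

def redirect(pkt: Packet) -> Packet:
    """NAT redirect on 'vpn vlan': src 'vpn vlan net', tcp/udp:53, dst !alias_vpn_dns -> 127.0.0.1:5353.
    pf evaluates NAT before the filter rules, so the filter sees the rewritten packet."""
    if (pkt.src in VPN_VLAN_NET and pkt.proto in ("tcp", "udp")
            and pkt.dport == 53 and pkt.dst not in ALIAS_VPN_DNS):
        return replace(pkt, dst=LOCAL_DNS[0], dport=LOCAL_DNS[1])
    return pkt

def filter_rule(pkt: Packet) -> Tuple[str, Optional[str]]:
    """Filter rules on the vpn-vlan interface, first match wins: returns (action, gateway)."""
    if pkt.proto in ("tcp", "udp") and pkt.dport == 53 and pkt.dst in ALIAS_VPN_DNS:
        return "pass", "vpn-WAN"                 # queries to the VPN DNS servers ride the tunnel
    if pkt.proto in ("tcp", "udp") and pkt.dport == 5353 and pkt.dst in (VPN_VLAN_ADDR, LOCAL_DNS[0]):
        return "pass", "vpn-WAN"                 # to the firewall's own resolver (loopback assumed accepted)
    if pkt.proto in ("tcp", "udp") and pkt.dport == 53:
        return "reject", None                    # any other DNS destination is blocked: no leak path
    return "pass", "vpn-WAN"                     # assumed catch-all: everything else on the VLAN uses the VPN

def dns_path(src: str, dst: str, proto: str, dport: int, redirect_on: bool = True) -> str:
    """Where a client's query ends up under the policy (redirect_on=False shows the reject backstop)."""
    pkt = Packet(ip_address(src), ip_address(dst), proto, dport)
    if redirect_on:
        pkt = redirect(pkt)
    action, gw = filter_rule(pkt)
    if action == "reject":
        return "rejected"
    if (pkt.dst, pkt.dport) == LOCAL_DNS:
        return "local-resolver-over-vpn"
    return f"{pkt.dst}:{pkt.dport} via {gw}"
```

Note that the redirect only catches plain port 53; a client using DNS over TLS on 853 is not captured, though it still leaves via the VPN gateway under the catch-all rule.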
Do you have DNS forwarding turned on?
You also should create a /32 static route to your public DNS servers aimed at your WireGuard tunnel gateway so that DNS lookups are encrypted by riding over your tunnel.
The hardcoding dns servers in dhcp options worked. You are amazing. Thank you for the help. I am definitely a noob but I just learnt something that will come in handy for a long time! 
Nice to see such a thorough and useful reply to this; they’re becoming few and far between in general. I’m not even affected by this but I learned something. Thank you.
Haha dude you’re awesome! Will try this when I get home. On mobile as well right now haha
I do not. I have resolver turned on.
What are the exact steps for this? I would love to
I agree. He is awesome! Hard to find these days