  1. #1
    Join Date
    May 2022

    Angry PIA over VPN Tunnel is leaking DNS

    Hello Untanglers,

    I'm new here, recently moved from pfSense.

    EVERYTHING about Untangle so far is far better and easier and I'm very happy... except for the last (VERY important feature for me in my region) - VPN tunnel.

    I have tried EVERYTHING from what I have read on this and other forums, but I still have DNS leaks when using Untangle.

    3 interfaces (physical)
    Local (local IP)
    VPN (VPN IP)

    All connections from VPN interface are routed over the tunnel (confirmed)

    When I set up a VPN tunnel with PIA I get leaks (dnsleaktest).

    What's strange is I have used the SAME PIA config file on a mobile app (OpenVPN) and my Unraid server and there is no leak... meaning it has to be Untangle...

    The DNS server it displays is still from my ISP (I live in a country where I need to bypass this sometimes).

    I have tried overriding the DNS server at the interface level:
    VPN interface > DHCP configuration
    DNS override
    No success! Still ISP DNS.

    I have followed other posts' suggestions and made a port forward rule - no success...
    Protocol IS TCP AND UDP
    Destination port IS 53
    Source Interface IS "VPN interface"

    I have tried other small workarounds without success, and I want to understand the issue before I just start doing random bad practices.

    I can see many others have had the same issue, but I don't see a proper fix for this; everything seems to be "put a band-aid on the broken leg".

    Guys, be gentle on me, I'm by no means a networking guru... advanced home enthusiast at best.

    Thanks for the help, gents.

  2. #2
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Phoenix, AZ


    This always happens, and it happens for a very simple reason... DNS doesn't work the way you think it does! It works exactly as it's configured, and no amount of tunnel tomfoolery is going to change it!

    Your workstations are using a DHCP assignment to get online correct? This assignment by default makes Untangle the DNS server for them. Untangle is configured to use whatever DNS lands on its External interface for resolution.

    So, you spin up your tunnel, and traffic goes over it. But name resolution is happening in accordance with the above, that is to say DNSMasq on Untangle itself is handling the resolution, and it's doing so via the only mechanism it has... direct.

    If you want a specific client to use a DNS server over the tunnel you have to configure that specific client to USE a DNS server over the tunnel. There are several ways to do this, but all of them result in one problem... no DNS at all when the tunnel is down.

    Now you must have some grasp of all this, or you wouldn't be attempting to create a dedicated network to handle devices that need to behave this way. Which is a great idea I might add! And, you've configured things correctly from what I can see. You're overriding DHCP to hand out a specific DNS server, so the clients can use that!

    You're then backing that up with a port forward rule that enforces DNS resolution to that same address. That's also good.

    The problem? TCP and UDP 52 is indeed DNS, but it's not DoH or DoT. Worse... some things are hard coded to get home no matter what you do.

    But, I'd start with inspecting the IP configuration of a device on that VPN Connections network of yours, and make sure it's actually getting the expected DNS address.
    Rob Sandling, BS:SWE, MCP
    Phone: 866-794-8879 x201
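The reply above makes two points that are easy to check mechanically: DNS from the VPN network only stays inside the tunnel when the client's resolver is the tunnel resolver (queries sent to the gateway itself are answered by the gateway's own forwarder over the WAN), and a TCP/UDP 53 port-forward rule does nothing for DoT (853) or DoH (443). The script below is an added example written for this thread, not Untangle code or anything posted by the participants. It audits a handful of constructed connection records against an assumed topology (VPN-client subnet 10.20.0.0/24, gateway 10.20.0.1, tunnel interface `tun0`, provider resolver 198.51.100.10, and a hypothetical DoH endpoint 192.0.2.80; all addresses are made up) and shows the before/after of applying a port-53 redirect rule.

```python
"""Audit DNS-related flows from a VPN-only network segment.

Example written for this thread; topology and sample records are constructed.
Labels per flow:
  ok                   resolver is the tunnel resolver, egress is the tunnel
  leak-local-resolver  query sent to the gateway, which resolves it via the WAN
  leak-dns53           plain DNS to some other resolver outside the tunnel
  bypass-dot           DNS over TLS (TCP 853); a port-53 rule never sees it
  bypass-doh           HTTPS to a known DoH resolver; indistinguishable from web by port
  not-dns              anything else
  other-net            source is not on the VPN-client network
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address

# Assumed topology (constructed for this example).
VPN_CLIENT_NET = IPv4Network("10.20.0.0/24")      # dedicated "VPN" interface subnet
VPN_GATEWAY = ip_address("10.20.0.1")             # the firewall's own address on that subnet
TUNNEL_IFACE = "tun0"                             # egress interface of the provider tunnel
TUNNEL_DNS = {ip_address("198.51.100.10")}        # resolver reachable only inside the tunnel
KNOWN_DOH_RESOLVERS = {ip_address("192.0.2.80")}  # hypothetical DoH endpoint list


@dataclass(frozen=True)
class Flow:
    src: IPv4Address
    dst: IPv4Address
    proto: str
    dport: int
    egress: str


def parse_flow(line: str) -> Flow:
    """Parse one 'key=value' record, e.g. 'src=10.20.0.15 dst=10.20.0.1 proto=udp dport=53 egress=lan'."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    return Flow(ip_address(kv["src"]), ip_address(kv["dst"]),
                kv["proto"].lower(), int(kv["dport"]), kv["egress"])


def rewrite_port53(flow: Flow) -> Flow:
    """Model the port-forward rule from the thread: TCP/UDP 53 from the VPN
    network is redirected to the tunnel resolver. Assumes the rewritten flow is
    then routed out the tunnel, as the original post says all VPN-interface
    traffic is. Nothing on 853 or 443 is touched."""
    if flow.src in VPN_CLIENT_NET and flow.dport == 53 and flow.proto in ("tcp", "udp"):
        return Flow(flow.src, next(iter(TUNNEL_DNS)), flow.proto, 53, TUNNEL_IFACE)
    return flow


def classify(flow: Flow) -> str:
    """Label one flow according to whether name resolution stays inside the tunnel."""
    if flow.src not in VPN_CLIENT_NET:
        return "other-net"
    inside_tunnel = flow.dst in TUNNEL_DNS and flow.egress == TUNNEL_IFACE
    if flow.dport == 53 and flow.proto in ("tcp", "udp"):
        if inside_tunnel:
            return "ok"
        # The gateway answers from its own forwarder, i.e. via its WAN resolver.
        return "leak-local-resolver" if flow.dst == VPN_GATEWAY else "leak-dns53"
    if flow.dport == 853 and flow.proto == "tcp":
        return "ok" if inside_tunnel else "bypass-dot"
    if flow.dport == 443 and flow.dst in KNOWN_DOH_RESOLVERS:
        return "bypass-doh"
    return "not-dns"


def audit(lines, apply_rule: bool = False) -> dict:
    """Count labels over a batch of records, optionally with the port-53 rule applied first."""
    counts: dict = {}
    for line in lines:
        flow = parse_flow(line)
        if apply_rule:
            flow = rewrite_port53(flow)
        label = classify(flow)
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample records (not captured from any real system).
SAMPLE_LOG = [
    "src=10.20.0.15 dst=10.20.0.1 proto=udp dport=53 egress=lan",         # DHCP default: ask the gateway
    "src=10.20.0.15 dst=198.51.100.10 proto=udp dport=53 egress=tun0",    # client configured correctly
    "src=10.20.0.22 dst=203.0.113.53 proto=tcp dport=853 egress=eth0",    # DoT straight to the WAN
    "src=10.20.0.22 dst=192.0.2.80 proto=tcp dport=443 egress=tun0",      # DoH to a third-party resolver
    "src=10.20.0.22 dst=198.51.100.77 proto=tcp dport=443 egress=tun0",   # ordinary HTTPS
    "src=192.168.1.40 dst=203.0.113.53 proto=udp dport=53 egress=eth0",   # other LAN, out of scope
]

if __name__ == "__main__":
    print("without rule:", audit(SAMPLE_LOG))
    print("with rule:   ", audit(SAMPLE_LOG, apply_rule=True))
```

Running it shows the redirect rule turns the `leak-local-resolver` record into `ok` but leaves the DoT and DoH records exactly where they were, which is the gap the reply describes: a destination-port-53 rule cannot see resolution that never uses port 53.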

  3. #3
    Master Untangler
    Join Date
    Apr 2020
    United Kingdom


    Hi and welcome!

    I had a similar thing a while ago...

    My issue was that even when I put my VPN's DNS server address on the WAN interface (ie what Untangle would use for resolution) I still had a DNS leak. Only when the host had a manually configured DNS did it not leak. My only assumption was that somewhere along the line, if DNS requests went outside the tunnel, even if they pointed to the VPNs servers, maybe they were being re-written by an ISP etc.

    I haven't got a separate LAN just for VPN clients, I use Untangle to tag devices that need to go over the VPN. I then use this tag as the basis for a port-forward to re-write the DNS request. It's a bit hacky and doesn't solve the issues Rob has pointed out, but it works for me.

    What happens if you put the address into the host's network settings? Does it still leak?

    Screenshot 2022-05-16 at 20.25.27.png