WireGuard VPN and DNS leaks

Hi,

I’m trying to create a manual WireGuard VPN connection, following the VPN provider’s instructions on how to use NetworkManager for this.

I have installed wireguard-tools. I have imported the WireGuard config file into NetworkManager using nmcli; the WireGuard connection was created and activated automatically, and everything seems to be working fine except for one thing.

There seems to be an issue with the DNS addresses. Since I need static IPs for my LAN connections, I’m configuring NetworkManager’s IPv4 connections manually on the LAN adapter’s profile. This means that I put specific addresses for a primary and a secondary DNS server in the LAN adapter’s profile.

The WireGuard config file contains the VPN’s DNS addresses. As a result, when I check for DNS leaks after the VPN connection is established, the check shows that both the LAN profile’s and the WireGuard profile’s DNS addresses are used. This of course means that there is a leak.

If I remove the DNS addresses from the LAN adapter’s profile and leave the WireGuard profile’s DNS addresses intact, no DNS connections are made at all, since the site names are not resolved.

If I use my gateway’s IP address as the DNS server in the LAN adapter’s profile, and again leave the WireGuard profile’s DNS addresses intact, the DNS leak test shows that the connection is using both my internet provider’s DNS servers and the VPN provider’s DNS servers. Leak again.

The only way to have no DNS leaks at all is to place the VPN provider’s DNS addresses in both the WireGuard and the LAN adapter’s NetworkManager profiles.

The only thing I haven’t tried yet is to remove the VPN’s DNS addresses from the WireGuard profile and just keep them in the LAN adapter’s profile. I figured that since they exist in the WireGuard config file, they have to remain there.

Is this the only way to create WireGuard connections that don’t leak DNS using NetworkManager? Do I have to place the DNS addresses provided by the VPN service in both the WireGuard and the LAN adapter’s NetworkManager profiles?

Thank you.

Does adjusting DNS priorities of connections help?

From your very long text it is still unclear what you want to achieve. If you want to only use the DNS servers from the VPN connection when this connection is active, set ipv4.dns-priority/ipv6.dns-priority to a negative value. Read man nm-settings and search for ipv4.dns-priority and ipv6.dns-priority.


I think you did set up a VPN and did run a DNS Leak test and saw the site indicated a DNS Leak.

What is a DNS leak and why should I care?

So I am not surprised that if you point the DNS servers to your provider there is a DNS leak.

@arvidjaar

I want NetworkManager to use the DNS servers I have put in the network adapter’s profile when the VPN is inactive.

The moment I activate the VPN connection though, it must switch to the VPN’s DNS only and not use the DNS addresses in the adapter’s profile at all, even if the VPN’s DNS servers go down for some reason.

Try negative values for VPN connections:
https://networkmanager.dev/docs/api/latest/settings-ipv4.html#:~:text=Negative%20values%20have%20the%20special%20effect%20of%20excluding%20other%20configurations

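To make the two replies above concrete (the dns-priority suggestion and the linked "negative values exclude other configurations" rule), here is an added example that is not part of the thread and not NetworkManager's own code. It does two things: it patches a NetworkManager keyfile for a WireGuard profile so that both [ipv4] and [ipv6] carry dns-priority=-200, and it models the selection rule from man nm-settings (0 means the default of 50 for VPN profiles and 100 for other profiles; once any active profile has a negative priority, only the profiles sharing the lowest value contribute DNS servers) against the poster's two profiles. The keyfile contents, profile names, key placeholders and DNS addresses are all constructed for the example; the real file lives under /etc/NetworkManager/system-connections/ and is normally edited with nmcli connection modify rather than by hand.

```python
"""Added example: model NetworkManager's dns-priority rule and patch a keyfile.

Not code from the thread or from NetworkManager. The rule implemented in
effective_dns() follows `man nm-settings`; everything else is constructed.
"""
import configparser
import io

# Constructed keyfile resembling what `nmcli connection import type wireguard`
# writes. Keys and addresses are placeholders, not real values.
WG_KEYFILE = """\
[connection]
id=wg0
type=wireguard
interface-name=wg0

[wireguard]
private-key=PLACEHOLDER_PRIVATE_KEY

[wireguard-peer.PLACEHOLDER_PEER_PUBLIC_KEY]
endpoint=vpn.example.invalid:51820
allowed-ips=0.0.0.0/0;

[ipv4]
method=manual
address1=10.64.0.2/32
dns=10.64.0.1;
dns-priority=0

[ipv6]
method=disabled
"""


def _parser() -> configparser.ConfigParser:
    # NetworkManager keyfiles use GLib key=value syntax; keep key case as-is
    # and disable interpolation so '%' in values is never mangled.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str
    return cp


def set_dns_priority(keyfile_text: str, priority: int) -> str:
    """Return the keyfile with dns-priority set in every [ipv4]/[ipv6] section."""
    cp = _parser()
    cp.read_string(keyfile_text)
    for section in ("ipv4", "ipv6"):
        if cp.has_section(section):
            cp.set(section, "dns-priority", str(priority))
    out = io.StringIO()
    cp.write(out, space_around_delimiters=False)  # emit plain key=value lines
    return out.getvalue()


def read_dns_priority(keyfile_text: str, section: str = "ipv4") -> int:
    """Read dns-priority from a section; a missing key means the default 0."""
    cp = _parser()
    cp.read_string(keyfile_text)
    return cp.getint(section, "dns-priority", fallback=0)


def effective_dns(active_profiles: list) -> list:
    """Which DNS servers NetworkManager hands to the resolver.

    Each profile is a dict: name, vpn (bool), priority (int), dns (list).
    Rule from man nm-settings: 0 -> 50 for VPN, 100 otherwise; if any active
    profile is negative, only profiles with the lowest value are used.
    """
    def effective(p: dict) -> int:
        if p["priority"] != 0:
            return p["priority"]
        return 50 if p["vpn"] else 100

    ranked = {p["name"]: effective(p) for p in active_profiles}
    if any(value < 0 for value in ranked.values()):
        lowest = min(ranked.values())
        chosen = [p for p in active_profiles if ranked[p["name"]] == lowest]
    else:
        chosen = list(active_profiles)  # non-negative priorities merge
    servers = []
    for p in sorted(chosen, key=lambda p: ranked[p["name"]]):
        for server in p["dns"]:
            if server not in servers:
                servers.append(server)
    return servers


# The poster's two profiles (constructed addresses): a LAN profile with static
# DNS, and the WireGuard profile. Whether NM classes a WireGuard profile as VPN
# for the default does not change the outcome, since non-negative values merge.
LAN_PROFILE = {"name": "eth0-static", "vpn": False, "priority": 0,
               "dns": ["192.168.1.1", "192.168.1.2"]}


def wg_profile(priority: int) -> dict:
    return {"name": "wg0", "vpn": True, "priority": priority, "dns": ["10.64.0.1"]}


if __name__ == "__main__":
    print("default priorities:", effective_dns([LAN_PROFILE, wg_profile(0)]))
    print("wg0 at -200:       ", effective_dns([LAN_PROFILE, wg_profile(-200)]))
    print(set_dns_priority(WG_KEYFILE, -200))
```

With the default priorities the model returns both the VPN and the LAN servers, which is exactly the "both are used" result the leak test reported; with wg0 at -200 only 10.64.0.1 remains, and the LAN servers come back as soon as wg0 is deactivated. The same change via the supported interface is `nmcli connection modify wg0 ipv4.dns-priority -200 ipv6.dns-priority -200`, followed by reactivating the profile.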

@arvidjaar @jsulig

Modifying the ipv4.dns-priority parameter to -200 does the job indeed. Thank you both for your answers.
