DNS leaks via OpenVPN client config on ASUS Router

Posts: 1
Joined: Sun Jun 26, 2022 4:51 pm


Post by emizzle » Sun Jun 26, 2022 5:09 pm

Using the OpenVPN client of the latest Asus RT-AX88U firmware (NOT Merlin, OpenVPN v2.4.11, OpenSSL 1.1.1n), and testing for DNS leaks on https://ipleak.net, it seems there are leaks (shows WoodyNet IPs).

When I use the Tunnelblick OpenVPN client (OpenVPN v2.5.4, OpenSSL 1.1.1l), and repeat the same test on https://ipleak.net, I do not see any leaks.

I could be completely wrong, but it seems like DNS traffic is not getting tunnelled through the VPN when using only the router client. I'd ideally like to have any clients connecting to the router to have their DNS traffic tunnelled and use the TrackerSmacker. Does anyone know how to do this?

I then tried configuring WAN > DNS to,, and got the same result.

Configuring my local machine's DNS to didn't work, so I can't imagine assigning that in LAN - DHCP Server > DNS would help.

EDIT: Configured my local machine's DNS to (taken from https://cryptostorm.is/dns.txt) and it prevents leaks, but does this enable TrackerSmacker?

EDIT 2: I then set that server in LAN - DHCP Server > DNS, and it assigns my local machine's DNS to, (IP of my router). That eliminated some leaks but definitely not all. Maybe overriding the second DNS server is an option in Merlin? Happy to install that if it will help here.

Site Admin
Posts: 1275
Joined: Wed Feb 05, 2014 3:47 am

Re: DNS leaks via OpenVPN client config on ASUS Router

Post by parityboy » Fri Aug 26, 2022 7:02 am


I use pfSense on custom hardware as opposed to an ASUS router but I imagine the principles are the same. I configure my WAN DNS to but I also tell it which gateway to use, i.e. the gateway for the VPN, since the 10.x.x.x addresses are only available via the VPN link. If I remember rightly TrackerSmacker is only available on - I'm not sure that it is available on the DNS instances sitting on public IPs.

Once the VPN is up, you should be able to ping and from your laptop/PC. If you can't, those pings are NOT going over the VPN link. You can check that you are protected by Cryptostorm by going here.
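
A routing check to go with the ping test described above, as an added example that is not part of either post: it classifies each configured resolver by the interface its queries would leave on, using captured `ip route get <resolver>` output from the device running the OpenVPN client. It assumes Linux `ip route get` output and tunnel interfaces named tun*/tap*/utun*; the function names and every address are constructed placeholders, not cryptostorm's resolvers.

```python
import ipaddress
import re

# Assumption: OpenVPN tunnel interfaces are named tun*/tap* (utun* on macOS).
TUNNEL_IFACE = re.compile(r"^(tun|tap|utun)\d+$")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def nameservers(resolv_conf_text):
    """Return the nameserver addresses from resolv.conf-style text."""
    found = []
    for line in resolv_conf_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            found.append(fields[1])
    return found

def classify(resolver, route_line):
    """Classify a resolver from one line of `ip route get <resolver>` output."""
    dev = re.search(r"\bdev\s+(\S+)", route_line or "")
    if dev is None:
        return "unknown"
    if TUNNEL_IFACE.match(dev.group(1)):
        return "tunnel"            # queries leave through the VPN
    addr = ipaddress.ip_address(resolver)
    if not any(addr in net for net in RFC1918):
        return "leak"              # public resolver reached outside the VPN
    if re.search(r"\bvia\s+\S+", route_line):
        return "misrouted"         # private resolver sent to the WAN gateway
    return "local-forwarder"       # on-link box (router); check its upstream

def audit(resolv_conf_text, route_lines):
    """Map each configured resolver to its classification."""
    return {ns: classify(ns, route_lines.get(ns))
            for ns in nameservers(resolv_conf_text)}

# Constructed sample data: every address is a placeholder, not a real resolver.
RESOLV_CONF = """nameserver 192.168.1.1
nameserver 10.99.0.1   # stand-in for a VPN-internal resolver
nameserver 203.0.113.53
"""
ROUTES_VPN_DOWN = {
    "192.168.1.1": "192.168.1.1 dev eth0 src 192.168.1.50 uid 1000",
    "10.99.0.1": "10.99.0.1 via 192.168.1.1 dev eth0 src 192.168.1.50 uid 1000",
    "203.0.113.53": "203.0.113.53 via 192.168.1.1 dev eth0 src 192.168.1.50 uid 1000",
}

if __name__ == "__main__":
    for ns, verdict in audit(RESOLV_CONF, ROUTES_VPN_DOWN).items():
        print(f"{ns:15} {verdict}")
```

A "local-forwarder" verdict only moves the question to that box: its own upstream resolvers need the same check.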
