Please Help - How to: WireGuard VPN without DNS leaks AND local DNS

Recently I setup WireGuard as a privacy VPN on my pfSense router. Unfortunately I still have some problems with my local DNS. Namely, I can’t reach the pfSense admin panel by domain name, but the IP works.

My setup: I’m using WireGuard instead of OpenVPN, which works as expected. However, I am not sure which DNS servers to specify, and the location of the settings is also questionable for me. If I set up the DNS server addresses of my specific VPN provider in the DHCP service (on the specific network/VLAN) and therefore override the DNS servers on the general settings page, I don’t have any DNS leaks, but I can’t resolve my local DNS. If I do the opposite (set the DNS servers on the general settings page), I can resolve my local DNS, but I get DNS leaks (even though I have the correct WireGuard IP address from my provider).

Both make sense to me, but I’m too much of a noob to find the setting that provides the best of both worlds.

How can I fix this (having local DNS and routing without DNS leaks over my VPN at the same time)? I really liked Tom’s setup (from the OpenVPN Privacy VPN Video) because I can define multiple VPN connections with one kill switch floating rule for individual networks. I need to keep it that way.

Any help would be appreciated as I don’t know what to do and have already spent quite some time trying to trace this problem.

As a third approach, I specified the local DNS address of my pfSense firewall in the DHCP-specific network settings, with the result that I reach my VPN server and local DNS while being bugged by DNS leaks (again).

Doesn’t anyone know the answer?

I’m not sure if HAProxy is related?

I think you have to add an ACL in your DNS resolver to allow your tunnel addresses access. Something like this.

I am not sure what you mean.

I provide some screenshots. If you need more to understand my setup, please let me know. With the DNS server overrides in my specified VLAN, I have no DNS leaks. My WireGuard tunnel setup also works fine. I just can’t query any local DNS because all DNS goes through the tunnel.

I followed this guide: WireGuard Setup guide for pfsense

My General DNS Settings:

The DNS Overrides (like on the IVPN guide) for the specific VLAN (

The ACL thing I don’t have any idea about it:

I also don’t understand why I have to specify my VPN DNS server’s address in the general settings AND do an DNS override.

My fault, I understand what you are trying to do now. You are specifying to only use IVPN DNS servers so you wont be able to resolve any DNS names.

If you want the best of both worlds you will have to setup a DNS server on the same network as your LAN (I assume) and then set that DNS server to forward requests to the IVPN provided DNS servers. In this way you can still create DNS records locally and all your DNS queries externally will be going out properly without leaks. Then point all of your devices to your new DNS server.

Amazing! Thanks for your answer, I will try this later. The easiest way to do this would be to set up a PiHole, right?

Isn’t there a way to do this directly from the pfSense box?

What would be the best PiHole (or other local DNS server) setup if I have multiple VLANs going out over different VPN servers and providers?

I think that depends. Are you wanting all your devices going over the IVPN tunnel? If not then I’m not sure that is a viable option to use PFsense. I’m also not entirely sure that would work. I haven’t done that before.

I would say, use whatever is comfortable to you and satisfies your needs. I don’t really have a preference but, I can tell you which ones I have used in the past.

I want specific VLANs going over different tunnels. There is no problem to set this up within pfSense (besides my local DNS problem),

Thanks for your help.