ipleak.net DNS leakage

testing123

Regular Contributor
My router is configured to use a VPN on one of my subnets. I have auto connect to DNS server turned off in the WAN tab and have manually entered my VPN's DNS address in the 1st field and an OpenNIC DNS address in the 2nd.



IP location is hidden as should be. But ipleak.net shows 4 DNS servers, 3 of which are my ISP's. The bottom one shows the VPN server. The verbiage is a bit ambiguous, stating that if I see my ISP DNS between the detected DNS, I have a leak.

I assumed if I see my ISP DNS at all, it means I'm leaking DNS. Again, the vpn DNS server is at the bottom, with the 3 DNS servers above that being my ISP DNS.

Am I leaking DNS requests?
 
Testing123, very likely you are leaking. How exactly have you hidden your IP location, as should be? If you're using/dropping anything to ISP/WAN at all, for fallback for specific clients using your ISP's server, or for fallback/fail for your OpenVPN-tunneled clients, listing both DNS servers on the WAN page is probably where the leakage is coming from, that is, if you've set WAN up 'normally' the same as most people do who don't use OpenVPN configs/tunnels exclusively. Without knowing what model router you have, or if you are/aren't using WAN/ISP for resolving your DNS instead of using your VPN provider's configs/solution, if you want all of your traffic to utilize only your OpenVPN tunnels, you'll have to change at least a couple of items to be sure this is handled to eliminate leaks, regardless of what your routing table shows.

With our Asuswrt router, there are no DNS servers listed in the WAN DNS server fields; we use only the OpenVPN provider's configs and the provider's DNS in the OpenVPN clients in the router. WAN is only used so that the VPN tunnels have a means of 'tunneling-out' through the ISP's connection and internet, via the VPN provider's network. No client is allowed to drop or fall back/fail to the WAN/ISP DNS, public DNS for any reason, since the VPN provider's network handles everything. You can try (once) to turn WAN off, but all it will do is cut off your router from your modem and ISP; your VPN tunnels won't tunnel out anymore. It's like pulling your Ethernet cable out of the router/modem. The VPN provider's DNS is entered in the LAN/DHCP page's DNS first field, and Google public 8.8.8.8 as fallback -only- in the sense if for some reason, one of your clients doesn't understand the VPN provider's DNS internal DNS handling (most do). When the DNS servers are listed thusly, they show in the OpenVPN configs in the logs when the tunnels are working, and the VPN configs usually ignore them, even though they 'see' how you've listed them. At least that's how it shows on our router.

All of our devices are assigned static IPs in a specific range on the LAN DHCP page. On the OpenVPN client's page, for each client you use, the DNS handling of the VPN provider's config should be set to Exclusive or Strict to ensure only the tunneled clients assigned to each particular tunnel are only using that config; on the same OpenVPN page the policy rule is set to 'Strict' and to 'Drop' all tunneled traffic if the tunnel goes down for whatever reason. On our RT-AC3200 running RMerlin v380.68_4 FW it works well for us. If any client is routed or dropped to WAN/ISP or uses DNS over WAN/ISP, your ISP will 'see' those DNS server listings, and you're bound to spout leaks. As for having WAN connect automatically, unless you have special voodoo-magic wizardry you'd care to share :) WAN has to be connected whenever the router boots up, so your OpenVPN tunnels/configs have access to an internet connection, to 'tunnel through' your ISP's network. Any DNS listing placed in the WAN DNS fields will show up in the routing tables as linked to WAN (it always shows up somehow/somewhere), but that's probably why you're seeing four DNS servers. That in itself doesn't automatically mean you're leaking to the ISP, but I'd bet my beachfront home in Antarctica that you are.

There are so many associated variables how DNS, WAN and/or how your clients do and/or use or drop to them, that without knowing your model/configuration and other pages, I'm offering a 'guesstimate' only. It all works (mostly) in the same general way, with different router GUIs/layout. I'm not an engineer or network wizard, but if your tunnels are tightly bound to your VPN providers exclusively, and drop immediately if there's an error and/or disconnection, it's dollars to donuts that the OpenNIC listing in that WAN field is where leaks are coming from. I used to have an OpenNIC DNS server listed, but one of our settings was off; when the tunnel dropped the OpenNIC server started screaming to the ISP that we were in Oceania/Antarctica, etc. Generate lots of info in your logs, browser history and spend some quality time with Wireshark, as well as Doileak.com and other fine leak test sites that can help you track the leaks down. If you use Flash in any client/host, banish it, eradicate it from your systems at once, as well as WebRTC, and place a few quality plugins or extensions in your browsers.

If your time isn't the same locally on your router and on your clients/host/server as it is in the time zone where your VPN provider's endpoint is located, that can be problematic and will show up on Doileak. Almost always, your provider's OpenVPN configs cover you, since they almost always use their own DNS, and mostly disregard anything you place in the LAN/DHCP DNS server fields as is on our router. Hope this proves a bit helpful and good luck. Cheers.
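One way to act on the packet-capture suggestion in the reply above, as an added example that is not part of the original posts: capture DNS on the router while a client on the VPN subnet runs the leak test, then check which interface the test's lookups actually left on. The line format (`tcpdump -n -i any port 53` on tcpdump 4.99 or later), the interface names `br0`/`eth0`/`tun11`, the `ipleak.net` test-hostname suffix and all addresses in the sample are assumptions; the capture lines are constructed.

```python
import re
from collections import defaultdict

# Assumed line shape of `tcpdump -n -i any port 53`: timestamp, interface,
# direction, then "IP src.port > dst.port: id+ QTYPE? name."
LINE = re.compile(
    r"^\S+\s+(?P<iface>\S+)\s+(?P<dir>In|Out)\s+IP6?\s+"
    r"(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+(?P<dst>\S+)\.(?P<dport>\d+):"
    r"\s+\d+[+%]*\s+(?:\[[^\]]*\]\s+)?(?P<qtype>[A-Z]+)\?\s+(?P<qname>\S+)"
)

def outbound_queries(lines):
    """Yield (interface, resolver, name) for every DNS query leaving the router."""
    for line in lines:
        m = LINE.match(line.strip())
        # Responses have no "QTYPE?" field and never match; LAN-side client
        # queries arrive with direction "In" and are skipped here.
        if m and m["dir"] == "Out" and m["dport"] == "53":
            yield m["iface"], m["dst"], m["qname"].rstrip(".").lower()

def find_leaks(lines, tunnel_ifaces, test_suffix):
    """Leak-test lookups that left on a non-tunnel interface, keyed by
    (interface, resolver). Other names are ignored because a subnet that is
    not routed through the VPN may use WAN DNS legitimately."""
    leaks = defaultdict(set)
    for iface, resolver, qname in outbound_queries(lines):
        in_test = qname == test_suffix or qname.endswith("." + test_suffix)
        if in_test and iface not in tunnel_ifaces:
            leaks[(iface, resolver)].add(qname)
    return {key: sorted(names) for key, names in leaks.items()}

# Constructed capture: one lookup from a VPN-subnet client, forwarded by the
# router both through the tunnel and out the WAN port, plus unrelated traffic.
SAMPLE = """\
10:15:01.100000 br0   In  IP 192.168.2.10.51234 > 192.168.2.1.53: 4660+ A? abc123.ipleak.net. (35)
10:15:01.101000 tun11 Out IP 10.8.0.6.40001 > 10.8.0.1.53: 4661+ A? abc123.ipleak.net. (35)
10:15:01.102000 eth0  Out IP 198.51.100.7.40002 > 203.0.113.53.53: 4662+ A? abc123.ipleak.net. (35)
10:15:01.150000 eth0  In  IP 203.0.113.53.53 > 198.51.100.7.40002: 4662 1/0/0 A 192.0.2.80 (51)
10:15:02.000000 eth0  Out IP 198.51.100.7.40003 > 203.0.113.53.53: 4663+ A? example.org. (29)
""".splitlines()

if __name__ == "__main__":
    for (iface, resolver), names in find_leaks(SAMPLE, {"tun11"}, "ipleak.net").items():
        print(f"leak: {names} sent to {resolver} via {iface}")
```

An empty result while the leak test still lists ISP resolvers points away from the router's own forwarding and toward the client, for example a browser or OS resolver setting that bypasses the router.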
 