diff --git a/pkg/pickle/helpers/bitmask-root b/pkg/pickle/helpers/bitmask-root
old mode 100644
new mode 100755
index 45544d8d60dda05b21ccca1894085ce0c3b7017b..ce0050c718a3e2451ee86a80194582e8de962f5a
--- a/pkg/pickle/helpers/bitmask-root
+++ b/pkg/pickle/helpers/bitmask-root
@@ -730,6 +730,9 @@ def firewall_start(args):
     if QUBES_PROXY and QUBES_VER >= 3:
         # rewrite DNS packets for VPN DNS; Qubes preconfigures masquerade
         ip4tables("-t", "nat", "--flush", "PR-QBS")
+        for gateway in gateways:
+            ip4tables("-t", "nat", "--append", "PR-QBS", "--destination", gateway,
+                      "--jump", "RETURN")
         ip4tables("-t", "nat", "--append", "PR-QBS", "-p", "udp",
                   "--dport", "53", "--jump", "DNAT", "--to",
                   NAMESERVER + ":53")
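Review bot: The RETURN rule appended to PR-QBS for each gateway matches every protocol and port, although the reason given in the else branch is only that OpenVPN may be listening on port 53; the same applies to the BITMASK_CHAIN_NAT_OUT loop in the second hunk. With only the port-53 DNAT rules following it the effect is the same today, but any rule later added to these chains would silently skip gateway-bound traffic. Consider scoping the exemption to its purpose by adding `"-p", "udp", "--dport", "53"` to the call, with a matching tcp rule. This branch also lacks the why-comment the else branch has; something like `# OpenVPN may listen on port 53 of a gateway; do not rewrite that traffic` would do. firewall_start begins and ends outside the hunk.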
@@ -737,8 +740,12 @@ def firewall_start(args):
                   "--dport", "53", "--jump", "DNAT", "--to",
                   NAMESERVER + ":53")
     else:
+        # As we may have OpenVPN running on port 53, we don't want to redirect that
+        for gateway in gateways:
+            ip4tables("-t", "nat", "--append", BITMASK_CHAIN_NAT_OUT, "--destination",
+                      gateway, "--jump", "RETURN")
         # allow dns to localhost
-        ip4tables("-t", "nat", "--append", BITMASK_CHAIN, "--protocol", "udp",
+        ip4tables("-t", "nat", "--append", BITMASK_CHAIN_NAT_OUT, "--protocol", "udp",
                   "--dest", "127.0.1.1,127.0.0.1,127.0.0.53", "--dport", "53",
                   "--jump", "ACCEPT")
         # rewrite all outgoing packets to use VPN DNS server
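Review bot: `gateway` is passed unchanged to `--destination` in the loop at the top of the else branch (and in the PR-QBS loop of the first hunk), and iptables accepts hostnames and CIDR ranges there as well as single addresses. `gateways` is built outside the hunk, so this cannot be confirmed from here, but if it is not already limited to literal IPv4 host addresses, a wide range would exempt DNS traffic to that whole range from the rewrite to NAMESERVER, and a hostname would be resolved while the firewall is still being set up. It is worth checking that the values are validated before this point, or validating in the loop before appending the rule, for example with `ipaddress.IPv4Address(gateway)` if the helper runs on Python 3.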