Netgate Discussion Forum
    wireguard remote access dns

    Scheduled Pinned Locked Moved WireGuard
    3 Posts 2 Posters 1.4k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      spltngheadache
      last edited by spltngheadache

      I've set up WireGuard for remote access to my LAN from my phone. Local traffic passes fine, but I've noticed that even with the applicable firewall rule:

      source: wgsubnet (172.27.80.0/24)
      dest: firewall (self)
      proto: udp
      port: DNS (53)

      the resolver on pfSense ignores the wg clients. I see the requests happen in tcpdump. I looked in the DNS resolver settings but see that the "Wireguard" interface doesn't show up. If I create a dedicated interface for this, I can set that interface in the resolver settings and things appear to work as expected. Am I missing something to allow the regular "Wireguard" tab rules to hit unbound? It doesn't make a lot of sense to have to set up an interface just for remote access purposes.

      The WG clients are set to use the wg tunnel IP set for the firewall: i.e. 172.27.80.1

      dma_pf @spltngheadache:

        @spltngheadache said in wireguard remote access dns:

        I looked in the DNS resolver settings but see that the "Wireguard" interface doesn't show up. If I create a dedicated interface for this, I can set that interface in the resolver settings and things to appear to work as expected.

        You do not see WireGuard in DNS settings because it is not bound to an interface. Only tunnels bound to an actual interface will show up in DNS settings. The Wireguard tab that shows up in the firewall rules is not bound to a particular interface and the rules applied to it work differently than on an interface.

        Wireguard tab rules are evaluated first, and are applied to all Wireguard tunnels whether or not they are linked to an interface. In essence they are global rules. The packets processed by these rules don't have a "Reply-to:" tag attached to them. This can lead to routing issues.

        Wireguard Interface rules apply to that interface only and the packets contain the "Reply-to:" tag.

        https://docs.netgate.com/pfsense/en/latest/vpn/wireguard/rules.html

        It would be helpful if you could post pictures of your NAT/Outbound, NAT/Port Forward, LAN rules, Wireguard rules, and Wireguard Interface rules.

        spltngheadache @dma_pf:

          I solved this by adding an additional interface directive in the DNS Resolver advanced options box. I confirmed that the running unbound config didn't include the wg interfaces and that's why it wasn't responding.

          There's no "wireguard" in the Network Interfaces box of the DNS Resolver screen unless you create a Firewall interface based on the wg interface. I don't use ALL because I do not want some of my interfaces to have the option of using pfSense's unbound. Interestingly enough, the proper access-control directives did exist in the config already.

          I added these lines and created a firewall rule allowing the wg subnet to access DNS on this IP.

          server:
            interface: 172.27.80.1
            interface: 172.27.80.1@853
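          The fix above has two halves that both have to be present in the running unbound config: an `interface:` line so unbound actually listens on the tunnel IP, and an `access-control:` entry that allows the WireGuard client subnet (the poster found the second was already there, only the first was missing). The following script is an added example, not part of this thread or of pfSense; it parses the `server:` clause of an unbound.conf, applies unbound's most-specific-match rule for access-control, and reports whether a WireGuard client would get an answer. The config text is constructed for the example, using the tunnel IP and subnet from the thread; the function names are the example's own.

```python
import ipaddress

# Constructed sample config in the shape pfSense generates for unbound,
# with the two "interface:" lines from the post added. Not a real dump.
SAMPLE_CONF = """\
server:
  interface: 192.168.1.1
  interface: 127.0.0.1
  interface: 172.27.80.1
  interface: 172.27.80.1@853
  access-control: 127.0.0.0/8 allow
  access-control: 192.168.1.0/24 allow
  access-control: 172.27.80.0/24 allow
  access-control: 0.0.0.0/0 refuse

remote-control:
  control-enable: yes
"""

# Same config with the tunnel listener lines removed: the "before" state
# in which unbound silently ignores the WireGuard clients.
MISSING_LISTENER_CONF = "\n".join(
    line for line in SAMPLE_CONF.splitlines() if "172.27.80.1" not in line
)


def parse_server_directives(conf_text):
    """Return (key, value) pairs from the server: clause, skipping comments."""
    directives = []
    in_server = False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # A clause header is a bare word ending in ":" (server:, remote-control:, ...)
        if line.endswith(":") and " " not in line:
            in_server = line == "server:"
            continue
        if not in_server or ":" not in line:
            continue
        key, value = line.split(":", 1)
        directives.append((key.strip(), value.strip()))
    return directives


def listen_addresses(directives):
    """Set of (ip, port) sockets unbound binds; "interface:" defaults to port 53."""
    sockets = set()
    for key, value in directives:
        if key == "interface":
            ip, _, port = value.partition("@")
            sockets.add((ip, int(port) if port else 53))
    return sockets


def access_decision(directives, client_ip):
    """Action unbound takes for client_ip: the most specific matching access-control wins."""
    addr = ipaddress.ip_address(client_ip)
    best = None
    for key, value in directives:
        if key != "access-control":
            continue
        net_str, action = value.split()
        net = ipaddress.ip_network(net_str, strict=False)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, action)
    # Clients matching no entry are refused by unbound's default policy.
    return best[1] if best else "refuse"


def wg_dns_ready(conf_text, tunnel_ip, client_ip, port=53):
    """True only if unbound listens on the tunnel IP AND permits the WG client."""
    directives = parse_server_directives(conf_text)
    listening = (tunnel_ip, port) in listen_addresses(directives)
    permitted = access_decision(directives, client_ip) in ("allow", "allow_snoop", "allow_setrd")
    return listening and permitted


if __name__ == "__main__":
    for label, conf in (("fixed", SAMPLE_CONF), ("missing listener", MISSING_LISTENER_CONF)):
        print(label, "->", wg_dns_ready(conf, "172.27.80.1", "172.27.80.10"))
```

On a live pfSense box the same check can be run against the generated file under /var/unbound/ instead of the embedded sample; the point is that an allow entry alone is not enough if the tunnel IP never appears on an `interface:` line.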
          
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.