Netgate Discussion Forum

    DNS Resolver doesn't process queries through Wireguard full tunnel

    DHCP and DNS
    Stan

      I’m trying to make a full tunnel work with Wireguard on pfSense and a Windows computer. The computer can access the tunnel and get to my servers using IP addresses, but not using the server FQDNs. (I’ve set them up using HAProxy with a wildcard certificate.) I can’t reach Websites using domain names. In these cases the failure message is that the DNS address could not be found.
      The Netgate instructions include: " All traffic may be associated with a peer by using 0.0.0.0/0 for IPv4 or ::/0 for IPv6, but this won’t work for a tunnel with multiple peers. Only the last peer in the list will be configured properly." So I’ve removed my phone as a peer for the tunnel, but still get the same result.
      I did not create a separate interface for Wireguard. I’m using Unbound as my DNS server. The general settings for DNS Resolver do not show an interface for Wireguard. However, the “Access Lists” tab includes an entry showing the tunnel network.
      The Windows Wireguard app has the DNS server set to my pfSense interface (192.168.8.1).
      In pfSense, I’ve tried to direct all DNS queries to Unbound. I have this rule in Firewall/NAT/PortForward:
      [image: Screenshot 2022-05-02 170251.png]
      And these rules in Firewall/Rules/WireGuard:
      [image: Screenshot 2022-05-02 170335.png]
      If I disable the rules directing port 53 traffic to Unbound and use 8.8.8.8 as the DNS address in the Windows peer app, I can get to Web sites. And in any case, I can't get to the servers using IP addresses, just not FQDNs.
      I assume this is a problem of getting Unbound to respond to DNS queries from the remote peer, but I’m at a loss as to what else to do. Any suggestions will be appreciated.


    Stan

        I meant: "In any case I can get to the servers using IP addresses, just not FQDNs."


    Stan

          Solved by watching a video from Christian McDonald. The change was to the settings in the peer (client) app. I set the DNS address to the tunnel address (192.168.85.1) rather than my pfSense address.

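The thread's fix was to point the client's DNS at the server's tunnel address (192.168.85.1) instead of the pfSense LAN address (192.168.8.1). The following script is an added example, not code from the thread, from pfSense or from the WireGuard project: it parses a wg-quick style client config and flags the two DNS placements that cause trouble for a full tunnel, a DNS server that is routed through the tunnel but is not an address inside the tunnel network (the situation in the first post), and a DNS server that AllowedIPs does not cover at all, so queries bypass the tunnel. The tunnel subnet 192.168.85.0/24, the client address 192.168.85.2, the endpoint name and the key placeholders are assumptions; the thread gives only the two addresses above.

```python
"""Check a WireGuard client (wg-quick style) config for the DNS placement
problem discussed in this thread: a full-tunnel client whose DNS line points
at the pfSense LAN address rather than the server's tunnel address.

Added example, not code from the thread or from pfSense/WireGuard. The tunnel
subnet 192.168.85.0/24 and the client address 192.168.85.2 are assumptions;
the thread only gives the server's tunnel address 192.168.85.1 and the LAN
address 192.168.8.1.
"""
import ipaddress

# Constructed sample: the Windows peer config as the thread describes it,
# DNS pointing at the pfSense LAN interface (the setting that did not work).
BROKEN_CONF = """\
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 192.168.85.2/32
DNS = 192.168.8.1

[Peer]
PublicKey = <pfsense-public-key-placeholder>
Endpoint = pfsense.example.invalid:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
"""

# The same config with the fix from the thread: DNS set to the tunnel address.
FIXED_CONF = BROKEN_CONF.replace("DNS = 192.168.8.1", "DNS = 192.168.85.1")

# Constructed split-tunnel variant: only the tunnel subnet is routed, so a
# LAN-side DNS server is never reached through WireGuard at all.
SPLIT_CONF = BROKEN_CONF.replace("AllowedIPs = 0.0.0.0/0, ::/0",
                                 "AllowedIPs = 192.168.85.0/24")


def parse_wg_conf(text):
    """Parse a wg-quick config into {'Interface': {...}, 'Peer': [{...}, ...]}.
    Written by hand because a file may contain several [Peer] sections."""
    conf = {"Interface": {}, "Peer": []}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            if name == "Peer":
                current = {}
                conf["Peer"].append(current)
            else:
                current = conf.setdefault(name, {})
            continue
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    return conf


def split_list(value):
    """Split a comma-separated WireGuard value such as AllowedIPs or DNS."""
    return [v.strip() for v in value.split(",") if v.strip()]


def check_dns_placement(text, tunnel_net):
    """Return a list of findings about where the client's DNS queries go.

    tunnel_net is the server-side WireGuard subnet (an assumption here).
    An empty list means the DNS server is routed through the tunnel and
    lives inside the tunnel network, as in the configuration that worked.
    """
    conf = parse_wg_conf(text)
    tunnel_net = ipaddress.ip_network(tunnel_net)
    findings = []

    dns_servers = []
    for item in split_list(conf["Interface"].get("DNS", "")):
        try:
            dns_servers.append(ipaddress.ip_address(item))
        except ValueError:
            pass  # wg-quick also allows search domains on the DNS line
    if not dns_servers:
        return ["no DNS server set; the client keeps its local resolver"]

    allowed = [ipaddress.ip_network(n)
               for peer in conf["Peer"]
               for n in split_list(peer.get("AllowedIPs", ""))]

    for dns in dns_servers:
        # ip_address in ip_network is False across IP versions, so the
        # ::/0 entry never matches an IPv4 resolver.
        routed = any(dns in net for net in allowed)
        if not routed:
            findings.append(f"DNS {dns} is not covered by AllowedIPs; "
                            "queries bypass the tunnel")
        elif dns not in tunnel_net:
            findings.append(f"DNS {dns} is sent through the tunnel but is not "
                            f"an address in {tunnel_net}; use the server's "
                            "tunnel address instead")
    return findings


if __name__ == "__main__":
    for label, conf in [("broken", BROKEN_CONF), ("fixed", FIXED_CONF),
                        ("split", SPLIT_CONF)]:
        print(label, check_dns_placement(conf, "192.168.85.0/24") or ["ok"])
```

Running it reports one finding for the broken config, none for the fixed one, and a bypass finding for the split-tunnel variant. The check only looks at the client side; it does not tell you whether Unbound on pfSense is listening on, or allowing, the tunnel network, which is the server-side half of the same question.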
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.