Unbound stops working when I try to add WG1, a FQDN-based connection. As you can see, I can ping google.com by name. Then I restart wireguard. WG0 comes up but WG1 fails because of DNS. Immediately afterward I can no longer resolve DNS:
root@owlhouse:/usr # ping google.com
PING google.com (172.217.5.14): 56 data bytes
64 bytes from 172.217.5.14: icmp_seq=0 ttl=119 time=15.542 ms
64 bytes from 172.217.5.14: icmp_seq=1 ttl=119 time=15.475 ms
64 bytes from 172.217.5.14: icmp_seq=2 ttl=119 time=15.842 ms
^C
--- google.com ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 15.475/15.620/15.842/0.160 ms
root@owlhouse:/usr # /usr/local/etc/rc.d/wireguard restart
[#] rm -f /var/run/wireguard/wg0.sock
[#] resolvconf -d wg0
wg-quick: `wg1' is not a WireGuard interface
[#] ifconfig wg create name wg0
[!] Missing WireGuard kernel support (ifconfig: SIOCIFCREATE2: Invalid argument). Falling back to slow userspace implementation.
[#] wireguard-go wg0
┌──────────────────────────────────────────────────────┐
│ │
│ Running wireguard-go is not required because this │
│ kernel has first class support for WireGuard. For │
│ information on installing the kernel module, │
│ please visit: │
│ https://www.wireguard.com/install/ │
│ │
└──────────────────────────────────────────────────────┘
[#] wg setconf wg0 /dev/stdin
[#] ifconfig wg0 inet 192.168.12.1/24 alias
[#] ifconfig wg0 mtu 1420
[#] ifconfig wg0 up
[#] resolvconf -a wg0 -x
[#] route -q -n add -inet 192.168.12.12/32 -interface wg0
[#] route -q -n add -inet 192.168.12.11/32 -interface wg0
[#] route -q -n add -inet 192.168.12.10/32 -interface wg0
[+] Backgrounding route monitor
[#] ifconfig wg create name wg1
[!] Missing WireGuard kernel support (ifconfig: SIOCIFCREATE2: Invalid argument). Falling back to slow userspace implementation.
[#] wireguard-go wg1
┌──────────────────────────────────────────────────────┐
│ │
│ Running wireguard-go is not required because this │
│ kernel has first class support for WireGuard. For │
│ information on installing the kernel module, │
│ please visit: │
│ https://www.wireguard.com/install/ │
│ │
└──────────────────────────────────────────────────────┘
[#] wg setconf wg1 /dev/stdin
Name does not resolve: `vaaa.bbb.ccc:51820'
Configuration parsing error
[#] rm -f /var/run/wireguard/wg1.sock
root@owlhouse:/usr # ping google.com
ping: cannot resolve google.com: Host name lookup failure
root@owlhouse:/usr #
I can see no errors in syslog. And DNS is working for everything else on the LAN - just not on the FW itself. Is this an unbound problem or a wireguard problem?
Unbound:
<unbound>
  <enable>1</enable>
  <custom_options>#server:
#tls-cert-bundle: "/etc/ssl/cert.pem"
forward-zone:
name: "."
forward-tls-upstream: yes
forward-addr: 1.1.1.1@853
forward-addr: 1.0.0.1@853</custom_options>
  <dnssec>1</dnssec>
  <noreglladdr6>1</noreglladdr6>
  <acls>
    <aclname>VPN</aclname>
    <aclaction>allow</aclaction>
    <description/>
    <row>
      <acl_network>192.168.1.0</acl_network>
      <mask>24</mask>
      <description/>
    </row>
  </acls>
  <acls>
    <aclname>WGaccess</aclname>
    <aclaction>allow</aclaction>
    <description/>
    <row>
      <acl_network>192.168.12.0</acl_network>
      <mask>24</mask>
      <description/>
    </row>
    <row>
      <acl_network>10.11.14.0</acl_network>
      <mask>24</mask>
      <description/>
    </row>
  </acls>
</unbound>
Show a traceroute to an address. Maybe it's going out via the wg interface due to some rule you added or something.
Do you have DNS set in the WireGuard conf? If so, resolv.conf will be overwritten when WG is restarted, which may be causing your issues.
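As an added example (not code from the thread or from wg-quick), a POSIX sh audit that reads wg-quick configs and flags the combination visible in the log above: an interface with DNS= (wg-quick then runs "resolvconf -a <if> -x", making that interface's nameservers exclusive) alongside an interface whose Endpoint is a hostname that must resolve at startup. The sample configs are constructed; wg0's peer address 203.0.113.10 is invented, wg1's endpoint is the one from the log.

```shell
# Added example: audit wg-quick configs for the two settings that interact here.
# "DNS =" -> wg-quick runs "resolvconf -a <if> -x" (exclusive nameserver takeover);
# "Endpoint = <hostname>:port" -> must resolve through whatever resolv.conf holds then.

# Print the DNS= servers of one config, space separated (empty if none).
wg_dns_servers() {
    sed -n 's/^[[:space:]]*[Dd][Nn][Ss][[:space:]]*=[[:space:]]*//p' "$1" \
        | tr ',' ' ' | tr -s ' ' | sed 's/^ //; s/ $//'
}

# Print endpoint hosts that are names rather than IPv4/IPv6 literals (one per line).
wg_fqdn_endpoints() {
    sed -n 's/^[[:space:]]*[Ee][Nn][Dd][Pp][Oo][Ii][Nn][Tt][[:space:]]*=[[:space:]]*//p' "$1" \
        | while read -r ep; do
            host=${ep%:*}                       # drop :port
            host=${host#\[}; host=${host%\]}    # drop IPv6 brackets
            case "$host" in
                *:*)       ;;                   # IPv6 literal
                *[!0-9.]*) echo "$host" ;;      # letters present: a hostname
            esac
        done
}

# Verdict for a directory of *.conf files: RISK when some interface sets DNS= (exclusive
# resolv.conf takeover) and some interface needs a name resolved at startup, else OK.
wg_audit_verdict() {
    takeover=0; needs_dns=0
    for f in "$1"/*.conf; do
        [ -n "$(wg_dns_servers "$f")" ] && takeover=1
        [ -n "$(wg_fqdn_endpoints "$f")" ] && needs_dns=1
    done
    if [ "$takeover" = 1 ] && [ "$needs_dns" = 1 ]; then echo RISK; else echo OK; fi
}

# Constructed sample configs mirroring the thread: wg0 pushes DNS, wg1 uses a FQDN endpoint.
WG_DEMO_DIR=$(mktemp -d)
cat > "$WG_DEMO_DIR/wg0.conf" <<'EOF'
[Interface]
DNS = 192.168.12.1
[Peer]
Endpoint = 203.0.113.10:51820
EOF
cat > "$WG_DEMO_DIR/wg1.conf" <<'EOF'
[Interface]
[Peer]
Endpoint = vaaa.bbb.ccc:51820
EOF
wg_audit_verdict "$WG_DEMO_DIR"    # prints RISK for this pair
```

Point it at /usr/local/etc/wireguard (or wherever wg-quick reads its configs) instead of the constructed directory to check a live box; a RISK verdict means the second interface's name lookup depends on the first interface's DNS being reachable.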