Hello,
I have set Unbound to listen on All interfaces.
I have defined the Wireguard interface as static.
Yet at each reboot, Unbound is not listenning on the wireguard interface, and I have to restart Unbound for this to work on wireguard interface.
Would is be possible that Unbound is started *before* wireguard interface is up and hence does not take it into account?
Any ideas?
Thanks !
The ACL entry is missing after boot. It cannot be generated automatically before wireguard is up, which is after unbound is up. Unfortunately unbound is not capable of runtime reconfiguration for ACL so that unbound needs to be restarted which we don't do by default to prevent resolution disruption (and possible cache flush) on any wireguard up and down.
Cheers,
Franco
Thank you Franco for the explanation !
(a manual ACL entry for the wireguard subnet should work)
Another approach that I am taking with BIND, because it is even more finicky about interfaces and IP addresses coming and going than Unbound, is to bind the server to 127.0.0.1 only and use port forwarding NAT rules on each interface that shall be accessible for clients. Also helps greatly with HA setups and virtual IP addresses.