Hello
Is it possible to take unbound requests and send them back through a wireguard gateway? If so, what would be the method?
Could you help me build the rules and understand them?
I have a functional wireguard gateway, and unbound operational too.
Thank you
If you want to send any local DNS request to a local Unbound through wireguard to an upstream DNS, the easiest way is to use the documentation for wireguard selective routing (https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html) and modify it to only tunnel DNS traffic from any firewall IP to the upstream DNS IPs.
Quote from: cs1 on January 08, 2026, 02:47:13 PM
If you want to send any local DNS request to a local Unbound through wireguard to an upstream DNS, the easiest way is to use the documentation for wireguard selective routing (https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html) and modify it to only tunnel DNS traffic from any firewall IP to the upstream DNS IPs.
Are you referring to the section "Dealing with DNS Leaks"? If so, which of the 5 points/solutions would you recommend?
Tia.
I already tried to deal with dns leaks. But at that time I wanted to redirect all my dns requests to the wireguard gateway.
However, I now use unbound and would like to know how to redirect all the dns traffic from unbound to the wireguard gateway in order to prevent dns leaks.
But maybe this is not the right way to proceed?
Quote from: hushcoden on January 18, 2026, 12:53:05 PM
Quote from: cs1 on January 08, 2026, 02:47:13 PM
If you want to send any local DNS request to a local Unbound through wireguard to an upstream DNS, the easiest way is to use the documentation for wireguard selective routing (https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html) and modify it to only tunnel DNS traffic from any firewall IP to the upstream DNS IPs.
Are you referring to the section "Dealing with DNS Leaks"? If so, which of the 5 points/solutions would you recommend?
Tia.
No, I'm referring to the documentation as a whole. The only difference is that in Step 8 you only tunnel requests by unbound to UDP/53.
Quote from: pitoucol on January 18, 2026, 11:22:43 PM
I already tried to deal with dns leaks. But at that time I wanted to redirect all my dns requests to the wireguard gateway.
However, I now use unbound and would like to know how to redirect all the dns traffic from unbound to the wireguard gateway in order to prevent dns leaks.
But maybe this is not the right way to proceed?
If you modify the rule in Step 8 to tunnel DNS traffic via wireguard, that should work.
However, I get the feeling that what you're trying to do is something entirely different. Can you please explain what exactly you're trying to achieve? I get the feeling that whatever you're trying to do could be achieved much easier (e.g. let unbound talk to a trusted DNS via DNS-over-TLS).
Personally, I found two possible ways:
- first is going in the unbound settings, show advanced settings and select the outgoing interface you want (be aware that if that interface is down, no dns queries will leave the firewall). It does not accept gateway groups, so you can only choose a single gateway or multiple gateways, but you can't define the order of use;
- second is to route everything through the wireguard connections like a multi-WAN setup.
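To make the Step 8 modification from cs1's reply and the "route through the wireguard gateway" option above concrete, here is the equivalent in raw pf syntax; this is an added illustration, not from the thread or the OPNsense documentation (OPNsense generates its ruleset from the GUI), and the macro names, interface names, tunnel next-hop and resolver addresses are placeholders to be replaced with your own.

```pf
# Placeholder macros (assumed names, not real values from this thread):
# substitute your WAN interface, WireGuard interface, the peer address
# OPNsense uses as the WireGuard gateway, and your upstream resolvers.
wan_if = "igb0"
wg_if  = "wg0"
wg_gw  = "10.10.0.1"
upstream_dns = "{ 192.0.2.53, 198.51.100.53 }"   # RFC 5737 documentation addresses

# Step 8 narrowed to DNS only: queries the firewall itself originates
# (i.e. Unbound talking to its upstream) on port 53 are policy-routed
# into the tunnel instead of following the default route out of the WAN.
pass out quick on $wan_if route-to ($wg_if $wg_gw) inet proto { udp, tcp } \
    from (self) to $upstream_dns port 53 keep state

# Leak guard: if the tunnel gateway is down and the rule above is skipped,
# fail closed rather than letting the same queries leave the WAN in clear.
block out quick on $wan_if inet proto { udp, tcp } from (self) to any port 53
```

The block rule is what turns "route DNS via WireGuard" into "never send DNS outside WireGuard", which is the actual anti-leak property being asked for.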