Wireguard Tunnel Connects but No Internet/DNS Resolution

Started by rsbonini, October 28, 2022, 07:08:33 AM

I have a Wireguard server up and running, and multiple clients are able to connect to it and to the rest of the LAN reliably.
The clients are not able to reach the internet when connected to the tunnel.  I think it's a failure to get DNS resolution.

I would like connected clients to be forced to use the UnBound DNS service running on OPNSense.  I've gone through the OPNSense Wireguard documentation and double checked interface names, NAT rules, IP address formatting, DNS Access Control Lists, etc, and I'm just not seeing where I've gone wrong.

Anyone mind taking a look and letting me know if they have some suggestions?

Here's the Wireguard config as a starting point:

    <wireguard>
      <general version="0.0.1">
        <enabled>1</enabled>
      </general>
      <server version="0.0.2">
        <servers>
          <server uuid="######">
            <enabled>1</enabled>
            <name>WGVPN</name>
            <instance>0</instance>
            <pubkey>######=</pubkey>
            <privkey>######=</privkey>
            <port>######</port>
            <mtu/>
            <dns/>
            <tunneladdress>10.10.2.1/24</tunneladdress>
            <disableroutes>0</disableroutes>
            <gateway/>
            <peers>######</peers>
          </server>
        </servers>
      </server>
      <client version="0.0.6">
        <clients>
          <client uuid="######">
            <enabled>1</enabled>
            <name>C1</name>
            <pubkey>######=</pubkey>
            <psk/>
            <tunneladdress>10.10.2.104/32</tunneladdress>
            <serveraddress/>
            <serverport>######</serverport>
            <keepalive/>
          </client>
          <client uuid="######">
            <enabled>1</enabled>
            <name>C2</name>
            <pubkey>######=</pubkey>
            <psk/>
            <tunneladdress>######</tunneladdress>
            <serveraddress/>
            <serverport>######</serverport>
            <keepalive/>
          </client>
          <client uuid="######">
            <enabled>1</enabled>
            <name>C3</name>
            <pubkey>######=</pubkey>
            <psk/>
            <tunneladdress>10.10.2.105</tunneladdress>
            <serveraddress/>
            <serverport>######</serverport>
            <keepalive/>
          </client>
          <client uuid="######">
            <enabled>1</enabled>
            <name>C4</name>
            <pubkey>######=</pubkey>
            <psk/>
            <tunneladdress>10.10.2.107/32</tunneladdress>
            <serveraddress/>
            <serverport>######</serverport>
            <keepalive/>
          </client>
          <client uuid="######">
            <enabled>1</enabled>
            <name>C5</name>
            <pubkey>######=</pubkey>
            <psk/>
            <tunneladdress>10.10.2.110</tunneladdress>
            <serveraddress/>
            <serverport>######</serverport>
            <keepalive/>
          </client>
        </clients>
      </client>
    </wireguard>

Hi rsbonini,

I think you have added WireGuard with a wg interface assigned.
In the client wg config, have you added DNS = the IP of the WireGuard interface, 10.10.2.1?

I used this guide when I set wg up on my opnsense:

https://homenetworkguy.com/how-to/configure-wireguard-opnsense/
Deciso DEC850v2

Looks like there is nothing configured for DNS...
i am not an expert... just trying to help...

So I did go through that guide for Wireguard setup, and couldn't find anything missing, everything seems to match.

Quote from: tiermutter on October 28, 2022, 09:18:22 AM
Looks like there is nothing configured for DNS...

What in the configuration needs to be set for DNS?  As far as I can tell I only need to set the DNS address (the server's tunnel address) on the client side.  I've got UnBound applied to the Wireguard interface and I have the server's tunnel address on the UnBound Access list.  Is there something in the Wireguard config I am missing?

Also, this should clearly be in the VPN sub-forum; if a mod wants to move it over there, it'd be greatly appreciated.

I am not using unbound, so I can't say anything about how to configure it for this situation.
You said that you're not sure if it is a DNS problem...
Is there a query log in unbound to check whether the requests are reaching unbound or not?
Is there an interface assigned to WG and a FW rule allowing WG to any/WAN?
Can you provide screenshots of the WG config, FW rules, ...?

October 29, 2022, 09:57:18 PM #5 Last Edit: October 30, 2022, 12:25:04 AM by Taunt9930
@rsbonini - In Services > Unbound > General, Network Interfaces has your wireguard interface been selected, or 'All'? Either needs to be the case.

As said: I do not use unbound and never used it before...
You should check if it is really a DNS problem or if there is generally no WAN connection for your WG.
Can you ping e.g. 8.8.8.8 from WG?

Quote from: tiermutter on October 29, 2022, 07:32:39 PM
There is an interface assigned to WG and a FW rule allowing WG to any/WAN?

I think so:



Quote from: tiermutter on October 29, 2022, 10:04:17 PM
Can you ping e.g. 8.8.8.8 from WG?

Yes, I can ping 8.8.8.8 as well as other IPs I know on the internet from my machine while connected remotely to the WG server.  This would seem to confirm that it's a DNS issue.

Quote from: Taunt9930 on October 29, 2022, 09:57:18 PM
In Services > Unbound > General, Network Interfaces has your wireguard interface been selected, or 'All'? Either needs to be the case.

Yep:

Have you restarted unbound after adding the WG interface?

Quote from: Greelan on October 31, 2022, 09:38:58 PM
Have you restarted unbound after adding the WG interface?

Yes, both manually and via multiple reboots of the OPNSense box.

Did you add DNS: <ip address> to the [Interface] of your client tunnels?
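The thread narrows the symptom down to the client side: raw IPs such as 8.8.8.8 are reachable through the tunnel, so routing and NAT work, and what is missing is a resolver that the tunnel actually carries. The following lint is an added example, not code from the thread or from the OPNsense project. It parses a wg-quick style client config and reports the mistakes that produce exactly this "tunnel up, names dead" picture: no `DNS =` in `[Interface]`, a resolver that is not the server's tunnel address, a resolver not covered by any `AllowedIPs`, an `Address` outside the tunnel subnet, or a peer without an `Endpoint`. The defaults 10.10.2.1 and 10.10.2.0/24 are taken from the posted server `<tunneladdress>`; the two sample client configs are constructed for the example, with keys replaced by placeholders, and the `vpn.example.invalid` endpoint is a made-up name.

```python
"""Lint a wg-quick client config for the 'tunnel connects but no DNS' failure mode.

Added example; assumes the server tunnel address 10.10.2.1/24 seen in the thread.
"""
import ipaddress


def parse_wg_conf(text):
    """Parse a wg-quick config into a list of (section_name, {key: [values]}).

    [Peer] may repeat and keys such as AllowedIPs may appear more than once
    inside a section, so neither is collapsed into a single value.
    """
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            current = (line[1:-1], {})
            sections.append(current)
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        current[1].setdefault(key, []).append(value)
    return sections


def _split_list(values):
    """Flatten repeated keys and comma-separated values into one flat list."""
    return [item.strip() for value in values for item in value.split(",") if item.strip()]


def lint_client_conf(text, server_tunnel_ip="10.10.2.1", tunnel_net="10.10.2.0/24"):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    sections = parse_wg_conf(text)
    iface = next((body for name, body in sections if name == "Interface"), None)
    peers = [body for name, body in sections if name == "Peer"]
    if iface is None:
        return ["ERROR: no [Interface] section"]
    if not peers:
        findings.append("ERROR: no [Peer] section; nothing to connect to")

    net = ipaddress.ip_network(tunnel_net)
    server_ip = ipaddress.ip_address(server_tunnel_ip)

    # 1. Address must be a host inside the server's tunnel subnet, not the server itself.
    addrs = _split_list(iface.get("Address", []))
    if not addrs:
        findings.append("ERROR: [Interface] has no Address")
    for a in addrs:
        ip = ipaddress.ip_interface(a).ip
        if ip.version == net.version and ip not in net:
            findings.append(f"ERROR: Address {a} is outside the tunnel subnet {tunnel_net}")
        if ip == server_ip:
            findings.append(f"ERROR: Address {a} collides with the server's tunnel address")

    # 2. DNS must name a resolver, and to use Unbound on the firewall it must be the
    #    server's tunnel IP. Search domains may also appear in DNS= and are skipped.
    dns_entries = _split_list(iface.get("DNS", []))
    dns_ips = []
    for d in dns_entries:
        try:
            dns_ips.append(ipaddress.ip_address(d))
        except ValueError:
            pass
    if not dns_ips:
        findings.append("ERROR: no DNS resolver in [Interface]; queries never reach "
                        f"Unbound on {server_tunnel_ip}, so raw IPs work but names do not")
    elif server_ip not in dns_ips:
        findings.append(f"WARN: DNS is {dns_entries} rather than the server's "
                        f"tunnel IP {server_tunnel_ip}")

    # 3. Each peer needs an Endpoint, and some AllowedIPs entry must cover every
    #    resolver, or DNS packets leave on the physical uplink instead of the tunnel.
    allowed = []
    for p in peers:
        if not p.get("Endpoint"):
            findings.append("ERROR: [Peer] has no Endpoint")
        allowed.extend(ipaddress.ip_network(c, strict=False)
                       for c in _split_list(p.get("AllowedIPs", [])))
    for ip in dns_ips:
        if not any(ip.version == n.version and ip in n for n in allowed):
            findings.append(f"ERROR: resolver {ip} is not covered by any AllowedIPs entry")
    if allowed and not any(n.prefixlen == 0 for n in allowed):
        findings.append("INFO: split tunnel (no 0.0.0.0/0 or ::/0 in AllowedIPs); "
                        "internet traffic stays on the local uplink")
    return findings


# Constructed sample client configs for this example; keys are placeholders.
CLIENT_NO_DNS = """\
[Interface]
PrivateKey = <redacted>
Address = 10.10.2.104/32

[Peer]
PublicKey = <redacted>
AllowedIPs = 0.0.0.0/0
Endpoint = vpn.example.invalid:51820
PersistentKeepalive = 25
"""

CLIENT_FIXED = CLIENT_NO_DNS.replace("Address = 10.10.2.104/32",
                                     "Address = 10.10.2.104/32\nDNS = 10.10.2.1")

if __name__ == "__main__":
    for label, conf in (("no DNS", CLIENT_NO_DNS), ("fixed", CLIENT_FIXED)):
        print(label, lint_client_conf(conf) or ["OK"])
```

Run it against the config exported for each client; the "no DNS" case reproduces the thread's symptom, while the "fixed" case passes cleanly. The Unbound side still has to listen on the WireGuard interface (or "All") and its access list must allow the tunnel subnet, as the replies above say; this lint only covers what the client config can get wrong.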