Topic: WireGuard - had to create outbound pass rule for DNS in Road Warrior setup

Author: Koloa
Posted: September 12, 2022, 09:58:08 am
I set up WireGuard on my OPNsense appliance (Deciso), and whilst I could see the firewall rule triggering for the inbound traffic, I could never get a successful handshake or traffic to route.
After trying many things for way longer than I should have, the "fix" was for me to set an outbound "pass" firewall rule for both In and Out in the WG_Mobile definition. The guides only talk about "In".
Yes, I have created/assigned an Interface, so did not create a NAT rule (as per the various guides and their advice on this).
tcpdump on wg1 showed the packets coming in, DNS queries heading to my OPNsense IP address, and the responses coming back, but the WireGuard client on iOS wouldn't work unless I set this outbound rule to permit the responses to go back to the Peer.
Is this expected behaviour?
https://docs.opnsense.org/manual/how-tos/wireguard-client.html implies not.
It would behave as expected if I told the iOS WG client to use 1.1.1.1 as the DNS resolver, but if I used any of the IPs on the OPNsense box, the packets would never make it back to the iOS device.
Perhaps I have been staring at the problem for too long and am missing something obvious?
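The triage in the post (watch wg1 with tcpdump and check whether the DNS queries from the tunnel peer get a reply back) is easy to do by eye for a few packets and tedious for a real capture. The script below is an added example, not code from the forum thread or from the OPNsense project: it parses tcpdump's default one-line DNS summary, pairs each query with its response by client address, source port and transaction ID, and reports which resolver addresses answered and which queries were never answered on that interface. The capture lines, the peer address 10.10.10.2 and the resolver addresses are constructed for the example; the function names are my own.

```python
"""Audit DNS query/response pairing in a tcpdump capture from a tunnel
interface (e.g. `tcpdump -ni wg1 udp port 53`).

Added example for illustration; not part of the OPNsense forum post or the
OPNsense project. All addresses and capture lines below are constructed.
"""
import re
import sys

# tcpdump's default DNS summary, e.g.
#   09:58:01.000100 IP 10.10.10.2.51234 > 10.10.10.1.53: 4321+ A? example.com. (29)
#   09:58:01.000900 IP 10.10.10.1.53 > 10.10.10.2.51234: 4321 1/0/0 A 192.0.2.10 (45)
# Flag characters after the transaction ID: + (RD), * (AA), - (RA not set),
# $ (CD), % (AD), | (truncated). Works for IPv6 lines ("IP6 fd00::2.51234 > ...").
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP6? "
    r"(?P<src>[\w.:-]+?)\.(?P<sport>\d+) > (?P<dst>[\w.:-]+?)\.(?P<dport>\d+): "
    r"(?P<txid>\d+)(?P<flags>[+*$%|-]*) (?P<rest>.*)$"
)

# Constructed capture: three queries to the firewall's tunnel address
# (10.10.10.1) and one to an external resolver. Query 4322 never gets a reply.
SAMPLE_CAPTURE = """\
09:58:01.000100 IP 10.10.10.2.51234 > 10.10.10.1.53: 4321+ A? example.com. (29)
09:58:01.000900 IP 10.10.10.1.53 > 10.10.10.2.51234: 4321 1/0/0 A 192.0.2.10 (45)
09:58:02.000100 IP 10.10.10.2.51235 > 10.10.10.1.53: 4322+ [1au] AAAA? example.com. (40)
09:58:03.000100 IP 10.10.10.2.51236 > 1.1.1.1.53: 4323+ A? opnsense.org. (30)
09:58:03.010000 IP 1.1.1.1.53 > 10.10.10.2.51236: 4323 1/0/0 A 203.0.113.5 (46)
09:58:04.000100 IP 10.10.10.2.51237 > 10.10.10.1.53: 4324+ A? nosuch.example. (32)
09:58:04.000500 IP 10.10.10.1.53 > 10.10.10.2.51237: 4324 NXDomain 0/1/0 (90)
""".splitlines()


def parse_line(line):
    """Return a dict for one tcpdump DNS line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    for k in ("sport", "dport", "txid"):
        pkt[k] = int(pkt[k])
    return pkt


def _qname(rest):
    """Pull the queried name out of 'A? example.com. (29)' or '[1au] AAAA? ...'."""
    toks = rest.split()
    for i, tok in enumerate(toks):
        if tok.endswith("?") and i + 1 < len(toks):
            return toks[i + 1]
    return ""


def audit_dns(lines, resolver_port=53):
    """Pair queries with responses seen on the same interface.

    Returns {"answered": [...], "unanswered": [...], "by_resolver": {...}};
    an NXDomain or ServFail still counts as answered, since the point is
    whether any reply made it back onto the tunnel interface at all.
    """
    pending = {}          # (client, client_port, txid) -> query record
    answered = []
    for raw in lines:
        pkt = parse_line(raw)
        if pkt is None:
            continue
        if pkt["dport"] == resolver_port:                 # query leaving the peer
            key = (pkt["src"], pkt["sport"], pkt["txid"])
            pending[key] = {"ts": pkt["ts"], "client": pkt["src"],
                            "resolver": pkt["dst"], "txid": pkt["txid"],
                            "qname": _qname(pkt["rest"])}
        elif pkt["sport"] == resolver_port:               # reply heading to the peer
            key = (pkt["dst"], pkt["dport"], pkt["txid"])
            q = pending.pop(key, None)
            if q is not None:                             # unsolicited/duplicate replies ignored
                q["reply"] = pkt["rest"]
                answered.append(q)
    unanswered = list(pending.values())
    by_resolver = {}
    for q in answered:
        by_resolver.setdefault(q["resolver"], {"answered": 0, "unanswered": 0})["answered"] += 1
    for q in unanswered:
        by_resolver.setdefault(q["resolver"], {"answered": 0, "unanswered": 0})["unanswered"] += 1
    return {"answered": answered, "unanswered": unanswered, "by_resolver": by_resolver}


if __name__ == "__main__":
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_CAPTURE
    report = audit_dns(src)
    for resolver, counts in report["by_resolver"].items():
        print(f"{resolver}: {counts['answered']} answered, {counts['unanswered']} unanswered")
    for q in report["unanswered"]:
        print(f"  no reply on this interface: {q['client']} txid {q['txid']} {q['qname']} -> {q['resolver']}")
```

Run it against a saved capture taken with `-n` (so tcpdump does not rewrite addresses as names), e.g. `tcpdump -ni wg1 udp port 53 > wg1-dns.txt` on the firewall, then `python3 wg_dns_audit.py wg1-dns.txt`. A resolver that shows answered queries on the wg interface while the client still times out points past the capture point (a filter applied after the tap, or the client itself), whereas a resolver address with only unanswered queries points at the firewall or resolver not replying on that interface in the first place; the pairing separates those two cases before you start editing rules.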