Mullvad WG issue, Local Configuration DNS server doesn't resolve

Started by cynicalApples7, December 03, 2022, 09:50:39 PM

December 03, 2022, 09:50:39 PM Last Edit: December 03, 2022, 09:56:55 PM by cynicalApples7
I am hoping that someone can explain to me why the following DNS issue is happening. I cannot figure it out. I used this guide as a... guide https://docs.opnsense.org/manual/how-tos/wireguard-client-mullvad.html

I download a Linux .conf file from mullvad.net.
[Interface]
PrivateKey = *******************************************
Address = 10.64.30.159/32,fc00:bbbb:bbbb:bb01::1:1e9e/128
DNS = 10.64.0.1

[Peer]
PublicKey = egl+0TkpFU39F5O6r6+hIBMPQLOa8/t5CymOZV6CC3Y=
AllowedIPs = 0.0.0.0/0,::0/0
Endpoint = 45.129.56.67:51820

I plug this into WireGuard:
Interface > Local
Peer > Endpoints
i.e. the [Interface] section goes in as the Local entry and the [Peer] section as the Endpoint.

Connect, no errors:
interface: wg2
  public key: PkALQNDZXNxK43Fd079oAdTT2MLLQERTl2Zx6SkFfBQ=
  private key: (hidden)
  listening port: 51820

peer: R5LUBgM/1UjeAR4lt+L/yA30Gee6/VqVZ9eAB3ZTajs=
  endpoint: 45.129.56.68:51820
  allowed ips: ::/0, 0.0.0.0/0
  latest handshake: 35 seconds ago
  transfer: 676.02 MiB received, 23.65 MiB sent
  persistent keepalive: every 30 seconds

I can connect to mullvad.net and see that I am connected and have no DNS leaks. But I cannot resolve any DNS queries.

I am guessing it is a mistake in my Unbound DNS configuration.

Services: Unbound DNS: General

Here are just some general settings.

System: Settings: General

I have tried to add 10.64.0.1 as a DNS server to "System: Settings: General", but that didn't work either. There are two ways in which I have gotten around this, but neither of them is really optimal.

1. Set 10.64.0.1 on Services: DHCPv4: [LAN]. That works, but it bypasses the Unbound DNS blocklist.

2. The second option, which is slightly better, is to use the Mullvad DoT/DoH DNS servers, whereby the DNS blocklist still works, but it is slower.

Can someone spot my mistake? Where am I going wrong, since I cannot just have the DNS server from the WireGuard configuration work?

I have out of curiosity subscribed to ProtonVPN and I did the same simple setup, just adding the Interface and Peer entries from a .conf file. And that worked.

It appears to be an issue between my setup and Mullvad. I just do not know why or how.
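As an added example (not code from the thread, from Mullvad or from OPNsense): a small Python parser for the WireGuard client .conf format that maps the [Interface] and [Peer] sections onto the two OPNsense tabs the post describes (Local and Endpoint) and reports two things the replies below turn on: whether AllowedIPs makes this a full tunnel (0.0.0.0/0), and whether the DNS server listed in the file sits inside the tunnel's AllowedIPs, i.e. is only reachable once traffic is routed through the WireGuard peer. The sample file is constructed to look like the one in the post, with the private key replaced by a placeholder; the field labels in the returned dictionary are descriptive names chosen for this example, not the exact GUI strings.

```python
"""Parse a WireGuard client .conf and map it onto the OPNsense WireGuard
GUI tabs (Local / Endpoint), with a couple of routing sanity checks."""
import ipaddress

# Constructed sample, shaped like the Mullvad .conf in the post.
# The private key is a placeholder, not a real key.
SAMPLE_CONF = """\
[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY_NOT_REAL=
Address = 10.64.30.159/32,fc00:bbbb:bbbb:bb01::1:1e9e/128
DNS = 10.64.0.1

[Peer]
PublicKey = egl+0TkpFU39F5O6r6+hIBMPQLOa8/t5CymOZV6CC3Y=
AllowedIPs = 0.0.0.0/0,::0/0
Endpoint = 45.129.56.67:51820
"""

# Keys whose values are comma-separated lists in the WireGuard format.
LIST_KEYS = {"Address", "DNS", "AllowedIPs"}


def parse_wg_conf(text):
    """Return (interface_dict, [peer_dict, ...]).

    The file is INI-like, but [Peer] may repeat and several keys hold
    comma-separated lists, so configparser is deliberately not used.
    """
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip().lower()
            if name == "interface":
                current = interface
            elif name == "peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError(f"unknown section [{name}]")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        # Split on the FIRST '=' only: base64 keys end in '=' padding.
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key in LIST_KEYS:
            current.setdefault(key, []).extend(
                v.strip() for v in value.split(",") if v.strip())
        else:
            current[key] = value
    return interface, peers


def split_endpoint(endpoint):
    """Split 'host:port' or '[v6addr]:port' into (host, port)."""
    host, _, port = endpoint.rpartition(":")
    if not port.isdigit():
        raise ValueError(f"bad Endpoint value: {endpoint!r}")
    return host.strip("[]"), int(port)


def is_full_tunnel(allowed_ips):
    """True if AllowedIPs contains the IPv4 default route (0.0.0.0/0)."""
    nets = [ipaddress.ip_network(n, strict=False) for n in allowed_ips]
    return any(n.version == 4 and n.prefixlen == 0 for n in nets)


def to_opnsense(text):
    """Map the parsed file onto the Local / Endpoint tabs and run checks.

    Labels below are descriptive names for this example, not GUI strings.
    """
    iface, peers = parse_wg_conf(text)
    if not peers:
        raise ValueError("no [Peer] section found")
    endpoints, allowed = [], []
    for p in peers:
        host, port = split_endpoint(p["Endpoint"])
        ips = p.get("AllowedIPs", [])
        allowed += [ipaddress.ip_network(n, strict=False) for n in ips]
        endpoints.append({"public_key": p["PublicKey"], "allowed_ips": ips,
                          "endpoint_address": host, "endpoint_port": port,
                          "full_tunnel": is_full_tunnel(ips)})
    # DNS servers that fall inside AllowedIPs are only reachable via the
    # tunnel, so they need a route/gateway through the WireGuard peer.
    dns_behind_tunnel = []
    for d in iface.get("DNS", []):
        try:
            addr = ipaddress.ip_address(d)
        except ValueError:
            continue  # hostnames are allowed in the DNS key; skip them
        if any(addr in n for n in allowed):
            dns_behind_tunnel.append(d)
    return {"local": {"tunnel_addresses": iface.get("Address", []),
                      "dns_servers": iface.get("DNS", [])},
            "endpoints": endpoints,
            "checks": {"full_tunnel": any(e["full_tunnel"] for e in endpoints),
                       "dns_behind_tunnel": dns_behind_tunnel}}


if __name__ == "__main__":
    import json
    print(json.dumps(to_opnsense(SAMPLE_CONF), indent=2))
```

Run against the sample, the checks report a full tunnel and flag 10.64.0.1 as a DNS server that lives behind the tunnel; that is the address the gateway-based replies below configure as the far gateway.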

I set mine up with a gateway, not sure if this is the issue. I did not touch unbound and am using a separate DNS server for local DNS. I don't think this has anything to do with unbound, as your config would send all traffic down the tunnel (0.0.0.0/0). Did you create the outbound NAT rule, as I didn't see that in your screenshots?

I attached my config if that helps.

I had a screenshot of my Outbound NAT, but I couldn't post more than 4 :D
I guess I would try to set up a gateway.

Took me a while to configure WG on OPNsense (still working out some small issues) and had a similar problem to yours. Might be a firewall DNS redirect problem, but here's my entire setup and the difference compared to yours, which works well:
-in vpn "local," left DNS blank, unchecked "disable route" and left gateway blank
-set up an interface, static IPV4, IPV4 address your tunnel address, create an upstream gateway
-in system/gateways, interface should be the abovementioned, address family IPv4, IP address 10.64.0.1, far gateway checked and rest unchecked

-firewall: interface - abovementioned, protocol TCP/UDP, source port and address any, destination address [gateway] address, destination port DNS, IP 127.0.0.1, redirect target port DNS // this redirects DNS requests made through your VPN gateway to the local DNS server.
Hope this helps

Yes good idea. That might work since 10.64.0.1 is Mullvad default gateway