Can't lookup hostnames without the top-level domain whilst connected over a WireGuard tunnel

I have WireGuard set up and working on my router, but I'm having issues reaching my servers on my private LAN via hostname whilst connected via WireGuard unless I supply the top-level domain. For example, I can access my TrueNAS shares via the hostname FS-Home whilst connected to the LAN, but as soon as I'm connected through WireGuard I have to supply the hostname with the TLD: FS-Home.lan.

I've listed the relevant configuration files below.

/etc/config/dhcp
# /etc/config/dhcp — dnsmasq (DNS forwarder + DHCP) section as posted.
# Comments below only describe what these options visibly set.
config dnsmasq
	option localise_queries '1'
	# Names under 'lan' are answered locally and never forwarded upstream;
	# 'domain' + 'expandhosts' append 'lan' to bare hostnames, which is why
	# FS-Home and FS-Home.lan are the same record on the router side.
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option ednspacket_max '1232'
	# Every query is logged; handy for checking whether a WireGuard client
	# actually sends 'FS-Home' or 'FS-Home.lan' (see logread).
	option logqueries '1'
	option filterwin2k '1'
	# NOTE(review): '0' disables dnsmasq's DNS-rebinding protection, so upstream
	# answers that resolve to private addresses are accepted. If that was not a
	# deliberate choice, prefer '1' and allow-list the few names that need it
	# with 'list rebind_domain'.
	option rebind_protection '0'
	# NOTE(review): '0' lifts the default of answering only hosts on locally
	# attached subnets. Presumably set because wg_private carries a /32 and the
	# peers (10.0.5.2-.5) are not on a "local" subnet — confirm; otherwise keep
	# '1' so the resolver is not reachable from unexpected interfaces.
	option localservice '0'
/etc/config/network

# /etc/config/network as posted: one bridge (br0) carrying VLAN-filtered
# segments, a static WAN on VLAN 20, and a WireGuard "road-warrior" interface.
# Review comments are limited to what is visible in this file.
config interface 'loopback'

	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdf4:3055:d8e6::/48'

# NOTE(review): the physical 'wan' port is a member of br0 and every internal
# VLAN below is tagged on it (wan:t), so the device upstream of that port can
# see VLANs 4-8 as well as the WAN VLAN 20 — confirm that is intended.
config device 'br0'
	option type 'bridge'
	option name 'br0'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'wan'

# Per-port syntax: ':u' untagged, ':t' tagged, '*' sets the port's PVID
# (VLAN assigned to untagged ingress frames).
config bridge-vlan 'admin_vlan'
	option device 'br0'
	option vlan '4'
	list ports 'lan1:u*'
	list ports 'lan4:t'
	list ports 'wan:t'

# Management segment (VLAN 4); 192.168.4.1 is the router's address here.
config interface 'admin'
	option proto 'static'
	option device 'br0.4'
	option ipaddr '192.168.4.1'
	option netmask '255.255.255.0'
	option broadcast '192.168.4.255'
	option delegate '0'

config bridge-vlan 'private_device'
	option device 'br0'
	option vlan '5'
	list ports 'lan2'
	list ports 'lan4:t'
	list ports 'wan:t'

# Private LAN (VLAN 5) — the segment the WireGuard peers are trying to reach.
config interface 'private'
	option proto 'static'
	option device 'br0.5'
	option ipaddr '192.168.5.1'
	option netmask '255.255.255.0'
	option broadcast '192.168.5.255'
	option delegate '0'
	option ip6assign '64'
	option ip6hint '5'
	option ip6ifaceid '::1'

config bridge-vlan 'guest_device'
	option device 'br0'
	option vlan '6'
	list ports 'lan4:t'
	list ports 'wan:t'

# Guest segment (VLAN 6), /26 — only reachable tagged via lan4/wan.
config interface 'guest'
	option proto 'static'
	option device 'br0.6'
	option ipaddr '192.168.6.1'
	option netmask '255.255.255.192'
	option broadcast '192.168.6.63'
	option ip6assign '64'
	option ip6hint '6'
	option ip6ifaceid '::1'

config bridge-vlan 'iot_device'
	option device 'br0'
	option vlan '7'
	list ports 'lan3'
	list ports 'lan4:t'
	list ports 'wan:t'

config interface 'iot'
	option proto 'static'
	option device 'br0.7'
	option ipaddr '192.168.7.1'
	option netmask '255.255.255.0'
	option broadcast '192.168.7.255'
	option delegate '0'

# NOTE(review): 'lan4:t*' makes VLAN 8 the PVID of the lan4 trunk, so any
# untagged frame arriving on lan4 is placed in the server-management segment.
# Confirm that is deliberate; otherwise drop the '*' (or use a dedicated
# parking VLAN as PVID on trunk ports).
config bridge-vlan 'srv_mngmnt_device'
	option device 'br0'
	option vlan '8'
	list ports 'lan4:t*'
	list ports 'wan:t'

config interface 'srv_mngmnt'
	option proto 'static'
	option device 'br0.8'
	option ipaddr '192.168.8.1'
	option delegate '0'
	option netmask '255.255.255.0'

# Written as 'option ports' while every other bridge-vlan uses 'list ports';
# presumably still parsed for a single value, but 'list ports' keeps the
# file consistent.
config bridge-vlan 'wan_device'
	option device 'br0'
	option vlan '20'
	option ports 'wan:t'

# Upstream on VLAN 20 with a static address and fixed gateway; peerdns '0'
# pins the upstream resolvers listed here instead of any DHCP-provided ones.
config interface 'wan'
	option device 'br0.20'
	option proto 'static'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'
	option peerdns '0'
	list dns '208.67.220.220'
	list dns '208.67.222.222'
	option delegate '0'
	option gateway '192.168.20.253'

config interface 'wan6'
	option proto 'dhcpv6'
	option device 'br0.20'
	option reqprefix 'auto'
	option reqaddress 'none'
	option peerdns '0'
	list dns '2620:119:35::35'
	list dns '2620:119:53::53'
	option sourcefilter '0'

# WireGuard server side. Note that WireGuard carries no DNS or search-domain
# settings to peers: each client's own config must name the resolver (and,
# where the client supports it, a search domain) — the router cannot push
# '.lan' the way DHCP does on the wired segments.
# The /32 address means peers are reached only via the routes installed from
# each peer's allowed_ips (route_allowed_ips '1' below).
config interface 'wg_private'
	option proto 'wireguard'
	option private_key 'REDACTED'
	option listen_port '51820'
	option mtu '1420'
	option delegate '0'
	option force_link '1'
	list addresses '10.0.5.1/32'

# One section per peer; each is pinned to a single /32, so a peer cannot
# source traffic from any other address through the tunnel. A preshared key
# is set on every peer in addition to the public key.
config wireguard_wg_private
	option public_key 'REDACTED'
	option preshared_key 'REDACTED'
	option description '1_private_Alpha'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	list allowed_ips '10.0.5.2/32'

config wireguard_wg_private
	option public_key 'REDACTED'
	option preshared_key 'REDACTED'
	option description '2_private_Bravo'
	list allowed_ips '10.0.5.3/32'
	option route_allowed_ips '1'
	option persistent_keepalive '25'

config wireguard_wg_private
	option public_key 'REDACTED'
	option preshared_key 'REDACTED'
	option description '3_private_Charlie'
	list allowed_ips '10.0.5.4/32'
	option route_allowed_ips '1'
	option persistent_keepalive '25'

config wireguard_wg_private
	option public_key 'REDACTED'
	option preshared_key 'REDACTED'
	option description '4_private_Delta'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	list allowed_ips '10.0.5.5/32'

What am I missing?

Nothing.

When on the LAN, your device is likely configured with a "Search Domain" of .lan.

Since your WG has no such setting, you must explicitly specify the FQDN. BTW, as a general practice, you should always specify the FQDN when trying to reach a host.

The weird thing is that I've had hostnames without the TLD working before via a WireGuard tunnel, but I can't remember how I got it working.

Is there no way of getting the WireGuard client to look up the hostname on the upstream DNS (dnsmasq in this case)?

Is it Windows?

Sure

  • Use the FQDN
  • Remove the .lan domain from the DNS config
  • Add entries to the DNS without the name

The client I'm using for testing with WireGuard is Android but Windows behaves the same.