Applying all your changes broke my DNS queries. Had to revert back.
Openwrt Wireguard Server (road warrior setup) force clients to use DNS
Setting option localservice '0' alone didn't work
This guide is quite old and for the unsupported version 19.07.
Because it seems that you are using unbound as primary.
What is the output of uci export unbound?
Yes I've stated already that I'm using an unbound/Adblock setup
The latest documentation on unbound is 3 years old and still has the same settings:
uci export unbound
package unbound

config unbound 'ub_main'
	option add_extra_dns '0'
	option add_local_fqdn '1'
	option add_wan_fqdn '0'
	option dhcp_link 'dnsmasq'
	option domain 'lan'
	option listen_port '53'
	option dhcp4_slaac6 '0'
	option dns64 '0'
	option dns64_prefix '64:ff9b::/96'
	option domain_type 'static'
	option edns_size '1232'
	option extended_stats '0'
	option hide_binddata '1'
	option interface_auto '1'
	option localservice '1'
	option manual_conf '0'
	option num_threads '1'
	option protocol 'default'
	option query_minimize '0'
	option query_min_strict '0'
	option rate_limit '0'
	option rebind_localhost '0'
	option rebind_protection '1'
	option recursion 'default'
	option resource 'default'
	option root_age '9'
	option ttl_min '120'
	option ttl_neg_max '1000'
	option unbound_control '0'
	option validator '0'
	option validator_ntp '1'
	option verbosity '1'
	list iface_trig 'lan'
	list iface_trig 'wan'
	list iface_wan 'wan'

config zone 'auth_icann'
	option enabled '0'
	option fallback '1'
	option url_dir 'https://www.internic.net/domain/'
	option zone_type 'auth_zone'
	list server 'lax.xfr.dns.icann.org'
	list server 'iad.xfr.dns.icann.org'
	list zone_name '.'
	list zone_name 'arpa.'
	list zone_name 'in-addr.arpa.'
	list zone_name 'ip6.arpa.'

config zone 'fwd_isp'
	option enabled '0'
	option fallback '1'
	option resolv_conf '1'
	option zone_type 'forward_zone'
	list zone_name 'isp-bill.example.com.'
	list zone_name 'isp-mail.example.net.'

config zone 'fwd_google'
	option enabled '0'
	option fallback '1'
	option tls_index 'dns.google'
	option tls_upstream '1'
	option zone_type 'forward_zone'
	list server '188.8.131.52'
	list server '184.108.40.206'
	list server '2001:4860:4860::8844'
	list server '2001:4860:4860::8888'
	list zone_name '.'

config zone 'fwd_cloudflare'
	option enabled '0'
	option fallback '1'
	option tls_index 'cloudflare-dns.com'
	option tls_upstream '1'
	option zone_type 'forward_zone'
	list server '220.127.116.11'
	list server '18.104.22.168'
	list server '2606:4700:4700::1111'
	list server '2606:4700:4700::1001'
	list zone_name '.'
Change it to 0
10.0.5.1 in the VPN client config and verify the DNS service is listening either wildcard or both LAN and VPN interfaces/subnets.
In addition, make sure to disable DoH/DoT on the client.
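As an added example that is not part of the thread (and not OpenWrt or unbound code), two offline checks for the two points raised above: reading `localservice` out of the posted `uci export unbound` dump, and testing from BusyBox `netstat -ln` output whether port 53 is bound for the VPN address. 10.0.5.1 is the WireGuard address from the thread; 192.168.1.1 is an assumed LAN address, and both dumps are constructed samples.

```shell
#!/bin/sh
# Added example, not code from the thread, OpenWrt or unbound. 10.0.5.1 is the
# WireGuard address from the thread; 192.168.1.1 is an assumed LAN address;
# the config and netstat dumps at the bottom are constructed samples.

VPN_ADDR="10.0.5.1"
LAN_ADDR="192.168.1.1"   # assumption: the thread never states the LAN address

# Print the value of `option localservice` from a `uci export unbound` dump.
# With '1' unbound answers only subnets it treats as local, which is why the
# thread suggests 0 when the VPN subnet is not among them.
unbound_localservice() {
    printf '%s\n' "$1" \
        | awk '$1 == "option" && $2 == "localservice" { print $3; exit }' \
        | tr -d "'"
}

# Return 0 when port 53 for the given protocol (udp or tcp) is bound on a
# wildcard address, or on both the LAN and the VPN address; 1 otherwise.
# Input is BusyBox `netstat -ln` output as found on OpenWrt.
dns_bound_for_vpn() {
    proto="$1"; listing="$2"
    lan_ok=1; vpn_ok=1
    for a in $(printf '%s\n' "$listing" \
               | awk -v p="$proto" '$1 == p && $4 ~ /:53$/ { sub(/:53$/, "", $4); print $4 }'); do
        case "$a" in
            0.0.0.0|::)  return 0 ;;   # wildcard bind covers every interface, VPN included
            "$LAN_ADDR") lan_ok=0 ;;
            "$VPN_ADDR") vpn_ok=0 ;;
        esac
    done
    if [ "$lan_ok" -eq 0 ] && [ "$vpn_ok" -eq 0 ]; then return 0; fi
    return 1
}

# Constructed samples: the localservice setting as posted, and listings where
# the resolver binds only the LAN address, both addresses, or the wildcard.
UNBOUND_CFG="config unbound 'ub_main'
	option localservice '1'
	option interface_auto '1'"
NETSTAT_LAN_ONLY="Proto Recv-Q Send-Q Local Address   Foreign Address   State
udp        0      0 192.168.1.1:53  0.0.0.0:*
tcp        0      0 192.168.1.1:53  0.0.0.0:*         LISTEN"
NETSTAT_BOTH="udp        0      0 192.168.1.1:53  0.0.0.0:*
udp        0      0 10.0.5.1:53     0.0.0.0:*"
NETSTAT_WILDCARD="udp        0      0 0.0.0.0:53      0.0.0.0:*"

echo "localservice=$(unbound_localservice "$UNBOUND_CFG")"
dns_bound_for_vpn udp "$NETSTAT_LAN_ONLY" || echo "udp/53 is not bound for $VPN_ADDR"
```

On the router itself, feed the functions the real output of `uci export unbound` and `netstat -ln` instead of the samples.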
I will give it a try as soon as I can, however I'm looking for a server-side solution. I don't want my clients choosing the DNS. DoH/DoT is disabled (unbound/adblock works on my home LAN with the same client).
This can be problematic as the client can still use directly routed DNS advertised by the mobile/remote ISP over the WAN interface unless you explicitly override it by the VPN client configuration.
So your suggestion above worked! If I specify on the client side in Wireguard app the DNS as 10.0.5.1 I get my unbound/adblock filtering! Now how can I force this/hijack this so that all WG clients/peers use 10.0.5.1 no matter what they input???
My Wireguard interface is linked to the LAN zone which is DNS hijacked. Is there something more I can try? Is there a way to direct all traffic from a peer's IP (in this case 10.0.5.2)?
Looks like your VPN interface is in the LAN zone, so the configured DNS hijacking should apply to both LAN and VPN networks.
I'm afraid this might be difficult to accomplish since the user can specify an IPv4 or IPv6 DNS routed directly to WAN bypassing the connected VPN.
We can only guess, as we cannot reliably confirm how routing is implemented on the client, unless we analyze client side routing tables and rules.