Unbound access control missing for wireguard interface

I'm using unbound as DNS resolver for the entire LAN. It works great, except for my wireguard clients.

I have created a lan and wireguard interface:

# /etc/config/network
config interface 'lan'
	option proto 'static'
	option ipaddr ''
	option netmask ''
	option ip6assign '60'
	option ip6hint '10'
	option device 'br-lan'

config interface 'wg'
	option proto 'wireguard'
	option private_key 'XXX'
	option listen_port '51820'
	list addresses ''
	list addresses 'fd32:c57f:6b8d:4a03::1/64'

config wireguard_wg 'wgclient'
	option public_key 'XXX'
	option preshared_key 'XXX'
	list allowed_ips ''
	list allowed_ips 'fd32:c57f:6b8d:4a03::2/128'
	option description 'Wireguard mobile'

Both are added to the lan firewall zone:

# /etc/config/firewall
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option network 'lan wg'
	option forward 'ACCEPT'

But the generated unbound access control only includes the IP range of the LAN interface, and not the wireguard interface:

  access-control: allow
  access-control: 2a02:1810:4f03:f710::1/60 allow
  access-control: fd81:631b:716f:10::1/60 allow
  access-control: allow
  access-control: ::1/128 allow
  access-control: fe80::/10 allow

Therefore DNS queries from wireguard clients are rejected. I already tried adding the wireguard interface to the unbound iface_lan parameter. According to the documentation, I think this parameter should do the trick, but it doesn't seem to have any effect.

As a workaround, I added the access control parameters manually:

# /etc/unbound/unbound_srv.conf
access-control: allow
access-control: fd32:c57f:6b8d:4a03::1/64 allow

And then everything works, but shouldn't that happen automatically with the iface_lan parameter? So this looks like a bug to me.
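To check which client addresses a generated access-control block actually admits, and which lines an interface still needs, here is an added Python example (not from the thread, and not part of the unbound package). It models unbound's most-specific-netblock matching with default refuse; the IPv4 addresses in it are constructed placeholders, since the post's own are redacted.

```python
import ipaddress
from typing import List, Tuple, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample modelled on the generated block in the post above; the
# bare "access-control: allow" line reproduces a redacted (address-less) entry.
GENERATED_ACL = """\
access-control: allow
access-control: 2a02:1810:4f03:f710::1/60 allow
access-control: fd81:631b:716f:10::1/60 allow
access-control: ::1/128 allow
access-control: fe80::/10 allow
"""
# Addresses bound on the wg interface; the IPv4 one is a constructed placeholder.
WG_ADDRESSES = ["10.99.0.1/24", "fd32:c57f:6b8d:4a03::1/64"]

def parse_access_control(conf_text: str) -> List[Tuple[Net, str]]:
    """Collect 'access-control: <netblock> <action>' rules, skipping lines whose
    netblock is missing or unparsable instead of crashing on them."""
    rules = []
    for line in conf_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[0] != "access-control:":
            continue
        try:
            rules.append((ipaddress.ip_network(parts[1], strict=False), parts[2]))
        except ValueError:
            continue
    return rules

def action_for(client: str, rules: List[Tuple[Net, str]]) -> str:
    """unbound applies the most specific matching netblock; no match means refuse."""
    ip = ipaddress.ip_address(client)
    hits = [(n, a) for n, a in rules if n.version == ip.version and ip in n]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else "refuse"

def rules_for_interface(addresses: List[str], rules: List[Tuple[Net, str]]) -> List[str]:
    """Access-control lines still needed so every netblock on the interface is
    allowed; netblocks an existing allow rule already covers are omitted."""
    needed = []
    for addr in addresses:
        net = ipaddress.ip_network(addr, strict=False)
        covered = any(a == "allow" and n.version == net.version and net.subnet_of(n)
                      for n, a in rules)
        if not covered:
            needed.append(f"access-control: {net.with_prefixlen} allow")
    return needed

if __name__ == "__main__":
    rules = parse_access_control(GENERATED_ACL)
    print("wg client:", action_for("fd32:c57f:6b8d:4a03::2", rules))
    print("\n".join(rules_for_interface(WG_ADDRESSES, rules)))
```

Run it against the real file with `parse_access_control(open("/var/lib/unbound/unbound.conf").read())` to see whether a refused client is a coverage gap rather than a firewall problem.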


It may be the order or progress rate of set up. Wireguard may not be configured by the time Unbound /etc/init script runs. The "wg" interface may not exist at that time. You may need to add a hook in /etc/init or /etc/hotplug for wireguard to give unbound a kick when it is ready...


If that (wg not yet up) were the true cause, shouldn't a /etc/init.d/unbound reload/restart (after the wg interface is up) add the required access-control statements? It does not.

Strangely, of three routers running 21.0.1 and unbound 1.13.2, two refuse client requests over the wg interface and one does allow the requests and includes the needed statement in unbound.conf. A few experiments haven't yet made clear why.

Any ideas?

In my setup, reloading or restarting unbound (with /etc/init.d/unbound reload|restart) also does not add the access-control statements, even with the wg interface added to the iface_lan parameter.

Is there anything else I can try?

Thank you for the tip on adding the access control details manually to the unbound_srv.conf file. It fixed the lack of DNS for my wireguard client.

Adding the wireguard interface to the "Recursive DNS->Advanced->LAN Networks" failed to fix the issue on OpenWrt 22.03 either. So it looks like the bug may still be there.

Hi, adding the wireguard interfaces to LAN Networks works fine for me in OpenWrt 22.03, I can query the DNS from the wireguard clients.

These are my two wireguard interfaces in /etc/config/unbound:

config unbound 'ub_main'
	list iface_lan 'vpn_dmz'
	list iface_lan 'vpn_lan'