I'm using unbound as the DNS resolver for the entire LAN. It works great, except for my WireGuard clients.
I have created a lan and a WireGuard interface:
# /etc/config/network
config interface 'lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ip6hint '10'
	option device 'br-lan'

config interface 'wg'
	option proto 'wireguard'
	option private_key 'XXX'
	option listen_port '51820'
	list addresses '10.0.0.1/24'
	list addresses 'fd32:c57f:6b8d:4a03::1/64'

config wireguard_wg 'wgclient'
	option public_key 'XXX'
	option preshared_key 'XXX'
	list allowed_ips '10.0.0.2/32'
	list allowed_ips 'fd32:c57f:6b8d:4a03::2/128'
	option description 'Wireguard mobile'
Both are added to the lan firewall zone:
# /etc/config/firewall
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option network 'lan wg'
	option forward 'ACCEPT'
But the generated unbound access control only includes the IP range of the lan interface, and not the WireGuard interface:
access-control: 192.168.1.1/24 allow
access-control: 2a02:1810:4f03:f710::1/60 allow
access-control: fd81:631b:716f:10::1/60 allow
access-control: 127.0.0.0/8 allow
access-control: ::1/128 allow
access-control: fe80::/10 allow
Therefore, DNS queries from WireGuard clients are rejected. I already tried adding the WireGuard interface to the unbound iface_lan parameter. According to the documentation, I think this parameter should do the trick, but it doesn't seem to have any effect.
As a workaround, I added the access control parameters manually:
# /etc/unbound/unbound_srv.conf
access-control: 10.0.0.1/24 allow
access-control: fd32:c57f:6b8d:4a03::1/64 allow
And then everything works, but shouldn't that happen automatically with the iface_lan parameter? So this looks like a bug to me.
Jef
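The behaviour the post expects from iface_lan, as an added example that is not part of the post or of the OpenWrt unbound package (which is shell and reads UCI via `uci`): map every interface listed in the lan firewall zone to the `access-control: ... allow` lines unbound needs, so that a VPN interface added to the zone is covered instead of falling through to unbound's default refuse. The UCI parser, the reduced sample config (secrets replaced, ip6assign prefixes omitted) and the `access_control_lines` function are all constructed here for illustration.

```python
import ipaddress
import re

# Constructed sample: a trimmed copy of the poster's network and firewall
# config (secrets replaced, ip6assign-delegated prefixes left out).
NETWORK_CONFIG = """
config interface 'lan'
    option proto 'static'
    option ipaddr '192.168.1.1'
    option netmask '255.255.255.0'
config interface 'wg'
    option proto 'wireguard'
    list addresses '10.0.0.1/24'
    list addresses 'fd32:c57f:6b8d:4a03::1/64'
"""
FIREWALL_CONFIG = """
config zone
    option name 'lan'
    option network 'lan wg'
"""

def parse_uci(text):
    """Minimal UCI parser: list of (type, name, {key: [values]}) sections."""
    sections = []
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"config\s+(\S+)(?:\s+'([^']*)')?$", line)
        if m:
            sections.append((m.group(1), m.group(2), {}))
            continue
        m = re.match(r"(option|list)\s+(\S+)\s+'([^']*)'$", line)
        if m and sections:
            sections[-1][2].setdefault(m.group(2), []).append(m.group(3))
    return sections

def interface_prefixes(net_sections, name):
    """Subnets an interface holds: static ipaddr/netmask and wireguard addresses."""
    prefixes = []
    for typ, sname, opts in net_sections:
        if typ != 'interface' or sname != name:
            continue
        if 'ipaddr' in opts and 'netmask' in opts:
            cidr = f"{opts['ipaddr'][0]}/{opts['netmask'][0]}"
            prefixes.append(ipaddress.ip_network(cidr, strict=False))
        for addr in opts.get('addresses', []):   # 'list addresses' entries
            prefixes.append(ipaddress.ip_network(addr, strict=False))
    return prefixes

def access_control_lines(network_text, firewall_text, zone='lan'):
    """One 'allow' line per subnet of every interface in the given zone."""
    nets, lines = parse_uci(network_text), []
    for typ, _, opts in parse_uci(firewall_text):
        if typ == 'zone' and opts.get('name') == [zone]:
            for iface in opts.get('network', [''])[0].split():
                lines += [f"access-control: {p} allow" for p in interface_prefixes(nets, iface)]
    return lines
```

Everything not matched by an allow line stays under unbound's default `refuse`, which is exactly why the 10.0.0.0/24 and fd32:c57f:6b8d:4a03::/64 lines matter for the wg clients.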