WG DNS leak over VPN

If the server is properly set up it already accepts all traffic, so a rule should not be necessary.
But what might be necessary is checking that dnsmasq is listening on all interfaces (it does by default) and allowing dnsmasq to answer non-local queries:
LuCI DNS-DHCP > Filter > Local service only : untick/disable

/etc/config/dhcp:

config dnsmasq
	option localservice '0'     # <<<<

Ok. Been messing with this all morning.

The routed device I'm testing at location B has a local IP address that's routed through the tunnel. Internet is available and WAN address showing as Location A, but still getting local DNS.

Location A - Receives Local DNS (router/DNS at 192.168.2.1)
Location B - Receives Local DNS, VPN clients receive Location A WAN address, but Location B DNS. (router/DNS 10.0.1.1)

Location B /etc/config/dhcp

config tag 'tag1'
	list dhcp_option '6,192.168.2.1,8.8.8.8'

config host
	option name 'Z8'
	option mac '00:1E:B8:B7:70:DC'
	option ip '10.0.1.81'
	option tag 'tag1'

*I have tried without 8.8.8.8 and internet is lost, so I still think it's a DNS forwarding issue.

Location B PBR settings

Name: TestDevice
Local addresses/Devices: 10.0.1.81
Local Ports: -
Remote Addresses/domains: -
Remote ports: -
Protocol: tcp udp
Chain: prerouting
Interface: wg0

Location A /etc/config/dhcp

config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
option localservice '0'
option ednspacket_max '1232' 

There is no DNS Hijacking enabled in the firewall on either side.

Location A WG config - /etc/config/network

config interface 'wg1'
option proto 'wireguard'
option private_key 'xxx'
option listen_port '51821'
list addresses '10.10.9.1/32'

config wireguard_wg1
option description 'US'
option public_key xxx
list allowed_ips '192.168.10.1/24'
list allowed_ips '10.10.9.3/24'
option persistent_keepalive '25'
option route_allowed_ips '1'

Location B WG config - /etc/config/network

config interface 'wg0'
option proto 'wireguard'
option private_key xxx
option listen_port '51820'
option ipv4table '100'
list addresses '10.10.9.2/32'

config wireguard_wg0
option description 'Hilltop'
option public_key xxx
option endpoint_host xxx
option endpoint_port '51821'
option persistent_keepalive '25'
list allowed_ips '0.0.0.0/0'
option route_allowed_ips '1'

Anything else worth posting that could be of help?

Ok, I think I found a workaround for now. I configured the DNS as the IP address of the WireGuard server interface and now there doesn't appear to be a leak and I'm getting local DNS servers shown when I run a DNS leak test. Set this manually on the device using the VPN and also in the dnsmasq config.

Sites such as Google maps are giving some interesting behavior. Upon opening the site I'm shown the general area of Location A. If I opt for precise location I'm shown mine. Not sure where it's getting that information from.

Precise location checks your wifi and sometimes some browser settings.

@egc - any advice on making sure VPN clients use the Wireguard server for time synchronization?

If your VPN clients have all their traffic routed via the tunnel then NTP queries will also go via the tunnel.

Your clients usually have their own NTP server addresses baked in, alternatively you can hand out an NTP server address via DHCP option 42.

You can also use a REDIRECT rule similar to the DNS hijack, but instead of port 53 you use NTP port 123.
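As an added example (not from this thread and not OpenWrt's own tooling), a small Python audit that parses UCI text in the form quoted in these posts and answers the two checks raised above: does the firewall's lan zone intercept DNS (53) and NTP (123) with DNAT redirect rules, and is dnsmasq set to localservice '0' so it answers tunnel peers. The sample config text is constructed.

```python
import re
# Constructed samples (not from the thread): the lan zone hijacks DNS (port 53)
# but not NTP (123); dnsmasq is set to answer non-local queries (localservice 0).
SAMPLE_FIREWALL = """config redirect
	option name 'Intercept-DNS'
	option src 'lan'
	option src_dport '53'
	option proto 'tcp udp'
	option target 'DNAT'
"""
SAMPLE_DHCP = """config dnsmasq
	option domain 'lan'
	option localservice '0'
"""

def parse_uci(text):
    """Parse UCI text into (section_type, section_name, {key: [values]}) tuples."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        # a quoted value such as 'tcp udp' stays one token; quotes are stripped
        tokens = [t.strip("'\"") for t in re.findall(r"'[^']*'|\"[^\"]*\"|\S+", line)]
        if tokens[0] == 'config':
            sections.append((tokens[1], tokens[2] if len(tokens) > 2 else None, {}))
        elif tokens[0] in ('option', 'list') and sections:
            sections[-1][2].setdefault(tokens[1], []).append(' '.join(tokens[2:]))
    return sections

def intercepted_ports(firewall_text, zone='lan'):
    """Destination ports that DNAT redirect rules catch from `zone` (hijack style)."""
    ports = set()
    for stype, _, opts in parse_uci(firewall_text):
        if (stype == 'redirect' and opts.get('src') == [zone]
                and opts.get('target', ['DNAT'])[0] == 'DNAT'):
            ports.update(opts.get('src_dport', []))
    return ports

def missing_intercepts(firewall_text, zone='lan', wanted=('53', '123')):
    """DNS/NTP ports a client behind `zone` can still send straight past the router."""
    return [p for p in wanted if p not in intercepted_ports(firewall_text, zone)]

def dnsmasq_answers_remote(dhcp_text):
    """True when localservice is '0' (answers non-local subnets such as WG peers)."""
    for stype, _, opts in parse_uci(dhcp_text):
        if stype == 'dnsmasq':
            return opts.get('localservice', ['1'])[0] == '0'
    return False
```

Run it against the real /etc/config/firewall and /etc/config/dhcp text to see which of the two intercepts is still missing on a given router.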