WireGuard DNS does not go through the tunnel

Hello,
I've been struggling with this issue for weeks...

My settings are very similar to that post!
But in my case:

I use a VPS that runs the WireGuard server and the Pi-hole DNS server.
My first problem is that when I'm connected via WireGuard,
I can't reach the server via SSH or ping it from my devices behind my OpenWrt router.
But that's not a big problem, though it may be a solution for my second problem:
In Pi-hole I have the option to answer DNS requests:
only local, only on the wg0 interface, or permit all origins!
The safest way is local and wg0, right? I'm the only one who can send requests via wg0, right...
But if OpenWrt uses my server for DNS, then it only works with the "permit all origins" option.
AND in the Pi-hole web admin GUI
I can see that the DNS request does not come from my router, it comes from my ISP!
That tells me that the DNS request does not go through the tunnel! If it did, then the Pi-hole option "requests via wg0", or maybe "local" (one hop away), should work, and I would be able to see my router in the query log as the requesting device, right...

I hope @trendy is still active in this forum; he must be very familiar with that post. I can't see where my mistake is, or which rule says that the DNS request must go through the wg0 tunnel?
I hope there is a solution... I will post my settings later today...
What is the fastest way to do that, vi /etc/...? Is there a command to copy the entire file?

I'm very happy with this forum; I've been able to solve all my problems here.
This is the first case where older topics didn't bring the solution.
I'm very thankful for every bit of help!
Regards

Maybe you are not routing all traffic via the VPN?

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:


Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall

This might give us some information about what is going on.

Also, does the VPS have a static route for the LAN network of OpenWrt?

Hello,
thanks for the quick answer. Here is my config...

root@OpenWrt:~# ubus call system board

{
	"kernel": "5.10.146",
	"hostname": "OpenWrt",
	"system": "ARMv7 Processor rev 1 (v7l)",
	"model": "Linksys WRT3200ACM",
	"board_name": "linksys,wrt3200acm",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "22.03.2",
		"revision": "r19803-9a599fee93",
		"target": "mvebu/cortexa9",
		"description": "OpenWrt 22.03.2 r19803-9a599fee93"
	}
}

cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd31:860c:5ed5::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option delegate '0'

config device
	option name 'wan'
	option macaddr 'blblblbl'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option peerdns '0'
	list dns 'blblbl(vps server ip[pi hole])'

config interface 'wg0_int'
	option proto 'wireguard'
	option private_key 'blblblblblbl='
	list addresses '10.8.0.2/32'
	option peerdns '0'   

config wireguard_wg0_int
	option description 'USA'
	option public_key 'blblblbbl'
	list allowed_ips '0.0.0.0/0'
	option endpoint_host 'vps server(wireguard server)'
	option endpoint_port '51820'
	option route_allowed_ips '1'

config rule
	option in 'lan'
	option lookup '100'

config route
	option interface 'vpn'
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option table '100'


cat /etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option forward 'REJECT'
	option output 'ACCEPT'
	option name 'wg0_zone'
	option network 'wg0_int'
	option input 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option dest 'wg0_zone'
	option src 'lan'

cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	list server 'vps server(pi hole)'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	list dhcp_option '6,vps server(pi hole)'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

The firewall config was a test; I copy-pasted it from the forum.
There are a lot of rules in there I don't need; if it is important for the solution
I will change it back....

Hello,
good to know you are here. I'm not sure how I do that?
I posted my configs; maybe you see the answer there.
Otherwise please explain to me what I have to do...
Thanks

I see you have enabled policy-based routing. Is that what you want, or do you just want all traffic to go via the VPN?
Can you also show the output of (again use </> pre-formatted text and redact keys etc.):
ip route show
ip route show table 100
ip rule show
wg show

You are masquerading the egress traffic, so the LAN IPs will be converted to the WG interface IP. Therefore there is no need for a static route on the VPS for it to work.
The policy routing is wrong (there is no vpn interface) and is blackholing all your LAN traffic. Remove it and try again.


root@OpenWrt:~# ip route show

default dev wg0_int scope link 
vps server via 192.168.2.1 dev wan 
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1 
192.168.2.0/24 dev wan scope link  src 192.168.2.101 

ip route show table 100
i have no output or maybe no different..

root@OpenWrt:~# ip rule show

0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default 

root@OpenWrt:~# wg show

interface: wg0_int
  public key: pubkey
  private key: (hidden)
  listening port: 51014

peer: pubkey
  endpoint: vps server:51820
  allowed ips: 0.0.0.0/0
  latest handshake: 14 seconds ago
  transfer: 1.76 MiB received, 414.10 KiB sent
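The `ip route show` output above is what decides which interface a DNS query leaves on, and it is worth checking before looking at Pi-hole. The following is an added check, not code from this thread or from OpenWrt: a POSIX sh/awk longest-prefix match over the posted main-table routes. The redacted "vps server" public address is written as the constructed documentation address 198.51.100.10, and the server's tunnel-side address is assumed to be 10.8.0.1 (the thread does not state it). On the posted table, the /32 host route to the endpoint (`vps server via 192.168.2.1 dev wan`) is more specific than `default dev wg0_int`, so a query addressed to the server's public address leaves via wan, while one addressed to its tunnel address leaves via wg0_int.

```shell
#!/bin/sh
# Added example: longest-prefix match over "ip -4 route show" lines, to see which
# interface a packet to a given resolver address leaves on.
# Constructed sample mirroring the thread's posted main table; the redacted
# "vps server" public address is written as 198.51.100.10 (documentation range).
SAMPLE_ROUTES='default dev wg0_int scope link
198.51.100.10 via 192.168.2.1 dev wan
192.168.1.0/24 dev br-lan scope link src 192.168.1.1
192.168.2.0/24 dev wan scope link src 192.168.2.101'

# egress_dev DEST [ROUTES]: print the device the main table selects for DEST,
# or "unreachable" when no route matches. Plain arithmetic instead of bitwise
# operators so it runs under busybox awk as well as gawk/mawk.
egress_dev() {
  printf '%s\n' "${2:-$SAMPLE_ROUTES}" | awk -v dest="$1" '
    function ip2int(s,  o) { split(s, o, "."); return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4] }
    # The top "bits" bits of an address, as an integer.
    function prefix(addr, bits) { return int(addr / (2 ^ (32 - bits))) }
    BEGIN { d = ip2int(dest); best = -1; chosen = "unreachable" }
    /^(local|broadcast) / { next }          # skip table-local entries if pasted in
    {
      if ($1 == "default")          { net = "0.0.0.0"; bits = 0 }
      else if (index($1, "/") > 0)  { split($1, p, "/"); net = p[1]; bits = p[2] + 0 }
      else                          { net = $1; bits = 32 }
      rdev = ""
      for (i = 2; i <= NF; i++) if ($i == "dev") rdev = $(i + 1)
      if (rdev != "" && prefix(ip2int(net), bits) == prefix(d, bits) && bits > best) {
        best = bits; chosen = rdev
      }
    }
    END { print chosen }'
}

# dns_path DNS_SERVER: "tunnel" when the query would leave via wg0_int, else "clear:<dev>".
dns_path() {
  dev=$(egress_dev "$1")
  if [ "$dev" = "wg0_int" ]; then echo "tunnel"; else echo "clear:$dev"; fi
}

# Stand-alone run: the server's public address versus its (assumed) tunnel address 10.8.0.1.
for a in 198.51.100.10 10.8.0.1 1.1.1.1; do
  printf '%-15s -> %s\n' "$a" "$(dns_path "$a")"
done
```

On the router itself, `ip route get <address>` gives the kernel's answer directly; the script reproduces that lookup offline against pasted output, so it can be run on a workstation with the redacted table from a forum post.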

Yeah, my bad, I had read that solution from you and tried it, but it was a totally different topic I think..
Now I have deleted that:

config rule
	option in 'lan'
	option lookup '100'

config route
	option interface 'vpn'
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option table '100'

and after that I ran the commands from @egc,
and the DNS still comes from the ISP.

@trendy's advice should have solved it.

Now everything, including your DNS, should go through the tunnel.

Please check if everything works and then mark @trendy's advice as the solution.

Sorry, so removing the

config rule
	option in 'lan'
	option lookup '100'

config route
	option interface 'vpn'
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option table '100'

was not the fix?
What did @trendy mean, what do I have to do?

Post again the configurations to see the current status:

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; \
uci export dhcp; uci export firewall; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ip -6 addr ; ip -6 ro li tab all ; ip -6 ru; \
ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*

Is it normal that I can't ping my server from the moment I'm connected with wg0?
With Debian and the WireGuard client that didn't happen...
I have read about a subnet problem?? and tried an ip route solution on the WireGuard server:

PostUp = ip rule add table 200 from 203.0.113.5
PostUp = ip route add table 200 default via 203.0.113.1
PreDown = ip rule delete table 200 from 203.0.113.5
PreDown = ip route delete table 200 default via 203.0.113.1

I'm not 100% sure that I had to do that on the server;
I read that in Step 7.

But the problem is still there... maybe you know a solution!
Anyway^^

root@OpenWrt:~# ubus call system board; \
uci export network; \
uci export dhcp; uci export firewall; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ip -6 addr ; ip -6 ro li tab all ; ip -6 ru; \
ls -l /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
{
	"kernel": "5.10.146",
	"hostname": "OpenWrt",
	"system": "ARMv7 Processor rev 1 (v7l)",
	"model": "Linksys WRT3200ACM",
	"board_name": "linksys,wrt3200acm",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "22.03.2",
		"revision": "r19803-9a599fee93",
		"target": "mvebu/cortexa9",
		"description": "OpenWrt 22.03.2 r19803-9a599fee93"
	}
}
package network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd31:860c:5ed5::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option delegate '0'

config device
	option name 'wan'
	option macaddr 'blblblb'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option peerdns '0'
	list dns 'vps server'

config interface 'wg0_int'
	option proto 'wireguard'
	option private_key 'key'
	list addresses '10.8.0.2/32'
	option peerdns '0'

config wireguard_wg0_int
	option description 'USA'
	option public_key 'key'
	list allowed_ips '0.0.0.0/0'
	option endpoint_host 'vps server'
	option endpoint_port '51820'
	option route_allowed_ips '1'

package dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	list server 'vps server'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	list dhcp_option '6,vps server'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

package firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option forward 'REJECT'
	option output 'ACCEPT'
	option name 'wg0_zone'
	option network 'wg0_int'
	option input 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option dest 'wg0_zone'
	option src 'lan'

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
7: wan@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.2.101/24 brd 192.168.2.255 scope global wan
       valid_lft forever preferred_lft forever
11: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
13: wg0_int: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN qlen 1000
    inet 10.8.0.2/32 brd 255.255.255.255 scope global wg0_int
       valid_lft forever preferred_lft forever
default dev wg0_int scope link 
vps server via 192.168.2.1 dev wan 
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1 
192.168.2.0/24 dev wan scope link  src 192.168.2.101 
local 10.8.0.2 dev wg0_int table local scope host  src 10.8.0.2 
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1 
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1 
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1 
broadcast 192.168.1.0 dev br-lan table local scope link  src 192.168.1.1 
local 192.168.1.1 dev br-lan table local scope host  src 192.168.1.1 
broadcast 192.168.1.255 dev br-lan table local scope link  src 192.168.1.1 
broadcast 192.168.2.0 dev wan table local scope link  src 192.168.2.101 
local 192.168.2.101 dev wan table local scope host  src 192.168.2.101 
broadcast 192.168.2.255 dev wan table local scope link  src 192.168.2.101 
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default 
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1508 state UP qlen 1024
    inet6 fe80::6238:e0ff:febc:33d8/64 scope link 
       valid_lft forever preferred_lft forever
7: wan@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::6038:e0ff:febc:33d8/64 scope link 
       valid_lft forever preferred_lft forever
11: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fd31:860c:5ed5::1/60 scope global noprefixroute 
       valid_lft forever preferred_lft forever
    inet6 fe80::6238:e0ff:febc:33d8/64 scope link 
       valid_lft forever preferred_lft forever
fd31:860c:5ed5::/64 dev br-lan  metric 1024 
unreachable fd31:860c:5ed5::/48 dev lo  metric 2147483647 
fe80::/64 dev eth0  metric 256 
fe80::/64 dev br-lan  metric 256 
fe80::/64 dev wan  metric 256 
local ::1 dev lo table local  metric 0 
anycast fd31:860c:5ed5:: dev br-lan table local  metric 0 
local fd31:860c:5ed5::1 dev br-lan table local  metric 0 
anycast fe80:: dev eth0 table local  metric 0 
anycast fe80:: dev br-lan table local  metric 0 
anycast fe80:: dev wan table local  metric 0 
local fe80::6038:e0ff:febc:33d8 dev wan table local  metric 0 
local fe80::6238:e0ff:febc:33d8 dev eth0 table local  metric 0 
local fe80::6238:e0ff:febc:33d8 dev br-lan table local  metric 0 
multicast ff00::/8 dev eth0 table local  metric 256 
multicast ff00::/8 dev br-lan table local  metric 256 
multicast ff00::/8 dev wan table local  metric 256 
multicast ff00::/8 dev wg0_int table local  metric 256 
0:	from all lookup local 
32766:	from all lookup main 
lrwxrwxrwx    1 root     root            16 Oct 14  2022 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            47 Aug 10 11:18 /tmp/resolv.conf
-rw-r--r--    1 root     root            40 Aug 10 11:18 /tmp/resolv.conf.d/resolv.conf.auto

/tmp/resolv.conf.d:
-rw-r--r--    1 root     root            40 Aug 10 11:18 resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error

==> /tmp/resolv.conf.d/resolv.conf.auto <==
# Interface wan
nameserver vps server

The configuration on the OpenWrt side looks fine to me. Are you sure it is correct on the server side too?

This isn't something you should be running on the server side. The server should only have 192.168.1.0/24 and 10.8.0.2/32 as allowed IPs for the OpenWrt peer.

@trendy is the superior authority but I will give my take for what it is worth :slight_smile:

First from earlier posting there is a connection and traffic flowing through the tunnel

It depends on how the server is set up whether you have an outward connection from the server.
For that it needs FORWARD allowed and a masquerading rule, but you can test from a client with:
ping 8.8.8.8 and traceroute 8.8.8.8, or for Windows tracert 8.8.8.8

To connect to the server itself the server has to allow traffic from the WG interface on the INPUT chain, this also applies when you want to SSH into the server from the WG interface

Now on to your DNS:
You have set the address of the VPS server as DNS server in two places; it is not wrong, but confusing and redundant.
I would just set it on the WAN interface.

But first: you are using a DNS server which is only available when the tunnel is up.
This can be problematic, as you can end up in a catch-22 situation.
If you set a URL as endpoint then it cannot be resolved, as you only have DNS after the tunnel is up. If you use an IP address as endpoint you will not have this problem.

But you are not out of the woods yet.
It is possible that the tunnel will not start if your time is too far back (e.g. 1970). WireGuard only needs forward/monotonic time, but in my personal experience it will not start if the time is too far back; that could just be me.
By default (I think) the NTP client only has a URL set, so without DNS it will not work (you might also set an IP address). So I'm not sure if it will work this way, but I am curious about the experience of others; maybe WireGuard just works with a date in 1970?
Anyway, I personally use a hotplug script which sets dnsmasq to an alternate resolv file with only the WG DNS server after the WG interface is up.

But just test it and see if the tunnel is up after a reboot, it just might work.

tomtom396 wrote (post 13):

config interface 'wan'
	list dns 'vps server'

Long story short, I would remove the list server 'vps server' from dnsmasq, and if the WG interface does not start after a reboot, add a good public DNS server, e.g. 9.9.9.9, to the WAN interface.

Your clients will not use this public DNS server at all, as you are using option 6, so that should be good.

About the VPS DNS server: it has to listen on the WG interface to resolve queries coming from your WG client.

So it is possible that a lot of your problems can be attributed to missing settings (Firewall, DNS) on the server side.
Unfortunately I cannot help you with that :frowning:
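egc's hotplug approach, written out as an added example (not egc's own script and not OpenWrt project code): a handler for /etc/hotplug.d/iface/ that, when wg0_int comes up, writes a resolv file holding only the resolver reachable inside the tunnel and points dnsmasq's resolvfile at it, and switches back to OpenWrt's own /tmp/resolv.conf.d/resolv.conf.auto (the file shown in the output posted earlier) when the interface goes down. It assumes the Pi-hole listens on the server's tunnel-side address, written here as 10.8.0.1, which the thread does not state; the uci and dnsmasq calls are skipped where uci is absent so the logic can be exercised off the router.

```shell
#!/bin/sh
# Added example: /etc/hotplug.d/iface/ handler that switches dnsmasq between the
# normal auto-generated resolv file and one holding only the tunnel-side resolver.
# Assumed (not stated in the thread): the Pi-hole listens on the server's tunnel
# address 10.8.0.1.
WG_IFACE="wg0_int"
WG_DNS="${WG_DNS:-10.8.0.1}"
WG_RESOLV="${WG_RESOLV:-/tmp/resolv.conf.d/resolv.conf.wg}"
DEFAULT_RESOLV="/tmp/resolv.conf.d/resolv.conf.auto"   # OpenWrt's own file

# write_wg_resolv FILE SERVER: resolv file with exactly one nameserver line.
write_wg_resolv() {
  printf '# Interface %s (written by hotplug)\nnameserver %s\n' "$WG_IFACE" "$2" > "$1"
}

# point_dnsmasq FILE: repoint dnsmasq's resolvfile. A no-op without uci, so the
# handler can be exercised on a workstation.
point_dnsmasq() {
  command -v uci >/dev/null 2>&1 || return 0
  uci set dhcp.@dnsmasq[0].resolvfile="$1"
  uci commit dhcp
  /etc/init.d/dnsmasq restart
}

# on_iface_event ACTION INTERFACE: hotplug entry point; prints the resolv file
# dnsmasq is now using, or "ignored" for events that are not ours.
on_iface_event() {
  if [ "$2" != "$WG_IFACE" ]; then echo "ignored"; return 0; fi
  case "$1" in
    ifup)
      write_wg_resolv "$WG_RESOLV" "$WG_DNS"
      point_dnsmasq "$WG_RESOLV"
      echo "$WG_RESOLV" ;;
    ifdown)
      rm -f "$WG_RESOLV"
      point_dnsmasq "$DEFAULT_RESOLV"
      echo "$DEFAULT_RESOLV" ;;
    *)
      echo "ignored" ;;
  esac
}

# When OpenWrt's hotplug runs this file, ACTION and INTERFACE are exported.
if [ -n "$ACTION" ] && [ -n "$INTERFACE" ]; then
  on_iface_event "$ACTION" "$INTERFACE"
fi
```

Install it as /etc/hotplug.d/iface/99-wg-dns; OpenWrt runs every file in that directory with ACTION and INTERFACE set. This covers only the resolver side of the catch-22 described above: the endpoint_host still has to be an IP address, otherwise the tunnel cannot come up without working DNS.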

To connect to the server itself the server has to allow traffic from the WG interface on the INPUT chain, this also applies when you want to SSH into the server from the WG interface

Yeah, that was my thought too, but I think with Linux I was able to connect via wg0. Anyway, I will
test it later today with a Linux VM to be 100% sure the problem is not on the server side.

Now on to your DNS:
You have set the address of the VPS server as DNS server in two places; it is not wrong, but confusing and redundant.
I would just set it on the WAN interface.

Yes, that's my "I tried everything I read" config^^ Sorry for that! First I set list dns in config dnsmasq;
after it didn't work I also put it in wan, but you're totally right, that's redundant. I will fix that now!

Thanks for your thoughts on this issue; I read it all 3-4 times...
I really hope there is a solution for it. In the thread I have read 10 times since my first post, I'm not sure
whether he finally found a solution and whether the Android hardcoding really was the problem...
I'm very interested in solving this with OpenWrt; I have 3 devices there that are perfect for OpenWrt...

I have a VPS that is paid for 4 or 5 days; I pay them weekly and use them only for testing.
It is low budget, with 1 or 2 GB RAM I think!
But Pi-hole and WireGuard are doing great.
If we find no solution, or all data says the DNS goes through the tunnel etc.,
I'm happy to share that server with you @egc and @trendy if you want...
Otherwise I will post screenshots from the admin interface or Pi-hole outputs.
I'm 100 percent sure that the DNS goes from me to the ISP and then to my VPS!
But in ping 1.1.1.1 / traceroute I can't see the ISP server... maybe no DNS packets are traced there?
And yeah, I will post the traceroute output later today!

the 192.168.1.0/24

is not in my server config.
I put that in and will reply.

Make sure the firewall on the server allows the INPUT from the WG interface at least. You are able to establish a connection for WG, so the incoming WG packets on the ethernet interface are not blocked.

Hello,
I think I'm much closer to the solution than before.

I didn't tell you that my OpenWrt router is behind a normal router...

I tested with a Debian client; it had a DNS leak too, then I set DNS = vps server in the client config.
Now it uses the VPS DNS server THROUGH WireGuard, and in Pi-hole I'm also able to use the configuration
"only local requests", and I see my local IP in the admin web GUI :smiley:

Now I set DNS = vps server in the OpenWrt WireGuard interface and deleted it in the WAN interface,
similar to the Debian config, but it didn't work; still a leak. Now I've changed back to only list server in the WAN interface.

My test with the Debian client to reach the server when wg0 is up failed too!
But I'm still hopeful!
There is a difference in DNS forwarding between Debian and OpenWrt when WireGuard is installed...
Thanks for helping me!

Use dnsleaktest.com and verify which DNS servers are used instead of the Pi-hole.
Make sure the browser is not using some DoH.
From your config there is no visible leak to another DNS.