I am not sure where else to flag this, so I apologise if this is the wrong place.
I worked through the WireGuard server guide and it seemed to go OK. I could connect my Android phone, get an IP, etc., but name resolution failed: it could not contact the DNS server.
I thought maybe it was a firewall problem or something else, but no. That was all fine. Turns out it was the way dnsmasq was configured (and I think this might be a default setting). "Local Service Only" was enabled and that meant dnsmasq would not serve any request coming in over the WireGuard VPN. Once I disabled that, all was fine.
As I was a bit paranoid about having a DNS server open to the world should I have something else misconfigured, I added "lan" and "vpn" to the "Listen interfaces" option of dnsmasq.
It might be worth adding something to the wiki pages about the need to check the dnsmasq configuration.
Unfortunately not, using "192.168.9.1" the error is the same:
Mon Nov 16 20:14:28 2020 daemon.warn dnsmasq[10215]: Ignoring query from non-local network
I still need to perform the other configurations.
As long as you don't open the DNS port on the wan interface, this shouldn't be a problem. The local service in dnsmasq is basically ignoring anything with a hop more than 1.
But my first point remains. The documents as they stand do not let a WireGuard client use the router's DNS. I am not sure if I am meant to log a defect or something against the wiki page, hence why I made this post.
My problem is solved, but the next person might hit the same thing.
Make sure you can reproduce the issue and post the output redacting the private parts:
ubus call system board; uci show network; uci show firewall; uci show dhcp; \
ip address show; ip route show table all; ip rule show; iptables-save; \
head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*; \
netstat -l -n -p | grep -e dnsmasq
I just spent an hour of debugging with the same problem twistedLucidity had. It turned out that I configured the WireGuard interface with a /32 netmask. Configuring it with a /16 mask fixed the problem and dnsmasq accepts VPN addresses as local again.
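
Why a /32 netmask on the VPN interface produces "Ignoring query from non-local network" while a wider mask does not, as an added example that is not part of any post in this thread: dnsmasq's local-service option accepts queries only from addresses on a subnet of a local interface, and the script applies that test to constructed `ip -o -4 address show` output. The device names, the LAN address 192.168.1.1/24 and the peer address 192.168.9.2 are assumptions.

```shell
#!/bin/sh
# Added example: models dnsmasq's "Local Service Only" rule, which answers a
# query only if the source address is inside a local interface's subnet.

# Constructed sample data in the format of `ip -o -4 address show` (trimmed).
# Device names and the 192.168.1.1/24 LAN address are assumptions.
SAMPLE_SLASH32='1: lo    inet 127.0.0.1/8 scope host lo
5: br-lan    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
9: vpn    inet 192.168.9.1/32 scope global vpn'
SAMPLE_SLASH16='1: lo    inet 127.0.0.1/8 scope host lo
5: br-lan    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
9: vpn    inet 192.168.9.1/16 scope global vpn'

# ip2int A.B.C.D -> prints the address as a 32-bit integer
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet CLIENT_IP ADDR/PREFIX -> succeeds if CLIENT_IP is in that subnet
in_subnet() {
    client=$(ip2int "$1")
    net=$(ip2int "${2%/*}")
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( client & mask )) -eq $(( net & mask )) ]
}

# is_local CLIENT_IP  (interface list on stdin)
# Prints the device whose subnet contains the client, or fails if none does.
is_local() {
    while read -r _idx ifname family cidr _rest; do
        [ "$family" = inet ] || continue
        if in_subnet "$1" "$cidr"; then echo "$ifname"; return 0; fi
    done
    return 1
}

# A VPN peer at 192.168.9.2 (constructed) against both interface layouts.
for sample in "$SAMPLE_SLASH32" "$SAMPLE_SLASH16"; do
    if dev=$(printf '%s\n' "$sample" | is_local 192.168.9.2); then
        echo "192.168.9.2: answered, local to $dev"
    else
        echo "192.168.9.2: ignored as non-local"
    fi
done
```

On a router, the output of `ip -o -4 address show` can be piped into `is_local` in place of the sample to check a real peer address before deciding whether to widen the mask or disable "Local Service Only".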