Hi there,
I configured Wireguard server on my Mikrotik Router.
The WireGuard interface has the IP address 10.0.0.0/24.
My peer has the IP 10.0.0.50/24.
I would like the WG peer to be able to access services on one of my VLANs (192.168.10.0/24) and to use the DNS server on that VLAN (192.168.10.254).
This is because my DNS server (Pi-hole) also acts as the local DNS.
The WG tunnel works: peer 10.0.0.50 can reach local services by IP, but not by DNS name.
I also have another peer, a VPS in the cloud, that I would like to reach (e.g. via SSH) through the WG tunnel (VLAN → WG tunnel → VPS).
Please note that in the firewall rules there is also another WG server, running on a virtual machine, that uses port 55820.
This is my configuration:
# 2024-10-04 11:14:38 by RouterOS 7.13.2
# software id = V3NG-AA16
#
# model = RB3011UiAS
# serial number = xxxxxxxx
# Single bridge with VLAN filtering; every bridge port below admits tagged frames only.
/interface bridge
add name=bridge1 protocol-mode=none vlan-filtering=yes
# WireGuard server on udp/55840 (accepted on the input chain further down).
# The second WG server on udp/55820 is not on this router: it is reached through dst-nat (see /ip firewall nat).
/interface wireguard
add listen-port=55840 mtu=1420 name=wireguard_server
/interface vlan
add interface=bridge1 name=vlan_guest vlan-id=20
add interface=bridge1 name=vlan_home vlan-id=4
add interface=bridge1 name=vlan_iot vlan-id=10
add interface=bridge1 name=vlan_mgmt vlan-id=99
/interface list
add name=wan
add name=vlan
add name=mgmt
/ip pool
add name=home_dhcp_pool ranges=192.168.2.64-192.168.2.249
add name=iot_dhcp_pool ranges=192.168.10.64-192.168.10.199
add name=guest_pool ranges=192.168.20.100-192.168.20.110
add name=mgmt_pool ranges=192.168.0.100-192.168.0.110
/ip dhcp-server
add address-pool=home_dhcp_pool interface=vlan_home lease-time=1d name=\
home_dhcp
add address-pool=iot_dhcp_pool interface=vlan_iot lease-time=1d name=iot_dhcp
add address-pool=guest_pool interface=vlan_guest name=guest_dhcp
add address-pool=mgmt_pool interface=vlan_mgmt name=mgmt_dhcp
/port
set 0 name=serial0
# All bridge ports reject untagged ingress.
# NOTE(review): ether10 is also listed as untagged for VLAN 99 in /interface bridge vlan below;
# with frame-types=admit-only-vlan-tagged, untagged frames arriving on ether10 would still be
# dropped — confirm the device on ether10 tags VLAN 99 itself, or relax frame-types on that port.
/interface bridge port
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether2
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether3
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether4
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether5
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether6
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether7
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether8
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether9
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether10
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=sfp1
# Neighbor discovery (and the MAC server at the end of the file) is limited to the mgmt list.
/ip neighbor discovery-settings
set discover-interface-list=mgmt
/interface bridge vlan
add bridge=bridge1 tagged=\
bridge1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,sfp1 \
vlan-ids=4
add bridge=bridge1 tagged=\
bridge1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,sfp1 \
vlan-ids=10
add bridge=bridge1 tagged=\
bridge1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,sfp1 \
vlan-ids=20
add bridge=bridge1 tagged=\
bridge1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,sfp1 \
untagged=ether10 vlan-ids=99
# NOTE: wireguard_server is not a member of any interface list, so list-based firewall rules
# (e.g. "VLAN Internet Access only" on the forward chain) do not apply to tunnel traffic.
/interface list member
add interface=ether1 list=wan
add interface=vlan_mgmt list=vlan
add interface=vlan_home list=vlan
add interface=vlan_iot list=vlan
add interface=vlan_guest list=vlan
add interface=vlan_mgmt list=mgmt
# Only one peer is present in this export; the VPS peer described in the question is not defined here.
# allowed-address is a /32, so only packets sourced from 10.0.0.50 are accepted from this peer.
# The client-* fields are used when the router generates the client configuration; the DNS server the
# phone really uses is whatever its WireGuard profile contains — verify it is 192.168.10.254 and not
# the router or 1.1.1.1 (neither knows the Pi-hole's local names).
# The peer's private key is stored on the router and is part of every export; handle exports as secrets.
/interface wireguard peers
add allowed-address=10.0.0.50/32 client-address=10.0.0.50/32 client-dns=\
192.168.10.254 client-endpoint=93.42.74.148 comment="Pixel 6a" \
endpoint-port=55840 interface=wireguard_server private-key=\
"xxxxxxxx" public-key=\
"xxxxxxxx"
/ip address
add address=192.168.0.1/24 interface=vlan_mgmt network=192.168.0.0
add address=192.168.2.1/24 interface=vlan_home network=192.168.2.0
add address=192.168.10.1/24 interface=vlan_iot network=192.168.10.0
add address=192.168.20.1/24 interface=vlan_guest network=192.168.20.0
# NOTE(review): 10.0.0.0 is the network address of 10.0.0.0/24; the router's tunnel end normally
# carries a host address such as 10.0.0.1/24. The question says IP traffic through the tunnel works,
# so this is unconventional rather than proven broken — confirm it is intended.
add address=10.0.0.0/24 interface=wireguard_server network=10.0.0.0
/ip dhcp-client
add interface=ether1 use-peer-dns=no
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1
add address=192.168.2.0/24 dns-server=192.168.2.254,192.168.2.253 gateway=\
192.168.2.1
add address=192.168.10.0/24 dns-server=192.168.10.254 gateway=192.168.10.1
add address=192.168.20.0/24 caps-manager=0.0.0.0 dns-server=1.1.1.1 gateway=\
192.168.20.1
# The router's own resolver forwards to 1.1.1.1 only, so it cannot answer the Pi-hole's local names.
# allow-remote-requests=yes is reachable only where the input chain accepts the query: from the vlan
# list, vlan_mgmt and the tunnel source range; the final input drop blocks it from WAN.
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
# Input chain: specific accepts followed by "Drop everything else".
# Forward chain: note the rule order — established/related is evaluated after the specific rules,
# and the last rule drops all remaining forward traffic (see the notes on each rule).
/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related" \
connection-state=established,related
add action=accept chain=input comment=\
"Allow WireGuard to establish connection" dst-port=55840 protocol=udp
# NOTE(review): this matches on source address only, with no interface match; adding
# in-interface=wireguard_server would limit full router access to packets that actually arrived
# through the tunnel.
add action=accept chain=input comment=\
"Allow access from WireGuard Peer to network" src-address=10.0.0.0/24
# Covers tunnel -> IoT VLAN, including DNS to 192.168.10.254 by IP. No other VLAN is reachable from the tunnel.
add action=accept chain=forward comment="Allow WireGuard to access VLAN IoT" \
dst-address=192.168.10.0/24 src-address=10.0.0.0/24
# Allows new connections from the IoT VLAN into the whole 10.0.0.0/24 tunnel range (VLAN -> tunnel -> peer).
add action=accept chain=forward comment="Allow VLAN IoT to Access WireGuard" \
dst-address=10.0.0.0/24 src-address=192.168.10.0/24
add action=accept chain=input comment="Allow vlan" in-interface-list=vlan
add action=accept chain=input comment="Allow Base_Vlan Full Access" \
in-interface=vlan_mgmt
add action=accept chain=forward comment="Allow VLAN Home to access VLAN IoT" \
in-interface=vlan_home out-interface=vlan_iot
# Pairs with the dst-nat rule below: WAN -> VM 192.168.10.35 on udp/55820 (the second WG server).
add action=accept chain=forward comment=\
"Allow Wireguard traffic to internet - LXC" dst-port=55820 \
in-interface-list=wan out-interface=vlan_iot protocol=udp
# NOTE(review): dst-port="" and src-port="" are empty matchers, so this rule accepts ALL TCP from
# 192.168.10.10 to 192.168.2.76, not only RDP; set dst-port=3389 if RDP is the intent.
add action=accept chain=forward comment=\
"Allow Bastion PC to access PC-Federico via RDP" dst-address=192.168.2.76 \
dst-port="" protocol=tcp src-address=192.168.10.10 src-port=""
add action=drop chain=input comment="Drop everything else"
# Established/related is only checked after the specific rules above; placing it first is the usual
# layout and saves evaluating those rules for every packet of an existing connection.
add action=accept chain=forward comment="Allow Estab & Related" \
connection-state=established,related
# Internet access is granted to the 'vlan' list only; tunnel peers get no internet through this router
# (a full-tunnel client would need an equivalent rule for wireguard_server).
add action=accept chain=forward comment="VLAN Internet Access only" \
connection-state=new in-interface-list=vlan out-interface-list=wan
# No connection-state=invalid matcher here: this drops every forward packet not accepted above,
# i.e. it is the default deny for the forward chain despite its comment.
add action=drop chain=forward comment="Drop Invalid Connection"
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" \
out-interface-list=wan
# Publishes the second WG server (VM at 192.168.10.35) on udp/55820; log=yes logs each matching packet.
add action=dst-nat chain=dstnat comment="Wireguard Server" dst-port=55820 \
in-interface-list=wan log=yes log-prefix=wg protocol=udp to-addresses=\
192.168.10.35
# NOTE(review): gateway is empty and routing-table shows an unresolved reference (*400); this looks
# like a stale entry left from a deleted routing table — confirm and remove it if unused.
/ip route
add disabled=no distance=10 dst-address=0.0.0.0/0 gateway="" routing-table=\
*400 scope=30 suppress-hw-offload=no target-scope=10
/lcd
set backlight-timeout=10m
/system clock
set time-zone-name=Europe/Rome
/system identity
set name="Router RB3011"
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=ntp1.inrim.it
add address=ntp2.inrim.it
add address=time.inrim.it
add address=pool.ntp.org
# MAC-based access (MAC-telnet / MAC-WinBox) is limited to the mgmt list.
/tool mac-server
set allowed-interface-list=mgmt
/tool mac-server mac-winbox
set allowed-interface-list=mgmt
Thank you in advance for your help!