I’m running Unbound on a VPS (Alpine Linux) with both Tailscale (/dev/tailscale0) and a WireGuard client to a commercial VPN (/dev/wg0). In short, it accepts connections from Tailscale and routes them over the VPN.

I have Unbound configured on the VPS responsible for sending DNS queries over TLS DNS. It queries through the VPN using outgoing-interface: with the client 172. IP from WireGuard.

The problem is I’d very much like to forward queries for a zone to my router at home. I’ve got it to work but only if I completely remove outgoing-interface. This is obviously not ideal.

It looks like Unbound isn’t in a hurry to support this — do any workarounds come to mind?

  • catloaf@lemm.ee · 5 hours ago

    In what way is it not working?

    I suppose you could create a stub zone in unbound with the NS record set to the home DNS server. As long as routing is working correctly, you shouldn’t need to specify an interface.

    If that doesn’t work, maybe try a different DNS server with more powerful configuration.

    • undefined@links.hackliberty.org (OP) · 1 hour ago

      The problem is I need Unbound to send queries via one network interface (the VPN) while the specific zone needs to be routed through another.

      • catloaf@lemm.ee · 26 minutes ago

        Is this a response to my question or suggestions, or are you just restating your original post? I understood your scenario just fine.

  • just_another_person@lemmy.world · 5 hours ago

    This is a very confusing setup, and I’m not sure what the intent or end goal is here, but it sounds like you just want split-tunneling for a specific subnet that puts traffic where you want it to go.

    The problem with this is that you need something specific to differentiate traffic because source won’t be enough: DNS, IP subnet, origin port, etc. VLANs won’t work with Wireguard, and I’m not sure you want to go down the rabbit hole of trying to tag other traffic if you’re not sure what it is.

    • undefined@links.hackliberty.org (OP) · 5 hours ago

      I’m almost at the point where I want to create a virtual interface that just has rules that say “if going to 192.168.143.1 use /dev/tailscale0” and then have a default route to /dev/wg0.

      I’m not a professional but my current Tailscale + VPN setup has been extremely nice for the past year.

      • just_another_person@lemmy.world · 5 hours ago

        You’re describing split tunneling. If you’re unfamiliar, just look it up. It’s how most VPNs in workplaces are deployed when you only want specific access to specific things. Just need to change the route rules in your Wireguard config, and set the correct forwarding.

        • undefined@links.hackliberty.org (OP) · 1 hour ago

          I know what split tunneling is, but I have my routing set up exactly as I’d like.

          The issue here is that Unbound seems unable to send queries to one forwarding zone using a specific interface/IP address and sending queries to a second forwarding zone using a completely different interface/IP address.
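One workaround for the limitation the thread ends on (outgoing-interface is a server-wide setting, not a per-forward-zone one) is to run two Unbound instances: a front instance with no outgoing-interface that forwards the home zone straight to 192.168.143.1 and everything else to a second instance on loopback, which is the only one pinned to the WireGuard address. This is an added example, not configuration posted by anyone in the thread; the Tailscale address 100.64.0.5, the WireGuard address 172.16.0.2, the zone name home.example and the DoT upstream 203.0.113.53 are placeholders to replace with your own values.

```conf
# Front instance (/etc/unbound/unbound.conf): listens on the Tailscale side and
# deliberately has NO outgoing-interface, so the kernel's routing table decides
# how to reach 192.168.143.1 (via tailscale0, as it already does today).
server:
    interface: 100.64.0.5            # placeholder: the VPS's Tailscale address
    access-control: 100.64.0.0/10 allow   # Tailscale's CGNAT range
    do-not-query-localhost: no       # needed to forward to the second instance
    private-domain: "home.example"   # lets this zone return RFC1918 addresses
                                     # if private-address is configured

forward-zone:                        # the home zone, straight to the router
    name: "home.example"             # placeholder zone name
    forward-addr: 192.168.143.1

forward-zone:                        # everything else -> second instance
    name: "."
    forward-addr: 127.0.0.1@5353

# Second instance (/etc/unbound/unbound-vpn.conf): only reachable from
# loopback and pinned to the WireGuard address with outgoing-interface, so
# all of its upstream DoT traffic leaves through wg0.
server:
    interface: 127.0.0.1@5353
    access-control: 127.0.0.0/8 allow
    pidfile: "/run/unbound-vpn.pid"  # must differ from the main instance's
    outgoing-interface: 172.16.0.2   # placeholder: the WireGuard client address
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt

forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 203.0.113.53@853#dot.example   # placeholder DoT resolver
```

Validate each file with `unbound-checkconf <file>` and start the second instance with `unbound -c /etc/unbound/unbound-vpn.conf`; the front instance keeps using the default config path.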