Wireguard full tunnel DNS(?) problems

I’m trying to make a full tunnel work with Wireguard on pfSense and a Windows computer. The computer can access the tunnel and get to my servers using IP addresses, but not using the server FQDNs. (I’ve set them up using HAProxy with a wildcard certificate.) I can ping, but can’t reach Websites using domains. In these cases the failure message is that the DNS address could not be found.
The Netgate instructions include: " All traffic may be associated with a peer by using for IPv4 or ::/0 for IPv6, but this won’t work for a tunnel with multiple peers. Only the last peer in the list will be configured properly." So I’ve removed my phone as a peer for the tunnel, but still get the same result.
I did not create a separate interface for Wireguard. I’m using Unbound as my DNS server. The general settings for DNS Resolver do not show an interface for Wireguard. However, the “Access Lists” tab includes an entry showing the tunnel network.
The Windows Wireguard app has the DNS server set to my pfSense interface (
In pfSense, I’ve tried to direct all DNS queries to Unbound. I have this rule in Firewall/NAT/PortForward:

And these rules in Firewall/Rules/WireGuard:

I assume this is a problem of getting Unbound to respond to DNS queries from the remote peer, but I’m at a loss of what else to do. Any suggestions will be apprecieated.

If you use another DNS server (let’s say, then can you reach websites using domains?

Spectre, good idea. When I change the DNS server in the “client” and disable the two rules above, I am able to reach internet Web sites. But obviously not my local servers using their FQDNs. I left the rules disabled and changed back to my pfSense address and can’t reach anything requiring DNS. For some reason, Unbound does not service DNS requests coming through the tunnel.

Solved by watching a video from Christian McDonald. The change was to the settings in the peer (client) app. I set the DNS address to the tunnel address ( rather than my pfSense address.