Wireguard and Unbound

The new PostUp rules work for me without the extra access-control line in my unbound conf! Great digging, thanks for troubleshooting with us!!


No, thank you, both of you, for sticking along to help us to better understand the issue.

I'm not sure how we deal with your PR, Blockhead. It could be that it will be closed now that the underlying cause has been found and can be addressed. Regardless, we appreciate your time and effort you've put in to make Pi-hole a better experience.

As it turns out that our Wireguard docs have been at fault here, I think we can manage to fix that. :wink:

I did have a few other suggestions in the PR to the docs, from what I recall, for issues that tripped a novice like me up. Please take what you like from them when correcting the docs. It is in your good hands.

Hi, this was very useful. Helped me get wireguard working with all traffic forwarded. This is on a vanilla install of 64 bit bookworm on a pi4 with a clean install of pihole and unbound (following the guides precisely).

The wireguard nftables in the official guide are still outdated/don't work - Bucking_Horn's work perfectly - thanks for that.

n.b. my pi sits behind my router, with only the wireguard port forwarded - I didn't see the point of having ufw on for this use case. I see in the pull request Blockhead made there were some notes for ufw - think these might be useful to include as well.

Just wanted to re-iterate that the official pi-hole guide on unbound (Make local devices accessible - Pi-hole documentation) does not contain this fix.

Using the PostUp rules from this post fixed it for me.
BTW, can anyone share the PostDown part, or isn't it required?
Thank you.

I just used the same post down rules in the guide. I believe the "name" given to the rules/table is wireguard so should still work (non-expert here)

You could do the same check to verify they are gone after wireguard is down:
sudo nft list table ip wireguard; sudo nft list table ip6 wireguard