AXT-1800 not passing all traffic through VPN

Setup:
NetGate pfSense router at home.
Using a GL-iNet AXT-1800 travel router with 4.8.2 firmware.

I can use either Tailscale or WireGuard VPN to connect to the home router.
When I connect via either VPN I have full access to the home LAN.
What I am seeing is that the filters/rules from the home router are not being applied to the devices on the travel router.
How do I tell the travel router/OS to use the DNS servers from my Home LAN instead of public DNS servers when connected to create the tunnel? I know I need the public DNS servers to get connected, but I have not figured out how to have it use VPN DNS servers when connected.

Hi

When using Tailscale, you’ll need to manually go to Admin Panel → Network → DNS and set the DNS to the Tailscale address of your Netgate pfSense. This may not be convenient, as it won’t switch automatically.

Alternatively, you can check whether Netgate pfSense has a feature similar to our “Override DNS Settings for All Clients,” which would automatically redirect DNS requests.


When using WireGuard, you can add a DNS entry (pointing to the Netgate pfSense WireGuard IP) in the exported WireGuard profile from Netgate pfSense. This configuration will automatically take effect when the VPN is enabled/disabled, so it’s generally the recommended approach.

[Interface]
Address = xxxx
PrivateKey = xxxx
DNS = xxx #<-- Add this configuration 
MTU = 1420

[Peer]
AllowedIPs = 0.0.0.0/0,::/0
Endpoint = xxxx
PersistentKeepalive = 25
PublicKey = xxx

Also, make sure to disable “Allow Custom DNS to Override VPN DNS” under Admin Panel → Network → DNS.


In addition, for both methods, you may need to configure Netgate pfSense to allow remote clients to send DNS queries over the VPN. We’re not certain whether this is enabled by default or requires additional setup, so you may need to consult Netgate pfSense support for that part.
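
Added example, not part of the original reply or GL.iNet's tooling: a small POSIX shell/awk check that a WireGuard client profile carries the DNS line described above, and is otherwise complete, before it is imported on the travel router. The addresses, hostname and key placeholders in the sample profile are constructed.

```shell
# check_wg_profile [FILE]: lint a WireGuard client profile (file or stdin).
# Prints one finding per line, or "OK" when nothing is flagged.
check_wg_profile() {
    awk '
    { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }   # drop comments, trim
    /^\[/ { section = tolower($0); next }              # [Interface] or [Peer]
    /=/ {
        eq = index($0, "=")                            # split on the first "=" only
        key = tolower(substr($0, 1, eq - 1)); val = substr($0, eq + 1)
        gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        conf[section "." key] = val
    }
    END {
        n = 0
        if (conf["[interface].dns"] == "")
            msg[++n] = "no DNS in [Interface]: clients keep using the pre-VPN resolvers"
        if (conf["[peer].publickey"] == "")
            msg[++n] = "empty PublicKey in [Peer]: the peer cannot be authenticated"
        if (conf["[peer].endpoint"] == "")
            msg[++n] = "empty Endpoint in [Peer]: no server to dial"
        allowed = "," conf["[peer].allowedips"] ","
        gsub(/[ \t]/, "", allowed)
        if (index(allowed, ",0.0.0.0/0,") == 0)
            msg[++n] = "AllowedIPs is not full-tunnel: confirm it covers the DNS address"
        if (n == 0) print "OK"
        for (i = 1; i <= n; i++) print msg[i]
    }' "$@"
}

# Constructed sample profile; $1 is an optional extra [Interface] line.
sample_profile() {
    cat <<EOF
[Interface]
Address = 10.6.210.2/32
PrivateKey = CONSTRUCTED-PLACEHOLDER=
$1
MTU = 1420

[Peer]
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = vpn.example.net:51820
PersistentKeepalive = 25
PublicKey = CONSTRUCTED-PLACEHOLDER=
EOF
}

sample_profile | check_wg_profile                      # reports the missing DNS line
sample_profile "DNS = 10.6.210.1" | check_wg_profile   # prints OK
```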

Awesome!! Thanks for the tips!!
They both work! Too bad that Tailscale couldn’t switch from normal public DNS to Tailscale DNS in an automatic way. A few more things to test.. This was a leaps and bounds process for me..

THANK YOU!!

I thought I had this working.. I actually had the Tailscale client enabled, on the laptop..
Under WireGuard Client info:
I’m getting this message in the log:

Sun Mar 1 20:04:19 2026 daemon.notice netifd: Interface 'wgclient1' is setting up now
Sun Mar 1 20:04:20 2026 daemon.warn dnsmasq[16648]: no servers found in /tmp/resolv.conf.d/resolv.conf.wgclient1, will retry
Sun Mar 1 20:04:20 2026 daemon.info dnsmasq[16648]: read /tmp/hosts/dhcp.wgclient1 - 4 names
Sun Mar 1 20:04:20 2026 daemon.info dnsmasq[16646]: read /tmp/hosts/dhcp.wgclient1 - 4 names
Sun Mar 1 20:06:10 2026 user.notice wireguard-debug: USER=root ifname=wgclient1 ACTION=REKEY-GIVEUP SHLVL=1 HOME=/ HOTPLUG_TYPE=wireguard LOGNAME=root DEVICENAME= TERM=linux SUBSYSTEM=wireguard PATH=/usr/sbin:/usr/bin:/sbin:/bin PWD=/
Sun Mar 1 20:06:13 2026 daemon.notice netifd: Interface 'wgclient1' is now down
Sun Mar 1 20:06:13 2026 daemon.notice netifd: Interface 'wgclient1' is setting up now
Sun Mar 1 20:06:14 2026 user.notice firewall: Reloading firewall due to ifdown of wgclient1 ()

This is my current WireGuard client tunnel modified from the pfSense box:

[Interface]
Address = xx.x.xxx.x/32
PrivateKey = xxxx
DNS = xxx.xx.xx.x
MTU = 1420

[Peer]
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = xxxx:51820
PersistentKeepalive = 25
PublicKey =

Can’t access any device on the VPN Tunnel
I can still get to the internet

Under Tailscale:
Connect,
Change DNS:
Can’t access any device on the VPN Tunnel
I can still get to the internet

I wanted to check the /tmp/hosts/dhcp.wgclient file, but ssh was not working. I know the password of the router, but nothing was letting me in (have not checked the forums yet).

More of an update.. I did reset the router.
I can SSH to the router. I was using the wrong username.

I’m connected via Tailscale.
I did set DNS to the LAN/Router IP address
Now I can ping the router and a printer.
Can’t web to a printer via an IP address.
Tunnel web pages don’t work (like the printer). Internet works.
My ADs stop showing up, but the boxes they are in do.

I have yet to get WireGuard to work at all
Under WireGuard,
I have tried specifying the IP address, using 0.0.0.0 for allowed IP address.
I do have WireGuard 1.94.2

At this point, I’m pretty clueless….

Regarding WireGuard:

The WireGuard logs on the AXT1800 indicate that it may not be able to connect to the server.

You can refer to this guide to check whether the WireGuard VPN server on your NetGate pfSense has been configured correctly:

You can also try exporting the configuration file to another device (such as a phone) and test it using a different network (e.g., cellular data) to verify whether it works as expected.

Regarding Tailscale:

Since ping is working normally, it suggests that Tailscale is running.

Have you checked the firewall settings on your NetGate pfSense? Specifically, whether it allows the AXT1800’s subnet (default: 192.168.8.0/24) to access those devices?

(As we are not very familiar with NetGate pfSense, we’re unable to provide detailed configuration guidance.)
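
Added example, not from the thread or from GL.iNet: a shell/awk pass over the router's system log that groups, per interface, the three signals visible in the log posted earlier (dnsmasq finding no servers in the tunnel's resolv file, the wireguard-debug `REKEY-GIVEUP` event, and netifd taking the interface down). The sample lines are constructed in the same format, and the verdict labels are this example's own.

```shell
# wg_log_triage [FILE]: summarise WireGuard client trouble per interface
# from syslog text (file or stdin). One line per interface.
wg_log_triage() {
    awk -v q="'" '
    / netifd: Interface / {                       # name sits between the quotes
        split($0, p, q); ifc = p[2]; seen[ifc] = 1
        if ($0 ~ /is now down/) down[ifc]++
    }
    / dnsmasq\[/ && /no servers found/ && match($0, /resolv\.conf\.d\/resolv\.conf\.[^, ]+/) {
        ifc = substr($0, RSTART + 26, RLENGTH - 26)  # text after the 26-char prefix
        seen[ifc] = 1; nodns[ifc]++
    }
    /wireguard-debug:/ && /ACTION=REKEY-GIVEUP/ && match($0, /ifname=[^ ]+/) {
        ifc = substr($0, RSTART + 7, RLENGTH - 7)
        seen[ifc] = 1; giveup[ifc]++
    }
    END {
        for (ifc in seen) {
            # A failed handshake outranks DNS: no tunnel means no tunnel DNS either.
            if (giveup[ifc] > 0)     v = "handshake-failing"
            else if (nodns[ifc] > 0) v = "no-tunnel-dns"
            else                     v = "no-fault-seen"
            printf "%s giveup=%d down=%d dns_missing=%d verdict=%s\n",
                   ifc, giveup[ifc], down[ifc], nodns[ifc], v
        }
    }' "$@" | sort
}

# Constructed sample log in the format shown in the thread.
sample_log() {
    cat <<'EOF'
Mon Jan 5 10:00:01 2026 daemon.notice netifd: Interface 'wgclient1' is setting up now
Mon Jan 5 10:00:02 2026 daemon.warn dnsmasq[2101]: no servers found in /tmp/resolv.conf.d/resolv.conf.wgclient1, will retry
Mon Jan 5 10:01:52 2026 user.notice wireguard-debug: USER=root ifname=wgclient1 ACTION=REKEY-GIVEUP HOTPLUG_TYPE=wireguard
Mon Jan 5 10:01:55 2026 daemon.notice netifd: Interface 'wgclient1' is now down
Mon Jan 5 10:01:55 2026 daemon.notice netifd: Interface 'wgclient1' is setting up now
EOF
}

sample_log | wg_log_triage
```

A `handshake-failing` verdict points at the endpoint, keys or the server-side firewall rather than at DNS settings, which matches the suggestion above to test the same profile from another device.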

My understanding of WireGuard is simple. I’m better at Tailscale, but that does not work either.
My config is simple mostly keys rules. Netgate enabled them. I have opened a new ticket there.

Here is the Netgate/pfSense info..
WireGuard Remote Access VPN Configuration Example | pfSense Documentation

I did install WireGuard on my laptop. It is tethered on my iPhone and it also failed.
Tailscale comes right up on my laptop. I can ping devices with no issue.

So basically nothing works for VPN on the GL-1800.

Could you please clarify this point?

Generally speaking, the home router (NetGate pfSense) should have the public IP address, so it would act as the VPN server.

If the WireGuard profile exported from NetGate pfSense cannot be used on your laptop + iPhone tethering after configuration, then the issue is likely on the NetGate pfSense side and you may need to seek assistance from their support.

Or is the situation that the device with the public IP address (or the one exposing the WireGuard server port to the internet via port forwarding) is the AXT1800, and it is currently running as the WireGuard VPN server?