Custom VPN-only DNS is used before it is available when using WireGuard
I'm trying to set up systemd-resolved to be able to finally use my WireGuard VPN without having wg-quick racing with NetworkManager. Unfortunately I'm having a weird issue.
My NetworkManager configuration is as follows (unimportant/private lines elided):
[connection]
id=VPN
type=wireguard
interface-name=wg0
[wireguard-peer....]
endpoint=<hostname>:<port>
allowed-ips=xx.xx.xx.1/24
[ipv4]
address1=xx.xx.xx.xx/24
dns=xx.xx.xx.yy;
dns-priority=-1
dns-search=~;
method=manual
never-default=true
Without being connected:
# resolvectl
Global
Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported
resolv.conf mode: stub
Link 2 (wlp3s0)
Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported
Current DNS Server: aa.aa.aa.1
DNS Servers: aa.aa.aa.1
DNS Domain: ~.
When trying to connect, the DNS is set up correctly, but before the WireGuard link is established. Unfortunately, this means that the IP of the WireGuard peer cannot be resolved:
# nmcli c up VPN
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/7)
# resolvectl
Global
Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported
resolv.conf mode: stub
Link 2 (wlp3s0)
Current Scopes: LLMNR/IPv4 LLMNR/IPv6
Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported
Link 12 (wg0)
Current Scopes: DNS
Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported
Current DNS Server: xx.xx.xx.yy
DNS Servers: xx.xx.xx.yy
DNS Domain: ~.
# wg show
interface: wg0
public key: ....
private key: (hidden)
listening port: ...
peer: ....
preshared key: (hidden)
allowed ips: xx.xx.xx.0/24
persistent keepalive: every 25 seconds
If I remove dns-search and dns-priority entirely, the custom DNS is not used at all and the link works fine (but I don't get internal DNS):
# resolvectl
Global
Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported
resolv.conf mode: stub
Link 2 (wlp3s0)
Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported
Current DNS Server: aa.aa.aa.1
DNS Servers: aa.aa.aa.1
DNS Domain: ~.
Link 11 (wg0)
Current Scopes: none
Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported
# wg show
interface: wg0
public key: ...
private key: (hidden)
listening port: ...
peer: .....
preshared key: (hidden)
endpoint: <external ip>:<port>
allowed ips: xx.xx.xx.0/24
latest handshake: 1 second ago
transfer: 124 B received, 180 B sent
persistent keepalive: every 25 seconds
How can I solve this?
For reference, wg-quick appears to resolve the WireGuard peer's IP before doing anything, then sets the resolved IP statically when setting up the link. I assume NetworkManager will do roaming if the IP changes, but I can totally live without it in my case.
Versions:
# resolvectl --version
systemd 247 (247.2-1-arch)
+PAM +AUDIT -SELINUX -IMA -APPARMOR +SMACK -SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +ZSTD +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=hybrid
# NetworkManager --version
1.26.4-1
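As an added diagnostic (not part of the question and not code from NetworkManager or systemd): a small Python script that reads the profile keyfile, the `resolvectl` output and the `wg show` output and reports the deadlock the question shows, i.e. the peer endpoint is a hostname, the only DNS scope with `+DefaultRoute` sits on `wg0`, and `wg show` has no endpoint or handshake yet. The embedded inputs are constructed to mirror the redacted outputs above; the hostname `vpn.example.invalid`, the `10.0.0.0/24` addresses, the port and the `*_PLACEHOLDER` keys are all placeholders.

```python
"""Pre-flight check for the NetworkManager + systemd-resolved race from the question.

All sample inputs below are constructed: addresses, hostname and keys are placeholders.
"""
import ipaddress
import re
from configparser import ConfigParser

# Constructed keyfile mirroring the question's profile (dns-search=~ and dns-priority=-1).
KEYFILE = """\
[connection]
id=VPN
type=wireguard
interface-name=wg0

[wireguard-peer.PEER_PUBLIC_KEY_PLACEHOLDER]
endpoint=vpn.example.invalid:51820
allowed-ips=10.0.0.1/24

[ipv4]
address1=10.0.0.5/24
dns=10.0.0.2;
dns-priority=-1
dns-search=~;
method=manual
never-default=true
"""

# Constructed `resolvectl` output after `nmcli c up VPN`: only wg0 has a DNS scope.
RESOLVECTL_AFTER_UP = """\
Global
  Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported
  resolv.conf mode: stub

Link 2 (wlp3s0)
  Current Scopes: LLMNR/IPv4 LLMNR/IPv6
  Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported

Link 12 (wg0)
  Current Scopes: DNS
  Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported
  Current DNS Server: 10.0.0.2
  DNS Servers: 10.0.0.2
  DNS Domain: ~.
"""

# Constructed `wg show` output in the stuck state: no endpoint line, no handshake.
WG_SHOW_AFTER_UP = """\
interface: wg0
  public key: LOCAL_PUBLIC_KEY_PLACEHOLDER
  private key: (hidden)
  listening port: 51820

peer: PEER_PUBLIC_KEY_PLACEHOLDER
  preshared key: (hidden)
  allowed ips: 10.0.0.0/24
  persistent keepalive: every 25 seconds
"""


def parse_keyfile(text):
    """Return the VPN-relevant settings from a NetworkManager keyfile."""
    cp = ConfigParser(interpolation=None)
    cp.read_string(text)
    peer = next(s for s in cp.sections() if s.startswith("wireguard-peer."))
    host, _, port = cp[peer]["endpoint"].rpartition(":")
    ipv4 = cp["ipv4"]
    return {
        "interface": cp["connection"].get("interface-name", ""),
        "endpoint_host": host.strip("[]"),  # tolerate [v6]:port endpoints
        "endpoint_port": int(port),
        "dns": [d for d in ipv4.get("dns", "").split(";") if d],
        "dns_priority": int(ipv4.get("dns-priority", "0")),
        "dns_search": [d for d in ipv4.get("dns-search", "").split(";") if d],
    }


def endpoint_needs_dns(host):
    """True when the endpoint is a name, so the tunnel can only come up after a lookup."""
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        return True


def parse_resolvectl(text):
    """Map link name -> {'scopes': [...], 'default_route': bool} from `resolvectl` output."""
    links, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Link \d+ \((\S+)\)", line.strip())
        if m:
            current = links.setdefault(m.group(1), {"scopes": [], "default_route": False})
            continue
        if current is None:  # still in the Global block
            continue
        key, _, value = line.strip().partition(":")
        if key == "Current Scopes":
            current["scopes"] = [s for s in value.split() if s != "none"]
        elif key == "Protocols":
            current["default_route"] = "+DefaultRoute" in value.split()
    return links


def tunnel_established(wg_show_text):
    """True when `wg show` reports a resolved endpoint and a completed handshake."""
    return "endpoint:" in wg_show_text and "latest handshake:" in wg_show_text


def diagnose(keyfile_text, resolvectl_text, wg_show_text):
    """Return findings explaining why the endpoint lookup cannot succeed (empty = fine)."""
    cfg = parse_keyfile(keyfile_text)
    findings = []
    if not endpoint_needs_dns(cfg["endpoint_host"]):
        return findings  # literal IP endpoint: nothing to resolve, no race possible
    links = parse_resolvectl(resolvectl_text)
    wg = links.get(cfg["interface"], {"scopes": [], "default_route": False})
    if "DNS" in wg["scopes"] and wg["default_route"] and not tunnel_established(wg_show_text):
        findings.append(
            f"endpoint {cfg['endpoint_host']} must be resolved, but the only DNS scope is on "
            f"{cfg['interface']} (+DefaultRoute) and the tunnel has no handshake yet: deadlock"
        )
    if "~" in cfg["dns_search"] and cfg["dns_priority"] < 0:
        findings.append(
            "dns-search=~ with a negative dns-priority makes this link the exclusive resolver, "
            "so the uplink cannot answer the endpoint lookup while the VPN is activating"
        )
    return findings


if __name__ == "__main__":
    for finding in diagnose(KEYFILE, RESOLVECTL_AFTER_UP, WG_SHOW_AFTER_UP):
        print("FINDING:", finding)
```

Replacing the embedded strings with the real `resolvectl` and `wg show` output (and the real keyfile) turns this into a quick way to confirm the stuck state before changing the profile; a profile whose endpoint is a literal IP produces no findings, which matches the wg-quick behaviour described in the question.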