
libnmc-base: don't set DNS priority when importing WireGuard connections

This is actually trying too hard to prevent DNS leaks, breaking normal expected use of split DNS. Let systemd-resolved handle sending our DNS queries to the right place instead.

It's true that NetworkManager is trying to emulate the behavior of wg-quick here, and wg-quick uses 'resolvconf -x' to attempt to set "exclusive" DNS. But with systemd-resolved this is implemented by setting a . routing domain for the WireGuard interface. That is a really big hammer already, since Domain=. overrides +DefaultRoute, ensuring most DNS queries can only go to other interfaces with Domain=~. NetworkManager follows systemd-resolved's recommended convention by only applying Domain=~. to other "privacy VPNs" since 1.26.6. Setting DNS priority only prevents domain-specific "leaks", which are almost always desired. For example, it prevents using both the WireGuard VPN and a corporate VPN at the same time.

Note that all of the justification behind !688 applies here as well.

Fixes #585
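As an added illustration of the split-DNS argument made in the description (not code from NetworkManager or systemd), the Python model below approximates systemd-resolved's longest-suffix routing of queries to links and NetworkManager's "exclusive" DNS priority. The link names, routing domains and query names are constructed, and the routing rules are a deliberate simplification of what resolved actually does.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Link:
    name: str
    # routing domains as resolved spells them: "~." catches everything, "~corp.example" one zone
    routing: list = field(default_factory=list)
    default_route: bool = False
    exclusive: bool = False  # models NM dns-priority < 0: other links' DNS config is dropped


def _match_len(name: str, domain: str) -> Optional[int]:
    """Suffix length if `name` falls under routing `domain`, else None (simplified rule)."""
    dom = domain.lstrip("~").strip(".")
    if dom == "":
        return 0  # "~." matches every name, with the weakest possible match
    if name == dom or name.endswith("." + dom):
        return len(dom)
    return None


def apply_nm_priority(links):
    """What NetworkManager hands to resolved: an exclusive link hides all the others."""
    exclusive = [l for l in links if l.exclusive]
    return exclusive if exclusive else links


def route_query(name: str, links):
    """Link names resolved would send a query for `name` to (longest matching domain wins)."""
    scored = []
    for link in links:
        lens = [m for m in (_match_len(name, d) for d in link.routing) if m is not None]
        if lens:
            scored.append((max(lens), link.name))
    if scored:
        best = max(s for s, _ in scored)
        return [n for s, n in scored if s == best]
    return [l.name for l in links if l.default_route]  # nothing matched: +DefaultRoute links


def scenario(wg_exclusive: bool):
    """Constructed setup: LAN uplink, a corporate VPN with split DNS, a WireGuard privacy VPN."""
    links = [
        Link("eth0", default_route=True),
        Link("tun0", routing=["~corp.example"]),
        Link("wg0", routing=["~."], exclusive=wg_exclusive),
    ]
    visible = apply_nm_priority(links)
    return {q: route_query(q, visible) for q in ("intranet.corp.example", "example.org")}
```

With the exclusive priority the corporate name is routed to wg0 because tun0's DNS configuration never reaches resolved; without it, ~corp.example wins for that name while ~. on wg0 still captures everything else, including queries that eth0's +DefaultRoute would otherwise have taken.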
