Wireguard DNS issue upon boot

I’m having a DNS issue when auto-connecting to a WG server: when I boot my machine, a connection is made, but it seems name resolution isn’t working.

Using Network Manager or wg-quick, if I disconnect and reconnect to the server, then DNS starts working.

DNS is provided through the WireGuard tunnel.

The problem occurs whether I use Network Manager or wg-quick to auto-connect to the VPN.

resolv.conf…

nameserver 10.0.0.1
nameserver 9.9.9.9
nameserver 2a0e:1c80:1337:1:10::1

Network topology is dirt simple: PC > router > ONT

systemd-resolved service is running

Is wireguard-tools installed?

yessir

Anyone else, please?

If you want to use systemd-resolved, you can’t use the /etc/resolv.conf file. It will create conflicts. See the Arch Wiki on how to set up systemd-resolved:
https://wiki.archlinux.org/title/Systemd-resolved#DNS

But since it is not always predictable which DNS Server is used by systemd-resolved, you might not want to use it in the first place.

If you disable systemd-resolved, create a /etc/resolv.conf with the DNS servers you want to use. The nameserver entries are not used at random: only if the first entry fails is the next one tried. If your VPN doesn’t support IPv6, do not add an IPv6 DNS server address. For other reasons, you might not want to add an IPv6 DNS server in general.
If you use NetworkManager, configure it to not touch your DNS configuration. Do not do something stupid like setting the immutable flag on /etc/resolv.conf.
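As an added illustration of the points in the reply above (this script is not from anyone in this thread), the POSIX shell below checks a resolv.conf text for the two pitfalls just described, shows which nameserver the resolver actually queries first, and writes the NetworkManager drop-in that stops NM from rewriting DNS settings. The sample resolv.conf contents are constructed to mirror the one posted earlier; the drop-in directory is a parameter so the script can run anywhere (on a real host it would be /etc/NetworkManager/conf.d), and the only NetworkManager setting it relies on is `dns=none` in the `[main]` section. Whether the tunnel carries IPv6 is passed in as an argument rather than detected.

```shell
#!/bin/sh
# Added example, not code from this thread or from any of its posters.
# Checks a resolv.conf text for the pitfalls discussed above:
#   * it points at the systemd-resolved stub (127.0.0.53) while you are
#     editing resolv.conf by hand -> the two configurations conflict
#   * it lists an IPv6 nameserver although the WireGuard tunnel has no IPv6
# and reports which nameserver the resolver will actually query first.
# It also writes the NetworkManager drop-in (dns=none under [main]) that
# tells NM to leave DNS alone; the drop-in directory is a parameter.

# Constructed sample mirroring the resolv.conf posted in this thread.
SAMPLE_RESOLV_CONF='nameserver 10.0.0.1
nameserver 9.9.9.9
nameserver 2a0e:1c80:1337:1:10::1'

# Constructed sample of a resolv.conf managed by systemd-resolved.
STUB_RESOLV_CONF='nameserver 127.0.0.53
options edns0 trust-ad'

# The resolver queries nameservers in order; later entries are only used
# when the earlier one times out, so the first one is what matters.
first_nameserver() {
    printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2; exit }'
}

# List nameserver entries that are IPv6 addresses (they contain a colon).
ipv6_nameservers() {
    printf '%s\n' "$1" | awk '$1 == "nameserver" && index($2, ":") > 0 { print $2 }'
}

# True when resolv.conf hands everything to the systemd-resolved stub.
uses_resolved_stub() {
    printf '%s\n' "$1" | grep -q '^nameserver[[:space:]][[:space:]]*127\.0\.0\.53'
}

# Print one line per problem found.
# $1 = resolv.conf text, $2 = "yes" or "no": does the VPN tunnel carry IPv6?
check_resolv_conf() {
    conf=$1
    vpn_ipv6=$2
    if uses_resolved_stub "$conf"; then
        echo "resolv.conf points at systemd-resolved (127.0.0.53); configure DNS via resolved, not by editing this file"
    fi
    if [ "$vpn_ipv6" = "no" ]; then
        for ns in $(ipv6_nameservers "$conf"); do
            echo "IPv6 nameserver $ns listed, but the tunnel carries no IPv6; drop it"
        done
    fi
}

# Number of problems, printed on stdout (a non-zero exit status would
# abort callers running under set -e).
count_resolv_problems() {
    check_resolv_conf "$1" "$2" | wc -l | tr -d ' '
}

# Write the NetworkManager drop-in telling NM not to touch DNS.
# $1 = drop-in directory (use /etc/NetworkManager/conf.d on a real host).
# Prints the path of the file written.
write_nm_dns_none() {
    mkdir -p "$1"
    printf '[main]\ndns=none\n' > "$1/dns-none.conf"
    echo "$1/dns-none.conf"
}

# Demo run on the constructed samples.
echo "first nameserver queried: $(first_nameserver "$SAMPLE_RESOLV_CONF")"
check_resolv_conf "$SAMPLE_RESOLV_CONF" no
check_resolv_conf "$STUB_RESOLV_CONF" yes
```

Run it as-is to see the checks against the constructed samples; to check a real machine, replace the sample text with `$(cat /etc/resolv.conf)` and pass "no" when the WireGuard config has no IPv6 address in its AllowedIPs or Address lines. The drop-in only takes effect after NetworkManager is restarted.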

This has gotten all messed up: I can connect to a WG server but now cannot ping an IP or domain.

$ nmcli
enp34s0: connected to Linksys Router
"Realtek RTL8111/8168/8211/8411"
ethernet (r8169), EA:EC:50:06:A1:D7, hw, mtu 1500
ip4 default
inet4 192.168.1.100/24
route4 192.168.1.0/24 metric 100
route4 default via 192.168.1.1 metric 100

azirevpn-us-mia: connected to azirevpn-us-mia
"azirevpn-us-mia"
wireguard, sw, mtu 1420
inet4 10.0.68.200/32
route4 default metric 50
inet6 fe80::6c0b:9209:9e48:b4ed/64
inet6 2a0e:1c80:1337:1:10:0:68:200/128
route6 default metric 50
route6 2a0e:1c80:1337:1:10:0:68:200/128 metric 50
route6 fe80::/64 metric 1024

lo: connected (externally) to lo
"lo"
loopback (unknown), 00:00:00:00:00:00, sw, mtu 65536
inet4 127.0.0.1/8
inet6 ::1/128

DNS configuration:
servers: 10.0.0.1 91.231.153.2
interface: azirevpn-us-mia
type: vpn

servers: 2a0e:1c80:1337:1:10::1
interface: azirevpn-us-mia
type: vpn

servers: 9.9.9.9 192.168.1.1
interface: enp34s0

$ sudo wg show
interface: azirevpn-us-mia
public key: dGDr6up8mbh6Hu1ghgPToZyU5ViKkX5NTVBODJom02I=
private key: (hidden)
listening port: 48385
fwmark: 0xcc55

peer: 7U3kXuo8v1OgwRTpDArh4eOB3bl2G165eQq8uvFr118=
endpoint: 45.92.19.136:51820
allowed ips: 0.0.0.0/0, ::/0
transfer: 0 B received, 444 B sent

What did you do?

That’s the $20k question 🙂

I kept using the same WG server/peer for testing (the configs are auto-generated by the website). I just now tried another peer, and WG is working.

Nevertheless, I still can’t resolve domains when using NM to auto-connect to a WG server. I have to disconnect, then reconnect, so I’m essentially back to square one.

Another thing I noticed is that if I set my router connection to auto-connect to a peer in NM, then I have NO connections on boot; however, if I disable that and set auto-connect for any one of the specific WG peer items in NM, then my router connection works (but I can’t ping anything, as described).