Wireguard, NetworkManager, systemd-resolved and DNS leaks

Set up a wireguard client, they said, it will be easy, they said.

Wrong.

I have disabled and masked systemd-resolved as suggested in various posts even in this forum.

I have put the VPN provider’s DNS into /etc/resolv.conf

I have set NetworkManager to do nothing with regards to DNS (adding dns=none in the NetworkManager.conf file)

When bringing the wireguard interface up using wg-quick, I get an error saying:
Failed to set DNS configuration: Could not activate remote peer 'org.freedesktop.resolve1': activation request failed: unknown unit

which aborts the operation altogether

No idea what causes it but since I already want manual DNS configuration, no big deal, I just removed the DNS line in the wireguard configuration file and ran wg-quick up again.

This time it worked. I get connectivity. Thinking I have completed my goal, I was quick to declare victory.

But this is where I get stuck. Webpages can’t seem to resolve quickly. I type in google.com and sometimes it loads instantly, sometimes it just fails to load altogether. I have switched all kinds of proxies and DNSoverHTTPS in the settings, so it is not the browser.
I type in resolvectl query google.com and bang, I get the same error as before (prior to removing the DNS line from the wireguard config):

google.com: resolve call failed: Could not activate remote peer 'org.freedesktop.resolve1': activation request failed: unknown unit

well guess what, I shouldn’t have stopped systemd-resolved because apparently now everything just breaks.

But what about setting custom DNS and not letting my system override it with whatever my network gateway spits?

moderation: removed ranting

I don’t think anyone has ever suggested masking systemd-resolved as a workaround for having DNS issues - on the contrary - if you want VPN to function properly it is better to use systemd-resolved than using openresolv.

It also appears from your topic that when you have disabled systemd-resolved then wireguard refuses to run - suggesting that the advice to mask systemd-resolved is bad advice when using wireguard.

Yes. But I disabled it because I would end up getting my DNS overridden by my router. In any case, I got it to work with systemd-resolved but only partially. I am now getting random issues with resolvectl query hanging.
Query times out. No idea what is causing it. One minute it works, the next it does not.

Here is what I did:

I put the wireguard config in /etc/wireguard

/etc/resolv.conf is an actual file
added to /etc/NetworkManager/NetworkManager.conf :

[main]
dns=none

As for /etc/resolv.conf just added:

nameserver my.vpn.dns.server

Added the following to /etc/systemd/resolved.conf :

[Resolve]
DNS=VPN'sDNS
FallbackDNS=
Domains=~.
DNSOverTLS=no

For simplicity purposes, I want global DNS settings and not link-specific ones:
the next step would be to make sure that link-specific DNS settings are gone.

told systemd-resolved to ignore dhcp-pushed DNS:

resolvectl dns INTERFACENAME VPN.DNS.IP
resolvectl domain INTERFACENAME ~.
systemctl restart systemd-resolved

after that I ran:
nmcli connection modify INTERFACENAME ipv4.ignore-auto-dns yes
do the same for IPv6:
nmcli connection modify INTERFACENAME ipv6.ignore-auto-dns yes

systemctl restart NetworkManager
systemctl restart systemd-resolved

Again, after messing with wg-quick up and down it works but after a few minutes when connected to the VPN it just gets stuck. No webpages load. I have added PreUp and PostDown commands to my wg conf that change the /etc/systemd/resolved.conf DNS to either VPN’s DNS or Cloudflare. But I don’t think that is relevant.

Did you remove openresolv? If not I suggest you do - it can generate stupid issues - like overwriting /etc/resolv.conf with dhcp acquired nameservers.

I have not installed openresolv. I have systemd-resolvconf instead. I tried switching mDNS off as I found some warnings in the journal but still running into the same issue. This is on a freshly-installed and updated Manjaro. I have only installed wireguard. Once I connect to the VPN server, I get connectivity and no leaks for like 2-3 minutes. Then it just stops working with no warning or anything.

I rebooted the system. Connected to the VPN. Running resolvectl query manjaro.org works now, but only the first time does it take data from the network; the rest of the time it shows it is resolving from cache. Fair enough, but there is no connection when I open the browser - it just times out.

I tried pinging 1.1.1.1 but I got no reply, 100% packet loss, so it does not appear the issue is with DNS. It just randomly drops connectivity, some 1-2 minutes after bringing the wireguard interface up. Weird.

another edit: I think I got it, it seems the killswitch in the wg config file was causing this. Ever since commenting it out, I get connectivity.

But if you didn’t remove it - then it is there - as a default Manjaro uses openresolv - not systemd-resolved.

Yes - that is the intended function of the kill switch - if the VPN drops - you lose connection and the kill switch prevents the system from falling back to the system connection.

I have the latest release downloaded directly from manjaro.org a few days ago.
It may have been a recent change but Manjaro definitely does not come with openresolv anymore.

pacman -Rns openresolv:
error: target not found: openresolv

As for the killswitch, the connection with the VPN server doesn’t drop. The behaviour is always the same - always a minute or two after connecting everything else just goes awol. wg show does show connection however so there’s that.

I have noticed that

ip route show

doesn’t show the wg interface at all. I have to manually add it but then I am not sure how. Obviously I have to delete it each time the interface goes down.

I managed to add it to PostUp and PreDown rules in the wg config so I got it going. Of course, the problem didn’t entirely go away.

The behaviour I noticed is, I run wg-quick up, then type in ping 1.1.1.1, I get a response (every now and then it drops packets), but the moment I open firefox and type in the URL of some website, all hell breaks loose and ping starts dropping packets like crazy. It sometimes recovers and the website actually loads, other times it just goes kaput until I restart the interface. Oh, and I also get the limited connectivity notification.
It’s just very unstable. But I don’t believe it is the server. The moment I switch the killswitch off, I don’t get DNS leaks or anything meaning that if the connection was indeed unstable, in those brief moments, I would leak my ISP IP, no?

Oh and restarting systemd-resolved while the VPN interface is up re-adds the default via routergateway dev eth0 entry in the routing table, which is the default route straight through my adapter, and now I have two default routes. How blissful.
Again, automation where I don’t want it and no automation where I want it.
I guess systemd really is a piece of…
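The two things that keep biting in this thread are DNS servers lingering on a non-tunnel link (the DHCP-pushed resolver that resolved will happily use) and a second default route appearing in the main table. The script below is an added example, not from the thread, from Manjaro or from the WireGuard project: it audits the host after `wg-quick up` using the text of `resolvectl status` and `ip route show`. The tunnel name `wg0`, the link names and every address in the embedded sample output are constructed; pass `live` as the first argument to run it against the real commands instead.

```shell
#!/bin/sh
# Post-connect leak audit for a wg-quick tunnel on a systemd-resolved host.
# Added example (not from the thread). Checks:
#   1. DNS: no link other than the tunnel still carries DNS servers, and the
#      tunnel link owns the catch-all "~." routing domain.
#   2. Routes: the main table holds exactly one default route.
# The tunnel name and all sample addresses below are assumed/constructed.

WG_IF="${WG_IF:-wg0}"   # assumed tunnel interface name

# stdin: `resolvectl status` text. Prints each non-tunnel link that still has
# "DNS Servers:" configured; each one is a potential leak path. Counts only the
# first line of a wrapped multi-server list.
dns_leak_links() {
  awk -v wg="$1" '
    function flush() { if (link != "" && link != wg && servers > 0) print link; link = ""; servers = 0 }
    /^Link [0-9]+ \(/ { flush(); match($0, /\(.*\)/); link = substr($0, RSTART + 1, RLENGTH - 2); next }
    link != "" && /DNS Servers:/ { servers = NF - 2 }
    END { flush() }
  '
}

# stdin: `resolvectl status` text. Succeeds only if the tunnel link lists "~."
# as a routing domain, i.e. resolved sends every query to the tunnel's server.
wg_owns_catchall() {
  awk -v wg="$1" '
    /^Link [0-9]+ \(/ { match($0, /\(.*\)/); link = substr($0, RSTART + 1, RLENGTH - 2) }
    link == wg && /DNS Domain:/ { for (i = 3; i <= NF; i++) if ($i == "~.") found = 1 }
    END { exit found ? 0 : 1 }
  '
}

# stdin: `ip route show` (main table) text. Prints the device of every default route.
default_route_devs() {
  awk '$1 == "default" { for (i = 1; i < NF; i++) if ($i == "dev") print $(i + 1) }'
}

# $1 = resolvectl status text, $2 = ip route text, $3 = tunnel name.
# Prints findings; returns 0 only when all checks are clean.
audit() {
  rc=0
  leaks=$(printf '%s\n' "$1" | dns_leak_links "$3")
  if [ -n "$leaks" ]; then
    echo "DNS: links outside $3 still have resolvers: $leaks"; rc=1
  fi
  if ! printf '%s\n' "$1" | wg_owns_catchall "$3"; then
    echo "DNS: $3 does not own the ~. routing domain"; rc=1
  fi
  ndef=$(printf '%s\n' "$2" | default_route_devs | awk 'END { print NR }')
  if [ "$ndef" -ne 1 ]; then
    echo "ROUTE: $ndef default routes in main table (expected exactly 1)"; rc=1
  fi
  return $rc
}

# Constructed sample output in the shape of real resolvectl/ip output; it shows a
# LAN link that still has a DHCP resolver and a duplicated default route.
SAMPLE_STATUS='Global
       Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub

Link 2 (eth0)
    Current Scopes: DNS
         Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.1.1
       DNS Servers: 192.168.1.1

Link 3 (wg0)
    Current Scopes: DNS
         Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 10.64.0.1
       DNS Servers: 10.64.0.1
        DNS Domain: ~.'
SAMPLE_ROUTES='default via 192.168.1.1 dev eth0 proto dhcp metric 100
default via 192.168.1.1 dev eth0 proto static
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20'

if [ "${1:-}" = "live" ]; then
  audit "$(resolvectl status)" "$(ip route show)" "$WG_IF" || echo "audit: problems found"
else
  audit "$SAMPLE_STATUS" "$SAMPLE_ROUTES" "$WG_IF" || echo "audit: problems found (sample data)"
fi
```

With a full-tunnel config (`AllowedIPs = 0.0.0.0/0`), wg-quick does not put its default route in the main table; it installs one in table 51820 and selects it with an `ip rule` on the fwmark, so `ip route show` looking unchanged is expected and `ip route show table all` shows the tunnel route. The route check therefore only asks that the main table still has a single default entry, which is exactly what the restarted resolver/NetworkManager combination above violated.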

My guess is you have already uninstalled it at some point.

pacman -Qs openresolv
openresolv  3.13.2-2 [Installed]
    resolv.conf management framework (resolvconf)
pacman -Ss openresolv
extra/openresolv 3.13.2-2 [Installed]
    resolv.conf management framework (resolvconf)

I was not aware - apparently we have ditched openresolv - I have not investigated when.

Am working on a manjaro installation from 12.2024 at the moment - there systemd-resolvconf is installed - and I do know that I did not touch this at all.

Nope, on a fresh install, at least for the KDE-plasma iso, neither openresolv nor systemd-resolvconf are installed. I manually installed systemd-resolvconf at a later point but now I deleted it as well.

Interestingly, this machine uses openresolv; likely since the system was originally installed some years ago.

If systemd-resolved is now default, it must only have been as from a comparatively recent ISO release; perhaps late 2024.