Hello all,
I don’t know how many of you are using wireguard on a Linux client, but I found an interesting problem as it relates to DNS and was wondering if anyone had any solutions that they could point me to that would be better than the hacky workaround that I have put together.
The Problem
My wg-easy client config file looks like so:
[Interface]
PrivateKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=
Address = 10.8.0.2/24
DNS = 10.63.0.222
[Peer]
PublicKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=
PresharedKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 0
Endpoint = wg.mydomain.com:51820
As you can see, it sets the DNS server to 10.63.0.222, which works fine generally as my /etc/resolv.conf file gets overwritten to:
# Generated by resolvconf
nameserver 10.63.0.222
… which results in dig commands coming back from my internal DNS server.
However, I found that as soon as I would run any docker compose up commands, my /etc/resolv.conf file was getting reset back to using the stub resolver at 127.0.0.53, which resulted in my computer using the DNS server handed down to me from the DHCP server at this remote location (not ideal).
The Workaround
As a hacky workaround, I found that I could run some commands to manually reconfigure my systemd resolver to set the IP address of my internal server. I do this like so:
# the drop-in directory does not exist on a fresh install, so create it first.
sudo mkdir -p /etc/systemd/resolved.conf.d
# sudo only needs to apply to tee (the process that writes the file), not to echo.
sudo tee /etc/systemd/resolved.conf.d/wireguard.conf >/dev/null <<'EOF'
[Resolve]
DNS=10.63.0.222
Domains=~.
EOF
# resolved.conf drop-ins are not unit files, so a restart of the service is enough to pick them up.
sudo systemctl restart systemd-resolved
This must be done after having successfully made the VPN connection.
When I have finished with the VPN connection, I need to reset things back to how they were by removing the config file and restarting the resolver service like so:
# change DNS back to how it used to be.
sudo rm -f /etc/systemd/resolved.conf.d/wireguard.conf
sudo systemctl restart systemd-resolved
To make life easy, I put the whole lot in a single script that makes the connection, updates the DNS, and ties up the console until I press ctrl-c, which then shuts down the connection and returns DNS to how it was before. I do this in a tmux session (through byobu).
#!/bin/bash
CONF=/path/to/vpns/connection-name/client.conf
DROPIN=/etc/systemd/resolved.conf.d/wireguard.conf

# Shut down the VPN connection and change DNS back to how it used to be.
cleanup() {
    wg-quick down "$CONF"
    sudo rm -f "$DROPIN"
    sudo systemctl restart systemd-resolved
}

# wg-quick re-executes itself with sudo when not already root.
wg-quick up "$CONF" || exit 1
# From here on, run the cleanup however the script ends (ctrl-c on watch included).
trap cleanup EXIT

# configure systemd to use the wireguard connected DNS server.
sudo mkdir -p "$(dirname "$DROPIN")"
sudo tee "$DROPIN" >/dev/null <<'EOF'
[Resolve]
DNS=xxx.xxx.xxx.xxx
Domains=~.
EOF
sudo systemctl restart systemd-resolved

# Tie up the console with stats about the connection, until I press ctrl-c.
watch -n 1 sudo wg show
# We get here after pressing ctrl-c; the EXIT trap then runs cleanup.
Question
Is there some way to configure wg-quick to perform the systemd DNS configuration work, which would feel less hacky? It would be better from the point of view of having the one DNS server IP set just once in the wg-quick client configuration, rather than me having to duplicate it in my workaround script as well.
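One way to keep the DNS setting inside the wg-quick file, as an added example and not the poster's own config: wg-quick runs PostUp/PreDown commands as root with %i replaced by the interface name, and resolvectl attaches the DNS server and the ~. routing domain to that link inside systemd-resolved rather than writing /etc/resolv.conf, so a later rewrite of that file to the 127.0.0.53 stub does not lose the setting. This assumes systemd-resolved is the active resolver (the stub address in the post suggests it is) and that resolvectl is installed; the key material and endpoint are the placeholders from the post.

```ini
[Interface]
PrivateKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=
Address = 10.8.0.2/24
# No DNS= line: wg-quick would pass it to resolvconf, which is what rewrote /etc/resolv.conf.
# Register the server on this link only; %i expands to the interface name (e.g. "client").
PostUp = resolvectl dns %i 10.63.0.222
# Send every lookup to this link, the same effect as Domains=~. in the resolved.conf drop-in.
PostUp = resolvectl domain %i ~.
# Drop the per-link settings before the interface is removed.
PreDown = resolvectl revert %i

[Peer]
PublicKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=
PresharedKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 0
Endpoint = wg.mydomain.com:51820
```

After wg-quick up, resolvectl status shows whether the wg link lists 10.63.0.222 as its DNS server and ~. as a DNS domain. Because the settings are link-scoped, systemd-resolved also discards them when wg-quick deletes the interface, so the PreDown line is only there for tidiness.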