I’ve been using F37 for a while since it was released and Wireguard was working fine.
This happens right after the latest update yesterday.
My laptop Wireguard config:
PrivateKey = redacted
Address = 10.1.0.12/24
DNS = 126.96.36.199, 188.8.131.52
PublicKey = redacted
PresharedKey = redacted
Endpoint = redacted
AllowedIPs = 10.1.0.0/24
PersistentKeepalive = 25
If I change the AllowedIPs to 0.0.0.0/0, it works. But I do not want to route everything to Wireguard.
You specify nameservers for the wireguard link, but you do not allow them in AllowedIPs.
If you watch the output of wg-quick, you will see that resolvconf is called with argument “-x”, which means that DNS gets preferred via the wg0 link. Which is not possible.
So ping 184.108.40.206 works, dig @220.127.116.11 works, but resolvectl query domainname and all normal DNS queries do not work because systemd-resolved binds to wg0 to access 18.104.22.168. So if you want to access the nameservers via wireguard, add them to AllowedIPs or remove the DNS statement and specify the nameservers in /etc/systemd/resolved.conf.
Thank you very much for your explanation and for helping me solve my problem.
Things are back to normal. Much appreciated.
One question for education purposes @hmmsjan: why did it work previously, though?
Did something change in the OS, or is it a bug that has only just been fixed in the last update?
I do not know the exact version history, could be NetworkManager, systemd-resolved or wireguard. Key is “DNS Domain = ~.” in resolvectl, specifying a link for global DNS lookup. According to https://blogs.gnome.org/mcatanzaro/2020/12/17/understanding-systemd-resolved-split-dns-and-vpn-configuration/
there has been a change in NetworkManager preventing DNS leaks, so specifying nameservers that are not accessible for a VPN causes DNS to fail instead of falling back to the normal DNS servers. This should have been happening before.
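The two answers above boil down to one check: every nameserver listed under DNS must be reachable through the tunnel, which for wg-quick means it must fall inside some AllowedIPs prefix. The following script is an added example, not code from the thread or from the WireGuard project. It parses a wg-quick style config, reports nameservers that no AllowedIPs prefix covers, and optionally appends /32 (or /128) host routes for them, the first of the two fixes hmmsjan suggests. The sample configs are constructed from the laptop config in the thread (keys and endpoint redacted as in the post; the [Interface]/[Peer] headers are assumed, since wg-quick requires them but the post omitted them).

```python
import ipaddress

# Constructed sample: the original laptop config from the thread.
ORIGINAL_CONF = """\
[Interface]
PrivateKey = redacted
Address = 10.1.0.12/24
DNS = 126.96.36.199, 188.8.131.52

[Peer]
PublicKey = redacted
PresharedKey = redacted
Endpoint = redacted
AllowedIPs = 10.1.0.0/24
PersistentKeepalive = 25
"""

# Constructed sample: the same config with the full-tunnel AllowedIPs
# the poster tried, which "works" only because 0.0.0.0/0 covers the DNS servers.
FULL_TUNNEL_CONF = ORIGINAL_CONF.replace("AllowedIPs = 10.1.0.0/24", "AllowedIPs = 0.0.0.0/0")


def parse_wg_conf(text):
    """Return (nameserver addresses, AllowedIPs networks) from a wg-quick config.

    Search domains in the DNS line are skipped; multiple [Peer] sections and
    comma-separated values are handled; inline '#' comments are stripped.
    """
    dns, allowed = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values = [v.strip() for v in value.split(",") if v.strip()]
        if key.strip() == "DNS":
            for v in values:
                try:
                    dns.append(ipaddress.ip_address(v))
                except ValueError:
                    pass  # a search domain, not a nameserver address
        elif key.strip() == "AllowedIPs":
            allowed.extend(ipaddress.ip_network(v, strict=False) for v in values)
    return dns, allowed


def unreachable_nameservers(text):
    """Nameservers from DNS= that no AllowedIPs prefix covers.

    With resolvconf -x, systemd-resolved prefers wg0 for all lookups, so any
    nameserver listed here makes normal DNS resolution fail.
    """
    dns, allowed = parse_wg_conf(text)
    return [str(ns) for ns in dns if not any(ns in net for net in allowed)]


def add_nameserver_routes(text):
    """Append host routes for unreachable nameservers to the first AllowedIPs line.

    This is the "add them to AllowedIPs" fix; the alternative is to drop the
    DNS line and configure nameservers in /etc/systemd/resolved.conf instead.
    """
    missing = unreachable_nameservers(text)
    if not missing:
        return text
    extra = ", ".join(f"{ns}/128" if ":" in ns else f"{ns}/32" for ns in missing)
    out, done = [], False
    for raw in text.splitlines():
        body, hash_sign, comment = raw.partition("#")
        if not done and body.strip().startswith("AllowedIPs"):
            raw = body.rstrip() + ", " + extra
            if hash_sign:
                raw += "  " + hash_sign + comment
            done = True
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("unreachable in original config:", unreachable_nameservers(ORIGINAL_CONF))
    print("unreachable with 0.0.0.0/0:", unreachable_nameservers(FULL_TUNNEL_CONF))
    fixed = add_nameserver_routes(ORIGINAL_CONF)
    print("unreachable after adding host routes:", unreachable_nameservers(fixed))
    print(fixed)
```

Run against a real config, the report for the original file names both nameservers, which is exactly the failure described above; after the host routes are added, the tunnel still carries only the 10.1.0.0/24 subnet plus the two resolver addresses, so ordinary traffic is not routed through WireGuard.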