You specify nameservers for the wireguard link, but you do not allow them in AllowedIPs.
If you watch the output of wg-quick, you will see that resolvconf is called with argument “-x”, which means that DNS gets preferred via the wg0 link. Which is not possible.
So ping 8.8.8.8 works, dig @8.8.8.8 works, bur resolvectl query domainname and all normal DNS queries do not work because systemd-resolved binds to wg0 to access 8.8.8.8. So if you wanr to access the nameservers via wireguard, add them to AllowedIP’s or remove the DNS statement and specify the nameservers in /etc/systemd/resolved.conf.
1 Like