I started setup of wg-quick on my Arch Linux desktop PC.
I have configured systemd-networkd and systemd-resolved in a basic setup, meaning everything (IP, gateway and DNS nameserver) is provided by the router (192.168.1.1) via DHCP.
In my router I have configured 2 DNSv4 servers providing DNS-over-TLS and DNS-over-HTTPS; this should work as expected.
Creating config file /etc/wireguard/ivpn-sui.conf was easy; starting wg-quick works w/o problems:
thomas@homer:~
$ sudo wg-quick up ivpn-sui
[#] ip link add ivpn-sui type wireguard
[#] wg setconf ivpn-sui /dev/fd/63
[#] ip -4 address add 172.21.204.65/32 dev ivpn-sui
[#] ip -6 address add fd00:4956:504e:ffff::ac15:cc41/128 dev ivpn-sui
[#] ip link set mtu 1420 up dev ivpn-sui
[#] resolvconf -a ivpn-sui -m 0 -x
[#] wg set ivpn-sui fwmark 51820
[#] ip -6 route add ::/0 dev ivpn-sui table 51820
[#] ip -6 rule add not fwmark 51820 table 51820
[#] ip -6 rule add table main suppress_prefixlength 0
[#] nft -f /dev/fd/63
[#] ip -4 route add 0.0.0.0/0 dev ivpn-sui table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] nft -f /dev/fd/63
Checking the "new" DNS settings shows this:
thomas@homer:~
$ sudo resolvectl status
Global
Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub
Link 2 (enp5s0)
Current Scopes: none
Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Link 3 (enp4s0)
Current Scopes: none
Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Link 4 (br0)
Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.1.1
DNS Servers: 192.168.1.1
Link 6 (ivpn-sui)
Current Scopes: DNS
Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 10.0.254.2
DNS Servers: 10.0.254.2
DNS Domain: ~.
I would say: everything looks good.
However, when I try to do some DNS resolution with resolvectl query google.com I don't get a response.
Instead I can see this in the log of systemd-resolved.service:
Nov 16 18:13:30 homer systemd-resolved[8721]: ivpn-sui: Bus client set DNS server list to: 10.0.254.2
Nov 16 18:13:30 homer systemd-resolved[8721]: ivpn-sui: Bus client set search domain list to: ~.
Nov 16 18:13:37 homer systemd-resolved[8721]: Using degraded feature set UDP instead of UDP+EDNS0 for DNS server 10.0.254.2.
Nov 16 18:13:42 homer systemd-resolved[8721]: Using degraded feature set TCP instead of UDP for DNS server 10.0.254.2.
Nov 16 18:14:02 homer systemd-resolved[8721]: Using degraded feature set UDP instead of TCP for DNS server 10.0.254.2.
Nov 16 18:14:08 homer systemd-resolved[8721]: Using degraded feature set TCP instead of UDP for DNS server 10.0.254.2.
My conclusion is that routing all traffic over WireGuard is not working correctly.
Now it's getting mysterious.
If I start using the IVPN app instead, then name resolution works w/o problems.
However, when I compare the output of sudo resolvectl status it looks very similar to my VPN connection setup with wg-quick.
thomas@homer:~
$ sudo resolvectl status
Global
Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub
Link 2 (enp5s0)
Current Scopes: none
Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Link 3 (enp4s0)
Current Scopes: none
Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Link 4 (br0)
Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.1.1
DNS Servers: 192.168.1.1
Link 7 (wgivpn)
Current Scopes: DNS
Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 10.0.254.2
DNS Servers: 10.0.254.2
DNS Domain: ~.
thomas@homer:~
$ resolvectl query google.com
google.com: 2a00:1450:4001:80e::200e -- link: wgivpn
142.250.185.78 -- link: wgivpn
-- Information acquired via protocol DNS in 47.4ms.
-- Data is authenticated: no; Data was acquired via local or encrypted transport: no
-- Data from: network
This does not really explain what is causing the problem using wg-quick.
However it indicates that there's no general issue with my setup.
Can you please advise how to fix this issue?
Last edited by cmonty14 (2022-11-19 14:18:28)
Did you notice this:
[#] resolvconf -a ivpn-sui -m 0 -x
Maybe resolvconf breaks something. Take a look at /etc/resolv.conf before and after connecting with wg-quick (and the client).
BTW: AFAIK wg-quick's only way to alter DNS is resolvconf and systemd-resolved is "unaware" of resolvconf.
Last edited by -thc (2022-11-17 07:35:33)
First of all, take the fwmark out of the equation and retry. Second, are you sure your /etc/wireguard/ivpn-sui.conf is correct?
@tucuxi: If you configure WireGuard as a full tunnel VPN ("AllowedIPs = 0.0.0.0/0, ::/0") wg-quick does all of this on its own and - in my case - it works.
wg-quick did not create your configuration file. When I wrote my configuration file, I added what I needed and now I am sure that it does what I want. That did not seem to be the case for you. But if all is working now, good.
@tucuxi: I am not the OP of this thread - cmonty14 hasn't answered yet.
You mentioned fwmark - wg-quick does this (and the creation of a separate routing table) on its own.
Add to the [Interface] section of the wg-quick configuration file the following:
PostUp = resolvectl dns %i 1.1.1.1 1.0.0.1; resolvectl domain %i ~.
(obviously, use the DNS server you want, I put Cloudflare's as an example).
I had the same issue a while back and this resolved it.
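The checks the two replies above point at (which resolvconf binary wg-quick actually ends up calling, which link systemd-resolved treats as the catch-all DNS route, and whether the tunnel answers at all) collected in one added example script. This is not code from the thread, from wg-quick or from IVPN; the function names, the script name wg-dns-check.sh and the archlinux.org test name are assumptions, and the resolvectl/journal text it is meant to be fed is taken from the posts above.

```shell
#!/bin/sh
# Added example (not from the thread): triage helpers for wg-quick + systemd-resolved DNS.
# The parsing functions read text from stdin so they can be run on saved output;
# the live checks need a running tunnel and only execute with "--live IFACE DNS".

# Which `resolvconf` does wg-quick call?  On Arch it is either systemd-resolvconf
# (a symlink to resolvectl, so resolved does see the change) or openresolv
# (rewrites /etc/resolv.conf, which resolved's stub mode does not read back).
resolvconf_backend() {
    readlink -f "$(command -v resolvconf)"
}

# Print "LINK SERVER" for every link that resolved uses as the catch-all route
# for all names, i.e. every link carrying "DNS Domain: ~.".
# Input: output of `resolvectl status` on stdin.
catch_all_links() {
    awk '
        /^Link [0-9]+ \(/ { gsub(/[()]/, "", $3); link = $3; server = "-" }
        /DNS Servers:/    { server = $3 }
        /DNS Domain:/     { for (i = 3; i <= NF; i++) if ($i == "~.") print link, server }
    '
}

# Count how often resolved downgraded its feature set for a server.  Each of
# these lines means a query timed out, i.e. the packet did not come back
# through the tunnel.  Input: journal text on stdin, $1 = server address.
degraded_count() {
    awk -v s="$1" '
        /Using degraded feature set/ && index($0, "for DNS server " s) { n++ }
        END { print n + 0 }
    '
}

# Live checks (assumed invocation): sudo sh wg-dns-check.sh --live ivpn-sui 10.0.254.2
live_check() {
    iface="$1"; dns="$2"
    echo "resolvconf is: $(resolvconf_backend)"
    echo "--- catch-all DNS link(s) according to resolved:"
    resolvectl status | catch_all_links
    echo "--- peer handshake (0 = the tunnel never came up, routes are pointless):"
    wg show "$iface" latest-handshakes
    echo "--- route the DNS packet will take:"
    ip route get "$dns"
    echo "--- downgrade events for $dns in this boot:"
    journalctl -b -u systemd-resolved | degraded_count "$dns"
    echo "--- direct query over $iface, bypassing resolved's server selection:"
    resolvectl query --interface="$iface" --protocol=dns archlinux.org
}

case "${1:-}" in
    --live) live_check "${2:?interface}" "${3:?dns server}" ;;
esac
```

Run it once before and once after `wg-quick up`: if `catch_all_links` already names the WireGuard link with the tunnel's DNS server, resolvconf did its job and the problem is below DNS (no handshake, or `ip route get` sending the DNS packet out of the wrong interface), not in the resolver configuration.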
First of all, take the fwmark out of the equation and retry. Second, are you sure your /etc/wireguard/ivpn-sui.conf is correct?
Can you please advise what you mean with "take the fwmark out of the equation"?
Here's my wireguard configuration:
[Interface]
PrivateKey = <private key>
Address = 172.21.204.65/32, fd00:4956:504e:ffff::ac15:cc41/128
DNS = 10.0.254.2
[Peer]
PublicKey = jVZJ61i1xxkAfriDHpwvF/GDuTvZUqhwoWSjkOJvaUA=
Endpoint = ch1.wg.ivpn.net:2049
AllowedIPs = 0.0.0.0/0, ::/0