Hello,
I am using systemd-networkd and systemd-resolved for network. systemd-resolvconf is installed. I aim to route all traffic over a Wireguard tunnel.
I followed https://wiki.archlinux.org/title/WireGu … _WireGuard, and it works great.
However, the peer through which I route my traffic is referenced by a static IP, which I would like to change. Over time, this IP will change (as it already has), and I would rather use a domain.
The problem is, when I use a domain, I can't connect to the peer properly. I feel like it's because my computer needs to connect to the peer BEFORE being able to resolve any DNS entry... But I can't figure out how to solve this.
Here is my config.

/etc/systemd/network/20-wired.network

[Match]
Name=enp8s0

[Network]
DHCP=yes
LinkLocalAddressing=ipv4
IPv6AcceptRA=no

/etc/systemd/network/98-wg0.network

[Match]
Name=wg0

[Network]
Address=10.14.0.2/16
DNS=$DNS_IP
DNSDefaultRoute=true
Domains=~.

[RoutingPolicyRule]
To=192.168.1.0/24
Priority=9

[RoutingPolicyRule]
FirewallMark=0x8888
InvertRule=true
Table=1000
Priority=10

[Route]
Gateway=$PEER_IP # Here, I would like to use a domain name
GatewayOnLink=true
Table=1000

/etc/systemd/network/99-wg0.network

[NetDev]
Name=wg0
Kind=wireguard
Description=WireGuard tunnel wg0

[WireGuard]
PrivateKey=$WIREGUARD_PRIVATE_KEY
FirewallMark=0x8888

[WireGuardPeer]
PublicKey=$PEER_PUBLIC_KEY
AllowedIPs=0.0.0.0/0
Endpoint=$PEER_IP:$PEER_PORT # Here, I would like to use a domain name

/etc/resolv.conf

nameserver 127.0.0.53
options edns0 trust-ad
search .

Note that $PEER_IP is different from $DNS_IP. I don't know if that changes anything, but just in case...
I tried to play with [RoutingPolicyRule] (adding a rule of lower priority, targeting the hostname of the peer), or with the resolvconf config without success.
Any idea how to solve this?
Thank you.
Last edited by Pototo (2024-06-05 06:00:58)
https://wiki.archlinux.org/title/WireGu … _WireGuard
Note: Routing all DNS over WireGuard (i.e. Domains=~.) will prevent the DNS resolution of endpoints.

However on https://wiki.archlinux.org/title/Systemd-resolved

Note:
Without the Domains=~. option in resolved.conf(5), systemd-resolved might use the per-link DNS servers, if any of them set Domains=~. in the per-link configuration.
This option will not affect queries of domain names that match the more specific search domains specified in per-link configuration, they will still be resolved using their respective per-link DNS servers.
For more information on per-link configuration see https://wiki.archlinux.org/title/Systemd-networkd#network_files.

So you could try adding your peer domain to the normal network interface

/etc/systemd/network/20-wired.network

[Match]
Name=enp8s0

[Network]
DHCP=yes
LinkLocalAddressing=ipv4
IPv6AcceptRA=no
Domains=~PEER_DOMAIN.COM
#or Domains=PEER_DOMAIN.COM

You should probably also omit the Gateway address, it is not necessary for WireGuard and you can't use a domain name there (see https://man.archlinux.org/man/systemd.n … ON_OPTIONS).
Last edited by AaAaAAaaAAaARCH (2024-06-04 11:23:13)
Thanks for your reply.
First, adding the "Domains" field in the [Network] section for the enp8s0 network device allows me to use a domain name in the .netdev file.
Now, I "only" need to get rid of the one in the .network file of the tunnel.
You should probably also omit the Gateway address, it is not necessary for WireGuard and you can't use a domain name there (see https://man.archlinux.org/man/systemd.n … ON_OPTIONS).
I tried that but it didn't work. Traffic doesn't get through the tunnel.
When I do
ip route show table 1000
it doesn't display anything. I don't see any constraint on "Gateway" for the [Route] section in the man page, but it doesn't work either (and the aforementioned command doesn't display anything).
Anyway, I think it is needed because of the fwmark. Otherwise, in my understanding, I can't be sure that traffic only gets through the tunnel.
systemd-network uses different terminology from "ip route" which I'm not familiar with and can't trivially test. Maybe someone else can chime in.
In the working scenario you can check what rules it creates for you
ip -d route show table all | grep wg0

I would expect that the following would create

[Route]
Table=1000

unicast default dev wg0 table 1000 proto boot scope link metric XX

But you can also try

[Route]
Destination=0.0.0.0/0
Table=1000
Ah nice, it works.
This ip command was showing me a route when I was using an IP as the gateway. On the other hand, nothing was created with

[Route]
Table=1000

alone (or with a domain name).
But indeed, when I add a Destination like this, the route is created properly.

default dev wg0 proto static scope link

Thank you!
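A check script added here as an example; it is not part of the thread and not any poster's configuration. It verifies the three things the thread ends up relying on: the uplink's .network file carries a DNS domain for the peer hostname so that name resolves through the uplink's servers rather than over the tunnel, the policy table holds a default route over wg0, and the inverted fwmark rule sends everything WireGuard itself did not mark into that table. The interface names (enp8s0, wg0), table 1000, mark 0x8888 and PEER_DOMAIN.COM are the thread's placeholders and are assumptions to adjust; the parsing functions take command output as text, so they can be exercised on constructed samples, and `--live` runs them against `resolvectl` and `ip` on the actual host.

```shell
#!/bin/sh
# Added example (not from the thread): post-configuration checks for the
# "route everything over wg0 with systemd-networkd" setup discussed above.
# Assumed names (override via environment): uplink enp8s0, tunnel wg0,
# policy table 1000, firewall mark 0x8888, peer hostname PEER_DOMAIN.COM.
UPLINK="${UPLINK:-enp8s0}"
TUN="${TUN:-wg0}"
TABLE="${TABLE:-1000}"
FWMARK="${FWMARK:-0x8888}"
PEER_DOMAIN="${PEER_DOMAIN:-PEER_DOMAIN.COM}"

# uplink_has_domain OUTPUT DOMAIN
#   OUTPUT is the text printed by `resolvectl domain` (one "Link N (dev): ..."
#   line per link). Succeeds when the uplink lists DOMAIN as a routing domain
#   (~DOMAIN) or search domain (DOMAIN), case-insensitively. That entry is what
#   makes systemd-resolved send queries for the peer hostname to the uplink's
#   DNS servers instead of the tunnel's, which are unreachable before the
#   endpoint is known.
uplink_has_domain() {
    dom_re=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
    printf '%s\n' "$1" | grep -i "($UPLINK):" \
        | grep -iqE "(^|[[:space:]])~?${dom_re}([[:space:]]|$)"
}

# table_has_tunnel_default OUTPUT
#   OUTPUT is the text printed by `ip route show table $TABLE`. Succeeds when
#   the table holds a default route over the tunnel device, e.g.
#   "default dev wg0 proto static scope link", which is what
#   [Route] Destination=0.0.0.0/0 Table=1000 in the wg0 .network file yields.
table_has_tunnel_default() {
    printf '%s\n' "$1" | grep -qE "^default dev ${TUN}([[:space:]]|$)"
}

# rule_forces_unmarked_into_table OUTPUT
#   OUTPUT is the text printed by `ip rule show`. Succeeds when an inverted
#   fwmark rule sends all traffic WireGuard did not mark into $TABLE, e.g.
#   "10:     not from all fwmark 0x8888 lookup 1000". Without it, ordinary
#   traffic can still leave via the uplink's main table.
rule_forces_unmarked_into_table() {
    printf '%s\n' "$1" \
        | grep -qE "not from all fwmark ${FWMARK} lookup ${TABLE}([[:space:]]|$)"
}

# run_checks: evaluate the checks on the live host (needs systemd-resolved
# and iproute2); prints one line per check and returns 1 if any failed.
run_checks() {
    status=0
    if uplink_has_domain "$(resolvectl domain)" "$PEER_DOMAIN"; then
        echo "ok   $UPLINK carries a DNS domain for $PEER_DOMAIN"
    else
        echo "FAIL add Domains=~$PEER_DOMAIN to the $UPLINK .network file"; status=1
    fi
    # -i pins the lookup to the uplink's servers, bypassing the tunnel's DNS.
    if resolvectl query -i "$UPLINK" "$PEER_DOMAIN" >/dev/null 2>&1; then
        echo "ok   $PEER_DOMAIN resolves via $UPLINK"
    else
        echo "FAIL $PEER_DOMAIN does not resolve via $UPLINK"; status=1
    fi
    if table_has_tunnel_default "$(ip route show table "$TABLE")"; then
        echo "ok   table $TABLE defaults to $TUN"
    else
        echo "FAIL table $TABLE has no default route over $TUN"; status=1
    fi
    if rule_forces_unmarked_into_table "$(ip rule show)"; then
        echo "ok   unmarked traffic is forced into table $TABLE"
    else
        echo "FAIL no inverted fwmark $FWMARK rule selecting table $TABLE"; status=1
    fi
    return $status
}

if [ "${1:-}" = "--live" ]; then
    run_checks || exit 1
else
    echo "usage: $0 --live   (run the checks against this host)" >&2
fi
```

Run it as `sh wg-check.sh --live` after `networkctl reload`; a nonzero exit means at least one of the three properties is missing. The first check is the one that answers the original question: with `Domains=~.` on wg0 and nothing on the uplink, `resolvectl domain` shows no entry for the peer hostname on enp8s0 and the endpoint cannot be resolved before the tunnel is up.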