Open nagisa opened 2 years ago
If you need to do split DNS, I suggest using systemd-resolve instead. This is what I use that works perfectly:
postSetup = ''
${pkgs.systemd}/bin/resolvectl dns ${cfg.interface} 10.1.1.1
${pkgs.systemd}/bin/resolvectl domain ${cfg.interface} the.internal.domain
'';
I would like to redirect all DNS queries to the DNS server hosted on the peer.
Why not have wg.example.com
be resolvable by 192.168.2.1
?
Ah, sorry for not making it clearer. 192.168.2.1
is wg.example.com
's IP within the wireguard subnet. So in order to resolve wg.example.com
with 192.168.2.1
the connection with the peer at wg.example.com
must already have been established. To break this chicken-and-egg looking-problem, wg.example.com
is also resolvable globally through DNS servers like those provided by Google, Cloudflare or Quad9, which allows resolving the peer's address when setting up the tunnel for the first time.
Note that this sort of setup does work correctly with wg-quick
as it sets up (⇒ resolves the address of) the peer first before adding the routes and the DNS configuration.
Describe the bug
The units generated by the
networking.wireguard
set-up disallow using DNS service provided by the peer and connecting to peers using a domain address, rather than an IP.A typical attempt to achieve this might look like this:
However here the sequence of operations will be:
ip link add dev wg0 type wireguard
wg set wg0 peer "..." endpoint "wg.example.com:12345"
Here resolving the wg.example.com will naturally fail, since it cannot be resolved anymore.
Instead the setup should provide an (easy) way to tie some setup to a specific peer – and it needs to work with the
dynamicEndpointRefreshSeconds
functionality too. For initial set-up I'd imagine the flow needs to look like this (this is also what wg-quick does)ip link add dev wg0 type wireguard
wg set wg0 peer "..." endpoint "wg.example.com:12345"
and for the refreshes it might make sense to first try resolving with the DNS server that has been set-up and failing that recreate the peer from scratch (which would involve removing the peer, unsetting the DNS settings tied to it, and recreating it.)
Notify maintainers
Metadata
Please run
nix-shell -p nix-info --run "nix-info -m"
and paste the result.