cmulk / wireguard-docker

Wireguard setup in Docker meant for a simple personal VPN

Warning: /etc/resolv.conf is not a symbolic link to /etc/resolvconf/run/resolv.conf #15

Closed htilly closed 4 years ago

htilly commented 4 years ago

Everything works except for DNS queries. Problem seems to be as the title says: /etc/resolv.conf is not a symbolic link to /etc/resolvconf/run/resolv.conf

If I manually configure /etc/resolv.conf to 1.1.1.1 or similar everything works as expected. /etc/resolvconf/run/resolv.conf contains the correct info.

dpkg-reconfigure resolvconf seems to be a way forward...

Logs:

```
Attaching to wireguard
wireguard           | Wed Apr  8 07:56:59 UTC 2020: Starting Wireguard /etc/wireguard/wg0.conf
wireguard           | [#] ip link add wg0 type wireguard
wireguard           | [#] wg setconf wg0 /dev/fd/63
wireguard           | [#] ip -4 address add 172.xx.xxx.xx/32 dev wg0
wireguard           | [#] ip -6 address add xxxx:0000:xxxx:cafe:1111:1111:xxf9:xxxx/128 dev wg0
wireguard           | [#] ip link set mtu 1420 up dev wg0
wireguard           | [#] resolvconf -a tun.wg0 -m 0 -x
wireguard           | /etc/resolvconf/update.d/libc: Warning: /etc/resolv.conf is not a symbolic link to /etc/resolvconf/run/resolv.conf
wireguard           | [#] wg set wg0 fwmark 51820
wireguard           | [#] ip -6 route add ::/0 dev wg0 table 51820
wireguard           | [#] ip -6 rule add not fwmark 51820 table 51820
wireguard           | [#] ip -6 rule add table main suppress_prefixlength 0
wireguard           | [#] ip6tables-restore -n
wireguard           | [#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
wireguard           | [#] ip -4 rule add not fwmark 51820 table 51820
wireguard           | [#] ip -4 rule add table main suppress_prefixlength 0
wireguard           | [#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
wireguard           | [#] iptables-restore -n
wireguard           | Adding iptables NAT rule
```

My docker-compose:

```yaml
wireguard:
  container_name: wireguard
  image: cmulk/wireguard-docker:buster
  volumes:
    - /config/wireguard:/etc/wireguard
    - /lib/modules:/lib/modules
  ports:
    - 9929:9929/udp
  restart: unless-stopped
  cap_add:
    - NET_ADMIN
    - SYS_MODULE
  sysctls:
  ### Unable to get it working without these settings. Running IPv6 on the host.
    - net.ipv6.conf.all.disable_ipv6=0
    - net.ipv6.conf.default.forwarding=1
    - net.ipv6.conf.all.forwarding=1
  environment:
    - PUID=${PUID}
    - PGID=${PGID}
  privileged: true
```

cmulk commented 4 years ago

Thanks for the info! I haven't tried running this container as a client although I've seen some others here that have. Do you have a DNS= line in wg0.conf or no?

htilly commented 4 years ago

I do. For now I have solved it by providing DNS through the docker-compose file, but it would be good to fully utilise wg.

wg0.conf:

```ini
[Interface]
PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Address = 172.xx.xxx.xx/32, fd00:0000:xxx:cafe:1111:1111:xxx:xxx/128
DNS = 46.227.xx.xxx, 192.165.x.xxx

[Peer]
PublicKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = vpn57.xxx.yyyyyy.xxxxx.com:9929
```

htilly commented 4 years ago

This seems to be working:

```dockerfile
RUN echo resolvconf resolvconf/linkify-resolvconf boolean false | debconf-set-selections && \
    echo "REPORT_ABSENT_SYMLINK=no" >> /etc/default/resolvconf && \
    apt-get -y install resolvconf && apt-get -y install debconf-utils && \
    apt clean
```

Played around a little with your code. Changed some stuff for more client-oriented things.
https://github.com/htilly/wireguard-docker

cmulk commented 4 years ago

Did some more testing here and it seems that the change you mentioned above removes the warning message but the actual resolv.conf file in the container still does not get updated appropriately. This is a little tricky as docker has resolv.conf as a bind-mounted copy of the hosts resolv.conf file by design. This means wireguard can't use the resolvconf script since symlinks aren't allowed. Luckily you can still edit the resolv.conf file so probably will just have to do sort of a hack in the run script to set DNS appropriately.

cmulk commented 4 years ago

Actually this was not as tricky as I thought; solved by using the openresolv package instead of the resolvconf package.

tomodachi commented 11 months ago

A bit late to the party, but @cmulk, for your docker use case you can bind-mount in your own resolv.conf file (which will give you read/write permissions to it).

Along with the example htilly mentioned, it works fine for me like this in Docker.
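The in-place edit cmulk describes (Docker bind-mounts the host's resolv.conf, so no symlink can be created and the resolvconf hook cannot update it) and tomodachi's bind-mount variant both come down to writing the DNS= servers into the existing file without replacing it. The script below is an added illustration, not the project's run script; the function names, the 10.8.0.x sample servers and the temp-dir demo are constructed here.

```sh
#!/bin/sh
# Added example, not the project's own run script: apply the DNS= line of a
# WireGuard config to resolv.conf by editing the file in place, which is what
# a Docker bind-mounted resolv.conf requires (no symlink, so resolvconf's
# libc hook prints the warning from the issue and changes nothing).

# Print the servers from the DNS= line of $1 (a wg0.conf path), one per line.
wg_dns_servers() {
    sed -n 's/^[[:space:]]*DNS[[:space:]]*=[[:space:]]*//p' "$1" \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | grep -v '^$'
}

# Render resolv.conf content for the servers found in $1.
render_resolv_conf() {
    wg_dns_servers "$1" | while read -r server; do
        printf 'nameserver %s\n' "$server"
    done
}

# Classify $1: "symlink" (resolvconf/openresolv-managed), "file" (Docker's
# bind-mounted copy, or a file you bind-mounted yourself), or "missing".
resolv_conf_mode() {
    if [ -L "$1" ]; then echo symlink
    elif [ -f "$1" ]; then echo file
    else echo missing
    fi
}

# Write the rendered content into $2 in place. Truncating with '>' reuses the
# existing inode, so the bind mount survives; renaming a temp file over it
# would fail because the path is a mount point. Returns 1 if no DNS= line was
# found, 2 if $2 is a symlink (leave that case to resolvconf/openresolv).
apply_dns() {
    content=$(render_resolv_conf "$1")
    [ -n "$content" ] || return 1
    [ "$(resolv_conf_mode "$2")" != symlink ] || return 2
    printf '%s\n' "$content" > "$2"
}

# Demo on a constructed config in a temp dir (run as: sh script.sh demo).
demo() {
    dir=$(mktemp -d)
    printf '[Interface]\nDNS = 10.8.0.1, 10.8.0.2\n[Peer]\nAllowedIPs = 0.0.0.0/0\n' > "$dir/wg0.conf"
    printf 'nameserver 127.0.0.11\n' > "$dir/resolv.conf"   # stands in for Docker's copy
    apply_dns "$dir/wg0.conf" "$dir/resolv.conf"
    cat "$dir/resolv.conf"
    rm -r "$dir"
}
case "${1:-}" in demo) demo ;; esac
```

In the real container the second argument is /etc/resolv.conf, and on teardown the original content has to be restored the same way, since nothing else will.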