rajannpatel / Pi-Hole-on-Google-Compute-Engine-Free-Tier-with-Full-Tunnel-and-Split-Tunnel-Wireguard-VPN-Configs

Run your own privacy-first ad blocking service at home, or in the cloud for free with Google Cloud Services.
MIT License

Configuration imported through Network Manager GUI doesn't work with IPv6 DNS #14

Closed Kwbmm closed 4 years ago

Kwbmm commented 4 years ago

Hello! After some testing with Network Manager, I have found out that if the wireguard configuration contains a primary DNS in IPv6 format, the VPN won't work. You will be able to connect to PiHole dashboard, but you won't be able to browse the internet, because the DNS, for some reason, is not handled properly.

I am quite confident this is an issue with NM-Wireguard-Plugin. The reason why I am saying this is because if the connection to the VPN is imported manually through nmcli connection import type wireguard file <wg-config-file> the VPN works fine. However, if the connection is imported through the command line, it won't be visible through NetworkManager GUI: no managing of the connection will be possible.


Given that NM-Wireguard-Plugin has not been updated in 7 months, it's unlikely to see an update now. So, I see only 2 possible solutions:

Solution 1: Switch to IPv4 DNS in Wireguard config. That will do the trick and can even be done when creating the WG configuration on GCP. Basically, do not use IPv6 DNS.

Solution 2: Live with the problem. The plugin to handle Wireguard configuration graphically is not 100% reliable and can't handle IPv6 DNS. So, instead of importing WG config through NM GUI, just use nmcli. Be aware that, by default, the VPN connection will be activated automatically regardless of which WiFi network you are connected to. Also, unless you specifically go looking for the VPN connection, it will be completely transparent to you and you won't notice it.

rajannpatel commented 4 years ago

Thank you for your in-depth analysis around this, in addition to reporting the issue. I think it makes sense to incorporate the pitfalls and solutions officially into the guide, and reference this issue number to resolve it. Are you open to performing another Pull Request to include these relevant details? I may or may not do some minor editorial patch-up afterwards.

rajannpatel commented 4 years ago

Optionally - we could do some OS detection in the script and default to writing IPv4 addresses for Arch Linux.

Lastly, what are your thoughts on opening an issue in tandem on the NM-Wireguard-Plugin project, as well?

rajannpatel commented 4 years ago

What if we changed Line 34 of setup.sh to reflect the IPv4 address:

CLIENT_DNS_2="10.66.66.1"

Would the resulting .conf files import the IPv4 portion of the DNS without any issues?

Kwbmm commented 4 years ago

> Are you open to performing another Pull Request to include these relevant details?

Sure thing!

> Optionally - we could do some OS detection in the script and default to writing IPv4 addresses for Arch Linux.

The issue is not related to Arch or any other distro. The issue is related to the stand-alone GUI that network manager uses to display its options. I haven't tried but I believe that desktop environments, like Gnome and KDE, are using their own GUI for network manager, so the problem is not there.

> What if we changed Line 34 of setup.sh to reflect the IPv4 address:
>
> CLIENT_DNS_2="10.66.66.1"
>
> Would the resulting .conf files import the IPv4 portion of the DNS without any issues?

I don't think so. The current GUI plugin for wireguard in network manager does not support more than 1 DNS server.

> Lastly, what are your thoughts on opening an issue in tandem on the NM-Wireguard-Plugin project, as well?

Can try, but I see that the owner of the repo is not replying to the issues anymore and not even merging PRs, so I'm not sure if that is going to do anything.

rajannpatel commented 4 years ago

There is considerable interest in IPv6 and I'm averse to changing setup.sh to cater to edge cases where IPv6 doesn't work. It may be worth documenting the workarounds in CONNECTING-TO-WG-VPN.md

Kwbmm commented 4 years ago

I agree. I will attempt to make a PR in the coming days

rajannpatel commented 4 years ago

Commit 8958d3d7b037e45dccec460c49a8d5a06403c930 may impact this issue. It alters the client configuration files by providing both an IPv4 and an IPv6 DNS endpoint:

The client configuration files have changed from:

DNS = fd42:42:42::1, fd42:42:42::1

to this:

DNS = 10.66.66.1, fd42:42:42::1

This change attempted to resolve Full Tunnel connectivity issues to Google owned domains for Windows Wireguard clients, when hosting the server on Google Compute Engine. Alas, it did not.

Kwbmm commented 4 years ago

This change solves this issue :)
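
The check discussed in this thread, as an added example that is not part of the thread or of the project's setup.sh: it reads the `DNS =` line of a WireGuard client config, reports whether the primary entry is IPv6 (the condition reported above as breaking the GUI import), and writes an IPv4-only variant per Solution 1. The function names, the client address and the key placeholders are assumptions made for the example.

```shell
#!/bin/sh
# Added example: function names and the sample config are constructed here.

# Print each DNS entry from the [Interface] section, one per line.
wg_dns_entries() {
  awk '
    /^[ \t]*\[/ { in_if = (tolower($0) ~ /^[ \t]*\[interface\]/); next }
    in_if && tolower($0) ~ /^[ \t]*dns[ \t]*=/ {
      sub(/^[^=]*=/, ""); sub(/#.*/, "")
      n = split($0, a, ",")
      for (i = 1; i <= n; i++) { gsub(/[ \t]/, "", a[i]); if (a[i] != "") print a[i] }
    }' "$1"
}

# Report the address family of the first (primary) DNS entry.
wg_primary_dns_family() {
  first=$(wg_dns_entries "$1" | head -n 1)
  case "$first" in
    "")          echo none ;;
    *:*)         echo ipv6 ;;
    *[!0-9.]*)   echo other ;;   # not an IP literal
    *.*.*.*)     echo ipv4 ;;
    *)           echo other ;;
  esac
}

# Solution 1 from the thread: emit the config with IPv6 DNS entries dropped.
wg_ipv4_only_dns() {
  awk '
    /^[ \t]*\[/ { in_if = (tolower($0) ~ /^[ \t]*\[interface\]/) }
    in_if && tolower($0) ~ /^[ \t]*dns[ \t]*=/ {
      line = $0; sub(/^[^=]*=/, "", line); sub(/#.*/, "", line)
      n = split(line, a, ","); out = ""
      for (i = 1; i <= n; i++) {
        gsub(/[ \t]/, "", a[i])
        if (a[i] != "" && a[i] !~ /:/) out = out (out == "" ? "" : ", ") a[i]
      }
      if (out != "") print "DNS = " out
      next
    }
    { print }' "$1"
}

# Constructed sample using the addresses quoted in the thread.
wg_sample_conf() {
  printf '%s\n' '[Interface]' 'PrivateKey = <client-private-key>' \
    'Address = 10.66.66.2/32' "DNS = $1" '' '[Peer]' \
    'PublicKey = <server-public-key>' 'AllowedIPs = 0.0.0.0/0, ::/0'
}
```

Run `wg_primary_dns_family client.conf` before importing through the GUI; if it prints `ipv6`, either import with nmcli or import the output of `wg_ipv4_only_dns client.conf` instead.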