Fixing wg-quick's DNS= directive with a hatchet

Jason A. Donenfeld Jason at zx2c4.com
Thu Oct 26 15:11:08 CEST 2017


On Thu, Oct 26, 2017 at 12:43 AM, Jason A. Donenfeld <Jason at zx2c4.com> wrote:
> The hatchet works as follows. On interface addition:
>
> # echo nameserver 1.2.3.4 > /etc/resolv.conf.wg-quick.wg0
> # [ -f /etc/resolv.conf ] || touch /etc/resolv.conf
> # mount -o ro --bind /etc/resolv.conf.wg-quick.wg0 /etc/resolv.conf
> # unlink /etc/resolv.conf.wg-quick.wg0
>
> On interface removal:
>
> # umount /etc/resolv.conf

Alternative version:

echo nameserver 1.2.3.4 | unshare -m --propagation shared sh -c \
    "mount --make-private /tmp && mount -t tmpfs none /tmp && \
     cat > /tmp/resolv.conf && mount -o remount,ro /tmp && \
     mount -B /tmp/resolv.conf /etc/resolv.conf"

This has the advantage of not using any disk temporary files or
creating dangling inodes, and it means that users can still bind mount
/etc/resolv.conf to other places, such as when they enter a chroot,
which is usually important to allow. The one maybe disadvantage is
that it still allows for people binding _on top_ of /etc/resolv.conf,
which may or may not be a good thing.
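A guard around the tmpfs variant, as an added example that is not code from this message or from wg-quick itself: it refuses DNS= values that are not plain address literals, so nothing except nameserver lines can reach the generated file, and it reads /proc/self/mountinfo before mounting so a second bind is never stacked on top of an earlier one, which is the caveat the message ends on. The function names and the mountinfo excerpt are mine (the excerpt is constructed, not captured from a host); the mount commands themselves are the ones quoted above.

```shell
#!/bin/sh
# Added example, not part of wg-quick: validated, non-stacking version of the
# tmpfs bind-mount trick for /etc/resolv.conf. Nothing here runs at load time;
# apply_resolv_conf / remove_resolv_conf must be called explicitly, as root.

# Strict dotted-quad check, run in a subshell so the IFS change stays local.
valid_ipv4() (
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digits, or empty octets
    esac
    IFS=.
    set -- $1
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
)

# Accept only IPv4 or (loosely) IPv6 literals. Rejecting whitespace and
# everything outside hex digits, ':' and '.' means a DNS= value cannot smuggle
# extra directives such as "search" or "options" into resolv.conf.
valid_nameserver() {
    case "$1" in
        "") return 1 ;;
        *[!0-9A-Fa-f:.]*) return 1 ;;
        *.*) valid_ipv4 "$1" ;;           # IPv4-mapped IPv6 forms are rejected too
        *:*) return 0 ;;                  # IPv6 literal: hex groups and colons only
        *) return 1 ;;
    esac
}

# Emit the resolv.conf body for a DNS= list; prints nothing and returns 1 if
# any entry fails validation.
resolv_conf_content() {
    for ns in "$@"; do
        valid_nameserver "$ns" || return 1
    done
    for ns in "$@"; do
        printf 'nameserver %s\n' "$ns"
    done
}

# Count mounts whose mount point (field 5 of mountinfo) is /etc/resolv.conf.
# Feed it /proc/self/mountinfo on stdin; a non-zero count means something is
# already bound there and a new bind would stack on top of it.
resolv_conf_mount_count() {
    awk '$5 == "/etc/resolv.conf" { n++ } END { print n + 0 }'
}

# Constructed mountinfo excerpt: root filesystem plus two stacked read-only
# binds on /etc/resolv.conf (the situation the guard is meant to catch).
sample_mountinfo() {
    cat <<'EOF'
22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
40 22 0:35 /resolv.conf /etc/resolv.conf ro,relatime shared:1 - tmpfs none rw
41 22 0:36 /resolv.conf /etc/resolv.conf ro,relatime shared:1 - tmpfs none rw
EOF
}

# Root only: the command from the message, run only after both checks pass.
apply_resolv_conf() {
    [ $# -ge 1 ] || { echo "usage: apply_resolv_conf NAMESERVER..." >&2; return 1; }
    content=$(resolv_conf_content "$@") || { echo "refusing: bad nameserver in DNS=" >&2; return 1; }
    if [ "$(resolv_conf_mount_count < /proc/self/mountinfo)" -gt 0 ]; then
        echo "refusing: /etc/resolv.conf already has a mount on it" >&2
        return 1
    fi
    [ -f /etc/resolv.conf ] || touch /etc/resolv.conf
    printf '%s\n' "$content" | unshare -m --propagation shared sh -c \
        'mount --make-private /tmp && mount -t tmpfs none /tmp && \
         cat > /tmp/resolv.conf && mount -o remount,ro /tmp && \
         mount -B /tmp/resolv.conf /etc/resolv.conf'
}

remove_resolv_conf() {
    umount /etc/resolv.conf
}
```

Call `apply_resolv_conf 1.2.3.4` on interface addition and `remove_resolv_conf` on removal; the count check is what turns the "binding on top" behaviour from something that silently happens into an explicit refusal.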

