Fixing wg-quick's DNS= directive with a hatchet

Daniel Kahn Gillmor dkg at fifthhorseman.net
Mon Oct 30 13:10:57 CET 2017


On Sat 2017-10-28 20:57:06 +0200, Jason A. Donenfeld wrote:
> 1) wg-quick isn't a daemon, though openvpn is.

wg-quick could be invoked from a network management daemon.  Part of the
brilliance of wireguard is that the in-kernel stuff *doesn't* try to
integrate fancy configuration/setup policy.  But that does mean that
it's likely that there needs to be some user-space policy agent for
system integration.

> 2) I can think of at least 5 ways to implement a resolvconf binary without
> requiring root, making your argument moot. There's nothing inherent in the
> resolvconf model that would require it.
>
> If you're interested in spending the time implementing this for openresolv,
> I can spec those out in detail for you.

Please report these suggestions to openresolv or any other resolvconf
implementations.  My point is about what exists today, not about what is
theoretically possible.  This argument will be moot when any widely-used
resolvconf implementation doesn't have to be executed as the superuser
by default.  Please, make it moot! :)

> Alternatively, you can just wait for the systemd devs to add a
> resolvconf for controlling systemd-resolved, if that's the horse
> you're betting on.

That'd be fine with me, thanks for pushing on it.

       --dkg