DNS fails after undetermined time in-tunnel

Lee Yates rainmakerraw at icloud.com
Tue Dec 31 19:49:07 CET 2019


I hope everyone had an enjoyable festive period.

I have posted this issue on the /r/WireGuard subreddit, and several
Linux people responded that they are also experiencing it. As such I'm
posting here 'properly'.

For a while now, I have noticed that a WG tunnel on my Linux machines
will at some point lose DNS. It doesn't matter what the DNS was set to
in the .conf (i.e. VPN provider's own, my own local resolver on a Pi,
Cloudflare, whatever) - after a seemingly arbitrary time DNS will just
stop working whether in a browser, CLI or elsewhere. For example:

> $ update
> Password: 
> [*] Updating `https://alpha.de.repo.voidlinux.org/current/x86_64-repodata' ...
> ERROR: [reposync] failed to fetch file `https://alpha.de.repo.voidlinux.org/current/x86_64-repodata': Transient resolver failure

Only taking down the tunnel and bringing it back up will resolve the
issue, at least until it recurs again a short while later. Curiously
though, wg-quick reports that there's no such process during the
take-down, but it does nonetheless disconnect it. Reconnecting does, as
I said, work fine for a while again.

> $ sudo cat /etc/resolv.conf
> nameserver

> $ wg-quick down mullvad
> [#] ip -4 rule delete table 51820
> [#] ip -4 rule delete table main suppress_prefixlength 0
> [#] ip -6 rule delete table 51820
> [#] ip -6 rule delete table main suppress_prefixlength 0
> [#] ip link delete dev mullvad
> [#] resolvconf -d mullvad -f
> [#] iptables-restore -n
> [#] ip6tables-restore -n
> [#] ip route del via
> RTNETLINK answers: No such process

I am currently in Void Linux with WireGuard version 20191219 (the latest
in the repo). Void has openresolv (3.9.2_1) installed also, by default.
Because Void uses runit rather then systemd, there's no access to the
wg-quick@ system service. As such I am bringing up and taking down the
connection manually with wg-quick up/down. However I get the same
behaviour on Ubuntu 19.10, Arch Linux and Fedora 31 which all use
systemd and the related wg-quick@ service (and resolvconf instead of

I have also tried adding a PersistentKeepalive = 25 to my .conf with no
effect either way. My home router is actually a repurposed Dell Optiplex
Core i7 x64 machine with Arch Linux installed, and WireGuard has never
needed NAT keepalive on my network before (nor did enabling it change
this DNS drop behaviour). Finally, I have tried several WireGuard
providers including Mullvad, TunSafe, AzireVPN and a manual VPS install
- all have the same DNS failure after a short while.

I don't know how to start debugging this, but hopefully I've provided
enough to help someone get an idea (or provide me further steps to help).

Best wishes,

Lee Yates
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pEpkey.asc
Type: application/pgp-keys
Size: 3849 bytes
Desc: not available
URL: <http://lists.zx2c4.com/pipermail/wireguard/attachments/20191231/641506a5/attachment.key>

More information about the WireGuard mailing list