WireGuard macOS App doesn't set system default DNS
Alexander Skwar
alexanders.mailinglists+nospam at gmail.com
Mon Aug 3 11:15:21 CEST 2020
Hello
I'm having issues with the macOS App. tl;dr: It doesn't set the system
DNS to the IP of my resolver which is only reachable once the tunnel
is up.
Here's my "clients" (macOS) configuration:
#####################################################################
[Interface]
PrivateKey = ...=
Address = 172.31.0.3/24
DNS = 10.136.16.2
[Peer]
PublicKey = ...=
AllowedIPs = 10.136.16.0/22, 169.254.169.253/32
Endpoint = wg.....ch:51820
#####################################################################
Matching "server" configuration (Debian 10):
#####################################################################
[Interface]
Address = 172.31.0.1/24
Listenport = 51820
PrivateKey = ...=
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens5 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens5 -j MASQUERADE
[Peer] # alexander-mac-1
PublicKey = kw6A7iN/sF0k2bePr15M10e6Ufhp7sJVWhZcZvGcrT8=
AllowedIPs = 172.31.0.3/32
#####################################################################
When I activate this tunnel on my mac and do a "dig" or "host" query
for some name which only the private resolver 10.136.16.2 knows, I get
an NXDOMAIN (query failed).
When I do "dig @10.136.16.2 $sameName", the name gets resolved (i.e.
when I manually s). This shows that the routing is working fine.
As some extra tests, I set "DNS = 208.67.222.222" (OpenDNS) and tried
to resolve their test site www.internetbadguys.com. It resolves to
146.112.61.108, which means that OpenDNS is used (I'm normally not
using it). It also shows on https://welcome.opendns.com/.
Same result with setting "DNS = 1.1.1.1" and then going to
https://1.1.1.1/help - DNS is set.
This means that the macOS App *IS* able to set the system default
DNS, but for some reason doesn't set it to my private DNS IP of
10.136.16.2.
There is ONE (bad) workaround: When I set "AllowedIPs = 0.0.0.0/0",
then the App DOES set the system default DNS to 10.136.16.2.
The log of the application doesn't show anything regarding DNS.
Pasted at https://paste.ee/p/ziqrg.
Well… Why does the macOS App refuse to set the DNS to 10.136.16.2?
Versions used:
App version: 0.0.20191105 (16)
Go backend version: 0.0.20191013
macOS: Catalina 10.15.5 (19F101)
Cheers,
Alexander
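
Added example, not part of the original post or of WireGuard's own code: it parses the client configuration quoted above and reports, for each `DNS` address, whether `AllowedIPs` routes it through the tunnel and whether the tunnel is full (`0.0.0.0/0`) or split, which are the cases the post compares. The function names and the sample text (keys left out) are constructed for illustration.

```python
import ipaddress

# Constructed from the client configuration quoted in the post (keys left out).
CLIENT_CONF = """\
[Interface]
Address = 172.31.0.3/24
DNS = 10.136.16.2
[Peer]
AllowedIPs = 10.136.16.0/22, 169.254.169.253/32
"""


def parse_conf(text):
    """Return (dns_addresses, allowed_networks) from wg-quick style text."""
    dns, allowed = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if "=" not in line:
            continue  # section headers and blank lines
        key, value = (part.strip() for part in line.split("=", 1))
        items = [v.strip() for v in value.split(",") if v.strip()]
        if key.lower() == "dns":
            for item in items:
                try:
                    dns.append(ipaddress.ip_address(item))
                except ValueError:
                    pass  # a DNS entry that is not an IP (search domain)
        elif key.lower() == "allowedips":
            allowed += [ipaddress.ip_network(i, strict=False) for i in items]
    return dns, allowed


def classify(text):
    """Summarise tunnel type and whether each resolver is routed via the tunnel."""
    dns, allowed = parse_conf(text)
    return {
        # A /0 route sends all traffic of that address family into the tunnel.
        "full_tunnel": any(net.prefixlen == 0 for net in allowed),
        # True: queries to this resolver travel inside the tunnel.
        # False: queries to it leave over the normal default route.
        "dns_via_tunnel": {str(d): any(d in net for net in allowed) for d in dns},
    }


if __name__ == "__main__":
    print(classify(CLIENT_CONF))
```

For the posted configuration this reports a split tunnel with the resolver routed inside it; substituting the public resolvers from the tests shows them outside `AllowedIPs`, so those queries never enter the tunnel.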