Wireguard client not honoring DNS setting [workaround discovered]

Update: now using dhcp.@dnsmasq[0].noresolv.

A follow-up to my previous comment.

I solved the issue in /etc/init.d/wireguard by checking if Stubby is enabled and if it is, removing the entry from the dnsmasq forwarders list and setting dhcp.@dnsmasq[0].noresolv=0 to force dnsmasq to use /tmp/resolv.conf.vpn.

When disconnecting from the VPN I revert the DNS forwarder value back to the default Stubby forwarding address (127.0.0.1#53535) and revert back to dhcp.@dnsmasq[0].noresolv=1 to ignore /tmp/resolv.conf.auto.

If DNS over TLS (and Stubby) is not used then the /tmp/resolv.conf.auto and /tmp/resolv.conf.vpn files will be used instead. Below is the patch file with my edits.

--- wireguard.orig	2021-05-18 01:12:07.000000000 +0200
+++ wireguard	2021-05-18 10:58:47.000000000 +0200
@@ -18,6 +18,7 @@
 ipv6_status="$(ifstatus wan6 2>/dev/null|grep '\"up\": true')"
 ipv6_enable="$(uci get glipv6.globals.enabled)"
 mode6=$(uci get glipv6.lan.mode)
+stubby_enable=$(uci get stubby.global.enable)

 proxy_func()
 {
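Review bot: `uci get stubby.global.enable` prints "uci: Entry not found" to stderr and leaves `stubby_enable` empty on routers where the stubby package is not installed; the `ifstatus` line two lines above already silences stderr, so the new line should do the same (`stubby_enable=$(uci get stubby.global.enable 2>/dev/null)`). The later `[ "$stubby_enable" = 1 ]` tests still behave correctly on an empty value, so this is a noise fix rather than a logic fix.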
@@ -115,6 +116,11 @@
 			echo -e "nameserver $dns" > /tmp/resolv.conf.vpn
 		fi
 		uci set dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.vpn'
+		# Replace Stubby forwarder with VPN DNS
+		[ "$stubby_enable" = 1 ] && {
+    		uci delete dhcp.@dnsmasq[0].server
+    		uci set dhcp.@dnsmasq[0].noresolv=0
+		}
 		uci commit dhcp
 		/etc/init.d/dnsmasq restart
 	else
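Review bot: `uci delete dhcp.@dnsmasq[0].server` removes the whole forwarder list, not only the Stubby entry, so any other `server` entries the user configured are silently lost and the restore hunks later re-add only `127.0.0.1#53535`. A narrower change would be `uci del_list dhcp.@dnsmasq[0].server='127.0.0.1#53535'`, or saving the list with `uci get dhcp.@dnsmasq[0].server` before deleting it so it can be restored verbatim. It is also worth a comment that with `noresolv=0` and the Stubby forwarder gone, dnsmasq now sends queries to the VPN resolver in plain UDP/TCP rather than over TLS, which is the intended trade-off here but not obvious from the code. Minor: the two `uci` lines are indented with spaces while the surrounding block uses tabs.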
@@ -377,6 +383,12 @@
 		[ -f "/tmp/resolv.conf.vpn" ] && {
 			rm -rf /tmp/resolv.conf.vpn
 			uci set dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.auto'
+			# Restore stubby forwarder
+			[ "$stubby_enable" = 1 ] && {
+    			uci delete dhcp.@dnsmasq[0].server
+    			uci add_list dhcp.@dnsmasq[0].server='127.0.0.1#53535'
+			    uci set dhcp.@dnsmasq[0].noresolv=1
+			}
 			uci commit dhcp
 			/etc/init.d/dnsmasq restart
 		}
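Review bot: the restored forwarder `127.0.0.1#53535` is hard-coded, but the Stubby listen address and port come from the stubby package configuration, so a router with a non-default `listen_address` ends up with a forwarder nobody is listening on and DNS breaks after disconnect. Reading the value back from the stubby config (or from the list saved at connect time) would keep connect and disconnect symmetric. This block is also repeated verbatim in the two hunks below; a small `restore_stubby_forwarder()` function defined next to `proxy_func()` would keep the three copies from drifting.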
@@ -538,6 +550,12 @@
 	[ -f "/tmp/resolv.conf.vpn" ] && {
 	rm -rf /tmp/resolv.conf.vpn
 	uci set dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.auto'
+	# Restore stubby forwarder
+	[ "$stubby_enable" = 1 ] && {
+    	uci delete dhcp.@dnsmasq[0].server
+    	uci add_list dhcp.@dnsmasq[0].server='127.0.0.1#53535'
+		uci set dhcp.@dnsmasq[0].noresolv=1
+	}
 	uci commit dhcp
 	/etc/init.d/dnsmasq restart
 	}
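Review bot: this is the second identical copy of the restore block (see the previous hunk), and the indentation inside it mixes four spaces with tabs on consecutive lines; if the block is not factored into a function, at least align it with the tab indentation the file uses elsewhere so a later diff of this file stays readable.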
@@ -631,6 +649,12 @@
 		[ -f "/tmp/resolv.conf.vpn" ] && {
 			rm -rf /tmp/resolv.conf.vpn
 			uci set dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.auto'
+			# Restore stubby forwarder
+			[ "$stubby_enable" = 1 ] && {
+    			uci delete dhcp.@dnsmasq[0].server
+    			uci add_list dhcp.@dnsmasq[0].server='127.0.0.1#53535'
+			    uci set dhcp.@dnsmasq[0].noresolv=1
+			}
 			uci commit dhcp
 			/etc/init.d/dnsmasq restart
 		}
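Review bot: `uci delete dhcp.@dnsmasq[0].server` returns non-zero and prints "uci: Entry not found" when the list is already absent (for example after the connect hunk ran and a previous disconnect path already cleaned up, or if the user never had a forwarder configured). Inside the `&& { ... }` group this does not abort the script, but the error lands in the boot/service log on every disconnect; `2>/dev/null` on that line, or guarding with `uci -q get dhcp.@dnsmasq[0].server`, keeps the log clean. Third verbatim copy of the restore block; same factoring suggestion as above.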
