From c447a4886d9fe69113a969c4324a4a5594ac8d3a Mon Sep 17 00:00:00 2001 From: Michael Catanzaro Date: Fri, 18 Jun 2021 16:41:02 -0500 Subject: [PATCH 1/2] libnmc-base: don't set DNS priority when importing Wireguard connections This is actually trying *too* hard to prevent DNS leaks, breaking normal expected use of split DNS. Let systemd-resolved handle sending our DNS queries to the right place instead. It's true that NetworkManager is trying to emulate the behavior of wg-quick here, and wg-quick uses 'resolvconf -x' to attempt to set "exclusive" DNS. But with systemd-resolved this is implemented by setting a ~. routing domain for the Wireguard interface. That is a *really* big hammer already, since Domain=~. overrides +DefaultRoute, ensuring most DNS queries can only go to other interfaces with Domain=~. NetworkManager follows systemd-resolved's recommended convention by only applying Domain=~. to other "privacy VPNs" since 1.26.6. Setting DNS priority only prevents *domain-specific* "leaks", which are almost always desired. For example, it prevents using both the Wireguard VPN and a corporate VPN at the same time. Note that all of the justification behind !688 applies here as well. See-also: https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/688 https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/585 https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/901 --- src/libnmc-base/nm-vpn-helpers.c | 5 ----- 1 file changed, 5 deletions(-) diff --git a/src/libnmc-base/nm-vpn-helpers.c b/src/libnmc-base/nm-vpn-helpers.c index 72691e34c2..4895014ece 100644 --- a/src/libnmc-base/nm-vpn-helpers.c +++ b/src/libnmc-base/nm-vpn-helpers.c 
@@ -761,11 +761,6 @@ fail_invalid_secret: data_addr ? method_manual : method_disabled, NULL); - /* For WireGuard profiles, always set dns-priority to a negative value, - * so that DNS servers on other profiles get ignored. This is also what - * wg-quick does, by calling `resolvconf -x`. */ - g_object_set(s_ip, NM_SETTING_IP_CONFIG_DNS_PRIORITY, (int) -50, NULL); - if (data_addr) { for (i = 0; i < data_addr->len; i++) nm_setting_ip_config_add_address(s_ip, data_addr->pdata[i]); From d06efa345fa5da0d62e757a2a96620121df217a1 Mon Sep 17 00:00:00 2001 From: Thomas Haller Date: Wed, 23 Jun 2021 20:33:36 +0200 Subject: [PATCH 2/2] NEWS: update --- NEWS | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/NEWS b/NEWS index ed384d542c..fe8b9fd4ea 100644 --- a/NEWS +++ b/NEWS @@ -8,6 +8,11 @@ subject to change and not guaranteed to be compatible with the later release. USE AT YOUR OWN RISK. NOT RECOMMENDED FOR PRODUCTION USE! +* wireguard: importing wg-quick configuration files with nmcli + no longer sets a negative, exclusive "dns-priority". This plays + better with common split DNS setups that use systemd-resolved. + Adjust the "dns-priority" to your liking after import yourself. + ============================================= NetworkManager-1.32 Overview of changes since NetworkManager-1.30
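Review bot: the removal of the `g_object_set(s_ip, NM_SETTING_IP_CONFIG_DNS_PRIORITY, (int) -50, NULL)` call is unconditional, while the justification in the commit message (the `~.` routing domain and the privacy-VPN convention) only holds when systemd-resolved is the DNS backend. With another backend there is no equivalent mechanism, so an imported profile now keeps the DNS servers of every other active connection in scope for all domains, which is the exact behaviour the deleted comment was guarding against. Either state explicitly in the commit message that this is accepted for the non-resolved backends, or keep the negative priority behind a check on the active DNS plugin. The deleted comment also carried the only in-code pointer to the `resolvconf -x` parity with wg-quick; a one-line comment at this spot saying why the import deliberately leaves `dns-priority` at its default would keep that history readable for the next person who looks here.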
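Review bot: the NEWS entry tells users to "Adjust the \"dns-priority\" to your liking after import yourself" but does not say how, and the point of the entry is a behaviour change that existing import users may depend on. Name the setting they need so the note is actionable on its own, e.g. the `ipv4.dns-priority` and `ipv6.dns-priority` properties set through `nmcli connection modify`, and mention the value the import used to apply (`-50`) so someone who wants the old exclusive behaviour back knows what to restore.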