<div dir="ltr"><div style="font-size:small" class="gmail_default">I think restarting Wireguard caused NetworkManager to force systemd-resolved to restart.</div><div style="font-size:small" class="gmail_default">A Wireguard restart effectively destroys the wg0 interface, and creates it again.</div><div style="font-size:small" class="gmail_default"> </div><div style="font-size:small" class="gmail_default">And that cleared the issue I was facing. </div><div style="font-size:small" class="gmail_default"><br></div><div style="font-size:small" class="gmail_default">This is what the logs show when Wireguard was restarted (note the resolvconf, though it is wg0 specific)</div><div style="font-size:small" class="gmail_default"><br></div><div style="font-size:small" class="gmail_default"><span style="font-family:monospace"><span style="color:rgb(0,0,0);background-color:rgb(255,255,255)">Feb 11 09:35:36 ssp wg-quick[3410803]: [#] ip link add wg0 type wireguard
</span><br>Feb 11 09:35:36 ssp wg-quick[3410803]: [#] wg setconf wg0 /dev/fd/63
<br>Feb 11 09:35:36 ssp wg-quick[3410803]: [#] ip -4 address add <a href="http://10.10.0.4/24">10.10.0.4/24</a> dev wg0
<br>Feb 11 09:35:36 ssp wg-quick[3410803]: [#] ip link set mtu 1392 up dev wg0
<br>Feb 11 09:35:36 ssp wg-quick[3410822]: [#] resolvconf -a wg0 -m 0 -x
<br>Feb 11 09:35:36 ssp wg-quick[3410803]: [#] wg set wg0 private-key /etc/wireguard/wg0.key<br></span><br></div><div style="font-size:small" class="gmail_default">The -x option is as follows:</div><div style="font-size:small" class="gmail_default"><br></div><div style="font-size:small" class="gmail_default"><span style="font-family:monospace"><span style="font-weight:bold;color:rgb(0,0,0);background-color:rgb(255,255,255)">-x</span><span style="color:rgb(0,0,0);background-color:rgb(255,255,255)">
</span><br>This switch for "exclusive" operation is supported only partially. It is mapped to an additional configured search domain of "~." \u2014 i.e. ensures that DNS traffic is preferably routed to the DNS servers on this interface, unless there are other, more specific domains configured on other interfaces.
<br><br></span></div><div style="font-size:small" class="gmail_default">So perhaps all DNS queries are going over the VPN, regardless if they are coming from a 10.10.*.* host, or 192.168.0.* one.</div><div style="font-size:small" class="gmail_default"><br></div><div style="font-size:small" class="gmail_default">The /etc/wireguard/wg0.conf has the following:</div><div><br></div><div><div style="font-size:small" class="gmail_default">[Interface]<br>Address = <a href="http://10.10.0.4/24">10.10.0.4/24</a><br>MTU = 1392<br>DNS = 10.10.0.1<br>PostUp = wg set %i private-key /etc/wireguard/%i.key<br><br>[Peer]<br>PublicKey = foo<br>AllowedIPs = <a href="http://10.10.0.0/24">10.10.0.0/24</a><br>Endpoint = a.a.a.a:51820<br>PersistentKeepalive = 15</div><div style="font-size:small" class="gmail_default"><br></div><div style="font-size:small" class="gmail_default"><br></div><div style="font-size:small" class="gmail_default">My understanding is that DNS, only for that interface will be the 10.10.0.1</div><div style="font-size:small" class="gmail_default"><br></div><div style="font-size:small" class="gmail_default">Thoughts?</div><br></div></div>