
Ubuntu (and systemd) DNS specifics

gdanov opened this issue 4 years ago • 5 comments

Executive summary: when the DNS option is set, wg-quick does not run on Ubuntu without openresolv. Installing (and using) openresolv messes with the standard way resolution is handled (via systemd-resolved). Use systemd-resolve on such distros to properly inject WG DNS servers.

I'm working around this by keeping the DNS empty and using the following command in PostUp: systemd-resolve -i wg0 --set-dns=10.99.1.10 --set-dns=10.99.1.11 --set-dns=10.99.1.12

Would be nice if the role detected this and implemented the workaround automatically.

An alternative is to use systemd's netdevs, but that's a pretty heavy-handed change.

gdanov, Oct 01 '21 08:10

Not sure if I can do that much in this case. According to https://systemd.io/RESOLVED-VPNS/ (The APIs -> 3):

If you don’t want to use any systemd-resolved commands,
you may use the resolvconf wrapper we provide. resolvectl
is actually a multi-call binary and may be symlinked to resolvconf,
and when invoked like that behaves in a way that is largely
compatible with FreeBSD’s and Ubuntu’s/Debian’s resolvconf(8) tool.

I just tried that out on Ubuntu 20.04:

host: > /usr/bin$ sudo ln -s resolvectl resolvconf
host: > /usr/bin$ resolvconf --help
resolvconf -a INTERFACE < FILE
resolvconf -d INTERFACE

Register DNS server and domain configuration with systemd-resolved.

  -h --help     Show this help
     --version  Show package version
  -a            Register per-interface DNS server and domain data
  -d            Unregister per-interface DNS server and domain data
  -f            Ignore if specified interface does not exist
  -x            Send DNS traffic preferably over this interface

This is a compatibility alias for the resolvectl(1) tool, providing native
command line compatibility with the resolvconf(8) tool of various Linux
distributions and BSD systems. Some options supported by other implementations
are not supported and are ignored: -m, -p. Various options supported by other
implementations are not supported and will cause the invocation to fail: -u,
-I, -i, -l, -R, -r, -v, -V, --enable-updates, --disable-updates,
--updates-are-enabled.

See the resolvectl(1) man page for details.

Seems to work. If I get that right then at least for Archlinux there is a package for just that purpose. It's also mentioned here (subtopic Broken DNS resolution). Maybe something exists for Ubuntu too.

Maybe just add an Ansible task that sets the softlink accordingly before running this role and see if that works. If it works out, we can think about adding a variable that allows users to enable the softlink if needed.

githubixx, Oct 06 '21 19:10

Ubuntu 18 does not have resolvectl and this is why I'm using systemd-resolve directly in the PostUp — this is guaranteed to work regardless of the API version.

I suggest you add a task with the workaround to clear the DNS and add the PostUp line on systemd distros. Or at least put a warning somewhere about that problem/solution.

The standard advice to install openresolv is outright dangerous and doing that at scale with this play will cause damage.

True, it's wg-quick's bug, but in the end this is what we rely on and we must consider its quirks or bugs.

gdanov, Oct 08 '21 09:10
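An added example (not code from the issue or from the role) of the workaround described above, turned into something a task could generate: it emits PostUp/PostDown lines that register the tunnel's DNS servers with systemd-resolved per link, preferring resolvectl and falling back to the older systemd-resolve front-end that Ubuntu 18 ships, and it includes a check for whether resolved actually owns /etc/resolv.conf before anyone considers installing openresolv. The interface name, server addresses and the `--revert` pairing for systemd-resolve are assumptions.

```shell
#!/bin/sh
# Emit wg-quick PostUp/PostDown hooks that hand the tunnel's DNS servers to
# systemd-resolved per link. The [Interface] "DNS =" key must stay unset so
# wg-quick never shells out to resolvconf/openresolv.

# Succeed if RESOLV_CONF (default /etc/resolv.conf) is a symlink into
# systemd-resolved's runtime directory, i.e. resolved owns name resolution
# and a resolvconf implementation writing the file would override it.
resolved_owns_resolv_conf() {
  target=$(readlink "${1:-/etc/resolv.conf}" 2>/dev/null) || return 1
  case $target in
    *run/systemd/resolve/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the name of the resolved front-end found on PATH, or fail.
# resolvectl exists from systemd 239; Ubuntu 18.04 only has systemd-resolve.
resolved_frontend() {
  if command -v resolvectl >/dev/null 2>&1; then echo resolvectl
  elif command -v systemd-resolve >/dev/null 2>&1; then echo systemd-resolve
  else return 1; fi
}

# wg_dns_hooks IFACE SERVER... -> two lines to paste into wg0.conf.
# Refuses to emit a hook with no servers (exit 2) or without a front-end (1).
# Assumption: "systemd-resolve -i IFACE --revert" undoes --set-dns there.
wg_dns_hooks() {
  iface=$1; shift
  [ $# -gt 0 ] || return 2
  tool=$(resolved_frontend) || return 1
  case $tool in
    resolvectl)
      printf 'PostUp = resolvectl dns %s' "$iface"
      for s in "$@"; do printf ' %s' "$s"; done
      printf '\nPostDown = resolvectl revert %s\n' "$iface" ;;
    systemd-resolve)
      printf 'PostUp = systemd-resolve -i %s' "$iface"
      for s in "$@"; do printf ' --set-dns=%s' "$s"; done
      printf '\nPostDown = systemd-resolve -i %s --revert\n' "$iface" ;;
  esac
}

# Example (constructed addresses): wg_dns_hooks wg0 10.99.1.10 10.99.1.11
```

Per-link settings registered this way disappear with the interface, so the PostDown line is a tidy-up rather than a requirement.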

The wg-quick.8 man page explicitly states under the DNS point:

If these particular invocations of resolvconf(8) are undesirable, the PostUp and PostDown keys below may be used instead.

Where the presence of resolvconf cannot be guaranteed, neither by a distribution package nor a manual symlink, the PostUp hook is therefore the canonical way to follow.

almereyda, Dec 22 '21 03:12

I'm having the same issue.

The standard advice to install openresolv is outright dangerous and doing that at scale with this play will cause damage.

@gdanov can you elaborate a little why this is dangerous?

HerrMuellerluedenscheid, Jan 13 '22 16:01

Because whatever is configured via systemd-resolved is lost. You could lose connectivity or bring your cluster down if (for example) your internal DNS is configured via systemd.

gdanov, Jan 13 '22 17:01

I'm closing this. DNS requirements should be handled outside this role as there is no "one size fits all". DNS setups out there are quite different.

githubixx, Nov 29 '22 20:11