author Michael Catanzaro <mcatanzaro@redhat.com> 2021-06-18 16:41:02 -0500
committer Thomas Haller <thaller@redhat.com> 2021-06-23 20:31:14 +0200
commit c447a4886d9fe69113a969c4324a4a5594ac8d3a
tree 6b8e2ee8e1522c749647c427080700c87e0c6cc8 /src/libnmc-base
parent 88005e36a4ecff50bfbbaca43581082c92920122
libnmc-base: don't set DNS priority when importing Wireguard connections

This is actually trying *too* hard to prevent DNS leaks, breaking normal expected use of split DNS. Let systemd-resolved handle sending our DNS queries to the right place instead.

It's true that NetworkManager is trying to emulate the behavior of wg-quick here, and wg-quick uses 'resolvconf -x' to attempt to set "exclusive" DNS. But with systemd-resolved this is implemented by setting a ~. routing domain for the Wireguard interface. That is a *really* big hammer already, since Domain=~. overrides +DefaultRoute, ensuring most DNS queries can only go to other interfaces with Domain=~. NetworkManager follows systemd-resolved's recommended convention by only applying Domain=~. to other "privacy VPNs" since 1.26.6. Setting DNS priority only prevents *domain-specific* "leaks", which are almost always desired. For example, it prevents using both the Wireguard VPN and a corporate VPN at the same time.

Note that all of the justification behind !688 applies here as well.

See-also:
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/688
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/585
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/901

Diffstat (limited to 'src/libnmc-base')
-rw-r--r-- src/libnmc-base/nm-vpn-helpers.c 5
1 files changed, 0 insertions, 5 deletions
diff --git a/src/libnmc-base/nm-vpn-helpers.c b/src/libnmc-base/nm-vpn-helpers.c
index 72691e34c2..4895014ece 100644
--- a/src/libnmc-base/nm-vpn-helpers.c
+++ b/src/libnmc-base/nm-vpn-helpers.c
@@ -761,11 +761,6 @@ fail_invalid_secret:
data_addr ? method_manual : method_disabled,
NULL);
- /* For WireGuard profiles, always set dns-priority to a negative value,
- * so that DNS servers on other profiles get ignored. This is also what
- * wg-quick does, by calling `resolvconf -x`. */
- g_object_set(s_ip, NM_SETTING_IP_CONFIG_DNS_PRIORITY, (int) -50, NULL);
-
if (data_addr) {
for (i = 0; i < data_addr->len; i++)
nm_setting_ip_config_add_address(s_ip, data_addr->pdata[i]);
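
Review bot: Removing the `g_object_set(s_ip, NM_SETTING_IP_CONFIG_DNS_PRIORITY, (int) -50, NULL);` call leaves nothing at this spot to say that the importer now deliberately leaves dns-priority at its default, and the deleted comment was the only place recording the difference from wg-quick's `resolvconf -x`. A one-line comment above `if (data_addr)` stating that DNS priority is intentionally not set on import (with a pointer to !688) would keep a later reader from restoring it for wg-quick parity. The change also only affects new imports: a profile imported earlier still carries the stored -50, so the release notes should say that users who want split DNS have to reset dns-priority on existing WireGuard profiles, and that users who relied on the exclusive behaviour must now set a negative priority themselves.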