Wireguard DNS leak

1st Official Post

    I've had nothing but trouble with wireguard. Sometimes it works and sometimes it doesn't. It's a coin toss. Sometimes rebooting brings it back. Totally frustrating buggy experience. Now, after the update to 9.2.3, no change in the spottiness of wireguard connecting. However, a serious issue has arisen which others in this community need to be aware of. The dns is leaking. I use an add-on called dnsleaktest. I run it after booting to check on the IP to ensure wireguard IP is showing and also checking for possible DNS leaks. Well, after upgrading to 9.2.3, I run dnsleaktest addon and it shows the wireguard IP, but my ISP IP for DNS. It then says, Conclusion, DNS may be leaking. Hell yes it is. Wow, that's scary. Had I not run this addon, I would have no idea of this serious DNS leak and exposing my ISP IP.

    I double checked my .config file and WireGuard.DNS = 1.1.1.1

    This is obviously a serious issue. It appears it's ignoring this line and using ISP IP. I urge others using wireguard to download the dnsleaktest addon and run it to check the IP and DNS IP for leaks.

    The dnsleaktest addon is an official kodi addon.

    Add-on:DNS Leak-Test - Official Kodi Wiki

    I also hope this bug can be isolated and resolved. In the meantime, I'm no longer using wireguard with libreelec until this issue is resolved.

    • Official Post

    WireGuard support is still new and somewhat experimental and there are some systemd changes being figured out (slowly) in another forum thread to ensure more reliable connectivity. The issue of DNS leaking in known but also not something that will be simple to solve. The issue is that connman will append DNS servers specified in the wireguard config file to /etc/resolve.conf but it will not remove the existing nameserver at the same time because connman does not "manage" the DNS servers. As a result, traffic will route through the tunnel, but DNS will still resolve through the local nameserver as this is still the primary (first listed) nameserver. Resolving [sic] this probably requires a switch to using networkd (part of systemd) which is a non-trivial change for the distro to make, and isn't likely to be done anytime soon. The next-best thing is to write a handler script to remove (and cache) and then restore (from cache) the DNS servers, but there are multiple ways to change network properties while a wireguard tunnel is up, which might alter the list of nameservers, so it's one of those things that sounds simple but is programatically complex with a load of caveats on realiblity. More serious investigation on the changes needed to eliminate DNS leaking are not on my personal to-do list right now; because WireGuard works reliably for me, I don't have much time due to a busy work schedule, and the DNS leak is not important for the personal use-case that I implemented WireGuard support for. Sorry if that sounds rather "not interested" but .. I don't have the time to deal with it so the community at large will need to contribute to solving it.