Hi Mathias,

On Mon, Oct 16, 2023 at 09:33:14AM +0200, Mathias Behrle wrote:
> > What is your exact use-case? I assume it's for a desktop VPN, in which case
> > adding systemd-resolved support to wg-quick might be less
> > problematic.
>
> Yes, indeed my use case is a desktop VPN.
>
> FWIW both resolvconf and systemd-resolved immediately broke my DNS, while
> openresolv worked.

Right, so there's the real root-cause. I think we should take the time to debug and fix your systemd-resolved problem instead of bypassing it. In case you're not aware, systemd-resolved has a resolvconf compatibility interface[1] now, so this will actually fix your wg-quick problem too.

We should likely do a push to get all openresolv|resolvconf dependencies updated to add systemd-resolved across Debian.

[1]: https://github.com/systemd/systemd/issues/7202

Unlike openresolv/resolvconf, systemd-resolved actually has a data/config model that has the potential to work for all use-cases I'm aware of without hacks, so as much as I lament relying on yet another thing from under the systemd umbrella it's the only reasonably modern solution capable of being the default I'm aware of.

> I don't know for which reasons Recommends for the resolve tools were
> dropped to Suggests. Unit 193, any explanation?

commit 324d375b79fab138f0c83af022bbe9e795d5e696
Author: Unit 193 <unit...@unit193.net>
Date: Fri May 15 18:32:09 2020 -0400

    d/control: Lower 'openresolv | resolvconf' to suggests.

diff --git a/debian/control b/debian/control index 09513a2..9093d4b 100644 --- a/debian/control +++ b/debian/control 
@@ -40,8 +40,8 @@ Depends: ${shlibs:Depends}, Recommends: nftables | iptables, - openresolv | resolvconf, wireguard-modules (>= 0.0.20171001) | wireguard-dkms (>= 0.0.20191219), +Suggests: openresolv | resolvconf, Description: fast, modern, secure kernel VPN tunnel (userland utilities) WireGuard is a novel VPN that runs inside the Linux Kernel and uses state-of-the-art cryptography (the "Noise" protocol). It aims to be

> The issue for me is that
>
> 1) First the description in control
>
>  This package contains command-line tools to interact with the
>  WireGuard kernel module. Currently, it provides only a single tool:
>  .
>  wg: set and retrieve configuration of WireGuard interfaces
>
> is no more appropriate. It ships now wg-quick, too.

That's unrelated, open a separate bug for that please.

> 2) The decision to downgrade resolve tools to Suggests may perhaps date back to
> a time where wg was indeed the only binary shipped in the package?

I doubt it, wg-quick has existed for a good long while. My guess is the recommends was demoted because of DNS problems with openresolv/resolvconf ;)

> Now wg-quick failed from the beginning which is a major annoyance and a
> really bad user experience.

Right, but you have to admit that by using a commandline tool you're already well into poweruser territory so IMO you (or anyone doing that) is expected to be able to debug this.

See I would expect most desktop users to deploy their wg VPN tunnels using NetworkManager integration or some such. If DNS is broken in that case I'd consider that a big problem as, say, my mum can't be expected to debug this, haha.

> I think it could be a very common use case to use wireguard
> configurations with DNS entries. Thus the package should work
> out-of-the-box in a default Debian installation.

It's just not that clear-cut due to the brokenness of the openresolv/resolvconf approach. I would agree if there were no known downsides to installing them but alas..

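Review bot: the `+Suggests: openresolv | resolvconf,` line in the debian/control hunk demotes the resolver dependency with no rationale in the commit message, which only restates the change, and this thread is left guessing at the reason. Suggest recording the motivation (or a bug reference) in the message, and documenting the consequence reported in this thread, that wg-quick fails on configurations with DNS entries when no resolvconf provider is installed. The alternative list also names only `openresolv | resolvconf`; if systemd-resolved's resolvconf compatibility interface is meant to satisfy it, as the reply proposes, it would need to be added to this field.
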
> As a thought: if it makes substantial problems to install by default a resolv
> conf tool on servers would it perhaps improve things a little bit, if wg-quick
> would be phased out into a separate package?

Unfortunately the firewall functionality of wg-quick is still important on servers. There just aren't any easy solutions here. To move things forward we have to do the (hard) work of debugging why systemd-resolved is broken in your case and fixing it. I'm happy to help with that tho.

> Finally, if that all is yet not applicable for you then please document the
> current situation in README.Debian where my next source of information for the
> package is when I run into problems. It would have helped me a lot ;)

Was there not a reasonable error message pointing at the missing resolvconf? If so I think we may want to patch wg-quick to make the problem a bit more verbose.

--Daniel