Re: Wireguard Windows Service Issues

[tlhackque <tlhackque@yahoo.com>]

[-- Attachment #1.1: Type: text/plain, Size: 1849 bytes --]

On 17-Jan-22 05:51, Simon Rozman wrote:
> Hi,
>
>
> WireGuard services start early on boot - sometimes even before the DNSCache (DNS Client). If the service can't resolve hostnames used in the config file, it will stop. But it will log this. Resolution to this problem is:
> - Use IPs rather than hostnames.
> - Add hostnames you use in your .conf file to C:\Windows\system32\drivers\etc\hosts.
> - Add DNSCache dependency to the WireGuardTunnel$<your tunnel name> service.
>
> I personally would pick one of the first two options above. Don't like the idea my laptop is asking a coffee shop's DNS what is my VPN endpoint IP address.
>
>
 From this description, it seems that there's room for improvement.

It doesn't seem reasonable for the WireGuard service to stop. Log and 
perhaps display an error, sure.  But stopping seems harsh, and would 
prevent other tunnel endpoints from working - not a good user experience.

It would seem better for the service to set a timer and retry failures 
periodically - many DNS issues are transient.

It also seems to me that it would be better for the default to be option 
3 - make all tunnels dependent on DNSCache without requiring any 
user/admin action.  One could condition this on an endpoint being 
specified as a hostname, but that doesn't seem worth the effort.  Pretty 
much any use of a tunnel needs name resolution.  Even if your resolvers 
are at the other end of the tunnel, starting the client before it's up 
is harmless.

Anyone concerned about DNS snooping on name resolution of the endpoints 
can avoid it by using either of the other two options: hardcoded IP in 
the configuration, or an entry in "hosts".

"It just works" seems much more desirable than mystery service stops.  A 
UI status "waiting for hostname resolution" would be ideal.



[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 840 bytes --]