We found out in #496 that WireGuard does not support "match domains" on macOS, but it also does not properly support search domains in "split tunnel" configurations.
Take the example below; the PrivateKey value has been replaced by an invalid key.
```
# Portal: https://vpn-next.tuxed.net/vpn-user-portal/
# Profile: Default (default)
# Expires: 2024-09-19T19:30:20+00:00
[Interface]
MTU = 1392
PrivateKey = iH7dv30D/4M2Ld00hyywI2owsp6Kuxhh5vh3KPKj40w=
Address = 10.146.176.17/24,fdee:1ead:29e8:22a2::11/64
DNS = 9.9.9.9,2620:fe::fe,tuxed.net

[Peer]
PublicKey = Jw13c6BQ1f8YEoq/XPLRPvyrD9J0Ak/bceChbDD5u3Q=
AllowedIPs = 10.146.176.0/24,192.168.1.0/24,fd11::/64,fdee:1ead:29e8:22a2::/64
Endpoint = vpn-next.tuxed.net:51820
```
If we make AllowedIPs the following, it does work: `AllowedIPs = 0.0.0.0/0,::/0`

By "it" we mean, for example, typing `ping www` in the Terminal, which would result in macOS figuring out it can put `.tuxed.net` (as listed under DNS) behind `www`, which then results in an actual ping of `www.tuxed.net`.
See also: https://lists.zx2c4.com/pipermail/wireguard/2021-July/006927.html
It seems it has been fixed in Tailscale (link to fix in above mailing list post), but never upstreamed to WireGuard proper?
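
A way to check a configuration for the combination reported above (search domain in `DNS` plus split-tunnel `AllowedIPs`), as an added example that is not part of the original report or of any WireGuard project code. The function names, the `affected` flag, and the rule that any `/0` prefix counts as a full tunnel are assumptions of this sketch; the sample is constructed from the report's configuration with the keys omitted.

```python
import ipaddress

# Constructed sample based on the configuration in the report; keys omitted.
SAMPLE = """\
[Interface]
Address = 10.146.176.17/24,fdee:1ead:29e8:22a2::11/64
DNS = 9.9.9.9,2620:fe::fe,tuxed.net
[Peer]
AllowedIPs = 10.146.176.0/24,192.168.1.0/24,fd11::/64,fdee:1ead:29e8:22a2::/64
Endpoint = vpn-next.tuxed.net:51820
"""

def _values(config, section, key):
    """Collect the comma-separated values of `key` from every [section] block."""
    out, current = [], None
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
        elif "=" in line and current == section:
            k, v = line.split("=", 1)          # split once: keys may end in '='
            if k.strip().lower() == key:
                out += [x.strip() for x in v.split(",") if x.strip()]
    return out

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def analyze(config):
    """Hypothetical helper: classify DNS entries and flag the reported case."""
    dns = _values(config, "interface", "dns")
    servers = [d for d in dns if _is_ip(d)]
    search = [d for d in dns if not _is_ip(d)]  # non-IP entries are search domains
    nets = [ipaddress.ip_network(a, strict=False)
            for a in _values(config, "peer", "allowedips")]
    # Assumption: a /0 prefix in either address family means full tunnel.
    full = any(n.prefixlen == 0 for n in nets)
    return {"dns_servers": servers, "search_domains": search,
            "split_tunnel": not full, "affected": bool(search) and not full}
```
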