scutil --dns and Network Preferences do not match


I have a WireGuard tunnel on macOS configured with wg-quick; my client configuration looks like this:

$ cat /usr/local/etc/wireguard/wg0.conf
[Interface]
PrivateKey = <snip>

# The address of this client
Address = fd37:5040::0002/64

# The address of my DNS server within the Wireguard VPN
DNS = fd37:5040::0001/64

[Peer]
PublicKey = <snip>
# Allow all traffic from the VPN subnet to flow from this peer
AllowedIPs = fd37:5040::/64
# Externally-visible endpoint
Endpoint = tunnel.mydomain.com:51820
PersistentKeepalive = 45

When I run wg-quick up, I get output like this:

INFO: (utun4) 2019/06/05 11:48:38 Starting wireguard-go version 0.0.20190409
[+] Interface for wg0 is utun4
[#] wg setconf utun4 /dev/fd/63
[#] ifconfig utun4 inet6 fd37:5040::0002/64 alias
[#] ifconfig utun4 up
[#] networksetup -getdnsservers USB 10/100/1000 LAN
[#] networksetup -getdnsservers iPad USB
[#] networksetup -getdnsservers Wi-Fi
[#] networksetup -getdnsservers iPhone USB
[#] networksetup -getdnsservers Bluetooth PAN
[#] networksetup -getdnsservers Thunderbolt Bridge
[#] networksetup -getdnsservers wg0
[#] networksetup -setdnsservers Bluetooth PAN fd37:5040::0001
[#] networksetup -setdnsservers wg0 fd37:5040::0001
[#] networksetup -setdnsservers iPhone USB fd37:5040::0001
[#] networksetup -setdnsservers Wi-Fi fd37:5040::0001
[#] networksetup -setdnsservers USB 10/100/1000 LAN fd37:5040::0001
[#] networksetup -setdnsservers Thunderbolt Bridge fd37:5040::0001
[#] networksetup -setdnsservers iPad USB fd37:5040::0001
[+] Backgrounding route monitor

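This all looks fine and works on most networks, but if I don't have a publicly routable IPv6 address, macOS seems to silently drop the IPv6 DNS entries. Looking at the DNS settings in Network Preferences, I see my DNS server listed there, but when I ask scutil, I don't see anything like that: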

$ scutil --dns
DNS configuration

resolver #1
  search domain[0] : home
  nameserver[0] : 208.67.222.222
  nameserver[1] : 208.67.220.220
  if_index : 10 (en0)
  flags    : Request A records
  reach    : 0x00000002 (Reachable)

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300000

resolver #3
  domain   : 254.169.in-addr.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300200

resolver #4
  domain   : 8.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300400

resolver #5
  domain   : 9.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300600

resolver #6
  domain   : a.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300800

resolver #7
  domain   : b.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 301000

DNS configuration (for scoped queries)

resolver #1
  search domain[0] : home
  nameserver[0] : 208.67.222.222
  nameserver[1] : 208.67.220.220
  if_index : 10 (en0)
  flags    : Scoped, Request A records
  reach    : 0x00000002 (Reachable)

resolver #2
  nameserver[0] : fd00:976a::9
  if_index : 19 (ipsec0)
  flags    : Scoped, Request AAAA records
  reach    : 0x00000002 (Reachable)

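It seems that no amount of networksetup -setdnsservers changes this, and editing things in the Network Preferences pane shows that any IPv4 address I enter gets used, but IPv6 addresses get dropped. When there is no interface with a publicly routable IPv6 address, how can I convince macOS to let me use these private IPv6 addresses to reach the DNS server that lives inside my WireGuard tunnel?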
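
The mismatch described in this question can be checked mechanically. The following is an added example, not part of the original post: it parses `scutil --dns` text and reports which expected DNS servers (the `DNS =` values from the wg-quick config) appear in no resolver. The function names `parse_scutil_dns` and `missing_servers` are hypothetical, and the sample input is constructed by trimming the output quoted above.

```python
import ipaddress
import re

# Constructed sample, trimmed from the `scutil --dns` output quoted above.
SAMPLE = """\
DNS configuration

resolver #1
  nameserver[0] : 208.67.222.222
  nameserver[1] : 208.67.220.220
  if_index : 10 (en0)

resolver #2
  domain   : local
  options  : mdns

DNS configuration (for scoped queries)

resolver #1
  nameserver[0] : fd00:976a::9
  if_index : 19 (ipsec0)
"""

def parse_scutil_dns(text):
    """Return a list of resolver dicts: section, nameservers, interface."""
    resolvers, section, cur = [], None, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("DNS configuration"):
            section, cur = line, None
        elif line.startswith("resolver #"):
            cur = {"section": section, "nameservers": [], "interface": None}
            resolvers.append(cur)
        elif cur is not None and " : " in line:
            key, value = (p.strip() for p in line.split(" : ", 1))
            if key.startswith("nameserver["):
                cur["nameservers"].append(ipaddress.ip_address(value))
            elif key == "if_index":
                m = re.search(r"\((\w+)\)", value)
                cur["interface"] = m.group(1) if m else None
    return resolvers

def missing_servers(expected, scutil_text):
    """Expected DNS servers that appear in no resolver of the scutil output."""
    active = {ns for r in parse_scutil_dns(scutil_text) for ns in r["nameservers"]}
    # Drop any /prefix (the wg-quick output above passes the bare address) and
    # compare parsed addresses, so fd37:5040::0001 equals fd37:5040::1.
    wanted = [ipaddress.ip_address(e.split("/")[0]) for e in expected]
    return [str(w) for w in wanted if w not in active]
```

On a live system the text would come from running `scutil --dns`; a non-empty result means the resolver list in effect differs from what was configured.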
