I'm also having trouble with my search domain not working when using a split tunnel. Is there any way I could test these changes? I don't have an Apple Developer account that can build this project. Is a build of this commit downloadable somewhere or has there been any progress for merging this into upstream?

I will see if I can get a build to you. I haven't formally proposed this patch to upstream yet. It's been on my todo list for too long now.

It seems I cannot build a version to publish for general distribution. Network Extensions packaged as app extensions cannot be distributed outside the app store due to Apple's limitations. If the network extension was packaged as a system extension, then I believe I could sign with my developer ID for general distribution. Alas, I don't have the time right now to patch the wireguard app to use the system extension feature. Moreover, that would bump the minimum system version to 10.15 which may be undesirable for upstream.

Thank you for replying so quickly! I was also unable to build this project with the free developer account due to those extensions. The mailinglist WireGuard uses is also another hurdle to send in bug reports so I thought I'd reach out this way.

My only concern for this to be merged upstream is that it introduces a new configuration semantic; ~matchdomain. They will likely want to keep the configuration the same for all clients. I did some reading on this (can't test anything unfortunately) and I think the problem lies in this line like anothers have mentioned;

dnsSettings.matchDomains = [""] // All DNS queries must first go through the tunnel's DNS

This works fine if I'm not using Split DNS (AllowedIPs = 0.0.0.0/0) but doesn't work when I only route some internal IP's. That's probably why someone else used this solution;

dnsSettings.matchDomains = [""] + dnsSettings.searchDomains // All DNS queries must first go through the tunnel's DNS

The solution I'll try to suggest to upstream is using the tunnel's DNS only when all traffic is routed through the tunnel or as a matchDomain when only some traffic is routed. I think that behaviour makes more sense without changing semantics. As far as I understand, the matchDomains will also be used as searchDomain (see https://developer.apple.com/documentation/networkextension/nednssettings/1406735-matchdomainsnosearch).

let dnsSettings = NEDNSSettings(servers: dnsServerStrings)
if tunnelConfiguration.interface.addresses.contains("0.0.0.0/0") { // Not sure if this works in Swift
    dnsSettings.searchDomains = tunnelConfiguration.interface.dnsSearch
    if !tunnelConfiguration.interface.dns.isEmpty {
        dnsSettings.matchDomains = [""] // All DNS queries must first go through the tunnel's DNS
    }
} else if !tunnelConfiguration.interface.dns.isEmpty {
    dnsSettings.matchDomains = tunnelConfiguration.interface.dnsSearch // Use the tunnel's DNS only for the given domains
}

I'm not sure if this code works for both our use cases. Any suggestions before I try to post this on the mailinglist?

Just noticed you posted the patch on the mailinglist. Thank you for trying to resolve this upstream! Much appreciated!

Just to let you know, I posted a message to the mailinglist but it is still awaiting approval by a moderator. Those mailing lists are really a pain to use!

Hello Andrew,

I just want to chime in here and say that I think the current
implementation of search domains is simply not working the way it
should on the MacOS client.

My use case is pretty common, an internal DNS server that has entries
for internal servers. I defined a search domain in the WireGuard
configuration; DNS = 10.13.13.1 mydomain.internal. The search domain
is for convenience, so I can just use the servername instead of
servername.mydomain.internal. Now this works fine when I route all the
traffic through the VPN (AllowedIPs = 0.0.0.0/0) but the search domain
is completely ignored when I only route the traffic I need to
(AllowedIPs = 10.13.13.0/24 192.168.0.0/24).

I don't think this is a configuration error on my side. The DNS
responds fine when using servername.mydomain.internal. This problem is
even mentioned in the "WireGuard macOS & iOS TODO List"
9. matchDomains=[“”] doesn’t do what the documentation says.
Specifically, DNS servers are not used if allowed IPs isn’t 0.0.0.0/0.

The description isn't 100% accurate (or outdated), the DNS server is
used but the search domain isn't being set on the primary resolver.
Some have solved this issue by adding the search domains to the list
of matchDomains; dnsSettings.matchDomains = [""] +
dnsSettings.searchDomains. But that way the DNS server specified in
WireGuard is still the primary resolver for all DNS queries.

Here is a link on how OpenVPN handles this and I think it's how it
should work when not using AllowedIPs 0.0.0.0/0.
https://openvpn.net/faq/how-does-ios-interpret-pushed-dns-servers-and-search-domains/
On a split-tunnel, where redirect-gateway is not pushed by the server,
and at least one pushed DNS server is present:

• route all DNS requests through pushed DNS server(s) if no added
  search domains.
• route DNS requests for added search domains only, if at least one
  added search domain.

Yours sincerely,
Matty

I hope this gets added to the release version soon. Has anyone found a workaround in the interim?

Thank you for the work that has been done here. I've recently started evaluating switching to Wireguard from OpenVPN and have run into the same issue with search domains on MacOS which is blocking me currently. It's now 2023 and it doesn't seem like this has ever been resolved, or am I wrong?

When routing a specific subnet through wireguard and DNS short names do not work, even if I add search domain suffix to wireguard config like x.x.x.x, company.internal for ex. as it's not added to the primary resolver. It does seem to work if I route all traffic through the VPN i.e. 0.0.0.0/0 (which is not ideal for our use case).

It’s been a while since I ran into this issue, but I think no progress has been made since. This client isn’t really being actively maintained anymore.

I believe the search domains work when you activate the VPN connection with the wg-quick command. That command is part of the wireguard-tools package, installable with Homebrew.

For the most part, I don't actively use this fork anymore. I had hoped it would get merged into the main wireguard-apple project, but there wasn't a lot of movement on that project at the time. I haven't paid close attention to actual commit activity in wireguard-apple, but my observation from the wireguard mailing list is that a lot of iOS and macOS work is stalled.

Crappy, appreciate the updates. Maybe I will need to re-evaluate our internal procedures for using DNS/short names and implement a better strategy. Wireguard looks like a great alternative to OpenVPN but the MacOS client does not seem very robust to say the least.