From cca5c48725999d4bd91c909bd0c649ad3b740d3a Mon Sep 17 00:00:00 2001
From: 0xWheatyz
Date: Wed, 15 Apr 2026 19:08:13 -0400
Subject: [PATCH] fix(wireguard): use public DNS to resolve endpoint before tunnel is up

Query @1.1.1.1 explicitly in postUp/preDown hooks since the VPN DNS (10.0.1.65) is unreachable before the tunnel establishes.
---
 configuration.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/configuration.nix b/configuration.nix
index 676126c..6719a58 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -181,13 +181,13 @@
 privateKeyFile = "/etc/wireguard/private.key";
 postUp = ''
- ENDPOINT_IP=$(${pkgs.dig}/bin/dig +short vpn.leeworks.dev | head -1)
+ ENDPOINT_IP=$(${pkgs.dig}/bin/dig +short vpn.leeworks.dev @1.1.1.1 | head -1)
 GATEWAY=$(${pkgs.iproute2}/bin/ip route show default | ${pkgs.gawk}/bin/awk '{print $3}')
 DEV=$(${pkgs.iproute2}/bin/ip route show default | ${pkgs.gawk}/bin/awk '{print $5}')
 ${pkgs.iproute2}/bin/ip route add "$ENDPOINT_IP" via "$GATEWAY" dev "$DEV"
 '';
 preDown = ''
- ENDPOINT_IP=$(${pkgs.dig}/bin/dig +short vpn.leeworks.dev | head -1)
+ ENDPOINT_IP=$(${pkgs.dig}/bin/dig +short vpn.leeworks.dev @1.1.1.1 | head -1)
 ${pkgs.iproute2}/bin/ip route del "$ENDPOINT_IP" || true
 '';
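Review bot: The output of `dig +short … | head -1` in `postUp` is passed to `ip route add` without checking that it is an IPv4 address; `+short` can print a CNAME target or a `;;` diagnostic line first, and the variable is empty or unusable when 1.1.1.1 cannot be reached. `preDown` repeats the same unvalidated lookup, where `|| true` hides a failure and, if the record changed while the tunnel was up, the route deleted is not the one that was added, so I would reuse the address resolved in `postUp` rather than resolve again. The query to 1.1.1.1 is also unauthenticated plaintext on the local network: WireGuard still authenticates the peer by key, so a forged answer cannot impersonate the endpoint, but it can pin a host route for an arbitrary address outside the tunnel. A filtered lookup with an explicit failure path for `postUp` is sketched below (whether the hook should abort or only skip the route is a policy choice); the enclosing interface block starts and ends outside the hunk.

```nix
postUp = ''
  # Accept only a dotted-quad answer; +short may also emit a CNAME target or a ";;" diagnostic.
  ENDPOINT_IP=$(${pkgs.dig}/bin/dig +short A vpn.leeworks.dev @1.1.1.1 \
    | ${pkgs.gnugrep}/bin/grep -E -m1 '^[0-9]+(\.[0-9]+){3}$' || true)
  if [ -z "$ENDPOINT_IP" ]; then
    echo "wireguard postUp: no usable A record for vpn.leeworks.dev from 1.1.1.1" >&2
    exit 1
  fi
  # … unchanged: GATEWAY / DEV lookup and ip route add …
```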