Split tunnel search domains do not work

[ghost]

We found out in #496 that WireGuard does not support "match domains" on macOS, but it also does not properly support search domains in "split tunnel" configurations.

Take the below example, the PrivateKey value has been replaced by an invalid key.

# Portal: https://vpn-next.tuxed.net/vpn-user-portal/
# Profile: Default (default)
# Expires: 2024-09-19T19:30:20+00:00

[Interface]
MTU = 1392
PrivateKey = iH7dv30D/4M2Ld00hyywI2owsp6Kuxhh5vh3KPKj40w=
Address = 10.146.176.17/24,fdee:1ead:29e8:22a2::11/64
DNS = 9.9.9.9,2620:fe::fe,tuxed.net

[Peer]
PublicKey = Jw13c6BQ1f8YEoq/XPLRPvyrD9J0Ak/bceChbDD5u3Q=
AllowedIPs = 10.146.176.0/24,192.168.1.0/24,fd11::/64,fdee:1ead:29e8:22a2::/64
Endpoint = vpn-next.tuxed.net:51820

If we make AllowedIPs the following, it does work: AllowedIPs = 0.0.0.0/0,::/0

By "it", we mean here, typing for example ping www in the Terminal which would result in macOS figuring out it can put .tuxed.net (as listed under DNS) behind www, which then results in an actual ping of www.tuxed.net.

See also: https://lists.zx2c4.com/pipermail/wireguard/2021-July/006927.html

It seems it has been fixed in Tailscale (link to fix in above mailing list post), but never upstreamed to WireGuard proper?

[roop]

I can reproduce the issue. Will investigate more and let you know. Could be related to: https://developer.apple.com/forums/thread/113252