Installing and Using WireGuard VPN with NetworkManager on Arch Linux
WireGuard is a fast, modern VPN protocol designed for simplicity and high performance. On Arch Linux, it integrates smoothly using wg-quick, but things get tricky when NetworkManager and DNS resolution come into play.
This post shows you how to:
- Set up WireGuard using a prebuilt or custom config
- Fix the common DNS resolvconf error
- Integrate WireGuard with NetworkManager
✅ Install WireGuard
sudo pacman -S wireguard-tools
This installs:
- wg: CLI tool for key and interface management
- wg-quick: Script for quickly bringing interfaces up/down
⚡ Option A: I Have a Prebuilt Config File
If you received a ready-made .conf file from your VPN provider (like Mullvad, ProtonVPN, or a self-hosted server), follow these steps:
1. Copy the file into place:
sudo cp my-vpn.conf /etc/wireguard/wg0.conf
sudo chmod 600 /etc/wireguard/wg0.conf
You can name it anything (e.g., home.conf, server.conf), but wg0.conf is conventional.
2. Remove the DNS line (important!)
Open the config file:
sudo nano /etc/wireguard/wg0.conf
Comment out or delete the line:
# DNS = 1.1.1.1
Why? Because wg-quick will try to apply this using resolvconf, which conflicts with NetworkManager and systemd-resolved.
3. Start the VPN:
sudo wg-quick up wg0
⚙️ Option B: Manual Configuration
If you’re setting up WireGuard manually:
1. Generate Keys
umask 077
wg genkey | tee privatekey | wg pubkey > publickey
2. Create /etc/wireguard/wg0.conf
[Interface]
PrivateKey = <your-private-key>
Address = 10.0.0.2/24
# DNS = 1.1.1.1
[Peer]
PublicKey = <peer-public-key>
Endpoint = <server-ip>:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
Again, comment out or remove the DNS line if you’re using NetworkManager.
🚫 Common Error: resolvconf: signature mismatch
If you try to start the VPN and see this:
resolvconf: signature mismatch: /etc/resolv.conf
It means wg-quick is trying to use resolvconf, but your system’s DNS is managed by systemd-resolved, often through NetworkManager.
✅ The Fix: Let NetworkManager Handle DNS
- Edit your config: remove or comment out the DNS = ... line.
- Restart the VPN interface:
sudo wg-quick up wg0
No more DNS error!
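The permission and DNS-line steps above can be checked mechanically before running wg-quick up. The script below is an added example, not part of the original post; the function names (active_dns_lines, disable_dns, is_private, make_sample) and the sample config are assumptions made for illustration.

```shell
# Added example (not from the original post); all function names are assumptions.

# Print line numbers of active (uncommented) DNS entries in [Interface].
active_dns_lines() {
    section="" n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        # Drop comments and whitespace, lowercase, so "dns =" is caught too.
        key=$(printf '%s' "${line%%#*}" | tr -d ' \t' | tr 'A-Z' 'a-z')
        case "$key" in
            \[*\]) section=$key ;;
            dns=*) if [ "$section" = "[interface]" ]; then echo "$n"; fi ;;
        esac
    done < "$1"
    return 0
}

# Comment those entries out in place. mktemp creates the temp file 0600, so
# the PrivateKey is not exposed during the rewrite and the result stays 0600.
disable_dns() {
    script=$(active_dns_lines "$1" | sed 's|$|s/^/# /|')   # e.g. "4s/^/# /"
    [ -n "$script" ] || return 0
    tmp=$(mktemp "$1.XXXXXX") || return 1
    sed "$script" "$1" > "$tmp" && mv -f "$tmp" "$1"
}

# True when group and other have no access to the file.
is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Constructed sample based on the Option B config, with the DNS line active.
make_sample() {
    cat > "$1" <<'EOF'
[Interface]
PrivateKey = <your-private-key>
Address = 10.0.0.2/24
dns = 1.1.1.1
# DNS = 1.1.1.1
[Peer]
AllowedIPs = 0.0.0.0/0
EOF
}

# Usage (as root): sh preflight.sh /etc/wireguard/wg0.conf
if [ -n "${1:-}" ]; then
    is_private "$1" || echo "warning: $1 is accessible to group/other"
    disable_dns "$1" && echo "active DNS lines left: $(active_dns_lines "$1" | wc -l)"
fi
```

Only DNS keys inside [Interface] are touched, and lines that are already commented out are left alone.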
🌐 Optional: Manually Set DNS (If Needed)
If you want to override DNS manually:
Using systemd-resolved:
sudo resolvectl dns wg0 1.1.1.1
sudo resolvectl domain wg0 ~.
Using NetworkManager (this assumes NetworkManager has a connection profile named wg0):
nmcli connection modify wg0 ipv4.dns "1.1.1.1"
nmcli connection up wg0
🧪 Test Your Connection
ping 1.1.1.1
ping archlinux.org
curl ip.me
curl ifconfig.me
If the IP shown is your VPN server’s IP, you’re connected securely.
⏹️ Stopping the VPN
To disconnect and stop the WireGuard VPN interface:
sudo wg-quick down wg0
This will bring down the VPN tunnel and restore your previous network settings.
🔁 Autostart on Boot (Optional)
To automatically start the VPN at boot:
sudo systemctl enable wg-quick@wg0
✅ Summary
Task | Command or Tip |
---|---|
Install WireGuard | sudo pacman -S wireguard-tools |
Use prebuilt config | Place in /etc/wireguard/wg0.conf |
Avoid DNS errors | Remove DNS = ... if using NetworkManager |
Start connection | sudo wg-quick up wg0 |
Set DNS manually | Use resolvectl or nmcli |
Verify connection | curl ifconfig.me |
Autostart on boot | sudo systemctl enable wg-quick@wg0 |
WireGuard and Arch Linux are a perfect match: fast, lightweight, and modular. Just make sure DNS responsibilities are clear — let WireGuard handle the tunnel, and let NetworkManager handle the DNS.