How to fix DNS issues when using Mullvad + Wireguard + NetworkManager on Linux?

Piotr Włodarek
Jun 8, 2021

Desired setup

The desired setup is what we call “should just work”:

  • We want to use the official Mullvad Daemon and Mullvad GUI
  • Mullvad to auto-connect once Internet connection is established by NetworkManager
  • Mullvad to auto-reconnect when Internet connection changes (like, you moved to another WiFi) — roaming
  • Mullvad to use its own DNS servers when it is ON to not leak DNS queries
  • Mullvad to not break default DNS servers when it is OFF

The primary issue is deciding which piece of software modifies the DNS servers, and when and how it does so (via /etc/resolv.conf and/or resolvconf), so that the other pieces are not confused.

After a long trial and error, here is the setup that worked for me.

Cleanup

# Uninstall resolvconf providers if you have any:
pacman -Rs systemd-resolvconf openresolv
# Uninstall local DNS servers if you have any:
pacman -Rs dnsmasq bind unbound
# Mind stopping any local DNS servers still running

Use systemd-resolved DNS server

systemd-resolved is a built-in part of systemd and does not require installation. It does need to be enabled, though:

# Symlink /etc/resolv.conf properly
ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
# Enable and start systemd-resolved
systemctl enable systemd-resolved
systemctl start systemd-resolved

Configure NetworkManager

Make it use systemd-resolved DNS server:

# /etc/NetworkManager/conf.d/dns.conf
[main]
dns=systemd-resolved

Make sure it does not use resolvconf:

# /etc/NetworkManager/conf.d/rc-manager.conf
# These must be commented out:
#[main]
#rc-manager=resolvconf

Restart everything

systemctl stop mullvad-daemon
systemctl restart systemd-resolved
systemctl restart NetworkManager
systemctl enable mullvad-daemon
systemctl start mullvad-daemon

Hopefully, all should work just fine now!
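
To verify the end state of the steps above, here is an added example (not part of the original post) that audits the three file-level conditions this guide relies on. The function names check_dns_setup and make_fixture and the ROOT prefix argument are assumptions of this example; the sample trees are constructed.

```bash
#!/usr/bin/env bash
# check_dns_setup ROOT: return 0 if the files under ROOT match the guide, 1 otherwise.
# ROOT is a filesystem prefix (use "" for the live system); it is a helper
# parameter of this example, not something the tools themselves know about.
check_dns_setup() {
    local root="$1" rc=0
    local stub=/run/systemd/resolve/stub-resolv.conf
    local nm="$root/etc/NetworkManager"

    # 1. /etc/resolv.conf must be a symlink to the systemd-resolved stub file.
    if [ "$(readlink "$root/etc/resolv.conf" 2>/dev/null)" != "$stub" ]; then
        echo "FAIL: /etc/resolv.conf is not a symlink to $stub"; rc=1
    fi
    # 2. An uncommented dns=systemd-resolved line must exist.
    #    (Simplification: the [main] section header is not parsed.)
    if ! grep -Eqs '^[[:space:]]*dns[[:space:]]*=[[:space:]]*systemd-resolved[[:space:]]*$' \
            "$nm/NetworkManager.conf" "$nm"/conf.d/*.conf; then
        echo "FAIL: dns=systemd-resolved is not set for NetworkManager"; rc=1
    fi
    # 3. rc-manager=resolvconf must be absent or commented out.
    if grep -Eqs '^[[:space:]]*rc-manager[[:space:]]*=[[:space:]]*resolvconf' \
            "$nm/NetworkManager.conf" "$nm"/conf.d/*.conf; then
        echo "FAIL: rc-manager=resolvconf is still active"; rc=1
    fi
    return $rc
}

# make_fixture DIR MODE: build a constructed sample tree ("good" or "bad").
make_fixture() {
    local dir="$1" mode="$2"
    mkdir -p "$dir/etc/NetworkManager/conf.d"
    printf '[main]\ndns=systemd-resolved\n' > "$dir/etc/NetworkManager/conf.d/dns.conf"
    if [ "$mode" = good ]; then
        ln -sf /run/systemd/resolve/stub-resolv.conf "$dir/etc/resolv.conf"
        printf '#[main]\n#rc-manager=resolvconf\n' > "$dir/etc/NetworkManager/conf.d/rc-manager.conf"
    else
        printf 'nameserver 192.0.2.53\n' > "$dir/etc/resolv.conf"   # plain file, not the stub
        printf '[main]\nrc-manager=resolvconf\n' > "$dir/etc/NetworkManager/conf.d/rc-manager.conf"
    fi
}

demo=$(mktemp -d)
make_fixture "$demo/good" good
make_fixture "$demo/bad" bad
check_dns_setup "$demo/good" && echo "good fixture: OK"
check_dns_setup "$demo/bad"  || echo "bad fixture: problems found"
rm -rf "$demo"
```

To audit the live system, call check_dns_setup "" after the restart step.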
