1 files changed, 39 insertions, 7 deletions

diff --git a/internal/wireguard/wireguard_test.go b/internal/wireguard/wireguard_test.go
index 9bbd24c..05fa228 100644
--- a/internal/wireguard/wireguard_test.go
+++ b/internal/wireguard/wireguard_test.go
@@ -3,15 +3,47 @@
 package wireguard
 
 import (
+	"bufio"
+	"os"
+	"strings"
 	"testing"
 )
 
-func TestWireGuardDeviceBinding(t *testing.T) {
-	// Test that the userspace WireGuard device is correctly bound to the Linux TUN device.
-	t.Skip("not implemented")
-}
+// TestDNSMountLeak verifies that /etc/resolv.conf bind mounts are cleaned up
+// after a tunnel is closed.
+func TestDNSMountLeak(t *testing.T) {
+	dnsServer := "8.8.8.8"
+
+	// We call ConfigureResolvConf directly since that's the part causing the leak.
+	if err := ConfigureResolvConf(dnsServer); err != nil {
+		t.Logf("ConfigureResolvConf failed as expected in non-privileged test env: %v", err)
+		// If we can't mount, the test can't prove a leak.
+		// We skip if we lack permissions.
+		if strings.Contains(err.Error(), "operation not permitted") {
+			t.Skip("Insufficient privileges to perform bind mounts for leak test")
+		}
+	}
+
+	// Check for the leak
+	mounts, err := os.Open("/proc/self/mounts")
+	if err != nil {
+		t.Fatalf("failed to open /proc/self/mounts: %v", err)
+	}
+	defer mounts.Close()
+
+	scanner := bufio.NewScanner(mounts)
+	foundLeak := false
+	for scanner.Scan() {
+		line := scanner.Text()
+		if strings.Contains(line, "resolvconf") && strings.Contains(line, "/etc/resolv.conf") {
+			foundLeak = true
+			t.Errorf("Found leaking bind mount in /proc/self/mounts: %s", line)
+		}
+	}
 
-func TestIpcSetConfiguration(t *testing.T) {
-	// Test that IpcSet correctly updates the WireGuard device keys and endpoints.
-	t.Skip("not implemented")
+	if foundLeak {
+		t.Logf("Confirmed: DNS resolv.conf mount leaks after configuration")
+	} else {
+		t.Logf("No leak detected (perhaps mount failed)")
+	}
 }