I have both Wireguard and Tailscale set up on my server (Debian 12). I was trying to make sure it was using Wireguard for DNS so I tried adding deny_keys or allow_keys to /etc/resolvconf.conf but whenever I do that the Wireguard service fails to start. This happens whether I try to deny tailscale, the local network adapter, or just allow Wireguard. However it does still update resolv.conf with the Wireguard DNS server so if I try to start the service a second time it will start successfully. I also tried removing nss-lookup.target from the Wants and After section of the Wireguard systemd unit but that made no difference. I did eventually solve the issue another way as it turns out Tailscale has a built in option to prevent it from overwriting resolv.conf, but I'd still like to know why editing resolvconf.conf breaks Wireguard.