From 18bda9f1c6cbad1ed1ee95c5dde2a83933af2ff0 Mon Sep 17 00:00:00 2001
From: Paul-Christian Volkmer
Date: Sat, 21 Jan 2023 01:41:41 +0100
Subject: [PATCH] Use dnsmasq and configure dns server config for clients

This will add a DNS config to the client configurations pointing to the wireguard server. With this configuration, all DNS requests are sent through the VPN and are no longer answered by the local DNS server.

Each client now has a hostname like -client.
---
 Dockerfile | 2 +-
 scripts/add-client.sh | 4 ++++
 scripts/create-config.sh | 5 ++++-
 scripts/entrypoint.sh | 5 +++++
 scripts/hosts.sh | 24 ++++++++++++++++++++++++
 scripts/rm-client.sh | 3 +++
 6 files changed, 41 insertions(+), 2 deletions(-)
 create mode 100755 scripts/hosts.sh

diff --git a/Dockerfile b/Dockerfile
index aae63d6..a00a7a1 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -13,7 +13,7 @@ ENV WG_LOG_LEVEL info
 ENV WG_LOG_FILE /var/log/boringtun
 ENV WG_SUDO 1
 
-RUN apk --update add iproute2 wireguard-tools-wg-quick libqrencode
+RUN apk --update add iproute2 wireguard-tools-wg-quick libqrencode dnsmasq
 
 WORKDIR /scripts
 
diff --git a/scripts/add-client.sh b/scripts/add-client.sh
index 612b080..8355d1b 100755
--- a/scripts/add-client.sh
+++ b/scripts/add-client.sh
@@ -54,6 +54,7 @@ cat < $DEVICE-client_$CLIENT_ID.conf
 Address = $NETWORK.$(($CLIENT_ID+10))/24, $NETWORK6:$(printf "%x" $(($CLIENT_ID+10)))/64
 ListenPort = $SERVER_PORT
 PrivateKey = ${CLIENT_SEC_KEY}
+DNS = $NETWORK.1
 EOF
 
 if [ $MTU ]; then
@@ -68,6 +69,9 @@ AllowedIPs = 0.0.0.0/0, ::/0
 Endpoint = $SERVER_HOST:$SERVER_PORT
 EOF
 
+# Update dnsmasq hosts file
+/scripts/hosts.sh
+
 if [ -z $1 ]; then
   echo "Added Client # $CLIENT_ID"
 else
diff --git a/scripts/create-config.sh b/scripts/create-config.sh
index a5e8a43..1b249f1 100755
--- a/scripts/create-config.sh
+++ b/scripts/create-config.sh
@@ -111,7 +111,6 @@ EOF
 done
 
 # Print out client configs
-
 for (( i=1; i<=$CLIENTS; i++ )); do
 cat <> $DEVICE-client_$i.conf
 ##############
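Review bot: `DNS = $NETWORK.1` advertises only the IPv4 resolver, although the same client is given a `$NETWORK6` address on the line above and hosts.sh publishes `$NETWORK6:1 $DEVICE-server` for the server; `DNS = $NETWORK.1, $NETWORK6:1` would let a client whose IPv6 path comes up first still reach it. The identical single-family line is added in create-config.sh at `@@ -123,6 +122,7 @@`. Every client now depends on the tunnel for name resolution, and on Linux clients wg-quick presumably hands `DNS` to resolvconf, so a sentence on that in the README would save support questions. The heredoc this line lands in starts before the hunk.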
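Review bot: `/scripts/hosts.sh` is called without checking its status and without a `cd`, yet hosts.sh reads `$DEVICE.conf` and writes `hosts.d/wg` as relative paths, so the call only works if this script already runs in /etc/wireguard — the hunk does not show that, while entrypoint.sh does an explicit `cd /etc/wireguard` before the same call. When it fails, the failure is silently ignored and the script still prints "Added Client", so dnsmasq keeps serving whatever was in hosts.d/wg before. Suggest `/scripts/hosts.sh || echo "warning: could not update hosts.d/wg" >&2`, and the same for the calls in rm-client.sh (`@@ -12,4 +12,7 @@`) and create-config.sh (`@@ -138,3 +138,6 @@`).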
@@ -123,6 +122,7 @@ cat <> $DEVICE-client_$i.conf
 Address = $NETWORK.$(($i+10))/24, $NETWORK6:$(printf "%x" $(($i+10)))/64
 ListenPort = $SERVER_PORT
 PrivateKey = ${CLIENT_SEC_KEYS[$i]}
+DNS = $NETWORK.1
 EOF
 
 if [ $MTU ]; then
@@ -138,3 +138,6 @@ Endpoint = $SERVER_HOST:$SERVER_PORT
 EOF
 done
 
+
+# Create dnsmasq hosts file
+/scripts/hosts.sh $NETWORK $NETWORK6
\ No newline at end of file
diff --git a/scripts/entrypoint.sh b/scripts/entrypoint.sh
index fe928c4..86f0a95 100755
--- a/scripts/entrypoint.sh
+++ b/scripts/entrypoint.sh
@@ -55,6 +55,7 @@ case "$1" in
     ;;
   'purge')
     cd /etc/wireguard
+    rm -rf hosts.d 2>/dev/null
     rm *.conf 2>/dev/null
     echo "Removed all configuration files"
     exit 0
@@ -81,8 +82,12 @@ case "$1" in
       /scripts/create-config.sh
     fi
     echo "Starting wg-quick on $DEVICE"
+    cd /etc/wireguard
+    /scripts/hosts.sh
+    cd -
     touch "${WG_LOG_FILE}"
     wg-quick up $DEVICE
+    dnsmasq -D --hostsdir=/etc/wireguard/hosts.d
     echo "done!"
     tail -f "${WG_LOG_FILE}"
     ;;
diff --git a/scripts/hosts.sh b/scripts/hosts.sh
new file mode 100755
index 0000000..46b7318
--- /dev/null
+++ b/scripts/hosts.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+# Prepare and cleanup hosts file
+mkdir hosts.d 2>/dev/null
+echo -n "" > hosts.d/wg
+
+NETWORK=$(cat $DEVICE.conf | grep Address | sed 's/Address = //g; s/\.[0-9\/]*,.*$//g')
+NETWORK6=$(cat $DEVICE.conf | grep Address | sed 's/Address = //g; s/^.*, //g; s/\:[0-9a-f\/]*$//g')
+
+# Print hosts file
+echo "# IPv4 clients" >> hosts.d/wg
+echo "$NETWORK.1 $DEVICE-server" >> hosts.d/wg
+for i in {1..240}; do
+  if [ -f "$DEVICE-client_$i.conf" ]; then
+    echo "$NETWORK.$(($i+10)) $DEVICE-client$i" >> hosts.d/wg
+  fi
+done
+echo "# IPv6 clients" >> hosts.d/wg
+echo "$NETWORK6:1 $DEVICE-server" >> hosts.d/wg
+for i in {1..240}; do
+  if [ -f "$DEVICE-client_$i.conf" ]; then
+    echo "$NETWORK6:$(printf "%x" $(($i+10))) $DEVICE-client$i" >> hosts.d/wg
+  fi
+done
\ No newline at end of file
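Review bot: `/scripts/hosts.sh $NETWORK $NETWORK6` passes two arguments that hosts.sh never reads — it re-derives both values from `$DEVICE.conf` with grep/sed — so this call differs from the argument-less ones in add-client.sh and rm-client.sh without doing anything different. Either drop the arguments or make hosts.sh honor them, e.g. `NETWORK=${1:-$(…)}`, so the values this script already computed are reused instead of re-parsed from the file it just wrote. The line is also added without a trailing newline (`\ No newline at end of file`), which will show up as a spurious change in the next edit to the file.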
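Review bot: `rm -rf hosts.d 2>/dev/null` runs after a `cd /etc/wireguard` whose result is not checked, so if that directory is missing the recursive delete runs in whatever directory the script was started from; the pre-existing `rm *.conf` has the same weakness, but a recursive rm is what makes it worth guarding now. Suggest `cd /etc/wireguard || exit 1` on the context line above, or an absolute path: `rm -rf -- /etc/wireguard/hosts.d`. The `purge` arm continues outside the hunk.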
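Review bot: `dnsmasq -D --hostsdir=/etc/wireguard/hosts.d` starts the resolver with dnsmasq's default of listening on every interface in the container, but only tunnel clients (`DNS = $NETWORK.1`) need it; if the container's ports are published or it runs with host networking, this becomes a resolver reachable from outside the VPN. Since `wg-quick up $DEVICE` has already run on the line above, `dnsmasq -D --hostsdir=/etc/wireguard/hosts.d --interface="$DEVICE" --bind-interfaces` restricts it to the tunnel. Two smaller points: `cd -` prints the previous directory to stdout and leaves the script in the wrong place if the `cd` before it failed, so `( cd /etc/wireguard && /scripts/hosts.sh )` is the safer form; and dnsmasq's exit status is ignored, so a failed start is only noticed when clients stop resolving — `|| exit 1` after it would surface that in the container log before `tail -f` hides it.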
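Review bot: `grep Address` on the `NETWORK=` and `NETWORK6=` lines matches any line of `$DEVICE.conf` that contains the word, and `$DEVICE.conf` is unquoted, so a comment or a second Address-like line turns `NETWORK` into a multi-line value and the generated hosts file into garbage; the script also runs without `set -e`, assumes `$DEVICE` is set, and `mkdir hosts.d 2>/dev/null` hides every failure including a permission error. The prologue below anchors the match on the key, quotes the path and fails early; it assumes the server config uses the same `Address = v4/24, v6/64` layout the client heredocs produce, which is not visible in this diff. The generation loops are unchanged. Two smaller points: the hosts entries are named `$DEVICE-client$i` while the config files are `$DEVICE-client_$i.conf`, so the two naming schemes differ by an underscore — a one-line comment saying which form is the intended hostname would stop someone "fixing" it; and `{1..240}` duplicates the client limit that is presumably defined in create-config.sh outside this diff.

```shell
#!/bin/bash
set -eu
: "${DEVICE:?DEVICE must be set}"

# Prepare and cleanup hosts file
mkdir -p hosts.d
: > hosts.d/wg

# Take the interface's own Address line only; anchoring on the key keeps
# comments or other lines that merely mention "Address" out of the match.
address=$(grep -m1 '^Address *=' -- "$DEVICE.conf")
NETWORK=$(printf '%s\n' "$address" | sed 's/^Address *= *//; s/\.[0-9\/]*,.*$//')
NETWORK6=$(printf '%s\n' "$address" | sed 's/^Address *= *//; s/^.*, //; s/:[0-9a-f\/]*$//')

# … unchanged: hosts file generation loops …
```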
diff --git a/scripts/rm-client.sh b/scripts/rm-client.sh
index 5ae8c92..c2beb8b 100755
--- a/scripts/rm-client.sh
+++ b/scripts/rm-client.sh
@@ -12,4 +12,7 @@ echo "$CONFIG" > "$DEVICE.conf"
 rm "$DEVICE-client_$1.conf" 2>/dev/null
 rm "$DEVICE-client_$1.png" 2>/dev/null
 
+# Update dnsmasq hosts file
+/scripts/hosts.sh
+
 echo "Client # $1 removed"
\ No newline at end of file