Use dnsmasq and configure dns server config for clients

This will add a DNS config to the client configurations pointing to the
wireguard server. With this configuration, all DNS requests are sent
through the VPN and are no longer answered by the local DNS server.

Each client now has a hostname like <device>-client<id>.

Dockerfile

@@ -13,7 +13,7 @@ ENV WG_LOG_LEVEL info
 ENV WG_LOG_FILE /var/log/boringtun
 ENV WG_SUDO 1
 
-RUN apk --update add iproute2 wireguard-tools-wg-quick libqrencode
+RUN apk --update add iproute2 wireguard-tools-wg-quick libqrencode dnsmasq
 
 WORKDIR /scripts
 

scripts/add-client.sh

@@ -54,6 +54,7 @@ cat <<EOF > $DEVICE-client_$CLIENT_ID.conf
 Address = $NETWORK.$(($CLIENT_ID+10))/24, $NETWORK6:$(printf "%x" $(($CLIENT_ID+10)))/64
 ListenPort = $SERVER_PORT
 PrivateKey = ${CLIENT_SEC_KEY}
+DNS = $NETWORK.1
 EOF
 
 if [ $MTU ]; then
@@ -68,6 +69,9 @@ AllowedIPs = 0.0.0.0/0, ::/0
 Endpoint = $SERVER_HOST:$SERVER_PORT
 EOF
 
+# Update dnsmasq hosts file
+/scripts/hosts.sh
+
 if [ -z $1 ]; then
   echo "Added Client # $CLIENT_ID"
 else

scripts/create-config.sh

@@ -111,7 +111,6 @@ EOF
 done
 
 # Print out client configs
-
 for (( i=1; i<=$CLIENTS; i++ )); do
 cat <<EOF >> $DEVICE-client_$i.conf
 ##############
@@ -123,6 +122,7 @@ cat <<EOF >> $DEVICE-client_$i.conf
 Address = $NETWORK.$(($i+10))/24, $NETWORK6:$(printf "%x" $(($i+10)))/64
 ListenPort = $SERVER_PORT
 PrivateKey = ${CLIENT_SEC_KEYS[$i]}
+DNS = $NETWORK.1
 EOF
 
 if [ $MTU ]; then
@@ -138,3 +138,6 @@ Endpoint = $SERVER_HOST:$SERVER_PORT
 EOF
 
 done
+
+# Create dnsmasq hosts file
+/scripts/hosts.sh $NETWORK $NETWORK6

scripts/entrypoint.sh

@@ -55,6 +55,7 @@ case "$1" in
     ;;
   'purge')
     cd /etc/wireguard
+    rm -rf hosts.d 2>/dev/null
     rm *.conf 2>/dev/null
     echo "Removed all configuration files"
     exit 0
@@ -81,8 +82,12 @@ case "$1" in
       /scripts/create-config.sh
     fi
     echo "Starting wg-quick on $DEVICE"
+    cd /etc/wireguard
+    /scripts/hosts.sh
+    cd -
     touch "${WG_LOG_FILE}"
     wg-quick up $DEVICE
+    dnsmasq -D --hostsdir=/etc/wireguard/hosts.d
     echo "done!"
     tail -f "${WG_LOG_FILE}"
     ;;

scripts/hosts.sh

@@ -0,0 +1,24 @@
+#!/bin/bash
+
+# Prepare and cleanup hosts file
+mkdir hosts.d 2>/dev/null
+echo -n "" > hosts.d/wg
+
+NETWORK=$(cat $DEVICE.conf | grep Address | sed 's/Address = //g; s/\.[0-9\/]*,.*$//g')
+NETWORK6=$(cat $DEVICE.conf | grep Address | sed 's/Address = //g; s/^.*, //g; s/\:[0-9a-f\/]*$//g')
+
+# Print hosts file
+echo "# IPv4 clients" >> hosts.d/wg
+echo "$NETWORK.1    $DEVICE-server" >> hosts.d/wg
+for i in {1..240}; do
+  if [ -f "$DEVICE-client_$i.conf" ]; then
+    echo "$NETWORK.$(($i+10))    $DEVICE-client$i" >> hosts.d/wg
+  fi
+done
+echo "# IPv6 clients" >> hosts.d/wg
+echo "$NETWORK6:1    $DEVICE-server" >> hosts.d/wg
+for i in {1..240}; do
+  if [ -f "$DEVICE-client_$i.conf" ]; then
+    echo "$NETWORK6:$(printf "%x" $(($i+10)))    $DEVICE-client$i" >> hosts.d/wg
+  fi
+done

scripts/rm-client.sh

@@ -12,4 +12,7 @@ echo "$CONFIG" > "$DEVICE.conf"
 rm "$DEVICE-client_$1.conf" 2>/dev/null
 rm "$DEVICE-client_$1.png" 2>/dev/null
 
+# Update dnsmasq hosts file
+/scripts/hosts.sh
+
 echo "Client # $1 removed"