Use dnsmasq and configure dns server config for clients

This will add a DNS config to the client configurations pointing to the wireguard server. With this configuration, all DNS requests are sent through the VPN and are no longer answered by the local DNS server. Each client now has a hostname like <device>-client<id>.
2025-04-19 13:26:50 +00:00 · 2023-01-21 01:41:41 +01:00 · 2023-01-21 01:41:41 +01:00 · 18bda9f1c6
commit 18bda9f1c6
parent 9bacc0cc4c
6 changed files with 41 additions and 2 deletions
--- a/2
+++ b/2
@ -13,7 +13,7 @@ ENV WG_LOG_LEVEL info
 ENV WG_LOG_FILE /var/log/boringtun
 ENV WG_SUDO 1

-RUN apk --update add iproute2 wireguard-tools-wg-quick libqrencode
+RUN apk --update add iproute2 wireguard-tools-wg-quick libqrencode dnsmasq

 WORKDIR /scripts

--- a/scripts/add-client.sh
+++ b/scripts/add-client.sh
@ -54,6 +54,7 @@ cat <<EOF > $DEVICE-client_$CLIENT_ID.conf
 Address = $NETWORK.$(($CLIENT_ID+10))/24, $NETWORK6:$(printf "%x" $(($CLIENT_ID+10)))/64
 ListenPort = $SERVER_PORT
 PrivateKey = ${CLIENT_SEC_KEY}
+DNS = $NETWORK.1
 EOF

 if [ $MTU ]; then
@ -68,6 +69,9 @@ AllowedIPs = 0.0.0.0/0, ::/0
 Endpoint = $SERVER_HOST:$SERVER_PORT
 EOF

+# Update dnsmasq hosts file
+/scripts/hosts.sh
+
 if [ -z $1 ]; then
  echo "Added Client # $CLIENT_ID"
 else
--- a/scripts/create-config.sh
+++ b/scripts/create-config.sh
@ -111,7 +111,6 @@ EOF
 done

 # Print out client configs
-
 for (( i=1; i<=$CLIENTS; i++ )); do
 cat <<EOF >> $DEVICE-client_$i.conf
 ##############
@ -123,6 +122,7 @@ cat <<EOF >> $DEVICE-client_$i.conf
 Address = $NETWORK.$(($i+10))/24, $NETWORK6:$(printf "%x" $(($i+10)))/64
 ListenPort = $SERVER_PORT
 PrivateKey = ${CLIENT_SEC_KEYS[$i]}
+DNS = $NETWORK.1
 EOF

 if [ $MTU ]; then
@ -138,3 +138,6 @@ Endpoint = $SERVER_HOST:$SERVER_PORT
 EOF

 done
+
+# Create dnsmasq hosts file
+/scripts/hosts.sh $NETWORK $NETWORK6
--- a/scripts/entrypoint.sh
+++ b/scripts/entrypoint.sh
@ -55,6 +55,7 @@ case "$1" in
    ;;
  'purge')
    cd /etc/wireguard
+    rm -rf hosts.d 2>/dev/null
    rm *.conf 2>/dev/null
    echo "Removed all configuration files"
    exit 0
@ -81,8 +82,12 @@ case "$1" in
      /scripts/create-config.sh
    fi
    echo "Starting wg-quick on $DEVICE"
+    cd /etc/wireguard
+    /scripts/hosts.sh
+    cd -
    touch "${WG_LOG_FILE}"
    wg-quick up $DEVICE
+    dnsmasq -D --hostsdir=/etc/wireguard/hosts.d
    echo "done!"
    tail -f "${WG_LOG_FILE}"
    ;;
--- a/scripts/hosts.sh
+++ b/scripts/hosts.sh
@ -0,0 +1,24 @@
+#!/bin/bash
+
+# Prepare and cleanup hosts file
+mkdir hosts.d 2>/dev/null
+echo -n "" > hosts.d/wg
+
+NETWORK=$(cat $DEVICE.conf | grep Address | sed 's/Address = //g; s/\.[0-9\/]*,.*$//g')
+NETWORK6=$(cat $DEVICE.conf | grep Address | sed 's/Address = //g; s/^.*, //g; s/\:[0-9a-f\/]*$//g')
+
+# Print hosts file
+echo "# IPv4 clients" >> hosts.d/wg
+echo "$NETWORK.1    $DEVICE-server" >> hosts.d/wg
+for i in {1..240}; do
+  if [ -f "$DEVICE-client_$i.conf" ]; then
+    echo "$NETWORK.$(($i+10))    $DEVICE-client$i" >> hosts.d/wg
+  fi
+done
+echo "# IPv6 clients" >> hosts.d/wg
+echo "$NETWORK6:1    $DEVICE-server" >> hosts.d/wg
+for i in {1..240}; do
+  if [ -f "$DEVICE-client_$i.conf" ]; then
+    echo "$NETWORK6:$(printf "%x" $(($i+10)))    $DEVICE-client$i" >> hosts.d/wg
+  fi
+done
--- a/scripts/rm-client.sh
+++ b/scripts/rm-client.sh
@ -12,4 +12,7 @@ echo "$CONFIG" > "$DEVICE.conf"
 rm "$DEVICE-client_$1.conf" 2>/dev/null
 rm "$DEVICE-client_$1.png" 2>/dev/null

+# Update dnsmasq hosts file
+/scripts/hosts.sh
+
 echo "Client # $1 removed"