apt install dnsmasq -y
Find and add these items to /etc/dnsmasq.conf:
server=1.1.1.1
server=1.0.0.1
bind-interfaces
Then disable the systemd resolver:
systemctl stop systemd-resolved
systemctl disable systemd-resolved
And you should be able to start dnsmasq:
systemctl start dnsmasq
systemctl enable dnsmasq
If LXC or LXD is running you may have to shut them down and/or kill their processes first, or the above will output an error. To shut down lxc and lxd you may have to hack your way through the following, roughly:
lxd shutdown
# find the lxc process that is running dnsmasq and kill it
ps aux | grep lxc
kill -9 [PID NUMBER FROM LAST COMMAND]
After hacking your way through the above, retry starting dnsmasq as in the previous step. If all else fails you may have to restart the container, and everything should work.
Check to make sure you are getting DNS resolution with ping or dig:
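Added example, not part of the original instructions: a small POSIX shell script that applies the three dnsmasq settings above without duplicating them on a re-run, and checks whether /etc/resolv.conf still names 127.0.0.53, the systemd-resolved stub. That is the usual state right after systemd-resolved is stopped, because on Ubuntu /etc/resolv.conf is a symlink to resolved's stub file, and lookups would then go to a listener that no longer exists instead of to dnsmasq. The function names are my own, the file paths are parameters so the functions can be exercised on scratch files, and the sample resolv.conf is constructed.

```shell
#!/bin/sh
# Added example, not from the original page: apply the dnsmasq settings above
# without duplicating lines, and check where /etc/resolv.conf sends queries.
# File paths are parameters so the functions can be exercised on scratch files.

# ensure_line FILE LINE: append LINE to FILE unless an identical line is
# already present, so re-running the setup never duplicates settings.
ensure_line() {
    file="$1"; line="$2"
    [ -f "$file" ] || : > "$file"
    grep -qxF -- "$line" "$file" && return 0
    printf '%s\n' "$line" >> "$file"
}

# configure_dnsmasq [CONF]: the three settings the page adds to dnsmasq.conf.
configure_dnsmasq() {
    conf="${1:-/etc/dnsmasq.conf}"
    ensure_line "$conf" "server=1.1.1.1"
    ensure_line "$conf" "server=1.0.0.1"
    ensure_line "$conf" "bind-interfaces"
}

# resolv_nameserver [RESOLV]: print the first nameserver listed in resolv.conf.
resolv_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }' "${1:-/etc/resolv.conf}"
}

# stub_still_in_use [RESOLV]: succeed if the resolver is still systemd-resolved's
# stub address. Stopping systemd-resolved does not rewrite /etc/resolv.conf,
# so lookups would still be sent to 127.0.0.53 rather than to dnsmasq.
stub_still_in_use() {
    [ "$(resolv_nameserver "$1")" = "127.0.0.53" ]
}

# Constructed sample: what systemd-resolved leaves in /etc/resolv.conf.
SAMPLE_RESOLV='nameserver 127.0.0.53
options edns0 trust-ad'

main() {
    tmp=$(mktemp -d)
    printf '%s\n' "$SAMPLE_RESOLV" > "$tmp/resolv.conf"
    configure_dnsmasq "$tmp/dnsmasq.conf"
    configure_dnsmasq "$tmp/dnsmasq.conf"   # second run changes nothing
    echo "== generated dnsmasq.conf"; cat "$tmp/dnsmasq.conf"
    if stub_still_in_use "$tmp/resolv.conf"; then
        echo "resolv.conf still names 127.0.0.53; point it at 127.0.0.1 so dnsmasq answers"
    fi
    rm -rf "$tmp"
}
main
```

If the dig check further down reports SERVER: 127.0.0.53, queries are still going to the resolved stub, not to dnsmasq. One more point the page's three settings do not cover: bind-interfaces with no interface= line makes dnsmasq answer on every interface, including the public one, so a host with a public address becomes an open resolver; adding interface=wg0 (dnsmasq adds the loopback interface on its own) limits it to VPN clients.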
root@test:~# ping google.com
PING google.com (142.251.45.14) 56(84) bytes of data.
64 bytes from iad66s01-in-f14.1e100.net (142.251.45.14): icmp_seq=1 ttl=121 time=0.712 ms
64 bytes from iad66s01-in-f14.1e100.net (142.251.45.14): icmp_seq=2 ttl=121 time=0.669 ms
64 bytes from iad66s01-in-f14.1e100.net (142.251.45.14): icmp_seq=3 ttl=121 time=0.635 ms
^C
--- google.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2007ms
rtt min/avg/max/mdev = 0.635/0.672/0.712/0.031 ms
root@test:~# dig google.com
; <<>> DiG 9.16.1-Ubuntu <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21369
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;google.com. IN A
;; ANSWER SECTION:
google.com. 205 IN A 142.251.45.14
;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Tue Feb 22 18:55:48 UTC 2022
;; MSG SIZE rcvd: 55
root@test:~#
Set up dnsmasq to start after WireGuard so that it can bind the wg0 interface.
Modify these lines in /lib/systemd/system/dnsmasq.service:
[Unit]
After=wg-quick@wg0.service
Wants=wg-quick@wg0.service
Add these to /etc/sysctl.conf:
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
Run sysctl -p to make the system reread the /etc/sysctl.conf file.
Config files on Linux are located in /etc/wireguard. This file should be named /etc/wireguard/wg0.conf.
SERVER CONFIG FILE:
[Interface]
Address = 10.132.0.1/24
SaveConfig = true
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE
PostUp = ip6tables -A FORWARD -i wg0 -j ACCEPT
PostUp = ip6tables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o enp0s3 -j MASQUERADE
PostDown = ip6tables -D FORWARD -i wg0 -j ACCEPT
PostDown = ip6tables -t nat -D POSTROUTING -o enp0s3 -j MASQUERADE
ListenPort = [SERVER_VPN_PORT]
PrivateKey = [PRIVATE KEY]
[Peer]
PublicKey = [PEER_1_PUBLIC_KEY]
AllowedIPs = 10.132.0.20/32
[Peer]
PublicKey = [PEER_2_PUBLIC_KEY]
AllowedIPs = 10.132.0.30/32
Config files for Windows can be imported and managed with the WireGuard app.
CLIENT CONFIG FILE:
[Interface]
PrivateKey = [CLIENT_PRIVATE_KEY]
ListenPort = 12345
Address = 10.132.0.20/24
DNS = 10.132.0.1
[Peer]
PublicKey = [SERVER_PUBLIC_KEY]
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = [SERVER_IP_ADDRESS]:[SERVER_VPN_PORT]
PersistentKeepalive = 25
Then run the following commands to set up the systemd WireGuard service:
sudo systemctl enable wg-quick@wg0
sudo systemctl daemon-reload
sudo systemctl start wg-quick@wg0
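Added example, not part of the original page: a POSIX shell checker to run over wg0.conf before the enable/start commands above. It reports bracketed placeholders such as [PRIVATE KEY] that were never replaced, required keys missing from [Interface] or a [Peer] section, and a config file readable by other users (it holds the private key). The function names are my own, the file-mode check assumes GNU stat (Linux), and the two sample configs at the bottom are constructed: the keys are fake and the port 51820 is just a filled-in value.

```shell
#!/bin/sh
# Added example, not from the original page: sanity-check a WireGuard config
# before handing it to wg-quick. Reports unfilled [PLACEHOLDER] values,
# missing required keys, and a file readable by other users. Assumes GNU
# stat; the sample configs below are constructed and the keys are not real.

# wg_placeholders FILE: print every value still in [PLACEHOLDER] form.
# Section headers ([Interface], [Peer]) contain lowercase letters and so
# are not matched.
wg_placeholders() {
    grep -oE '\[[A-Z0-9_ ]+\]' "$1" || true
}

# wg_placeholder_count FILE: how many placeholders remain.
wg_placeholder_count() {
    wg_placeholders "$1" | awk 'END { print NR }'
}

# wg_missing_keys FILE: print "Section:Key" for each required key that is
# absent. [Interface] needs PrivateKey and Address; every [Peer] needs
# PublicKey and AllowedIPs.
wg_missing_keys() {
    awk '
        function chk(k) { if (!(k in seen)) printf "%s:%s\n", sec, k }
        function flush(   key) {
            if (sec == "Interface") { chk("PrivateKey"); chk("Address") }
            else if (sec == "Peer") { chk("PublicKey"); chk("AllowedIPs") }
            for (key in seen) delete seen[key]
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]*\[/ {
            if (sec != "") flush()
            sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\][ \t]*$/, "", sec)
            next
        }
        { split($0, kv, "="); key = kv[1]; gsub(/[ \t]/, "", key); seen[key] = 1 }
        END { if (sec != "") flush() }
    ' "$1"
}

# wg_mode_ok FILE: succeed only if the file is readable by its owner alone.
wg_mode_ok() {
    case "$(stat -c '%a' "$1" 2>/dev/null)" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# wg_check FILE: run all checks, print findings, return 1 on any problem.
wg_check() {
    f="$1"; rc=0
    p=$(wg_placeholders "$f")
    [ -z "$p" ] || { echo "unfilled placeholders: $(printf '%s' "$p" | tr '\n' ' ')"; rc=1; }
    m=$(wg_missing_keys "$f")
    [ -z "$m" ] || { echo "missing keys: $(printf '%s' "$m" | tr '\n' ' ')"; rc=1; }
    wg_mode_ok "$f" || { echo "$f is readable by others; chmod 600 it"; rc=1; }
    return $rc
}

# Constructed samples: the page's server file with placeholders left in,
# and the same file filled in with fake keys.
SAMPLE_TEMPLATE='[Interface]
Address = 10.132.0.1/24
ListenPort = [SERVER_VPN_PORT]
PrivateKey = [PRIVATE KEY]

[Peer]
PublicKey = [PEER_1_PUBLIC_KEY]
AllowedIPs = 10.132.0.20/32'

SAMPLE_FILLED='[Interface]
Address = 10.132.0.1/24
ListenPort = 51820
PrivateKey = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

[Peer]
PublicKey = BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=
AllowedIPs = 10.132.0.20/32'

main() {
    tmp=$(mktemp -d)
    printf '%s\n' "$SAMPLE_TEMPLATE" > "$tmp/template.conf"
    printf '%s\n' "$SAMPLE_FILLED" > "$tmp/filled.conf"
    chmod 644 "$tmp/template.conf"   # deliberately too permissive
    chmod 600 "$tmp/filled.conf"
    for f in "$tmp/template.conf" "$tmp/filled.conf"; do
        echo "== $f"
        if wg_check "$f"; then echo "ok"; else echo "fix before running wg-quick"; fi
    done
    rm -rf "$tmp"
}
main
```

Run wg_check /etc/wireguard/wg0.conf on the server and on each client before the systemctl commands above; wg-quick itself only warns, at start time, that a world-accessible config exists, and a leftover placeholder shows up as a parse error rather than a clear message.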