How to Use WireGuard with an Encrypted DNS Resolver


Before we can set up WireGuard, ensure you have the WireGuard tools installed on your system. Below are the installation steps for a Linux-based operating system. For other systems, refer to the respective installation documentation.
To install WireGuard on Linux:
```bash
sudo apt update
sudo apt install wireguard wireguard-tools
```
For macOS, you can install WireGuard using Homebrew:
```bash
brew install wireguard-tools
```
Ensure the installation was successful by running:
```bash
wg --version
```

Setting Up WireGuard Configuration

WireGuard uses simple configuration files to define the network interface and peers. Below is an example configuration for a basic WireGuard setup.
Create a configuration file:
```bash
sudo nano /etc/wireguard/wg0.conf
```
Inside the configuration file, add the following details:
```ini
[Interface]
PrivateKey = <your-private-key>
Address = 10.0.0.2/24
ListenPort = 51820

[Peer]
PublicKey = <peer-public-key>
Endpoint = <server-ip>:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
```
Replace <your-private-key>, <peer-public-key> and <server-ip> with the respective keys and server address for your network. The AllowedIPs directive set to 0.0.0.0/0 indicates that all IPv4 traffic will be routed through the WireGuard VPN tunnel. Because this file contains your private key, keep it readable by root only.
Enable and start the WireGuard interface:
```bash
sudo wg-quick up wg0
```
You should now have a working WireGuard VPN setup. Ensure the interface is active:
```bash
sudo wg
```

Choosing an Encrypted DNS Resolver

Encrypted DNS protocols such as DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) encrypt your DNS queries to prevent third parties from intercepting them. DNS-over-HTTPS encrypts DNS queries via an HTTPS connection, while DNS-over-TLS uses a secure TLS connection.
You can use public DNS services like Cloudflare’s 1.1.1.1 for DoH or DoT, or configure your own DNS server if desired. Below are the steps for configuring Cloudflare’s DoH or DoT resolver.

Configuring DNS-over-HTTPS (DoH) with WireGuard

To configure WireGuard to use DNS-over-HTTPS, we’ll set up systemd-resolved to route DNS requests through DoH.
First, ensure systemd-resolved is running:
```bash
sudo systemctl enable systemd-resolved
sudo systemctl start systemd-resolved
```
Next, modify the DNS settings in the WireGuard configuration file. Add the following DNS line under the [Interface] section:
```ini
DNS = 1.1.1.1
```
Now, set up DoH using a proxy like cloudflared, which accepts plain DNS queries on the local machine and forwards them to Cloudflare over HTTPS. Install cloudflared (it is not in the default Debian/Ubuntu repositories, so add Cloudflare's package repository first):
```bash
sudo apt install cloudflared
```
Run cloudflared to start the DoH proxy; by default it listens on 127.0.0.1, port 53:
```bash
sudo cloudflared proxy-dns
```
Once cloudflared is running, point your system resolver at the DoH proxy by editing your network interface settings:
```bash
sudo nano /etc/resolv.conf
```
Add the following entry:
```
nameserver 127.0.0.1
```
Note that wg-quick re-applies the DNS = value from wg0.conf to /etc/resolv.conf every time the interface comes up, so that line must also be set to 127.0.0.1; otherwise this entry is overwritten and queries go to 1.1.1.1 as plain port-53 DNS, bypassing the proxy.
Finally, restart the WireGuard interface:
```bash
sudo wg-quick down wg0
sudo wg-quick up wg0
```
WireGuard is now configured to route DNS queries over HTTPS securely.

Configuring DNS-over-TLS (DoT) with WireGuard

If you prefer DNS-over-TLS, you can configure it using a similar method. Start by installing the stubby DNS resolver, which supports DoT.
Install stubby:
```bash
sudo apt install stubby
```
Configure stubby to use Cloudflare’s DoT resolver. Edit the configuration file:
```bash
sudo nano /etc/stubby/stubby.yml
```
Ensure the DNS-over-TLS settings are configured (the default stubby.yml already listens on 127.0.0.1, which the resolv.conf entry below relies on):
```yaml
# Only ever use TLS transport; never fall back to plaintext UDP/TCP
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_ca_file: "/etc/ssl/certs/ca-certificates.crt"
upstream_recursive_servers:
  - address_data: 1.1.1.1
    tls_port: 853
    tls_auth_name: "cloudflare-dns.com"
```
Enable and start the stubby service:
```bash
sudo systemctl enable stubby
sudo systemctl start stubby
```
Lastly, update your resolv.conf file to point to stubby’s local DNS resolver (and, as with DoH, set the DNS = line in wg0.conf to 127.0.0.1 so wg-quick does not overwrite this entry):
```bash
sudo nano /etc/resolv.conf
```
Add the following entry:
```
nameserver 127.0.0.1
```
Restart your WireGuard interface:
```bash
sudo wg-quick down wg0
sudo wg-quick up wg0
```
Now, DNS queries are routed through DNS-over-TLS via stubby, ensuring encrypted communication.

Verifying the Setup

To verify that DNS queries are being routed through the encrypted DNS resolver, you can use tools like dig or nslookup to confirm that the local stub (cloudflared or stubby) is the one answering. Note that this checks the local hop only; whether the upstream leg is actually encrypted is checked by watching the outbound traffic, as described under best practices below.
For example, run:
```bash
dig @127.0.0.1 example.com
```
If the query is successful, and cloudflared or stubby is running correctly, the DNS response should be returned without any issues. Additionally, if you want to ensure WireGuard is functioning properly, check the status of the VPN connection:
```bash
sudo wg
```
This confirms that your VPN and DNS setup are both functioning as expected.
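As an added check that is not part of the original article, the following Python script reads a wg-quick configuration and a resolv.conf and reports the DNS-leak pitfalls from the DoH and DoT procedures above: a DNS = line that wg-quick will re-apply over the local stub entry, a non-loopback nameserver, or an AllowedIPs that is not a full tunnel. The sample configurations, including the placeholder key and endpoint values, are constructed for this example.

```python
import configparser
import ipaddress

LOCAL_STUBS = {"127.0.0.1", "::1"}  # addresses cloudflared / stubby listen on

def parse_wg_conf(text):
    """Parse wg-quick INI text into {section: {Key: value}}, keeping key case."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str  # do not lowercase PrivateKey, AllowedIPs, DNS, ...
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def nameservers(resolv_text):
    """Nameserver addresses listed in resolv.conf text (comments ignored)."""
    return [parts[1] for parts in (line.split() for line in resolv_text.splitlines())
            if len(parts) > 1 and parts[0] == "nameserver"]

def dns_leak_findings(wg_text, resolv_text):
    """Return leak risks as strings; an empty list means DNS stays on the local stub."""
    conf = parse_wg_conf(wg_text)
    iface, peer = conf.get("Interface", {}), conf.get("Peer", {})
    findings = []
    allowed = [ipaddress.ip_network(a.strip(), strict=False)
               for a in peer.get("AllowedIPs", "").split(",") if a.strip()]
    if not any(n.prefixlen == 0 for n in allowed):  # 0.0.0.0/0 or ::/0 = full tunnel
        findings.append("AllowedIPs is not a full tunnel: resolver traffic can bypass WireGuard")
    for addr in nameservers(resolv_text):
        if addr not in LOCAL_STUBS:
            findings.append(f"resolv.conf nameserver {addr}: plaintext port-53 queries")
    for addr in (d.strip() for d in iface.get("DNS", "").split(",") if d.strip()):
        if addr not in LOCAL_STUBS:  # wg-quick rewrites resolv.conf from this on every 'up'
            findings.append(f"DNS = {addr} in wg0.conf overwrites resolv.conf on 'wg-quick up', "
                            "bypassing the local DoH/DoT stub")
    return findings

# Constructed sample inputs: the article's wg0.conf with DNS = 1.1.1.1 (key and
# endpoint values are placeholders) and a resolv.conf pointing at the local stub.
ARTICLE_WG = """[Interface]
PrivateKey = <your-private-key>
Address = 10.0.0.2/24
DNS = 1.1.1.1

[Peer]
PublicKey = <peer-public-key>
Endpoint = <server-ip>:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
"""
FIXED_WG = ARTICLE_WG.replace("DNS = 1.1.1.1", "DNS = 127.0.0.1")
LOCAL_RESOLV = "nameserver 127.0.0.1\n"
```

Run `dns_leak_findings(ARTICLE_WG, LOCAL_RESOLV)` to see the overwrite finding for the article's config, and the same call with `FIXED_WG` to get an empty list.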

WireGuard and DNS Security Best Practices

Always use a reputable encrypted DNS resolver such as Cloudflare’s 1.1.1.1 or Google’s 8.8.8.8.
Regularly rotate your WireGuard keys to maintain security.
Monitor your DNS traffic using tools like tcpdump to detect any leaks: with the setup above, plain port-53 packets should appear only on the loopback interface, so any seen leaving on another interface indicate a leak.
